Skip to content
AuditFront
Art.18 GDPR

GDPR Art.18: Right to Restriction of Processing

What This Control Requires

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: (a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead; (c) the controller no longer needs the personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; (d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

In Plain Language

Sometimes a person doesn't want their data deleted - they just want you to stop using it while something gets sorted out. That's what restriction of processing is: a freeze. The data stays in your systems, but all active processing stops. You can store it, but you can't run analytics on it, feed it into marketing campaigns, or use it in day-to-day operations. There are four situations where this right kicks in. The individual disputes the accuracy of their data and you need time to verify it. The processing is unlawful but the person prefers restriction over deletion. You no longer need the data, but the individual needs it preserved for a legal claim. Or the individual has objected under Article 21(1) and you're still working out whether your legitimate grounds override theirs. The tricky part is making this actually work in your systems. You need a reliable way to flag records as restricted and ensure your applications respect that flag. Before you lift any restriction, you must tell the data subject first. And just like other rights requests, you're on a one-month clock to respond, with an Article 19 obligation to notify any third parties you've shared the data with.

How to Implement

Start by figuring out how your systems will technically enforce a restriction. Options include adding a restricted flag to records that your application logic checks before any processing, moving restricted data into a separate storage area with tightly controlled access, or using database-level permissions to block modifications. Pick whatever fits your architecture, but make sure it actually prevents the data from being used in normal operations. Build a clear handling procedure for restriction requests. Each request needs to be assessed against the four permitted grounds, then implemented across every system that holds the data. Document what processing has been restricted and why. Set up a process for reviewing and lifting restrictions when the underlying issue is resolved, and always notify the data subject before you lift the freeze. Make sure your teams know exactly what's allowed during a restriction and what isn't. Storage is fine. Processing with the individual's explicit consent is fine. Using the data for legal claims or important public interest reasons is fine. Everything else - business operations, analytics, marketing, profiling, third-party sharing - is off limits. Don't forget the Article 19 notification requirement. Every third party who received the restricted data needs to be told about the restriction, unless it's genuinely impossible or would involve disproportionate effort. Keep records of who you notified and be ready to share that list with the data subject if they ask. Set up a review cycle for ongoing restrictions. Check periodically whether the grounds still apply. For accuracy disputes, set a firm deadline for completing your verification. For objection-related restrictions, track where you are with the balancing assessment. Document every review and decision so you have a clear audit trail.

Evidence Your Auditor Will Request

  • Technical capability demonstration for restricting processing in systems
  • Documented restriction request handling procedure
  • Restriction request log showing grounds assessment, implementation, and status
  • Evidence of notification to third-party recipients of restricted data
  • Records of periodic reviews of ongoing restrictions

Common Mistakes

  • No technical capability to restrict processing - systems cannot flag or isolate restricted data
  • Restricted data continues to be included in normal processing operations such as analytics or marketing
  • Failure to notify the data subject before lifting a restriction
  • No periodic review process for ongoing restrictions, leading to indefinite freezing of data
  • Not notifying third-party recipients about the restriction as required by Article 19

Related Controls Across Frameworks

Framework Control ID Relationship
ISO 27001 A.5.34 Related

Frequently Asked Questions

What does 'restriction of processing' actually mean in practice?
Think of it as putting a record on ice. The data stays in your systems, but you stop doing anything with it - no analytics, no marketing, no automated processing, no business operations. Technically, you might flag the record, move it to isolated storage, or build logic that skips restricted records. The point is that the data is preserved but not actively used.
How long does a restriction last?
It depends on why it was restricted. If someone disputed accuracy, it lasts until you've verified the data. If it's tied to an objection, it lasts until you've completed the balancing test. There's no hard maximum, but regulators expect you to resolve the underlying issue promptly rather than letting data sit in limbo indefinitely. You must notify the individual before lifting it.
Can we still include restricted data in backups?
Yes - storage, including backups, is permitted during a restriction. The catch is that if you ever restore from that backup, the restriction must survive the restore process. Make sure your restricted flag or marker is included in whatever gets backed up, so you don't accidentally reactivate data that's supposed to be frozen.

Track GDPR compliance in one place

AuditFront helps you manage every GDPR control, collect evidence, and stay audit-ready.

Start Free Assessment