Right to Restriction of Processing: When Data Subjects Can Freeze Your Use of Their Data

What is the right to restriction of processing under GDPR Article 18? When individuals can request you stop processing their data, what it means in practice, and how to comply.

Last updated: 2026-03-27

Freeze, Do Not Delete

The right to restriction of processing is one of the least well-known data subject rights, but it comes up more often than you might expect. It allows individuals to tell you: "Stop using my data, but do not delete it." Think of it as putting a hold on personal data -- the information stays in your systems, but you are not allowed to do much with it.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.

This is different from erasure, where the data is deleted entirely. Restriction is a middle ground -- the individual wants the data preserved (often because they need it for something), but they want you to stop processing it in the meantime.

Understanding when and how this right applies is important because it frequently arises alongside other rights, particularly rectification and objection. If someone disputes the accuracy of their data or objects to your processing, restriction is often the interim measure while the dispute is resolved.

What "Restriction of Processing" Actually Means

Under GDPR Article 18(2), when processing is restricted, you may store the data but you must not process it in any other way unless:

  1. The data subject consents to further processing
  2. The processing is necessary for the establishment, exercise, or defense of legal claims
  3. The processing is necessary for the protection of the rights of another natural or legal person
  4. The processing is necessary for reasons of important public interest of the EU or a member state

In practical terms, restriction means the data sits in your systems untouched. You do not use it for analytics, you do not include it in marketing lists, you do not share it with third parties, you do not run reports on it, and you do not feed it into automated decision-making. It is there, but it is frozen.

What Restriction Is NOT

  • It is not deletion. This is the most common mistake. If someone requests restriction, and you delete their data instead, you have violated both the restriction right and potentially their other interests (they may need the data preserved for legal claims).
  • It is not the same as objection. The right to object (Article 21) is a separate right that challenges the legal basis for processing. Restriction is about pausing processing, often temporarily, while something else is resolved.
  • It is not opt-out from marketing. If someone wants to stop receiving marketing emails, that is their right to object to direct marketing (Article 21(2)), not restriction of processing.

The Four Circumstances When Restriction Applies

GDPR Article 18(1) sets out four specific situations where an individual can request restriction. Unlike some other rights, these are exhaustive -- restriction only applies when one of these four circumstances exists.

1. Accuracy Is Contested

The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.

When an individual submits a rectification request saying their data is wrong, there is often a gap between the request and your verification. During that gap, the individual can request that you stop using the potentially inaccurate data until you have verified whether it is correct.

Example: An employee submits a rectification request saying their performance review contains factual errors. While HR investigates, the employee requests that the review not be used for any promotion or compensation decisions. The employee is exercising the right to restriction while accuracy is being verified.

Duration: The restriction lasts for as long as it takes you to verify the accuracy claim. Once you have determined whether the data is accurate or inaccurate (and made any necessary corrections), you can lift the restriction.

2. Processing Is Unlawful, but Erasure Is Opposed

The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.

This arises when the individual acknowledges that you should not be processing their data (there is no valid legal basis), but they do not want you to delete it -- they want you to keep it but stop using it. This typically happens when the individual needs the data preserved for their own purposes.

Example: A company has been processing customer data without a valid legal basis. The customer realizes this and could request erasure, but instead asks for restriction because they want the data preserved as evidence for a potential compensation claim. The data must be kept (restricted) so it can be used as evidence, but the company must stop all other processing.

Duration: Until the individual either consents to further processing, requests erasure, or the situation that required preservation is resolved.

3. Controller No Longer Needs the Data, but the Individual Does

The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.

Your retention period has expired and you would normally delete the data, but the individual needs it preserved for legal proceedings.

Example: A former customer's account data is scheduled for deletion under your retention policy. The customer is involved in a legal dispute with a third party and needs the transaction records as evidence. They request restriction -- you stop processing the data for your purposes (you were going to delete it anyway) but you keep it available for their legal needs.

Duration: Until the legal proceedings are concluded or the individual no longer needs the data.

4. Objection Under Article 21 Is Pending Verification

The data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

When someone objects to processing based on legitimate interests, you need to assess whether your legitimate grounds override the individual's interests, rights, and freedoms. While you are making that assessment, the individual can request that processing be restricted.

Example: A customer objects to your use of their purchase history for profiling and personalized pricing, arguing it is causing them harm. You believe you have legitimate grounds for this processing, but you need time to conduct the balancing test. While you assess, the customer requests restriction, and you must stop using their data for profiling until you have reached a conclusion.

Duration: Until you complete the balancing test. If you conclude that your legitimate grounds override, you can lift the restriction and resume processing (after notifying the individual). If the individual's objection succeeds, processing stops permanently.

How to Technically Implement Restriction

The GDPR does not prescribe how you must implement restriction, but the intent is clear: the data must be effectively frozen. Here are practical approaches depending on your systems:

Database-Level Approaches

  • Flag or tag records -- add a "restricted" flag to the individual's records that your applications check before processing. This is the most common approach and works well with most database systems.
  • Move to a restricted table or schema -- physically separate restricted data from active data. This provides stronger isolation but requires more engineering.
  • Revoke application access -- remove the records from the datasets that your applications, analytics tools, and reporting systems can access. The data remains in storage but is not available for processing.

Application-Level Approaches

  • Exclude from automated processing -- ensure restricted records are excluded from scheduled jobs, batch processing, automated emails, analytics runs, and any other automated operations.
  • Remove from active user interfaces -- if your staff access personal data through internal tools, restrict visibility of flagged records so they cannot be used in day-to-day operations.
  • Disable API access -- if third-party systems access the data via API, block their access to restricted records.

What You Must Avoid

  • Do not continue including restricted data in reports or analytics -- even aggregated or anonymized processing may be challenged if the data is supposed to be restricted.
  • Do not share restricted data with third parties -- this is a clear violation of the restriction.
  • Do not use restricted data for marketing -- even if the individual is still a customer and would otherwise receive communications.
  • Do not delete restricted data -- unless the individual subsequently requests erasure and the conditions for erasure are met.

Practical Tip: The "Restricted" Label

The simplest approach for most small businesses is a status field or tag. Add a "processing_status" field to your customer or data subject records with values like "active" and "restricted." Then ensure that every process that touches personal data checks this field before proceeding. This is not a complex engineering task, but it does require discipline -- every automated process, every manual workflow, and every third-party integration needs to respect the flag.

Obligation to Inform Before Lifting Restriction

Under GDPR Article 18(3):

A data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted.

This is a mandatory notification. You cannot simply resume processing restricted data without telling the individual first. The notification should:

  • Inform them that you intend to lift the restriction
  • Explain the basis for lifting it (for example, that you have completed your accuracy verification, or that the balancing test under Article 21 is concluded)
  • Give them the opportunity to respond before you resume processing

This is particularly important in the Article 21 scenario (circumstance 4 above). If you conclude that your legitimate grounds override the individual's objection, you must inform them before resuming processing. They may then choose to exercise other rights, such as erasure.

Obligation to Notify Third Parties

Under GDPR Article 19, you must communicate any restriction of processing to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort.

This means:

  1. Identify recipients -- check who you have shared the individual's data with (processors, joint controllers, other recipients)
  2. Notify them of the restriction -- they must also stop processing the data (except for storage and the permitted exceptions)
  3. Document the notifications you sent
  4. Inform the individual about which recipients you notified, if they ask (they have the right to this information under Article 19)

The same "disproportionate effort" exception applies as with rectification notifications -- but as always, this exception is narrow and should not be used as a routine escape clause.

Multi-Jurisdiction Comparison

No Direct CCPA Equivalent

The CCPA does not include a right to restriction of processing in the GDPR sense. The closest CCPA provision is the right to limit the use and disclosure of sensitive personal information (Cal. Civ. Code Section 1798.121), but this is a fundamentally different concept:

  • It applies only to sensitive personal information (Social Security numbers, financial account details, precise geolocation, etc.), not all personal data
  • It limits use to what is necessary to perform the services or provide the goods reasonably expected by the consumer
  • It is a permanent limitation, not a temporary freeze tied to specific circumstances
  • It does not have the four specific triggering conditions of GDPR Article 18

If you receive a CCPA request that sounds like a restriction request, assess whether it actually falls under the right to limit use of sensitive PI, the right to opt out of sale/sharing, or another CCPA right. If none of the CCPA rights map to the request, you may not have an obligation under California law, but consider whether GDPR or another jurisdiction's law applies.

PIPEDA

PIPEDA does not include a standalone right to restriction of processing. However, PIPEDA Principle 9 (Individual Access) gives individuals the right to challenge the accuracy and completeness of their personal information and have it amended. When a challenge is unresolved, PIPEDA Principle 9.6 requires the organization to record the substance of the unresolved challenge and, where appropriate, transmit the existence of the challenge to third parties with access to the information.

This does not explicitly freeze processing, but in practice, an organization that continues to actively use data that is subject to an unresolved accuracy challenge is taking a risk. The prudent approach under PIPEDA is to treat disputed data similarly to GDPR restriction until the challenge is resolved.

UK GDPR

The UK GDPR retains Article 18 in the same form as the EU GDPR. The ICO's guidance on restriction aligns with the EDPB's interpretation. The four circumstances, the definition of restricted processing, and the notification obligations are identical.

Timeline

The response deadline for restriction requests is the same as for other data subject rights under GDPR:

  • GDPR / UK GDPR: One calendar month from receipt, extendable by up to two additional months for complex requests (Article 12(3))
  • You must inform the individual within the first month if you are extending

For details on deadline calculation and extensions, see our DSAR response deadlines guide.

Note that the implementation of restriction may need to happen faster than the formal response deadline. If someone contests the accuracy of data that is being actively used in automated decision-making, continuing to process it for 30 days while you draft your response defeats the purpose of the restriction. The GDPR says you must respond within one month, but it also says processing must be restricted "for a period enabling the controller to verify the accuracy." In practice, this means you should implement the restriction as soon as possible after receiving the request, even if the formal response comes later.

Practical Scenarios

Employee Disputes Performance Review Accuracy

Situation: An employee receives their annual performance review and believes the manager's assessment contains factual errors about their sales figures. They submit a rectification request and, simultaneously, request restriction of processing of the review data.

What to do:

  1. Implement the restriction immediately -- flag the performance review as restricted so it is not used for compensation, promotion, or other HR decisions
  2. Investigate the accuracy claim by checking the actual sales data
  3. If the review is inaccurate, correct it (rectification) and then lift the restriction, notifying the employee first
  4. If the review is accurate, refuse the rectification, lift the restriction (with prior notice to the employee), and explain your reasoning

Common mistake: Using the disputed review to deny a promotion while the investigation is ongoing. If processing is restricted, the data must not be used for decisions like this.

Customer Says Processing Is Unlawful but Wants Data Preserved

Situation: A customer discovers that you have been processing their location data without a valid legal basis. They could request erasure, but they are considering filing a compensation claim and want the data preserved as evidence.

What to do:

  1. Stop all processing of the location data immediately (except storage)
  2. Do not delete the data -- the customer has specifically asked for restriction, not erasure
  3. Notify any third parties you shared the location data with
  4. Respond to the customer confirming the restriction
  5. Keep the data securely stored until the customer either requests erasure, consents to further processing, or the legal claim is resolved

Common mistake: Deleting the data because "the processing was unlawful." The customer has the right to choose restriction over erasure, and you must respect that choice.

Individual Objects to Profiling Under Article 21

Situation: A customer objects to your use of their purchase history for automated product recommendations and dynamic pricing, citing Article 21(1). They request restriction while you conduct the balancing test.

What to do:

  1. Immediately stop using the customer's data for profiling and dynamic pricing
  2. Continue serving the customer normally in all other respects (they are still a customer -- you just cannot profile them)
  3. Conduct the Article 21 balancing test: do your legitimate grounds for profiling override the customer's interests, rights, and freedoms?
  4. If you conclude that your grounds override, notify the customer before lifting the restriction and resuming profiling. Explain your reasoning and inform them of their right to complain to the supervisory authority
  5. If you conclude that the customer's objection is valid, stop the profiling permanently and consider whether any other legal basis supports it

Common mistake: Continuing profiling while "considering" the objection. Once restriction is requested alongside an objection, processing must stop until the balancing test is complete.

Data Scheduled for Deletion but Needed for Litigation

Situation: Your retention policy says customer data should be deleted two years after the account is closed. A former customer's data is due for deletion, but the customer is in a legal dispute with a supplier and needs their transaction records as evidence.

What to do:

  1. Do not delete the data on schedule -- the customer has a legitimate need for it
  2. Restrict the data so it is not used for any purpose other than supporting the legal claim
  3. Store it securely and separately if possible
  4. When the legal proceedings conclude, check with the customer whether they still need the data. If not, proceed with deletion under your normal retention policy

Relationship With Other Rights

Restriction rarely operates in isolation. It is typically exercised alongside another right:

  • Rectification + Restriction: The individual contests accuracy and wants processing frozen while you verify. This is the most common combination.
  • Objection + Restriction: The individual objects to processing under Article 21(1) and wants processing frozen while you conduct the balancing test.
  • Erasure alternative: The individual could request erasure but chooses restriction instead, usually to preserve data for legal claims.

Understanding these relationships helps you handle combined requests correctly. When you receive a restriction request, always check whether it is linked to another right being exercised at the same time.

Common Mistakes to Avoid

Treating Restriction as Deletion

The most dangerous mistake. Restriction means you keep the data but stop processing it. If you delete restricted data, you may be destroying evidence the individual needs, violating their explicit request, and breaching Article 18.

Forgetting to Lift the Restriction

Restriction is usually temporary. Once the triggering circumstance is resolved (accuracy verified, balancing test completed, legal claims concluded), the restriction should be lifted. Leaving data permanently restricted when there is no longer a basis for it creates operational problems and may itself be a compliance issue.

Not Checking Automated Processes

It is easy to flag a record as restricted in your CRM and assume the job is done. But if automated batch processes, email marketing tools, analytics platforms, or third-party integrations pull data from upstream systems, they may not respect the restriction flag unless you have explicitly configured them to do so. Audit your data flows to ensure restricted data is genuinely frozen across all processing.

Failing to Notify Before Lifting

Article 18(3) requires you to inform the individual before lifting the restriction. Resuming processing without notice is a violation, even if the underlying reason for lifting is valid.

References

  • GDPR Article 18: Right to restriction of processing.
  • GDPR Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing.
  • GDPR Article 21: Right to object.
  • GDPR Article 12: Transparent information, communication, and modalities.
  • ICO: Right to restrict processing guidance.
  • CCPA / CPRA: Cal. Civ. Code Section 1798.121 -- Right to limit use and disclosure of sensitive personal information.

Last reviewed: March 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.