Article 18 of the GDPR
Right to Limitation of Processing
Right to limitation of processing of personal data is one of the data subject’s eight (8) fundamental rights under the GDPR. Article 18 of the GDPR states this right. Under this right, data subjects may request a company to limit the processing of their personal data. This applies in certain special situations.
Data subject's right to limitation of personal data under the GDPR
In short, this right means that the company should flag the personal data. The purpose is to ensure that the company, in the future, only process the flagged personal data for specific limited purposes.
Where a data subject requests the rectification of personal data, they may also request the right to limitation of processing. This means that the company shall limit its processing of the personal data. Specifically while the company investigates whether the personal data is correct or needs to be rectified.
Remember that the company must inform the data subject of the end of the limitation before it ceases.
The company must inform third parties of the limitation
If the company limits the processing, the company must inform third parties to whom they have shared the personal data. Article 19 of the GDPR governs this obligation to provide information. This applies provided that it does not prove impossible to provide such information. Exceptions also apply if it would involve a disproportionate effort on the part of the company. If the data subject so requests, the company shall provide information on all third parties with whom the company has shared their personal data.
Situations giving the data subject the right to limitation of processing of their personal data
Here are some examples of situations where the right to limitation of processing can be applicable:
Inaccurate personal data
Where the data subject considers the personal data processed to be inaccurate. While the company investigates the accuracy of the personal data, the processing of the contested personal data shall be limited.
Not lawful processing
Where the processing of the personal data is not lawful. This applies provided that the data subject requests the limitation, instead of the erasure of the personal data;
If the data subject needs the company
When the company no longer needs the personal data for a specific purpose, but the data subject needs them. For example, to enable the data subject to assert, defend or establish legal claims.
Legitimate interest
If the company processes the personal data after a balancing of interests based on legitimate interest as a legal basis, and the data subject objects to the processing. While the company controls if the data subject's legitimate interests override the company's, the processing may be limited.
In practice, a company may limit personal data in the following ways, for example:
- When a company publishes an image on its website, the data subject may request the removal of the image. This does not necessarily mean that the company stops the processing altogether, but it may be limited;
- A company may transfer the personal data that the data subject wishes to have restricted to another system, where they become less accessible.
Processing of personal data after an implemented limitation
If the data subject has requested a limitation of processing, the company may only store the personal data. However, there are some exceptions to this general rule, namely:
If the data subject gives consent to continued processing even within a restriction, the processing may take place. Please note that consents must always be active and voluntary;
If the company needs to process limited personal data in order to assert, defend or establish legal claims;
Where the processing of the limited personal data is necessary for reasons of important public interest of the European Union or of a Member State;
If the processing of the limited personal data is necessary to protect the rights of another natural or legal person.
Other data subjects' rights under the GDPR
Right to object
A right that data subjects have under the GDPR is to object to a certain processing of their personal data. In most cases, the company will then delete the personal data or restrict the processing. However, this does not always apply. There are certain exceptions that give the company the right to continue processing the personal data, despite an objection. The right to object applies if the purpose of the processing is in the public interest, when the processing is carried out in the exercise of official authority, or when the legal basis for the processing is legitimate interest.