GDPR A18-01: Right to Restriction of Processing
Organizations must establish formal processes to restrict data processing when data subjects submit valid requests. This control ensures you can pause processing activities while maintaining compliance with GDPR Article 18, protecting both individual rights and your regulatory standing.
What this means
The right to restriction of processing requires you to stop processing personal data (while retaining it) under four specific circumstances: when a data subject contests the accuracy of their data pending verification; when processing is unlawful and the individual opposes deletion; when you no longer need the data but the data subject requires it for legal claims; or when a data subject objects to processing pending your assessment of competing interests. Unlike erasure, restriction preserves the data but limits how you use it.
How to comply
- 1.Document all four restriction request scenarios in your data handling policies and train staff to recognize them
- 2.Create a standardized request form or process that captures restriction requests from data subjects with clear categorization
- 3.Implement technical controls (tagging, access restrictions, processing limitations) to mark restricted data in your systems
- 4.Establish timelines: acknowledge requests within 1 month, complete restriction without undue delay, and confirm completion to the requester
- 5.Maintain a register of all restriction requests with dates, reasons, data affected, and resolution status
- 6.Verify the legitimacy of each request before implementing restrictions to prevent abuse
- 7.Define retention periods for restricted data and procedures for lifting restrictions when applicable
- 8.Audit your data processing workflows to ensure restricted data is excluded from routine business operations
Evidence auditors look for
- Data subject request forms and templates specific to restriction of processing
- Documented policies outlining the four restriction scenarios and decision workflows
- System screenshots showing restricted data flagged or segmented in your database
- Request register with timestamps, categorization by restriction reason, and resolution dates
- Staff training records and competency assessments for restriction request handling
- Sample acknowledgment letters sent to data subjects confirming restriction implementation
- Technical configurations limiting processing access to restricted data sets
- Audit logs showing restricted data exclusion from bulk operations, analytics, or marketing campaigns
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates restriction request intake, tracks all four scenario types, flags restricted data across your systems, and maintains audit-ready registers—eliminating manual spreadsheets and reducing response time from weeks to days.
See how GRCWatch handles this control automatically
Start free trial