5 Examples of GDPR Article 18 (Right to Restriction of Processing)

The General Data Protection Regulation (GDPR) grants individuals various rights over their personal data. Among them, Article 18 — the Right to Restriction of Processing — is often overlooked but extremely important in legal and operational compliance. When this right is exercised, organizations must limit the way they use personal data, even if they keep storing it.

In simple terms:
➡️ The data is still held, but paused from normal processing.

This right helps individuals protect their data while disagreements about accuracy, legality, or business needs are resolved.


What Does GDPR Article 18 Mean?

Article 18 allows data subjects to request a restriction when:

  1. The accuracy of the personal data is contested
  2. Processing is unlawful, but deletion is not desired
  3. The controller no longer needs the data, but the subject requires it for legal claims
  4. The individual objects to processing under Article 21, pending verification of legitimate interest

When a restriction is granted:

  • Data must be clearly marked as restricted
  • Data can only be processed:
    • With the subject’s consent
    • For legal claims
    • For protecting another individual’s rights
    • For reasons of important public interest

Why Does Article 18 Matter?

Organizations often rely heavily on personal data for:

  • Marketing and advertising
  • Sales and profiling
  • Fraud prevention
  • Statistical reporting
  • Operational decision-making

A restriction request may interrupt business processes, so companies must implement:

✔️ Flexible data management
✔️ Escalation procedures
✔️ Clear access control logic
✔️ Internal logging and documentation

Mismanaging a restriction can lead to heavy GDPR penalties, similar to other rights violations.


5 Practical Examples of GDPR Article 18 Requests

These examples illustrate when and how individuals might use the right to restrict processing — and how controllers should respond.


Example 1: The Employee Dispute — Accuracy Contested

A former employee discovers inaccurate salary information in their HR records. The incorrect data could negatively affect their reference letter and severance package.

➡️ The individual contests the accuracy
➡️ They request correction (Article 16)
➡️ While the correction is pending, they request Restriction of Processing (Article 18)

What the company must do:

  • Freeze any processing of HR data related to the dispute
  • Prevent use of the inaccurate record in:
    • Payroll
    • Performance reviews
    • Employment reference letters
  • Maintain the data securely while verifying accuracy

Compliance Tip:
Organizations must notify all additional recipients (e.g., payroll vendors) about the restriction — unless impossible or excessively difficult.


Example 2: Customer Opposes Marketing — Pending Legitimate Interest Check

A telecom company uses legitimate interest as its legal basis for marketing communications. A customer objects to profiling for targeted ads (Article 21).

➡️ The company must stop marketing immediately
➡️ Before deciding whether processing may continue, they must restrict the data under Article 18

What the company must do:

  • Pause marketing segmentation
  • Block automated profiling in CRM
  • Keep the data in the system but limit it to essential operational use
  • Document assessment of legitimate interest vs. individual rights

Compliance Tip:
Marketing systems must include technical restrictions ensuring no unauthorized use of restricted data.


Example 3: Unlawful Processing Allegation — Data Needed for Legal Defense

A healthcare provider discovers that a patient’s data was shared with a third-party researcher without proper consent.

The patient:

  • Refuses erasure because they need the data for legal claims
  • Requests restriction to prevent further unlawful processing

What the organization must do:

  • Keep the data securely for litigation purposes only
  • Disable access for unauthorized departments
  • Suspend any further sharing with researchers, insurers, or third parties
  • Log the incident for assessment as a potential data breach

Compliance Tip:
Legal departments must remain the only active processors during the dispute.


Example 4: The Right to Restriction in Automated Credit Assessment

A bank denies a customer a loan based on automated credit scoring. The customer challenges:

  • The accuracy of employment data
  • The fairness of the automated decision

➡️ Article 18 applies while the institution verifies data inputs and scoring logic

What the bank must do:

  • Pause decision-making tied to the disputed data
  • Prevent communication of the assessment to external credit bureaus
  • Maintain data for internal correction and review only

Compliance Tip:
Processes involving automated decision-making must include auditable checkpoints for Article 18 exercises — especially in high-impact areas like lending, insurance, and employment.


Example 5: Data No Longer Needed — But Still Required by the Data Subject

An online store completes a product return case. The retailer:

  • No longer needs the customer’s order history data for business purposes
  • Wants to delete it for storage minimization

The customer:

  • Requests restriction of processing instead of erasure
  • Needs the purchase record for ongoing warranty or legal dispute

What the company must do:

  • Retain data securely for evidence only
  • Remove from:
    • Marketing audiences
    • Recommendation engines
    • Statistical and analytics processing

Compliance Tip:
Mark restricted data and set an automatic review for when legal retention ends.


How Companies Must Handle Restriction Requests

Organizations must follow strict operational rules:

| Requirement | Description |
| --- | --- |
| Confirmation of restriction | Notify the data subject in writing and define scope |
| Technical access controls | Limit users and systems that can access or process restricted data |
| Audit trail documentation | Record who accessed, why, and under what exception |
| Re-evaluation | Review restriction when dispute or legal need ends |
| Notification of case conclusion | Inform subject before removing restriction |

Prohibited Actions During Restriction

  • No profiling
  • No automated processing
  • No selling or sharing with third parties
  • No marketing communication
  • No unnecessary analytics
  • No operational use beyond legal justification

Controllers must adopt data-segregation strategies such as:

  • Flagging records as restricted
  • Encryption of disputed entries
  • Policy-based processing permissions

Exceptions to Restriction

Even when restricted, data may still be processed for:

✔️ Legal claims
✔️ Public interest based on EU or state law
✔️ Protecting vital interests of another person
✔️ With explicit consent from the data subject

Controllers must ensure exceptions are used sparingly and documented.
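
Added example (not part of the original article): a minimal policy gate that combines the restriction flag, the listed exceptions, and the audit trail, so every processing attempt is decided and recorded in one place. The class names, purpose strings, exception keys, and sample records are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Exceptions the article lists for processing restricted data (key names are assumptions).
EXCEPTIONS = {"consent", "legal_claims", "rights_of_others", "public_interest"}


@dataclass
class Record:
    subject_id: str
    restricted: bool = False  # the "restricted" flag set when a request is granted


@dataclass
class ProcessingGate:
    audit_log: list = field(default_factory=list)

    def authorize(self, record, actor, purpose, exception=None, justification=""):
        """Decide whether `actor` may process `record` for `purpose`; log every decision."""
        if not record.restricted:
            allowed, reason = True, "record not restricted"
        elif purpose == "storage":
            allowed, reason = True, "restricted data may still be stored"
        elif exception not in EXCEPTIONS:
            allowed, reason = False, "restricted and no listed exception claimed"
        elif not justification.strip():
            allowed, reason = False, "exception claimed without documented justification"
        else:
            allowed, reason = True, f"exception: {exception}"
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "subject_id": record.subject_id, "actor": actor, "purpose": purpose,
            "exception": exception, "justification": justification,
            "allowed": allowed, "reason": reason,
        })
        return allowed


def marketing_audience(records, gate, actor="crm-segmenter"):
    """Build a marketing segment; restricted records are dropped by the gate."""
    return [r.subject_id for r in records if gate.authorize(r, actor, "marketing")]


if __name__ == "__main__":
    gate = ProcessingGate()
    customers = [Record("cust-1"), Record("cust-2", restricted=True)]  # constructed data
    print(marketing_audience(customers, gate))
    print(gate.authorize(customers[1], "legal-team", "litigation",
                         "legal_claims", "constructed case reference"))
    for entry in gate.audit_log:
        print(entry)
```

Denied attempts are logged alongside permitted ones, which gives reviewers evidence that the restriction was enforced and not only acknowledged.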


How to Respond to Article 18 Requests — Best Practices

1. Clear Communication

Explain why processing is restricted and which processing activities stop.

2. Legal Basis Reassessment

Determine whether the purpose still exists and if alternative legal bases apply.

3. System Integration

Configure DPA, CRM, and data warehouse systems to apply uniform restriction.

4. Retention Policy Review

Restricted data must be periodically reviewed to determine removal or reactivation.

5. Employee Training

Teams handling data must be aware of restriction flags and compliance obligations.


Consequences of Non-Compliance

Failing to honor Article 18 requests may lead to penalties under:

  • Article 83(5) – up to €20M or 4% of global annual revenue
  • Compensation under Article 82
  • Reputational damage and legal complaints

Audits often focus on how restrictions are operationalized, not just acknowledged.


Conclusion

GDPR Article 18 gives individuals a unique protection mechanism: keeping their data safe while disputes, objections, or legal matters are resolved. Organizations must be able to:

  • Identify requests quickly
  • Restrict processing correctly
  • Maintain proper documentation
  • Communicate transparently with the requester
  • Control internal and third-party data flows

These five scenarios — HR disputes, marketing objections, unlawful processing allegations, credit scoring errors, and warranty claims — demonstrate how common Article 18 requests can be across industries.

Respecting this right strengthens trust, accountability, and transparency — core principles of the GDPR.