5 Practical Examples of GDPR Article 18: Understanding the Right to Restriction of Processing

Dec 2, 2025

The General Data Protection Regulation (GDPR) is built around a simple but powerful principle: individuals must have meaningful control over how their personal data is used. Article 18 of the GDPR—Right to Restriction of Processing—is one of the lesser-discussed rights, yet it serves as a highly important safeguard against misuse, inaccuracies, or unlawful processing of personal data.

In practical terms, Article 18 allows individuals (data subjects) to demand that an organization temporarily stops using their data, even if the company is allowed to store it. This right is especially relevant in situations where something about the data or its use is being disputed or investigated.

To truly understand Article 18, it is best to study it through real-world scenarios. Below are five detailed examples that demonstrate how and when Article 18 applies, how companies should respond, and what internal processes need to be in place to comply.

Example 1: A Customer Disputes the Accuracy of Their Personal Data

One of the most common triggers for Article 18 is when a customer questions whether their personal data is accurate. The GDPR recognizes that inaccurate data can lead to anything from customer dissatisfaction to serious financial harm, so it gives individuals the right to pause processing while accuracy is checked.

Scenario

A customer of an insurance company notices that the company has recorded an outdated postal address. This has led to several important policy documents being sent to the wrong location. The customer contacts the company and formally disputes the accuracy of the data.

How Article 18 Applies

Under Article 18(1)(a), the customer can request that the insurer restrict the processing of their data until the accuracy issue is resolved. During this time:

  • The insurance company may store the data, but cannot use it for new decisions.

  • The company cannot send further letters, calculate premium adjustments, or perform profiling based on this disputed data.

  • Internal systems may need to flag the profile as “restricted.”

Why This Matters

Restricting processing prevents the company from making further mistakes while the dispute is being resolved. If the insurer continued processing the incorrect address, legal and financial consequences could grow.

This example demonstrates that processing restriction is not only a legal requirement—it is a practical way to prevent operational errors.

Example 2: A User Objects to Processing Based on Legitimate Interests

Another common situation arises when a company processes data under the lawful basis of legitimate interests—for example, for business analytics, limited marketing, fraud detection, or personalization. Article 21 allows individuals to object to such processing, and Article 18 reinforces this right by enabling processing restriction during the assessment of the objection.

Scenario

A retail platform uses customer behavior analytics to recommend products. A user objects, arguing that such profiling feels intrusive and unnecessary. They claim that their privacy interests outweigh the company's legitimate interest in personalized suggestions.

How Article 18 Applies

Under Article 18(1)(d), when a user objects to processing under Article 21, the retailer must restrict processing while they evaluate whether their legitimate interest truly overrides the individual’s rights.

During this evaluation:

  • The company cannot continue the objectionable profiling.

  • Behavior tracking for recommendation algorithms must be paused.

  • The objection must be reviewed by a data protection team or officer.

  • The company needs to decide whether it can continue processing or must stop entirely.

Why This Matters

This restriction period ensures a fair and balanced review rather than allowing a company to continue using personal data uninterrupted. It prevents organizations from simply ignoring objections until they “get around to it.”

Example 3: Processing Is Unlawful, but the Data Subject Requests Restriction Instead of Erasure

Sometimes an organization may discover—or be informed—that it has processed personal data in a way that violates GDPR. Under Article 17, individuals may request erasure (“right to be forgotten”). However, Article 18 recognizes that some individuals may still want their data retained—for example, to prove a claim, defend their rights, or support an investigation.

Scenario

A telecommunications company mistakenly shared a customer’s usage data with a third-party marketing partner without consent. The customer discovers the error and complains. The company acknowledges that the processing was unlawful.

However, instead of requesting complete deletion, the customer formally asks the telecom provider to restrict processing of the data. They want the record preserved because they plan to pursue legal action or lodge a complaint with a supervisory authority.

How Article 18 Applies

Under Article 18(1)(b), the company must:

  • Restrict all processing activities involving the unlawfully shared data.

  • Prevent any further disclosure or use.

  • Maintain the data only for archival or legal purposes.

  • Implement internal flags to prevent accidental processing.

Why This Matters

This example shows that the right to restriction is often used strategically. Data deletion could eliminate evidence, whereas restricting processing allows the data subject to maintain their leverage in legal or regulatory proceedings.

Example 4: The Company No Longer Needs the Data, but the Individual Does

Article 18(1)(c) addresses a subtle but important case: when a company no longer needs personal data for its own purposes, but the individual still needs it stored for legal claims. In such cases, the data subject can demand that processing be restricted rather than the data being deleted.

Scenario

A subscription-based fitness app terminates accounts that have been inactive for over 24 months. As part of this process, it deletes user data that is no longer necessary.

One user whose account is about to be deleted informs the company that they are currently in a dispute over incorrect charges made during their subscription. They need the historical payment records preserved as evidence. The user requests a restriction of processing.

How Article 18 Applies

Under Article 18(1)(c), the company must:

  • Stop all other forms of processing (marketing, analytics, deletion).

  • Store the data securely in case the user needs it as evidence.

  • Inform internal teams not to alter or remove the data.

  • Retain the information until the legal matter is resolved.

Why This Matters

This example highlights that the GDPR balances the rights of individuals with the operational needs of organizations. The business may not need the data, but the individual’s rights take precedence when legal claims are involved.

Example 5: A Data Subject Requests a Temporary Pause During a Complaint Investigation

This is one of the most overlooked but highly practical applications of Article 18. When a user files a complaint (either internally or with a supervisory authority), they may fear that the company will continue using their personal data in ways that could be harmful or unfair during the investigation.

Article 18 allows the individual to request a temporary freeze until the matter is clarified.

Scenario

A user submits a complaint to a bank because they believe their account was flagged for fraud incorrectly. They fear that ongoing automated fraud-detection processes might lead to account suspension or credit-worthiness changes. To avoid further negative effects during the investigation, they request restriction of processing.

How Article 18 Applies

The bank must:

  • Put the fraud-flagged data into a restricted state.

  • Pause automated decision-making related to the disputed information.

  • Prevent third-party sharing of the suspicious-activity data.

  • Continue to store the data but avoid further analysis, scoring, or profiling.

Why This Matters

This example shows how Article 18 protects individuals from cascading harm when data is under review. A mistaken fraud flag could affect credit scores, employment applications, or financial security. Restriction helps contain the damage.

How Organizations Must Respond to Article 18 Requests

Understanding examples is only part of compliance. Companies must also follow specific obligations once they receive an Article 18 request. In all cases:

1. Processing Must Be Restricted Immediately

This often requires internal mechanisms such as:

  • Account freezing.

  • Flags inside CRMs or databases.

  • Restriction tags on specific data fields.

2. The Company Must Inform the Data Subject

Once processing has been restricted, the organization must notify the individual.

3. Data May Only Be Stored

During restriction, data can be stored but not processed except:

  • With explicit consent,

  • For legal claims,

  • For protection of another person’s rights,

  • Or for important public-interest reasons.

4. Before Lifting Restrictions, the Individual Must Be Notified

Transparency is mandatory. The company cannot silently resume processing.

5. Restrictions Must Be Documented

To prove compliance, organizations should maintain internal logs of:

  • The request,

  • How the restriction was applied,

  • Systems where processing was paused,

  • Audit trails of actions performed during the restriction period.

Conclusion: Article 18 as a Key GDPR Safeguard

Although Article 18 is not as widely discussed as the right to erasure or access, it plays an essential protective role within the GDPR framework. The right to restriction of processing empowers individuals in moments of uncertainty—when data is inaccurate, disputed, or used unlawfully.

The five examples above illustrate how Article 18 works in real-life contexts:

  1. When data accuracy is challenged.

  2. When a data subject objects to legitimate-interest processing.

  3. When processing is unlawful but the individual prefers preservation.

  4. When the organization no longer needs the data, but the individual does.

  5. When a complaint is under investigation and harmful processing must be paused.

For businesses, understanding Article 18 is not only a compliance requirement—it's a practical tool for data governance, customer trust, and risk reduction. Implementing clear procedures for restriction requests ensures smoother operations, reduced legal exposure, and greater transparency, all of which strengthen the overall data protection framework.