GDPR Article 18 Explained: A Complete Guide

The General Data Protection Regulation (GDPR) is well known for giving individuals significant rights over their personal data. Among these rights, Article 18 stands out because it gives people the ability to pause how organizations use their data without requiring the organization to delete it. This right is formally called “the right to restriction of processing.”

While other GDPR rights—such as access, erasure, or objection—are more frequently discussed, Article 18 is extremely important for situations where the individual wants to limit how their information is used while a dispute, verification, or correction is underway. This article explains the meaning, conditions, obligations, exceptions, and real-world examples of Article 18 in straightforward language.


What GDPR Article 18 Actually Says

GDPR Article 18 grants individuals (data subjects) the right to request that an organization restrict the processing of their personal data if certain conditions apply. “Restricting processing” means putting data on hold. The organization can store the data but cannot use it for most purposes until the restriction is lifted.

This right acts like a temporary stop sign—pausing the use of personal data while a question or conflict is resolved. It ensures that the organization cannot use the data in ways that might harm the individual before all facts are clear.


The Purpose of Article 18

The goal of the right to restriction of processing is to give individuals more control during sensitive moments. Sometimes people do not want their data processed further, but they also do not want it deleted (as it might be needed for legal claims, corrections, or verification). Article 18 provides that middle ground.

It serves three main functions:

  1. Protection during disputes – If someone believes their data is incorrect or misused, they can stop processing while the organization checks.
  2. Prevention of harm – Restricting the data gives individuals time to react, especially if the data could be used unlawfully or cause negative consequences.
  3. Preservation of information – Restriction ensures data is not erased prematurely, which is important when information may be required as evidence.

In short, Article 18 is about balance: protecting individuals while giving organizations time to resolve issues properly.


When an Individual Can Request Restriction of Processing

Under Article 18, people can request restriction of processing in four specific situations. These conditions are strictly defined but relatively broad, allowing many types of disputes to qualify.

1. When the Data’s Accuracy Is Contested

If a person believes personal data is inaccurate, they can request a restriction while the organization verifies it.

During this period, the organization must stop using the data for decision-making, profiling, analysis, or other operations. It may only store the data until accuracy is confirmed.

This is particularly important in financial, employment, medical, or credit-related contexts where inaccuracies may cause harm.

2. When Processing Is Unlawful

If an organization uses data without a valid legal basis or in violation of GDPR requirements, the individual can ask for restriction instead of deletion.

People may choose restriction over erasure because:

  • They might need the data later for legal claims
  • They may want to preserve evidence
  • They may not want the organization to remove the data completely

Restriction prevents further unlawful use while preserving the information.

3. When the Organization No Longer Needs the Data

If an organization itself states it no longer needs certain data, the person may request a restriction rather than deletion if they need the information for:

  • Legal claims
  • Defending against claims
  • Exercising lawful rights

This gives the data subject the ability to ensure that relevant evidence is preserved.

4. When the Individual Has Objected to Processing

If someone objects to processing under Article 21, they can also request restriction while the organization evaluates the objection.

During this evaluation, the organization must pause processing unless it can demonstrate compelling legitimate grounds that override the individual’s interests, rights, and freedoms.


What “Restriction of Processing” Means in Practice

When processing is restricted, the data cannot be used for almost any purpose except storage. The organization must implement technical measures that prevent ordinary use, analysis, or transfer.

Under GDPR, acceptable actions during restriction are extremely limited. Organizations can:

  • store the data securely
  • use it only with the person’s consent
  • process it for legal claims
  • process it for reasons of substantial public interest
  • ensure it is not accidentally erased
  • maintain internal logs or records

They cannot:

  • use the data for marketing
  • use it for automated decision-making
  • share it with partners
  • analyze or profile it
  • conduct ordinary business operations with it

Essentially, Article 18 requires organizations to freeze data in place, ensuring it cannot be used until the restriction is lifted.


How Organizations Must Implement Restriction

GDPR does not prescribe exact technical methods but expects meaningful, reliable measures. Common approaches include:

  • Marking the data as restricted
  • Moving it to a separate secure environment
  • Blocking access rights in software
  • Using flags within CRM or HR systems
  • Temporarily disabling processing workflows
  • Creating manual override procedures

Employees who normally access the data must be prevented from doing so unless the processing meets an allowed exception.

Organizations must also document the restriction and ensure it remains in place until a clear, transparent decision is made.
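One way to enforce a restriction flag in software, as an added example that is not taken from any particular CRM or HR product: every read declares a purpose, and a restricted record is released only for the purposes this article lists as permitted. The class, field, and purpose names are assumptions of this sketch, and the sample record is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Purposes still permitted on restricted data, following the article's lists.
# The purpose names themselves are assumptions of this example.
ALLOWED_WHILE_RESTRICTED = frozenset(
    {"storage", "legal_claims", "protect_others_rights", "public_interest"})

class ProcessingRestricted(Exception):
    """Raised when a caller asks for restricted data for a blocked purpose."""

@dataclass
class Record:
    data: dict
    recipients: list = field(default_factory=list)   # third parties holding a copy
    restricted: bool = False
    reason: str = ""
    consented: set = field(default_factory=set)      # purposes the subject approved

class RestrictionGate:
    def __init__(self):
        self.records, self.audit = {}, []

    def _log(self, subject_id, event, detail):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append((stamp, subject_id, event, detail))

    def restrict(self, subject_id, reason):
        rec = self.records[subject_id]
        rec.restricted, rec.reason = True, reason
        self._log(subject_id, "restricted", reason)
        return list(rec.recipients)                  # parties to notify (Article 19)

    def lift(self, subject_id, decision):
        rec = self.records[subject_id]
        rec.restricted, rec.reason = False, ""
        rec.consented.clear()                        # consent was tied to this restriction
        self._log(subject_id, "lifted", decision)

    def read(self, subject_id, purpose):
        rec = self.records[subject_id]
        if rec.restricted and purpose not in ALLOWED_WHILE_RESTRICTED | rec.consented:
            self._log(subject_id, "denied", purpose)  # denials are evidence too
            raise ProcessingRestricted(f"{purpose!r} blocked: {rec.reason}")
        self._log(subject_id, "read", purpose)
        return dict(rec.data)                        # copy, so callers cannot mutate

def sample_gate():
    """Constructed sample: one CRM record shared with one processor."""
    gate = RestrictionGate()
    gate.records["subj-001"] = Record({"email": "a@example.com"}, ["mail-processor"])
    return gate
```

The audit list doubles as the documentation trail: it records when the restriction was imposed, every denied attempt, and the decision that lifted it.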


How Long the Restriction Lasts

There is no fixed duration. It lasts as long as the condition that triggered it remains unresolved.

Examples:

  • If a customer disputes an incorrect address, restriction lasts until the organization verifies accuracy.
  • If the individual objects to profiling, restriction lasts until the organization decides whether its legitimate interests override the individual’s rights.
  • If unlawful processing is claimed, restriction lasts until the legal question is clarified.

The organization must carry out its investigation or evaluation without undue delay. Leaving data restricted indefinitely without resolution would violate GDPR.


Organizations Must Notify the Data Subject

Under Article 18(3), organizations must inform individuals:

  • when they impose a restriction
  • when the restriction is lifted
  • when investigation or verification has finished

This notification must be clear and must explain the outcome of the review.


Communication With Other Recipients (Article 19)

If the organization has shared the restricted data with third parties—such as processors, affiliates, or service providers—it must notify each of them about the restriction unless this is impossible or requires disproportionate effort.

The individual can also request information about exactly whom their data was shared with.

This ensures the restriction applies across the entire ecosystem, not just the original holder.


Exceptions to the Restriction

Even during restriction, organizations may process the data in certain cases. GDPR allows limited exceptions:

  1. With the individual’s explicit consent
  2. For legal claims
  3. To protect the rights of another person
  4. For reasons of important public interest

These exceptions are narrow, ensuring that restriction remains a strong protective measure.


Examples of When Article 18 Applies

Below are clear scenarios illustrating how GDPR Article 18 functions in real life.

Example 1: Inaccurate Credit Information

A customer sees an incorrect loan amount listed in their credit file. They contact the financial institution and request restriction while accuracy is checked. During this period, the institution must not use the incorrect data to assess creditworthiness or create reports.

Example 2: Unlawful Marketing Use

A person discovers their email address was added to a marketing list without consent. Instead of deletion—because they may need proof later—they request restriction so the company cannot send messages during the investigation.

Example 3: Objection to Profiling

Someone objects to automated decision-making used by an employer. The employer must restrict processing until it determines whether the profiling is allowed under GDPR.

Example 4: Data Needed for Legal Claims

A former employee believes they were discriminated against. They request restriction of HR records that the employer no longer needs but that may be essential for proving their case.

Example 5: Data Used in Analytics but Accuracy Is Disputed

A delivery company uses GPS and time-tracking data to monitor drivers. If a driver claims that the data is inaccurate, the company must restrict its use while verifying logs and timestamps.

These scenarios demonstrate why Article 18 is crucial: it protects individuals during disputes while ensuring that organizations maintain data responsibly.


The Relationship Between Article 18 and Other GDPR Rights

Article 18 often works alongside other rights:

  • With Article 16 (Right to Rectification): Restriction stays in place while accuracy is verified.
  • With Article 17 (Right to Erasure): Some people prefer restriction instead of deletion.
  • With Article 21 (Right to Object): Restriction applies until the organization evaluates the objection.
  • With Article 15 (Right of Access): Access requests may reveal reasons why restriction is needed.

Overall, Article 18 is one of the most practical and protective rights in the entire GDPR framework.


What Organizations Should Do to Comply With Article 18

To comply fully, organizations must:

  • Have clear internal procedures for handling restriction requests
  • Train staff to recognize and escalate such requests
  • Implement technical controls to enforce restriction
  • Maintain logs showing when processing was paused
  • Document reasons for restriction and decisions to lift it
  • Communicate with third parties that received the data
  • Respond without undue delay

Organizational preparedness is key because Article 18 requests can appear suddenly, often involving time-sensitive disputes.


Conclusion: Why GDPR Article 18 Matters

GDPR Article 18 provides individuals with a strong protective mechanism: the ability to temporarily halt processing when something is unclear, disputed, or potentially unlawful. It gives people breathing room and protects them from decisions or actions based on inaccurate or improperly used information.

For organizations, it requires transparency, technical controls, and responsible data governance. For individuals, it offers reassurance that their data cannot harm them while a question or issue is being resolved.