Rights & Requests | Updated: 11 April 2026 | 5 min read

Right to Restriction of Processing: When and How

A customer says 'stop using my data while we sort this out.' This article explains step by step how to handle a restriction request under the GDPR, including the four legal grounds and practical implementation.

Key Takeaways
  • Restriction means you can store the data but not process it further
  • There are four specific grounds under Article 18 where restriction applies
  • You must inform the data subject before lifting a restriction
  • You have one month to respond to a restriction request

What is restriction of processing?

Under Article 18 of the GDPR, a data subject can ask you to restrict the processing of their personal data. This means you can still store the data, but you cannot use it - no sending, no analysing, no sharing, no decision-making based on it.

Think of it as putting data in a locked drawer. It is still there, but nobody touches it until the situation is resolved.

When does the right apply?

There are exactly four grounds under which a data subject can request restriction. You must apply restriction if any of these situations applies.

Ground 1: Accuracy is contested

The data subject says the data is incorrect and you need time to verify. During that verification period, the data must be restricted.

Example: A customer claims their date of birth in your system is wrong. While you check your original records, you restrict processing of that data.

Ground 2: Processing is unlawful, but no deletion wanted

The processing is unlawful (e.g. no valid legal basis), but the data subject prefers restriction over erasure.

Example: You collected email addresses without proper consent. Instead of requesting deletion, a customer says “keep my data but don’t use it until you have my consent.”

Ground 3: Data needed for legal claims

You no longer need the data for your original purpose, but the data subject needs it to establish, exercise, or defend legal claims.

Example: A former employee asks you to keep their performance records even though your retention period has expired, because they need the records for an ongoing employment dispute.

Ground 4: Objection pending verification

The data subject has objected to processing under Article 21, and you are verifying whether your legitimate grounds override theirs.

Example: A customer objects to your direct marketing profiling. While you assess whether your legitimate interest overrides their objection, you restrict the profiling.

Step 1: Register the request

As soon as the request comes in, note down:

  • Who is making the request
  • When you received it (the one-month deadline starts now)
  • Through which channel it came in
  • Which ground applies (or let the data subject explain their reason)
  • Which data should be restricted

Template: Request Register

Keep track of every request in a register: who, when, what was asked, and how it was handled.


Step 2: Verify the identity

Before restricting data, confirm you are dealing with the right person. The same verification rules apply as with other data subject requests:

  • Account holders: confirm through their account
  • Known persons: confirmation via known email
  • Unknown persons: request a redacted copy of an ID document

Step 3: Implement the restriction

This is where it gets practical. You need to ensure that the data is stored but not processed in any other way. Here are concrete approaches:

Method | How it works
Flag in CRM | Add a “restricted” flag or status to the record so staff know not to use it
Separate folder | Move the data to a restricted-access folder or database table
Access restriction | Remove processing permissions for the record, keeping only read access for authorised staff
System block | If your system supports it, block the record from being included in mailings, reports, or automated processes

What you must stop doing:

  • Sending marketing or communications using the data
  • Including the data in analyses or reports
  • Sharing the data with third parties
  • Making any decisions based on the data

What you can still do:

  • Store the data
  • Process it with the data subject’s consent
  • Process it for legal claims
  • Process it to protect the rights of another person
  • Process it for important public interest reasons

Step 4: Inform recipients (Article 19)

Just like with rectification and erasure, you must notify any recipients who received the data that processing is now restricted, unless this is impossible or involves disproportionate effort.

Step 5: Respond to the data subject

Send a clear response within one month:

  • Confirm that the restriction has been applied
  • Explain which data is affected
  • Describe how you have implemented the restriction
  • If you refuse (in whole or in part), explain why and inform them of the right to complain to the supervisory authority

When to lift the restriction

This is critical: you must inform the data subject before lifting the restriction. You cannot simply start processing the data again without telling them.

The restriction can be lifted when:

  • The accuracy dispute is resolved and the data is confirmed correct
  • The unlawful processing issue is resolved (e.g. consent is obtained)
  • The legal claims for which the data was kept are concluded
  • Your verification of the Article 21 objection is complete

Always notify the data subject in advance. Give them a reasonable opportunity to respond before you resume processing.

Common implementation challenges

CRM systems without restriction flags

Many standard CRM systems do not have a built-in “restricted” status. Workarounds include:

  • Adding a custom field or tag
  • Moving the record to a separate “restricted” list
  • Adding a note to the record with clear instructions for staff

Automated processes

Check whether any automated workflows (email sequences, reporting, data syncs) include the restricted data. You may need to create exclusion rules or manually remove the record from automated processes.

Shared databases

If multiple departments or systems access the same data, make sure all of them respect the restriction. A restriction in your CRM is useless if the marketing team can still pull the data from a shared database.
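
One way to enforce the restriction in the shared database itself, so that mailings, reports and syncs cannot bypass a CRM flag (an added example, not part of the original article). The table, view and function names and the purpose labels are assumptions, and the sample rows are constructed.

```python
import sqlite3

# Purposes the article lists as still permitted while a restriction is active.
ALLOWED_WHILE_RESTRICTED = {"storage", "consent", "legal_claims",
                            "protect_others", "public_interest"}
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
CREATE TABLE restrictions (customer_id INTEGER NOT NULL, ground TEXT NOT NULL,
                           lifted INTEGER NOT NULL DEFAULT 0);
-- Mailings, reports and syncs read this view, never the base table.
CREATE VIEW processable_customers AS
  SELECT c.id, c.email FROM customers c
  WHERE NOT EXISTS (SELECT 1 FROM restrictions r
                    WHERE r.customer_id = c.id AND r.lifted = 0);
CREATE TABLE access_log (customer_id INTEGER, purpose TEXT, served INTEGER);
"""

def open_db():
    """In-memory database with constructed sample customers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [(1, "ana@example.com"), (2, "ben@example.com")])
    return conn

def restrict(conn, customer_id, ground):
    conn.execute("INSERT INTO restrictions (customer_id, ground) VALUES (?, ?)",
                 (customer_id, ground))

def mailing_list(conn):
    rows = conn.execute("SELECT email FROM processable_customers ORDER BY id")
    return [r[0] for r in rows]

def read_for_purpose(conn, customer_id, purpose):
    """Return the email, or None when the restriction blocks this purpose."""
    # The source name is one of two fixed literals, never caller input.
    source = ("customers" if purpose in ALLOWED_WHILE_RESTRICTED
              else "processable_customers")
    row = conn.execute(f"SELECT email FROM {source} WHERE id = ?",
                       (customer_id,)).fetchone()
    # Log every attempt so accidental processing shows up in review.
    conn.execute("INSERT INTO access_log VALUES (?, ?, ?)",
                 (customer_id, purpose, int(row is not None)))
    return row[0] if row else None

def lift(conn, customer_id, subject_notified):
    if not subject_notified:
        raise PermissionError("inform the data subject before lifting")
    conn.execute("UPDATE restrictions SET lifted = 1 WHERE customer_id = ?",
                 (customer_id,))
```

Rows in access_log with served = 0 are the attempts to review when checking whether a process tried to use restricted data.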

Frequently asked questions

What is the difference between restriction and erasure?

With erasure, the data is permanently deleted. With restriction, the data is kept but you cannot use it. Restriction is useful when the data may still be needed - for example, during a dispute about accuracy, or when the data subject needs the data for legal claims.

Can I still back up restricted data?

Storage is explicitly allowed during restriction. Including restricted data in regular backups as part of normal storage operations is generally acceptable. However, you must not actively use backup data for any processing purpose beyond storage.

What if I accidentally process restricted data?

This is a potential data breach. Document what happened, assess the risk to the data subject, and inform them. If the risk is high, you may need to notify the supervisory authority within 72 hours. Review your technical controls to prevent recurrence.

GDPRWise Editorial

This article was written by the GDPRWise team and reviewed by our privacy experts. We regularly review our content for accuracy and legal correctness.