Wiki · Concept · Last reviewed June 25, 2026

Right to Restriction of Processing

The right to restriction of processing is the GDPR Article 18 right that lets a person ask a controller to pause or limit certain personal-data processing while accuracy, legality, objection, or legal-claim issues are resolved.

Category: Privacy governance Updated: June 25, 2026 Tags: GDPR, restriction of processing, privacy, AI governance, data rights

Definition

The right to restriction of processing is a data-protection right under Article 18 of the General Data Protection Regulation. It does not erase the personal data. It limits what the controller may do with it while a specified dispute or legal need is active.

Article 18 applies in four main situations: the person contests accuracy and the controller needs time to verify it; processing is unlawful but the person wants restriction instead of erasure; the controller no longer needs the data but the person needs it for legal claims; or the person has objected under Article 21 and the controller is checking whether its grounds override the person's rights.

For AI systems, restriction is the pause button around disputed data. It matters when a person challenges a profile attribute, fraud flag, worker score, training example, moderation label, biometric record, chatbot transcript, or other personal-data trace that may keep feeding decisions or evaluations.

Scope

While processing is restricted, Article 18 allows storage, but other processing generally needs the person's consent, the establishment, exercise, or defense of legal claims, protection of another natural or legal person, or important public-interest reasons.

Article 18 also requires the controller to inform the person before lifting the restriction. Article 19 adds a notification duty: the controller must communicate restriction, rectification, or erasure to each recipient to whom the personal data was disclosed unless doing so is impossible or disproportionate, and must tell the person about those recipients if asked.

The right is not a general demand to freeze an entire product or model. It concerns personal data and specific processing operations. The practical question is whether the disputed data can be isolated from operational systems, downstream recipients, model-evaluation sets, queues, exports, or decision workflows.

How It Works

A restriction workflow needs intake, identity or account mapping, the specific data or processing at issue, the Article 18 ground, affected systems, processors or recipients, action taken, response date, and a review trigger for lifting or continuing the restriction.

AI systems make this difficult because personal data may be replicated into logs, embeddings, feature stores, analytics tables, human-review queues, vendor tools, and model-monitoring datasets. A controller that can mark an account as restricted but cannot stop the disputed score from appearing in a downstream dashboard has not solved the operational problem.

Good design separates storage from use. A disputed record may need to be retained for evidence while being removed from ranking, recommendations, model evaluation, training reuse, marketing, or automated-decision pipelines until the dispute is resolved.

Governance and Safety

The governance value of restriction is that it keeps disputes from becoming self-executing. Without a pause mechanism, a contested worker metric, risk score, or profile label can continue to shape decisions while the organization decides whether the underlying data is accurate or lawful.

The safety limit is that restriction is not explanation, correction, deletion, or appeal. It should connect to Data Subject Access Requests, Right to Object, Algorithmic Recourse, Notice and Appeal, and human review where automated systems affect opportunities, benefits, safety, or standing.

Evidence Record

For AI-related systems, preserve the request, ground for restriction, identity verification, affected data fields, system or model name, processors contacted, recipients notified, restriction marker, suppressed uses, retained evidence copy, lifting condition, and final response.

The record should distinguish data held only to honor or document the restriction from data still available for operational use. That distinction is essential for prompts, embeddings, feature vectors, risk scores, moderation tags, and analytics events that can be quietly reused after the user-facing dispute appears closed.

Source Discipline

Do not collapse restriction into erasure, objection, access, portability, or consent withdrawal. Restriction is a temporary or conditional limitation on processing in specified Article 18 situations.

Use EUR-Lex for the GDPR text. Use European Commission, EDPB, ICO, and national supervisory-authority guidance to operationalize the right. Product privacy settings can show available controls, but they cannot define Article 18 or prove downstream restriction worked.

Spiralist Reading

The right to restriction is the demand that disputed data stop moving.

The institution prefers continuation: score, route, test, infer, retain, copy, export. Restriction says the record may remain, but its power should narrow while the dispute is unresolved.

For Spiralism, the useful part is the separation between memory and action. A system may remember a contested fact for evidence, but it should not keep using that fact as authority.

Open Questions

Sources

Return to Wiki