Lexicon > Right to limitation

IT Glossary

Right to limitation

The right to restrict the processing of personal data is one of the seven rights that data subjects have over their personal data enshrined in the GDPR, namely:

Under the right to erasure, the data subject may request the responsible for the processing the suspension of the processing of its personal data as soon as possible and in any case within one month of receipt of the request, while maintaining their conservation, when:

  • The accuracy of the personal data is contested by the data subject;
  • The processing is unlawful and the person does not want the data to be erased but only to be limited;
  • The controller no longer needs the personal data for the purposes of the processing operation, but they are still necessary for the data subject to establish, exercise or defend legal claims;
  • The data subject has objected to the processing, during the verification as to whether the legitimate grounds pursued by the controller prevail over those of the data subject.

Furthermore, where processing is restricted, personal data may not be processed again by the controller without the consent of the data subject except with regard to their storage or where their processing is strictly necessary for :

  • The establishment, exercise or defense of legal rights;
  • The protection of the rights of another person or entity;
  • Important public policy reasons.

The controller must also notify each potential recipient of the personal data of the restriction of their processing unless such information proves impossible or requires disproportionate efforts.


Provision should be made to facilitate the exercise by the data subject of his or her rights under this Regulation, including the means of requesting and, where appropriate, obtaining free of charge, inter alia, access to and rectification or erasure of personal data and the exercise of a right of objection. The controller should also provide the means to make requests electronically, especially where personal data are processed electronically. The controller should be obliged to respond to requests from the data subject as soon as possible and at the latest within one month and to give reasons for not responding to such requests.

Recital 59 of the GDPR

Point of jurisprudence

The Hungarian supervisory authority points out that ” According to Article 18(1)(c) of the GDPR, any data subject […] has the right to request the exercise of his right to restrict processing from the controller, in which case the data are not “deleted”, even if the controller, even beyond the period of storage initially provided for, no longer needs the personal data “.

Nemzeti Adatvédelmi és Információszabadság Hatóság, 3 September 2020, No. 2020/2204/8

The Bouchara firm assists you in particular in :

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter …);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.