How to Demonstrate Compliance With GDPR Article 18

GDPR Compliance Software

Book a demo

shot,of,a,man,working,in,an,office

GDPR Article 18 deals with a data subject’s ability to request the blocking of data where, processing activities have been deemed unlawful.

Under GDPR law, data subjects can limit the amount of processing that’s performed on their data.

If an individual asks a data controller to restrict their processing activities, organisations are only then allowed to store said data, and are unable to share it with third parties or process it in any other way without the data subject’s express consent.

GDPR Article 18 Legal Text

EU GDPR Version

Right to restriction of processing

  1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
    • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
    • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
    • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
    • the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

  2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
  3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

UK GDPR Version

Right to restriction of processing

  1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
    • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
    • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
    • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
    • the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

  2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
  3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Technical Commentary

Data subjects have four legal grounds through which to make a request that restricts the processing of their data:

  1. the accuracy of the data;
  2. illegal/unlawful processing activities;
  3. in support of legal claims;
  4. official objections (in line with Article 21 GDPR).

Organisations are able to fall back upon a series of conditions that allow them to continue to process the data in the same way, even though a request has been received to restrict such operations:

  • the data subject has provided consent to other processing activities;
  • in support of a legal claim or court case;
  • the protection of the individual rights and freedoms of another person;
  • where there is an important public interest.
Simple. Secure. Sustainable.

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

ISO 27701 Clause 7.2.2 and EU GDPR Article 18 (2)

Identifying a Lawful Basis

To form a legal basis for processing PII, organisations should confirm and document:

  1. consent from PII principals;
  2. a contract;
  3. any other legal obligations;
  4. that the the interests of the various PII principals are being protected;
  5. the fact that tasks are being carried out in the public interest;
  6. that PII processing is a legitimate interest.

ISO 27701 Clause 7.3.2 and EU GDPR Article 18 (3)

Determining Information for PII Principals

Organisations need to document the information that PII principals receive, relating to the processing of PII.

Organisations should adhere to a set of requirements that dictate when information is to be provided to PII principals

  • the purpose of the data being collected;
  • contact details;
  • how the data was obtained;
  • any prevailing legal, contractual and/or statutory requirements;
  • how individuals are able to remove consent;
  • data transfers to third party organisations, including international transfers;
  • how individuals are able to log a complaint;
  • how the organisation makes internal decisions relating to the processing of PII;
  • data retention periods.

ISO 27701 Clause 7.3.4 and EU GDPR Article 18

In this section we talk about GDPR Articles 18 (1)(a), 18 (1)(b), 18 (1)(c) and 18 (1)(d)

Providing Mechanism to Modify or Withdraw Consent

Organisations need to provide a mechanism for data subjects who want to withdraw consent (that are in accordance with the methods first used to collect the data). Data subjects should also be able to restrict the organisation from performing certain action.

When facilitating the above two functions, organisations should adhere to reasonable response and resolution times that adequately reflect the level of work required.

Index of Linked EU GDPR Articles and ISO 27701 Clauses

GDPR ArticleISO 27701 ClauseISO 27701 Supporting Clauses
EU GDPR Article 18 (2)ISO 27701 7.2.2None
EU GDPR Article 18 (3)ISO 27701 7.3.2None
EU GDPR Articles 18 (1)(a), 18 (1)(b), 18 (1)(c) and 18 (1)(d)ISO 27701 7.3.4None

How ISMS.online Helps

ISMS.online makes it easy for you to jump straight into your journey to GDPR compliance and to easily demonstrate level of protection that goes beyond ‘reasonable’, all in one secure, always-on location.

The ISMS.online platform has built-in guidance at each step combined with our ‘Adopt, Adapt, Add’ implementation approach so the effort required to demonstrate your approach to GDPR is substantially reduced. You will also benefit from a range of powerful time-saving features.

Find out more by booking a short demo today.

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

We’re cost-effective and quick

Discover how that will boost your ROI
Get your quote

Explore ISMS.online's platform with a self-guided tour - Start Now