GDPR Art. 18 grants users the right to request restriction of processing in four specific circumstances: the accuracy of the data is contested (for the time needed to verify it), the processing is unlawful but the user opposes erasure and asks for restriction instead, the controller no longer needs the data but the user needs it for legal claims, or the user has objected under Art. 21 and the balancing test is still pending. This right is rarely exercised but must be possible to honor. An application with no restriction mechanism and no documented process cannot respond to an Art. 18 request within the one-month window of Art. 12(3) (extendable by two further months for complex requests). Crucially, a restriction flag must actually prevent the data from being used in analytics exports, marketing sends, and third-party pipelines; under Art. 18(2) restricted data may, apart from storage, only be processed with the user's consent, for legal claims, to protect another person's rights, or for important public interest, and under Art. 18(3) the user must be informed before the restriction is lifted. A flag that exists in the database but is never checked in application code is not compliance.
Low because Art. 18 requests are infrequent in practice for most SaaS products, but the absence of any mechanism means zero ability to comply when a request arrives, which is a clear-cut regulatory gap.
Add a processingRestricted boolean to your users table and expose a self-service restriction endpoint. Honor the flag everywhere personal data is used outside direct service delivery.
// app/api/user/restrict/route.ts
// Imports added so the handler is runnable; the '@/lib/...' paths are
// assumptions about where this project keeps its NextAuth options, Prisma
// client and notification helper.
import { getServerSession } from 'next-auth'
import { authOptions } from '@/lib/auth'
import { db } from '@/lib/db'
import { notifyPrivacyTeam } from '@/lib/privacy'

export async function POST() {
  // Only the authenticated user may restrict their own record (authOptions
  // is required by getServerSession in the App Router).
  const session = await getServerSession(authOptions)
  if (!session?.user?.id) return new Response('Unauthorized', { status: 401 })
  // Set the flag immediately so downstream jobs stop using the data while
  // the privacy team reviews the request.
  await db.user.update({
    where: { id: session.user.id },
    data: { processingRestricted: true, restrictionRequestedAt: new Date() }
  })
  await notifyPrivacyTeam({ userId: session.user.id, type: 'restriction_request' })
  return Response.json({ ok: true })
}
Check processingRestricted before including users in analytics exports, marketing sends, or third-party data shares. Add the right to your privacy policy: "You have the right to request restriction of processing under Art. 18 GDPR. Contact privacy@example.com."
ID: gdpr-readiness.user-rights.right-to-restrict
Severity: low
What to look for: GDPR Article 18 grants users the right to restrict processing in specific circumstances: when accuracy is contested, when processing is unlawful but the user opposes erasure, when the controller no longer needs the data but the user needs it for legal claims, or when the user has objected to legitimate interest processing. Look for a "Restrict processing" option in user settings, a contact mechanism for making such a request, or an internal process for handling restriction requests. At minimum, there should be a documented process (even if manual) for handling these requests, a way for users to flag their account, and an internal mechanism to honor restrictions (e.g., a processing_restricted flag on the user record that prevents certain data uses). Count all instances found and enumerate each.
Pass criteria: There is either a self-service restriction mechanism in the UI, or a documented and accessible process for users to request restriction by contacting the privacy team. Restriction requests are tracked. A processing_restricted or equivalent flag on the user record prevents restricted data from being used in analytics, exports to third parties, or automated processing. At least 1 implementation must be confirmed.
Fail criteria: No restriction mechanism exists and no documented process for handling restriction requests. The privacy policy does not mention the right to restrict processing.
Skip (N/A) when: Application has no user accounts, or processes personal data only under legal obligation (where restriction rights do not apply to that processing activity).
Detail on fail: Example: "No processing restriction mechanism found. Privacy policy does not mention the right to restrict processing. No documented internal process for handling Art. 18 requests."
Remediation: Implement a minimal restriction mechanism:
// Database: add a flag to the users table (prisma/schema.prisma)
model User {
  // ...existing fields
  processingRestricted   Boolean   @default(false)
  restrictionRequestedAt DateTime?
}
// app/api/user/restrict/route.ts
// Imports added so the handler is runnable; the '@/lib/...' paths are
// assumptions about where this project keeps its NextAuth options, Prisma
// client and notification helper.
import { getServerSession } from 'next-auth'
import { authOptions } from '@/lib/auth'
import { db } from '@/lib/db'
import { notifyPrivacyTeam } from '@/lib/privacy'

export async function POST() {
  // Only the authenticated user may restrict their own record (authOptions
  // is required by getServerSession in the App Router).
  const session = await getServerSession(authOptions)
  if (!session?.user?.id) return new Response('Unauthorized', { status: 401 })
  // Set the flag immediately so downstream jobs stop using the data while
  // the privacy team reviews the request.
  await db.user.update({
    where: { id: session.user.id },
    data: {
      processingRestricted: true,
      restrictionRequestedAt: new Date(),
    }
  })
  // Notify privacy team to review and respond within one month (Art. 12(3))
  await notifyPrivacyTeam({ userId: session.user.id, type: 'restriction_request' })
  return Response.json({ ok: true, message: 'Processing restriction requested.' })
}
Check the processingRestricted flag before including users in analytics exports, marketing sends, or third-party data shares, ideally at one choke point that every bulk job calls rather than in each job separately. Under Art. 19, also inform each recipient you have already disclosed the data to about the restriction, unless that proves impossible or involves disproportionate effort. Add this right to your privacy policy: "You have the right to request restriction of processing of your personal data. Contact us at privacy@example.com."
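The flag above only becomes compliance when something enforces it. The following is an added example, not code from the page's project, showing one enforcement layer for the checks described in the summary and remediation sections: a single purpose-aware gate that bulk jobs call, a matching query filter so the database excludes restricted users before the job even sees them, and a lift operation that refuses to clear the flag until the Art. 18(3) notice to the data subject has been recorded. The Purpose names, the UserRecord shape and the sample users are constructed for the example; the Prisma-style where clause assumes the processingRestricted column from the schema above.

```typescript
// Added example: enforcing an Art. 18 restriction flag at the points where
// personal data leaves direct service delivery. Hypothetical helpers; the
// purpose names and user shape are assumptions for this example.

// Art. 18(2): while restricted, data may (apart from storage) only be
// processed with the user's consent, for legal claims, to protect another
// person's rights, or for important public interest. Everything else
// (analytics, marketing, third-party sharing) must be blocked.
type Purpose =
  | 'storage'
  | 'consent'
  | 'legal_claims'
  | 'protect_others_rights'
  | 'public_interest'
  | 'analytics_export'
  | 'marketing'
  | 'third_party_share';

const PERMITTED_WHILE_RESTRICTED: ReadonlySet<Purpose> = new Set<Purpose>([
  'storage', 'consent', 'legal_claims', 'protect_others_rights', 'public_interest',
]);

interface UserRecord {
  id: string;
  email: string;
  processingRestricted: boolean;
  restrictionRequestedAt: Date | null;
}

// True when this purpose may proceed for this user.
function mayProcess(user: UserRecord, purpose: Purpose): boolean {
  if (!user.processingRestricted) return true;
  return PERMITTED_WHILE_RESTRICTED.has(purpose);
}

// Single choke point every bulk job calls. Returns the users it may process
// and the ids it held back, so the privacy team can see the restriction bit.
function partitionForPurpose(users: UserRecord[], purpose: Purpose) {
  const allowed: UserRecord[] = [];
  const heldBack: string[] = [];
  for (const u of users) {
    if (mayProcess(u, purpose)) allowed.push(u);
    else heldBack.push(u.id);
  }
  return { allowed, heldBack };
}

// Prisma-style where clause (assumed column name) so bulk queries exclude
// restricted users in the database instead of trusting callers to filter.
function whereForPurpose(purpose: Purpose): { processingRestricted?: false } {
  return PERMITTED_WHILE_RESTRICTED.has(purpose) ? {} : { processingRestricted: false };
}

// Art. 18(3): the data subject must be informed before a restriction is
// lifted. Refuse to clear the flag unless that notice has been recorded.
function liftRestriction(user: UserRecord, subjectInformedAt: Date | null): UserRecord {
  if (!user.processingRestricted) return user;
  if (!subjectInformedAt) {
    throw new Error(`user ${user.id}: inform the data subject before lifting the restriction`);
  }
  return { ...user, processingRestricted: false, restrictionRequestedAt: null };
}

// Constructed sample data: u2 has requested restriction.
const SAMPLE_USERS: UserRecord[] = [
  { id: 'u1', email: 'a@example.com', processingRestricted: false, restrictionRequestedAt: null },
  { id: 'u2', email: 'b@example.com', processingRestricted: true, restrictionRequestedAt: new Date('2024-05-01T00:00:00Z') },
  { id: 'u3', email: 'c@example.com', processingRestricted: false, restrictionRequestedAt: null },
];

// A marketing send must skip u2; a legal-claims export may still include them.
const marketingRun = partitionForPurpose(SAMPLE_USERS, 'marketing');
const legalRun = partitionForPurpose(SAMPLE_USERS, 'legal_claims');
console.log(marketingRun.heldBack, legalRun.heldBack); // [ 'u2' ] []
```

Route the marketing, analytics and third-party export jobs through partitionForPurpose (or build their queries with whereForPurpose) and log the heldBack ids with each run; that log is the evidence an auditor will ask for that the flag is honored, and liftRestriction keeps a privacy-team tool from silently re-enabling processing before the user has been told.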