Lesson 12 of 25
Data Subject Rights II: Restriction, Objection, Portability, Automated Decisions
5 min read · CIPP/E
Nail the precise conditions on restriction, objection (absolute for marketing), portability, and Article 22 automated decisions and profiling—the exact conditions the exam's wrong answers misstate.
The rest of the rights toolkit
- Article 18 — restriction of processing
- Article 21 — objection
- Article 20 — data portability
- Article 22 — automated decisions and profiling
We finish data subject rights with four more, and each has a precise trigger the exam tests. Restriction lets a person freeze processing temporarily. Objection lets them stop certain processing for reasons relating to their situation.
Portability lets them move their data elsewhere. And Article 22 limits decisions made about people purely by machines. These are more nuanced than access or erasure, so pay attention to the conditions on each, because the wrong-answer choices on the exam usually misstate exactly those conditions.
Restriction of processing (Article 18)
- A temporary 'pause' on processing
- Triggers: accuracy contested; processing unlawful but no erasure wanted
- Data no longer needed but kept for legal claims; objection pending
- While restricted: store only, with limited exceptions
Article 18 gives the right to restriction of processing, which you can think of as a pause button. It applies in four situations: the data subject contests the accuracy of the data, for a period allowing you to verify it; the processing is unlawful but the person prefers restriction over erasure; you no longer need the data but the person needs it for a legal claim; or the person has objected and you are weighing whether your grounds override theirs. While processing is restricted, you may generally only store the data, not otherwise use it, except with consent, for legal claims, to protect another person, or for important public interest.
Restriction is temporary and conditional; that is the heart of what the exam tests here.
The right to object (Article 21)
- Object to processing based on legitimate interests or public task
- Controller must stop unless compelling overriding grounds
- Direct marketing — absolute right to object, no balancing
- Must be made clear, separately, at first communication
Article 21 gives the right to object. Where processing relies on legitimate interests or on a public-interest task, the data subject can object on grounds relating to their particular situation, and the controller must stop unless it demonstrates compelling legitimate grounds that override the person's interests, or the processing is needed for legal claims. But there is a special, much stronger version: where data is processed for direct marketing, the right to object is absolute.
There is no balancing test: you must stop on request, full stop. And this right must be brought to the person's attention explicitly and separately, at the latest at the first communication. Direct marketing being an absolute opt-out is a favourite exam point.
Data portability (Article 20)
- Receive your data in a structured, common, machine-readable format
- Transmit it to another controller; direct transfer where feasible
- Only when basis is consent OR contract AND processing is automated
- Narrower than people assume
Article 20 gives the right to data portability, and its conditions are narrower than people expect, which the exam exploits. A data subject can receive the personal data they provided in a structured, commonly used, machine-readable format, and have it transmitted to another controller, with a direct controller-to-controller transfer where technically feasible. But portability applies only when two conditions are both met: the processing is based on consent or on a contract, and the processing is carried out by automated means.
So data processed under legitimate interests, or under a legal obligation, is not portable. And it covers data the person provided, including through their activity, not data you inferred or derived about them. Remember consent-or-contract plus automated, and provided data only.
Automated decisions and profiling (Article 22)
- Right not to be subject to solely automated decisions with legal/similar effect
- Exceptions: necessary for a contract; authorised by law; explicit consent
- Safeguards: human intervention, express view, contest the decision
- Extra limits on using special-category data
Article 22 addresses decisions made about people without human involvement. The rule is that a data subject has the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects them; think of an automated loan refusal or job-application rejection. The word 'solely' matters: meaningful human involvement takes it outside Article 22.
There are three exceptions allowing such automated decisions: where it is necessary for entering into or performing a contract; where authorised by EU or member-state law; or where based on the person's explicit consent. Even then, the controller must put safeguards in place, at least the person's right to obtain human intervention, to express their point of view, and to contest the decision. And solely automated decisions generally cannot use special-category data unless tighter conditions are met.
Restrictions on the rights and recap
- Article 23 — EU/member-state law can restrict the rights
- E.g. national security, defence, crime prevention
- Restrictions must respect the essence of the right and be proportionate
- Recap: restriction, objection, portability, automated decisions
Finally, the rights are not unlimited. Article 23 allows EU or member-state law to restrict the scope of these rights and obligations when necessary and proportionate to safeguard important objectives such as national security, defence, public security, the prevention of crime, or other important public interests. Any such restriction must respect the essence of the fundamental right and be a proportionate measure.
So when the exam describes a law-enforcement or national-security carve-out, think Article 23. To recap this lecture: Article 18 restriction is a temporary pause; Article 21 objection can be balanced, except for direct marketing which is absolute; Article 20 portability needs consent or contract plus automated processing; and Article 22 limits solely automated decisions with significant effects. That completes Domain two.
Go take the Domain two practice test before we move into European data processing.
Sources
- Regulation (EU) 2016/679 (GDPR), Article 18 (restriction), Article 20 (portability), Article 21 (objection), Article 22 (automated decisions and profiling), Article 23 (restrictions on rights)
- EDPB / former Article 29 Working Party guidance on automated decision-making
Test your knowledge
A few CIPP/E questions on this material.
Q1. A research institution collects patient health records for a cardiovascular study. Two years later, it wants to use the same records for a separate oncology study. Which test determines whether this is permissible without fresh consent?
Q2. Which Article 5 principle requires that personal data be kept in identifiable form for no longer than necessary for the purposes for which it is processed?
Q3. A trade union wants to process the health data of its members in connection with an occupational-safety campaign. Which combination of legal grounds is required?
Q4. A company purchases a marketing list from a data broker and starts contacting the individuals on it. Under which Article must the company provide a privacy notice, and when?