Pursuant to Article 23 GDPR, EU or Member State law may restrict the scope of certain data subject rights in order to safeguard certain objectives, namely:
- National security;
- Public security;
- The prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;
- Other important objectives of general public interest of the EU or of a Member State;
- The protection of judicial independence and proceedings;
- The prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
- A monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the aforementioned cases (except for the protection of judicial independence and proceedings);
- The protection of the data subject or the rights and freedoms of others; or
- The enforcement of civil law claims.
For any restriction to be lawful, Article 23(1) GDPR clarifies that it must be provided for in a legislative measure, concern only the data subject’s rights and the corresponding obligations enshrined in Articles 5, 12-22, and 34 GDPR, respect the essence of fundamental rights and freedoms, and be a necessary and proportionate measure in a democratic society.
As explained by the EDPB, the condition to respect the essence of fundamental rights and freedoms means that the restrictions cannot be so extensive and intrusive that they void these rights and freedoms of their basic content. When it comes to the necessity and proportionality requirements, as the EDPS outlines, the former is satisfied insofar as the objective of general interest is identified in sufficient detail; only then is it possible to evaluate whether the restrictive measure is necessary. As regards proportionality, the legislative measure must be appropriate for achieving the legitimate objectives pursued.
Later, Article 23(2) GDPR provides that the legislative measures restricting the data subject’s rights and the controller’s obligations must include, where relevant:
- The purposes of the processing or categories of processing;
- The categories of personal data;
- The scope of the restrictions introduced;
- The safeguards to prevent abuse or unlawful access or transfer;
- The specification of the controller or categories of controllers;
- The storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
- The risks to the rights and freedoms of data subjects; and
- The right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.
In its Guidelines, the EDPB also clarifies that “the controller should document the application of restrictions on concrete cases by keeping a record of their application”, in compliance with the accountability principle (Article 5(2) GDPR). This record should contain the applicable reasons for the restrictions, which of the grounds listed in Article 23(1) GDPR apply, their timing, as well as the outcome of the necessity and proportionality test.
1. European Data Protection Board, Guidelines 10/2020 on Restrictions under Article 23 GDPR, adopted on 15 December 2020, p. 10, available at: https://edpb.europa.eu/our-work-tools/documents/public-consultations/2020/guidelines-102020-restrictions-under-article-23_en [last access: 15.09.2021]
3. Ibidem, p. 14