Article 23 GDPR provides a framework for exceptional situations where EU or Member States may restrict the application of certain provisions in the GDPR relating to the rights of data subjects or the obligations of controllers and processors (stipulated in Articles 5, 12-22 and 34 GDPR), for instance, where they consider it necessary to safeguard national security, important objectives of general public interest or protect data subjects.
The Guidelines set out the EDPB's view as to the application of Article 23, analyse the criteria that apply to the restrictions, clarify how data subjects can exercise their rights once the restriction is lifted and address the consequences of infringement.
The EDPB emphasises that the restrictions should be interpreted narrowly, and should only be applied in specific circumstances where the conditions under Article 23 are met. The EDPB also notes that the accountability principle in Article 5(2) GDPR is still applicable when considering the restrictions and means that controllers remain responsible for, and must be able to demonstrate to data subjects their compliance with the GDPR.
The Guidelines highlight the following key points:
- imposing restrictions on the data protection principles must only be done in exceptional circumstances and even then must not restrict the protection of personal data in its entirety;
- when considering the restrictions, the EU or national legislator must carry out a necessity and proportionality test;
- a Member State legislator must consult with the relevant supervisory authorities (in accordance with Article 36(4) GDPR) before adopting or enacting any restrictions; and
- where a restriction has been applied, data subjects must continue to be allowed to exercise their rights in respect of the non-restricted provisions. Once the restriction is lifted (which the controller must document), data subjects should be able to revert to exercising all their rights and be informed by the controller of this fact.
Compared to the consultation version, the EDPB has expanded the final Guidelines to include some practical examples. For instance, in relation to what constitutes "other important objectives of general public interest", the Guidelines discuss a restriction to the right of access by a data subject imposed by a tax administration insofar as this access could jeopardise an ongoing investigation. The EDPB explains that such a restriction should be limited in time, necessary for the specific investigation and subject to appropriate safeguards.
A further example concerns the general public interest objective of accessibility of the law, where a public administration may impose restrictions to the right to object to the processing of pseudonymised personal data contained in court decisions, where the processing is performed to benchmark compensation amounts claimed and awarded in personal injury cases. Such restrictions may be imposed if the conditions under Article 23(2) GDPR are met, such as if appropriate safeguards have been implemented (e.g. the approximation of compensation amounts, the deletion of the first and last names of the parties to the dispute and the data pseudonymisation).
In addition to numerous technical changes, the final Guidelines also removed a statement about the powers of supervisory authorities to commence or otherwise engage in legal proceedings in court if they consider the legislative measures imposing restrictions under Article 23 to infringe the GDPR.
Read the press release EDPB adopts Guidelines on restrictions of data subject rights under Article 23 GDPR following public consultation and the Guidelines 10/2020 on restrictions under Article 23 GDPR.