On October 2021, the European Data protection board (EDPB) adopted a final version of the guidelines on restrictions of data subject rights under Art. 23 (Guidelines) of the General Data Protection Regulation (GDPR). The Guidelines aim to recall the conditions surrounding the use of such restrictions by Member States or the EU legislator in light of the Charter of Fundamental Rights and the GDPR.
The scope of Article 23 of the GDPR
According to the Guidelines, the restrictions must be set out in a clear and precise legislative measure, which should also adequately indicate the circumstances and conditions in which the restrictions will apply. Article 23 of the GDPR allows for Union or the Member States to restrict the scope of the obligations and rights provided for under the Articles 12 to 22, Article 34, as well as Article 5 of the GDPR when the restriction is necessary and proportionate to safeguard national security, defense, or public security, among other matters.
The Article in question, if imposed, could restrict a wide scope of data subject’s rights; therefore, it is necessary to understand it. The Guidelines aim to provide a thorough analysis of the criteria to apply the restrictions, the assessments that need to be observed, answer how data subjects can exercise their rights after the restrictions are applied, and the consequences of infringements. The Guidelines also explain a definition of “restrictions” a term undefined in GDPR.
The grounds for these restrictions contain an exhaustive list, from which a few relevant examples are provided below:
- in certain cases, providing information to the data subjects who are under investigation might jeopardize the success of that investigation. The restriction of the right to information or other data subject’s rights may be necessary, for instance, in the framework of anti-money laundering or the activities of forensic laboratories;
- for allegations of harassment in the workplace, whistle-blowers, where the need to protect the identity of certain workers may be required. In such case, a legislative measure may provide that the person subject to an inquiry or disciplinary proceedings may experience a limitation to his or her right of access, where the identity of an alleged victim or witness whistle-blower cannot be disclosed to protect him or her from retaliation.
What rights can be restricted?
The rights that could potentially be restricted include Articles 12 to 22, Article 34 of the GDPR, and Article 5 as far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22. The following include: the restrictions to rights concerning the right to transparent information, right to information, right of access, right to rectification, right to erasure, right to restriction of processing, notification obligation regarding rectification or erasure of personal data, or restriction of processing, right to data portability, right to object, right not to be subject to an automated individual decision making.
Other rights that are not within the scope of Article 23 of the GDPR cannot be restricted, so, e.g., data subjects still retain rights such as lodging a complaint to the supervisory authority (Art. 77 of the GDPR).
The Guidelines set out a list of additional actions that organizations should undertake when relying on restrictions, such as documenting how the restrictions were applied, including the applicability of the necessity and proportionality test.
What to take out from this?
The key points of Guidelines:
- EBDP highlights that the list of restrictions in Art. 23 of the GDPR is exhaustive;
- the EDPB highlights that restricting the scope of the obligations and rights provided may take different forms but may never reach the point of a general suspension of all rights;
- EDPB considers that restrictions imposed for a duration not precisely limited in time do not meet the foreseeability criterion, including when such restrictions apply retroactively or are subject to undefined conditions;
- in case the organization has a data protection officer (DPO), the DPO shall be informed. DPO should be given access to the relevant records concerning the factual or legal context in which the restriction takes place;
- organizations should document the application of restrictions on particular cases by keeping a record of their applications.
The content of this article is intended to provide a general guide to the subject matter. The expert should be consulted for the assessment of the specific situation. If you need assistance in matters involving data subjects’ rights restrictions, please consult the experts of ECOVIS ProventusLaw.
The review was prepared by ECOVIS ProventusLaw data protection group’s experts.