On 13 October 2021, the European Data Protection Board (EDPB) adopted the final version of its Guidelines (10/20) on restrictions of data subject rights under article 23 of the General Data Protection Regulation ((EU) 2016/679) (GDPR) (the Guidelines) during its forty-third plenary session. The adoption comes after a public consultation on the EDPB’s draft guidelines, which was concluded in February 2021. The Guidelines aim to provide clarity on the application of article 23 of the GDPR.
Article 23 GDPR
The rights of data subjects under the GDPR are set out in articles 5, 12 to 22 and 34. Article 23 lists the conditions under which EU member states can restrict these rights, by legislative measures, in order to protect the rights and freedoms of others; examples include safeguarding national and public security, enforcing civil law claims, and protecting judicial independence.
In a press release of 19 October 2021 following the publication of the Guidelines, the EDPB specified that the Guidelines:
- aim to recall the conditions surrounding the use of such restrictions by EU member states or the EU legislator in light of the EU Charter of Fundamental Rights and the GDPR;
- provide a thorough analysis of the criteria to apply restrictions, the assessments that need to be observed, how data subjects can exercise their rights after the restrictions are lifted, and the consequences of infringements of article 23 GDPR; and
- analyse how the legislative measures setting out the restrictions need to meet the foreseeability requirement and examine the grounds for the restrictions listed in article 23 GDPR, and the obligations and rights which may be restricted.
Notably, the GDPR contains no definition of ‘restrictions’. The Guidelines, however, define the term ‘restrictions’ as any limitation of the scope of the obligations and rights provided for in articles 12 to 22 and 34 GDPR, as well as the corresponding provisions of article 5.
The Guidelines state that the restrictions concern the right to transparent information, the right to information, the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the notification obligation regarding rectification or erasure of personal data or restriction of processing, the right to data portability, the right to object, and the right not to be subject to automated individual decision-making. Any other data subject rights, such as the right to lodge a complaint with a supervisory authority, and other controller obligations cannot be restricted. Restrictions should be seen as exceptions to the general rule that allows the exercise of these rights and imposes the obligations enshrined in the GDPR. They should be interpreted narrowly and applied only in specific circumstances and only when certain conditions are met.
Further, the Guidelines note that restrictions must pass a necessity and proportionality test to comply with the GDPR, and that this test should be carried out before the legislator decides to provide for a restriction. As such, restrictions that are so extensive and intrusive that they void fundamental rights cannot be justified.