Article 23 GDPR: Difference between revisions
m (→Commentary)
(2 intermediate revisions by the same user not shown)
Line 231: | Line 231: | ||
==Commentary== | ==Commentary== | ||
Data protection principles, data subject rights and controller obligations are not absolute. They can each be limited, restricted or lightened by way of Union or Member State law. In order to be lawful, however, the limitation must fulfill the requirements set out in Article 23 GDPR. | Data protection principles, data subject rights and controller obligations are not absolute. They can each be limited, restricted or lightened by way of Union or Member State law. In order to be lawful, however, the limitation must fulfill the requirements set out in Article 23 GDPR. In particular, the measure must (1) respect the essence of the right to data protection, (2) be foreseeable in its effects, (3) reflect a qualified public interest, (4) address only those rights and obligations which can be limited according to the GDPR, (5) necessary, (6) proportionate and (7) provide for specific safeguards and information as laid out in Article 23(2) GDPR. Provided that the measure is valid and lawful (in the sense that it has successfully fulfilled the assessment above), the accountability principle in [[Article 5 GDPR|Article 5(2) GDPR]], would require the controller to document and keep a record of the application of these restrictions in concrete cases. This record should include the practical reasons for the restrictions, which grounds among those listed in Article 23(1) GDPR applied, their timing, and the outcome of the case-specific necessity and proportionality test. The controller should lift the restrictions as soon as the circumstances that justify them no longer apply. If the controller does not allow data subjects to exercise their rights after the restriction has been lifted, the data subject can submit a complaint to the supervisory authority against the controller, in accordance with [[Article 57 GDPR|Article 57(1)(f) GDPR]]. | ||
===(1) Restrictions=== | |||
The right to personal data protection is laid down in Article 8 CFR. This right, as is underlined by the CJEU,<ref>CJEU, Joined Cases C-92/09 and C-93/09, ''Schecke'', 9 November 2018, margin number 48 (available [https://curia.europa.eu/juris/document/document.jsf?docid=79001&doclang=EN here]).</ref> is relative, not absolute. Hence, Article 52(1) of the Charter allows the enactment of limitations to this right, if the provisions’ requirements are fulfilled. Following this rationale, Article 23 GDPR allows Member States and the Union to restrict, limit, or lighten the rights of the data subject, ''“provided for in Articles 12 to 22, Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22”.'' However, since these are exceptions to the general rule of personal data protection, these restrictions<ref>The term “restrictions” is not defined in the GDPR. However, the EDPB defines it as follows: ''“any limitation of scope of the obligations and rights provided for in Articles 12 to 22 and 34 GDPR as well the corresponding provisions in Article 5 in accordance with Article 23 GDPR”'', see EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 6 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-102020-restrictions-under-article-23-gdpr_en here]).</ref> “''should be interpreted narrowly, only applied in specifically provided circumstances and only when certain conditions are met”''. Moreover, even when restrictions apply, the accountability principle remains relevant (Article 5(2) GDPR). Hence, controllers must always be able to demonstrate compliance with the EU data protection framework.<ref>EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 
6 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-102020-restrictions-under-article-23-gdpr_en here]).</ref> Lastly, the legislator must assess whether the restriction is limited to what is strictly necessary. There are several requirements that need to be met, before a restriction is lawful | |||
==== Limited scope ==== | |||
Under Article 23(1) GDPR, the legislative measure can only interfere with the “obligations and rights provided for in Articles 12 to 22 and Article 34, as well as [the principles in] Article 5." The rights which can be restricted are those to transparent information ([[Article 12 GDPR]]), information ([[Article 13 GDPR|Articles 13]] and [[Article 14 GDPR|14 GDPR]]), access ([[Article 15 GDPR]]), rectification ([[Article 16 GDPR]]), erasure ([[Article 17 GDPR]]), restriction of processing ([[Article 18 GDPR]]), notification obligation regarding rectification or erasure of personal data or restriction of processing ([[Article 19 GDPR]]), data portability ([[Article 20 GDPR]]), object ([[Article 21 GDPR]]), and refusal of automated individual decision making ([[Article 22 GDPR]]). This means that any other data subjects’ rights, such as the right to lodge a complaint to the supervisory authority ([[Article 77 GDPR]]), or other controller obligations, cannot be restricted under this provision. | |||
The | ==== Legislative measure ==== | ||
The restriction must be specified in Union or Member State law. As recital 41 specifies, this legislative measure must not necessarily be a legislative act adopted by a parliament.<ref>However, the restriction must certainly be laid down in Union or Member State law. In a recent judgement, the CJEU reiterated the importance of this requirement. The Court determined that “''the tax authority of a Member State may not derogate from Article 5(1) of that regulation where such a right has not been conferred on it by a legislative measure within the meaning of Article 23(1)''” [unofficial translation], in CJEU, Case C-175/20, ''SIA ‘SS’ v Valsts ieņēmumu dienests,'' 24 February 2022, margin numbers 55-57 (available [https://curia.europa.eu/juris/liste.jsf?num=C-175/20&language=en here]).</ref> What is important, is that it is ''“clear and precise”'', so that its application is ''“foreseeable to persons subject to it, in accordance with the case-law of the CJEU […] and the ECtHR”''. This requirement is sufficed when citizens have an “''adequate indication''” of the circumstances and conditions under which controllers can impose such restrictions. Moreover, the EDPB stipulates that restrictions must not necessarily be limited in time or linked to a timeframe, to meet the foreseeability criterion.<ref>EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 8 (available [https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf here]).</ref> In this respect, the restrictive measure must be sufficiently clear and give citizens an adequate indication of the circumstances that justify controllers to invoke it lawfully.<ref>EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 7 (available here), which also review the case law of the Court of Justice of the European Union (CJEU) and of the European Court of Human Rights (ECtHR). 
See in particular footnote 8 of the Guidelines which mentions “European Court of Human Rights, 14 September 2010, Sanoma Uitgevers B.V. v. The Netherlands, EC:ECHR:2010:0914JUD003822403, margin number 83: “''Further, as regards the words “in accordance with the law''” and “prescribed by law” which appear in Articles 8 to 11 of the Convention, the Court observes that it has always understood the term “law” in its “substantive” sense, not its “formal” one; it has included both “written law”, encompassing enactments of lower ranking statutes and regulatory measures taken by professional regulatory bodies under independent rule-making powers delegated to them by Parliament, and unwritten law. “Law” must be understood to include both statutory law and judge-made “law”. In sum, the “law”is the provision in force as the competent courts have interpreted it”. On the notion of "provided for by law", the criteria developed by the European Court of Human Rights should be used as suggested in CJEU Advocates General opinions in joined cases C203/15 and C698/15, Tele2Sverige AB, ECLI:EU:C:2016:572, paragraphs 137-154 or in case C-70/10, Scarlet Extended, ECLI:EU:C:2011:255, margin number 99.”</ref> It could be that the ground for the restriction is not limited in time because that ground needs to be safeguarded permanently, i.e., safeguarding the “''protection of judicial independence and judicial proceedings”''. Of course, this needs to be assessed in light of the principle of necessity and proportionality. However, if the ground for restriction is, in itself, limited in time, (i.e., because of a state of emergency) the restriction must also be limited in time, and cannot work retroactively. Lastly, the legislative measure should clearly state how the restriction serves the objective.<ref>EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 
8-9 (available [https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf here]).</ref> | |||
==== | ==== Respects the essence of the fundamental rights and freedoms ==== | ||
This means that any restriction that renders the fundamental right void of its content cannot be justified. Hence, a ''general'' exclusion of data subjects’ rights with regard to ''all'' processing operations would not respect the essence. The same goes for a ''general'' limitation to the rights mentioned in Article 23 of ''all'' data subjects, even if this relates to ''specific'' data processing operations or concerns ''specific'' controllers.<ref>Per general EU law, any restriction to a fundamental right cannot violate the restricted right’s very essence. For this reason, the EDPB Guidelines 10/2020 on restrictions under Article 23 GDPR reject the idea of extensive restrictive measures that, for instance, exclude all data subjects’ rights about all processing operations carried out by a controller. See EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 7 (available [https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf here]).</ref> | This means that any restriction that renders the fundamental right void of its content cannot be justified. Hence, a ''general'' exclusion of data subjects’ rights with regard to ''all'' processing operations would not respect the essence. The same goes for a ''general'' limitation to the rights mentioned in Article 23 of ''all'' data subjects, even if this relates to ''specific'' data processing operations or concerns ''specific'' controllers.<ref>Per general EU law, any restriction to a fundamental right cannot violate the restricted right’s very essence. For this reason, the EDPB Guidelines 10/2020 on restrictions under Article 23 GDPR reject the idea of extensive restrictive measures that, for instance, exclude all data subjects’ rights about all processing operations carried out by a controller. See EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 
7 (available [https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf here]).</ref> | ||
==== | ==== Necessary and proportionate in a democratic society ==== | ||
The EDPB notes that Article 5 is one of the most important provisions of the GDPR, and stipulates that restrictions to the principles need to be justified by an exceptional situation if the essence of the fundamental rights are respected, and if they are proportionate and necessary. Moreover, provisions of Article 5 that do not correspond to the rights and obligations in Articles 12 to 22 GDPR, cannot be restricted. | The EDPB notes that Article 5 is one of the most important provisions of the GDPR, and stipulates that restrictions to the principles need to be justified by an exceptional situation if the essence of the fundamental rights are respected, and if they are proportionate and necessary. Moreover, provisions of Article 5 that do not correspond to the rights and obligations in Articles 12 to 22 GDPR, cannot be restricted. | ||
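Review bot: the seven-point checklist added to the opening Commentary paragraph breaks parallelism at items (5) and (6): "(5) necessary, (6) proportionate" carry no verb while every other item does, so it should read "(5) be necessary, (6) be proportionate and (7) provide for specific safeguards ...". In the same added passage, drop the comma in "the accountability principle in Article 5(2) GDPR, would require". Two points in the unchanged context of this hunk: the "(1) Restrictions" paragraph ends "There are several requirements that need to be met, before a restriction is lawful" with a stray comma after "met" and no full stop, and the Schecke citation (Joined Cases C-92/09 and C-93/09) dates the judgment 9 November 2018, whereas it was delivered on 9 November 2010, so the year needs correcting. Finally, in the "Necessary and proportionate in a democratic society" paragraph, "if the essence of the fundamental rights are respected" should be "is respected", since the subject is "essence".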
Line 263: | Line 254: | ||
Hence, it should describe the problem addressed, how it will be addressed, why other less intrusive measures don’t suffice, and demonstrate how this measure meets the State’s or EU’s objective. The EDPB mentions “''restrictions'' [that] ''contribute to safeguarding public health in a state of emergency''” as an example, and stipulates that a measure can only restrict the data subject’s rights, but not deny them.<ref>EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), pp. 12-13 (available [https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf here]).</ref> | Hence, it should describe the problem addressed, how it will be addressed, why other less intrusive measures don’t suffice, and demonstrate how this measure meets the State’s or EU’s objective. The EDPB mentions “''restrictions'' [that] ''contribute to safeguarding public health in a state of emergency''” as an example, and stipulates that a measure can only restrict the data subject’s rights, but not deny them.<ref>EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), pp. 12-13 (available [https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf here]).</ref> | ||
==== | ====To safeguard (qualified public interests)==== | ||
The grounds for restrictions are exhaustively listed in Article 23(1) GDPR. | The grounds for restrictions are exhaustively listed in Article 23(1) GDPR. | ||
===== (a) National | ===== (a) National security, (b) Defense and (c) Public security ===== | ||
These grounds, listed in Article 23(1)(a)-(c) are closely related. National security refers to both the internal, and external security of Member States.<ref>''Paal,'' in Paal, Pauly, DS-GVO BDSG, Article 23, margin number 17 (C.H.Beck 2021, 3rd Edition).</ref> Public security covers the protection of human life, particularly in cases of “''natural or manmade disasters''”.<ref>EDPB referring to recital 73 GDPR, in EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 9 (available [https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf here]). See also, GH Baden-Württemberg, 10 March 2020, 1 S 397/19 (available [[VGH Baden-Württemberg - 1 S 397/19|here]]) stating “''The civil register "serves as a basis for information for the administration, the administration of justice, religious societies under public law and the public. It is recognised in supreme court jurisprudence 'that the individual cannot completely withdraw from his environment without good reason, but must remain accessible and accept that others - also with state assistance - make contact with him' (BVerwG, NJW 2006, 3367ff.)''”''.''</ref> | These grounds, listed in Article 23(1)(a)-(c) are closely related. National security refers to both the internal, and external security of Member States.<ref>''Paal,'' in Paal, Pauly, DS-GVO BDSG, Article 23, margin number 17 (C.H.Beck 2021, 3rd Edition).</ref> Public security covers the protection of human life, particularly in cases of “''natural or manmade disasters''”.<ref>EDPB referring to recital 73 GDPR, in EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 9 (available [https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf here]). 
See also, GH Baden-Württemberg, 10 March 2020, 1 S 397/19 (available [[VGH Baden-Württemberg - 1 S 397/19|here]]) stating “''The civil register "serves as a basis for information for the administration, the administration of justice, religious societies under public law and the public. It is recognised in supreme court jurisprudence 'that the individual cannot completely withdraw from his environment without good reason, but must remain accessible and accept that others - also with state assistance - make contact with him' (BVerwG, NJW 2006, 3367ff.)''”''.''</ref> | ||
===== (d) Prevention, | ===== (d) Prevention, investigation, detection or prosecution of criminal offenses ===== | ||
When personal data is processed for these specific purposes by a competent authority, the GDPR does not apply, since this processing is within the scope of the Law Enforcement Directive.<ref>Article 1(1) in conjunction with Article 2(1) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.</ref> However, recital 19 GDPR clarifies that, when a private (non-competent) body processes personal data for the above-mentioned purposes, the GDPR does apply. Moreover, the recital explains that this is relevant, for example, “''in the framework of anti-money laundering or the activities of forensic laboratories''”. However, once the omitted information can no longer jeopardise the investigation being carried out, it must be provided.<ref>EDPB referring in footnote 11 to “Opinion 1/15 of the CJEU (Grand Chamber) on the Draft PNR Agreement between Canada and the European Union, 26 July 2017, ECLI:EU:C:2017:592”, in EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 
9 (available [https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf here]).</ref> | When personal data is processed for these specific purposes by a competent authority, the GDPR does not apply, since this processing is within the scope of the Law Enforcement Directive.<ref>Article 1(1) in conjunction with Article 2(1) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.</ref> However, recital 19 GDPR clarifies that, when a private (non-competent) body processes personal data for the above-mentioned purposes, the GDPR does apply. Moreover, the recital explains that this is relevant, for example, “''in the framework of anti-money laundering or the activities of forensic laboratories''”. However, once the omitted information can no longer jeopardise the investigation being carried out, it must be provided.<ref>EDPB referring in footnote 11 to “Opinion 1/15 of the CJEU (Grand Chamber) on the Draft PNR Agreement between Canada and the European Union, 26 July 2017, ECLI:EU:C:2017:592”, in EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 9 (available [https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf here]).</ref> | ||
===== (e) Economic and | ===== (e) Economic and financial interests ===== | ||
One can think of examples like the keeping of public registers, or “''the further processing of archived personal data to provide specific information related to the political behaviour under former totalitarian state regimes''”.<ref>EDPB referring in footnote 13 to recital 73, in EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 10 (available [https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf here]).</ref> The EDPB notes, however, that financial burdens on public budgets to comply with the data subjects’ rights are not sufficient to justify a public interest to restrict these rights. As an example, the EDPB also stipulates that any restriction by a Tax Administration to the data subject’s right of access, is only justified if this person is under an investigation by this administration, and the right of access would jeopardise the investigation. Moreover, this restriction must be lifted as soon as the investigation is over. When such a restriction is justified, appropriate safeguards like “indirect access” (when the supervisory authority exercises the right on behalf of the data subject to verify whether the restriction is lawful) must be implemented. Lastly, the EDPB has mentioned, for example, that in order to ensure a public interest objective related to the accessibility of the law, a public administration could restrict the right to object to the processing of pseudonymised personal data if it’s used to develop a benchmark document that clarifies which compensation is fair according to a certain type of damage. However, it also notes that this kind of restriction may take place only when appropriate safeguards are in place.<ref>EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 
10 (available [https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf here]).</ref> | One can think of examples like the keeping of public registers, or “''the further processing of archived personal data to provide specific information related to the political behaviour under former totalitarian state regimes''”.<ref>EDPB referring in footnote 13 to recital 73, in EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 10 (available [https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf here]).</ref> The EDPB notes, however, that financial burdens on public budgets to comply with the data subjects’ rights are not sufficient to justify a public interest to restrict these rights. As an example, the EDPB also stipulates that any restriction by a Tax Administration to the data subject’s right of access, is only justified if this person is under an investigation by this administration, and the right of access would jeopardise the investigation. Moreover, this restriction must be lifted as soon as the investigation is over. When such a restriction is justified, appropriate safeguards like “indirect access” (when the supervisory authority exercises the right on behalf of the data subject to verify whether the restriction is lawful) must be implemented. Lastly, the EDPB has mentioned, for example, that in order to ensure a public interest objective related to the accessibility of the law, a public administration could restrict the right to object to the processing of pseudonymised personal data if it’s used to develop a benchmark document that clarifies which compensation is fair according to a certain type of damage. 
However, it also notes that this kind of restriction may take place only when appropriate safeguards are in place.<ref>EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 10 (available [https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf here]).</ref> | ||
===== (f) Judicial | ===== (f) Judicial independence ===== | ||
The EDPB mentions that “''the scope of these restrictions should be aligned with national legislation regulating these matters”''.<ref>EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 10 (available [https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf here]).</ref> Moreover, ''Bäcker'' and ''Paal'' note that this ground does not include criminal proceedings, since in such cases, Article 23(1)(d) GDPR applies.<ref>''Paal,'' in Paal, Pauly, DS-GVO BDSG Article 23, margin number 33 (C.H.Beck 2021, 3rd Edition) and ''Bäcker'', in Kühling, Buchner, DS-GVO BDSG, Article 23, margin number 25 (C.H.Beck 2020, 3rd Edition).</ref> | The EDPB mentions that “''the scope of these restrictions should be aligned with national legislation regulating these matters”''.<ref>EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 10 (available [https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf here]).</ref> Moreover, ''Bäcker'' and ''Paal'' note that this ground does not include criminal proceedings, since in such cases, Article 23(1)(d) GDPR applies.<ref>''Paal,'' in Paal, Pauly, DS-GVO BDSG Article 23, margin number 33 (C.H.Beck 2021, 3rd Edition) and ''Bäcker'', in Kühling, Buchner, DS-GVO BDSG, Article 23, margin number 25 (C.H.Beck 2020, 3rd Edition).</ref> | ||
===== (g) Breaches of | ===== (g) Breaches of ethics ===== | ||
Breaches of ethics for regulated professions (one can think of medical doctors or lawyers) are also a ground for restrictions. As in the previous provision, the EDPB notes that this ground only applies in cases where there is no criminal offence (in which case Article 23(1)(d) GDPR would also apply).<ref>EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 10 (available [https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf here]).</ref> | Breaches of ethics for regulated professions (one can think of medical doctors or lawyers) are also a ground for restrictions. As in the previous provision, the EDPB notes that this ground only applies in cases where there is no criminal offence (in which case Article 23(1)(d) GDPR would also apply).<ref>EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 10 (available [https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf here]).</ref> | ||
===== (h) Exercise of | ===== (h) Exercise of official authority ===== | ||
This ground expands on some of the grounds listed in this section by clearly stating that, limitations to data subjects’ rights and controllers’ obligations can also be justified, to safeguard a monitoring, inspection or regulatory function, if these are connectedto the exercise or official authority of the grounds listed in 23(1)(a) to (e), and (g) GDPR, even in the case that they are only occasionally connected.<ref>EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 10 (available [https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf here]). The EDPB refers to Article 23(2)(h) instead of Article 23(1)(h), but this is clearly a typo.</ref> | This ground expands on some of the grounds listed in this section by clearly stating that, limitations to data subjects’ rights and controllers’ obligations can also be justified, to safeguard a monitoring, inspection or regulatory function, if these are connectedto the exercise or official authority of the grounds listed in 23(1)(a) to (e), and (g) GDPR, even in the case that they are only occasionally connected.<ref>EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 10 (available [https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf here]). The EDPB refers to Article 23(2)(h) instead of Article 23(1)(h), but this is clearly a typo.</ref> | ||
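Review bot: the "(h) Exercise of official authority" paragraph contains a typo that changes the meaning: "connectedto the exercise or official authority" should be "connected to the exercise of official authority", matching the heading. In the footnote to the "(a)-(c)" paragraph, "GH Baden-Württemberg" should be "VGH Baden-Württemberg", as the wikilink in the same footnote spells it. Two style points: the heading "====To safeguard (qualified public interests)====" lacks the spaces inside the equals signs that the other level-four headings use, and the "(d)" paragraph opens two of its sentences with "However"; the last one ("However, once the omitted information can no longer jeopardise the investigation being carried out, it must be provided.") adds a limit rather than a contrast and reads better as "Once the omitted information ...".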
Line 287: | Line 278: | ||
There are also cases where a data subject’s rights can be limited to protect another data subject. As an example, the EDPB lists administrative inquiries, disciplinary proceedings or investigations on allegations of harassment in the workplace. In such cases, the person subject to these proceedings’ right of access could be restricted to protect an alleged victim or witness whistle-blower from retaliation, or conversely, the latter might see their right of access restricted to respect the privacy and data protection rights of the former.<ref>EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 11 (available [https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf here]).</ref> | There are also cases where a data subject’s rights can be limited to protect another data subject. As an example, the EDPB lists administrative inquiries, disciplinary proceedings or investigations on allegations of harassment in the workplace. In such cases, the person subject to these proceedings’ right of access could be restricted to protect an alleged victim or witness whistle-blower from retaliation, or conversely, the latter might see their right of access restricted to respect the privacy and data protection rights of the former.<ref>EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 11 (available [https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf here]).</ref> | ||
===== (j) Enforcement of | ===== (j) Enforcement of civil law ===== | ||
Latest revision as of 06:25, 16 June 2023
Legal Text
1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
- (a) national security;
- (b) defence;
- (c) public security;
- (d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
- (e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security;
- (f) the protection of judicial independence and judicial proceedings;
- (g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
- (h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
- (i) the protection of the data subject or the rights and freedoms of others;
- (j) the enforcement of civil law claims.
2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:
- (a) the purposes of the processing or categories of processing;
- (b) the categories of personal data;
- (c) the scope of the restrictions introduced;
- (d) the safeguards to prevent abuse or unlawful access or transfer;
- (e) the specification of the controller or categories of controllers;
- (f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
- (g) the risks to the rights and freedoms of data subjects; and
- (h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.
Relevant Recitals
Commentary
Data protection principles, data subject rights and controller obligations are not absolute. They can each be limited, restricted or lightened by way of Union or Member State law. In order to be lawful, however, the limitation must fulfil the requirements set out in Article 23 GDPR. In particular, the measure must (1) respect the essence of the right to data protection, (2) be foreseeable in its effects, (3) reflect a qualified public interest, (4) address only those rights and obligations which can be limited according to the GDPR, (5) be necessary, (6) be proportionate and (7) provide for the specific safeguards and information laid out in Article 23(2) GDPR. Provided that the measure is valid and lawful (in the sense that it has passed the assessment above), the accountability principle in Article 5(2) GDPR would require the controller to document and keep a record of the application of these restrictions in concrete cases. This record should include the practical reasons for the restrictions, which of the grounds listed in Article 23(1) GDPR applied, their timing, and the outcome of the case-specific necessity and proportionality test. The controller should lift the restrictions as soon as the circumstances that justify them no longer apply. If the controller does not allow data subjects to exercise their rights after the restriction has been lifted, the data subject can submit a complaint to the supervisory authority against the controller, in accordance with Article 57(1)(f) GDPR.
(1) Restrictions
The right to personal data protection is laid down in Article 8 CFR. This right, as the CJEU has underlined,[1] is relative, not absolute. Hence, Article 52(1) of the Charter allows limitations to this right to be enacted, provided that that provision’s requirements are fulfilled. Following this rationale, Article 23 GDPR allows Member States and the Union to restrict, limit, or lighten the rights of the data subject “provided for in Articles 12 to 22, Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22”. However, since these are exceptions to the general rule of personal data protection, such restrictions[2] “should be interpreted narrowly, only applied in specifically provided circumstances and only when certain conditions are met”. Moreover, even when restrictions apply, the accountability principle remains relevant (Article 5(2) GDPR). Hence, controllers must always be able to demonstrate compliance with the EU data protection framework.[3] Lastly, the legislator must assess whether the restriction is limited to what is strictly necessary. Several requirements need to be met before a restriction is lawful.
Limited scope
Under Article 23(1) GDPR, the legislative measure can only interfere with the “obligations and rights provided for in Articles 12 to 22 and Article 34, as well as [the principles in] Article 5." The rights which can be restricted are those to transparent information (Article 12 GDPR), information (Articles 13 and 14 GDPR), access (Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction of processing (Article 18 GDPR), notification obligation regarding rectification or erasure of personal data or restriction of processing (Article 19 GDPR), data portability (Article 20 GDPR), object (Article 21 GDPR), and refusal of automated individual decision making (Article 22 GDPR). This means that any other data subjects’ rights, such as the right to lodge a complaint to the supervisory authority (Article 77 GDPR), or other controller obligations, cannot be restricted under this provision.
Legislative measure
The restriction must be specified in Union or Member State law. As Recital 41 specifies, this legislative measure need not necessarily be a legislative act adopted by a parliament.[4] What matters is that it is “clear and precise”, so that its application is “foreseeable to persons subject to it, in accordance with the case-law of the CJEU […] and the ECtHR”. This requirement is satisfied when citizens have an “adequate indication” of the circumstances and conditions under which controllers can impose such restrictions. Moreover, the EDPB stipulates that restrictions need not necessarily be limited in time or linked to a timeframe in order to meet the foreseeability criterion.[5] In this respect, the restrictive measure must be sufficiently clear and give citizens an adequate indication of the circumstances that allow controllers to invoke it lawfully.[6] The ground for the restriction may not be limited in time because it needs to be safeguarded permanently, e.g., the “protection of judicial independence and judicial proceedings”. Of course, this needs to be assessed in light of the principles of necessity and proportionality. However, if the ground for the restriction is itself limited in time (e.g., a state of emergency), the restriction must also be limited in time, and cannot work retroactively. Lastly, the legislative measure should clearly state how the restriction serves the objective.[7]
Respects the essence of the fundamental rights and freedoms
This means that any restriction that renders the fundamental right void of its content cannot be justified. Hence, a general exclusion of data subjects’ rights with regard to all processing operations would not respect the essence. The same goes for a general limitation to the rights mentioned in Article 23 of all data subjects, even if this relates to specific data processing operations or concerns specific controllers.[8]
Necessary and proportionate in a democratic society
The EDPB notes that Article 5 is one of the most important provisions of the GDPR, and stipulates that restrictions to its principles need to be justified by an exceptional situation, provided that the essence of the fundamental rights is respected and that the restrictions are proportionate and necessary. Moreover, provisions of Article 5 that do not correspond to the rights and obligations in Articles 12 to 22 GDPR cannot be restricted.
First, the necessity of a restriction must be assessed. The EDPB notes that the objective must be identified “in sufficient detail” to assess whether the restriction is necessary to achieve it. If, for example, a restriction is grounded on Article 23(1)(d) GDPR, but some information can be disclosed without jeopardising an investigation, then it must be disclosed.[9] The CJEU applies a test of strict necessity when assessing any limitation of the rights to personal data protection and privacy.[10] The ECtHR maintains the same benchmark depending on the context, for example in the case of secret surveillance measures.[11]
Only once the necessity of the measure has been established is its proportionality assessed. If the measure exceeds what is strictly necessary to safeguard the objectives listed in Article 23(1)(a) to (j), it is not proportionate.[12] The EDPB lists La Quadrature du net and others[13] as an example of CJEU case law where the state did not adhere to what was strictly necessary, by requiring service providers to provide access to personal data generally and indiscriminately. Lastly, any proposed restrictive measure should be accompanied by evidence showing why the measure is necessary and proportionate.[14]
Hence, it should describe the problem addressed, how it will be addressed, why other, less intrusive measures do not suffice, and demonstrate how the measure meets the State’s or the EU’s objective. The EDPB mentions “restrictions [that] contribute to safeguarding public health in a state of emergency” as an example, and stipulates that a measure may only restrict the data subject’s rights, not deny them.[15]
To safeguard (qualified public interests)
The grounds for restrictions are exhaustively listed in Article 23(1) GDPR.
(a) National security, (b) Defense and (c) Public security
These grounds, listed in Article 23(1)(a)-(c), are closely related. National security refers to both the internal and external security of Member States.[16] Public security covers the protection of human life, particularly in cases of “natural or manmade disasters”.[17]
(d) Prevention, investigation, detection or prosecution of criminal offences
When personal data are processed for these specific purposes by a competent authority, the GDPR does not apply, since such processing falls within the scope of the Law Enforcement Directive.[18] However, Recital 19 GDPR clarifies that, when a private (non-competent) body processes personal data for the above-mentioned purposes, the GDPR does apply. The recital explains that this is relevant, for example, “in the framework of anti-money laundering or the activities of forensic laboratories”. In any case, once the information withheld can no longer jeopardise the investigation being carried out, it must be provided.[19]
(e) Economic and financial interests
One can think of examples like the keeping of public registers, or “the further processing of archived personal data to provide specific information related to the political behaviour under former totalitarian state regimes”.[20] The EDPB notes, however, that the financial burden on public budgets of complying with data subjects’ rights is not sufficient to justify a public interest in restricting these rights. As an example, the EDPB also stipulates that a restriction by a tax administration of the data subject’s right of access is only justified if this person is under investigation by that administration and the right of access would jeopardise the investigation. Moreover, this restriction must be lifted as soon as the investigation is over. When such a restriction is justified, appropriate safeguards like “indirect access” (where the supervisory authority exercises the right on behalf of the data subject to verify whether the restriction is lawful) must be implemented. Lastly, the EDPB has mentioned, for example, that in order to pursue a public interest objective related to the accessibility of the law, a public administration could restrict the right to object to the processing of pseudonymised personal data if the data are used to develop a benchmark document that clarifies what compensation is fair for a certain type of damage. However, it also notes that this kind of restriction may take place only when appropriate safeguards are in place.[21]
(f) Judicial independence
The EDPB mentions that “the scope of these restrictions should be aligned with national legislation regulating these matters”.[22] Moreover, Bäcker and Paal note that this ground does not include criminal proceedings, since in such cases, Article 23(1)(d) GDPR applies.[23]
(g) Breaches of ethics
Breaches of ethics for regulated professions (one can think of medical doctors or lawyers) are also a ground for restrictions. As with the previous ground, the EDPB notes that this ground only applies in cases where there is no criminal offence (otherwise Article 23(1)(d) GDPR applies).[24]
(h) Exercise of official authority
This ground expands on some of the grounds listed above by clearly stating that limitations to data subjects’ rights and controllers’ obligations can also be justified to safeguard a monitoring, inspection or regulatory function connected, even if only occasionally, to the exercise of official authority in the cases referred to in Article 23(1)(a) to (e) and (g) GDPR.[25]
(i) Protection of the data subject or the rights and freedoms of others
There are also cases where a data subject’s rights can be limited to protect another data subject. As examples, the EDPB lists administrative inquiries, disciplinary proceedings or investigations into allegations of harassment in the workplace. In such cases, the right of access of the person subject to these proceedings could be restricted to protect an alleged victim, witness or whistle-blower from retaliation; conversely, the latter might see their right of access restricted to respect the privacy and data protection rights of the former.[26]
(j) Enforcement of civil law
Lastly, whereas the protection of court proceedings and the applicable procedural rules are covered by Article 23(1)(f), limitations to specifically safeguard the enforcement of civil law claims of potential litigants fall under Article 23(1)(j) GDPR.
(2) Specific requirements
Any legislative measure adopted on the basis of Article 23(1) must contain, where relevant, specific provisions on the criteria listed in Article 23(2)(a) to (h) GDPR.[27] The phrase “where relevant” is linked to the circumstances. Hence, the legislator needs to justify why it is not relevant to include such provisions in the legislative measure. The EDPB highlights the importance of Recital 8 GDPR in this regard: the reason for the restriction, and how and when it applies, should be comprehensible to the persons to whom it applies.[28]
The legislative measure should clearly explain the purposes or categories of the processing (Article 23(2)(a)), so as to explain the objective of the restriction. The categories of personal data (Article 23(2)(b)) should also be listed. The EDPB notes that “Where possible, the controller can go further and list the specific data items to which the restriction of rights may apply, such as the preliminary results of an investigation, a decision opening an inquiry, etc.”[29] Moreover, if special categories of personal data are involved, this should also be mentioned.[30]
The scope of the restrictions (Article 23(2)(c)) specifies which rights or obligations are limited, and to what extent. The requirement to include safeguards to prevent abuse or unlawful access or transfer (Article 23(2)(d)) refers particularly to technical or organisational measures. The measure could, for example, contain an obligation to review the restriction periodically. The requirement to specify the controller, or categories of controllers (Article 23(2)(e)), besides giving data subjects a higher degree of legal certainty, also tells them whom to address in order to exercise their rights once the restriction is over. Furthermore, the storage periods and applicable safeguards, taking into account the nature, scope and purposes of the processing or categories of processing (Article 23(2)(f)), must be clearly explained.[31]
The risks to data subjects’ rights and freedoms should already have been assessed in the necessity and proportionality test. If there are such risks, they should be included in the legislative measure (Article 23(2)(g)). If the processing is “likely to result in a high risk” for the purposes of the GDPR, a Data Protection Impact Assessment (DPIA) should be conducted. According to the EDPB, such risks could include “discrimination, reduced human dignity, freedom of speech, the right to privacy and data protection, a bigger impact on vulnerable groups (such as children or persons with disability), to mention a few”.[32]
Lastly, the legislator should always include the assessment of these risks in the recitals or explanatory memorandum of the legislation, or in the DPIA itself. The last requirement, “the right to be informed about the restriction, unless prejudicial to the purpose of the restriction” (Article 23(2)(h)), could be fulfilled via a general data protection notice. As a general rule, data subjects should be informed about restrictions on the exercise of their rights. However, during the (very) preliminary stages of an investigation, for example, notifying the data subject of a restriction could hamper the investigation. Therefore, in such exceptional circumstances, this requirement can be set aside. In such cases, however, once notification of the restriction would no longer hamper the investigation, the data subject should be informed.[33]
Consultation with the DPAs (Articles 36(4) and 57(1)(c) GDPR)
Pursuant to Article 36(4) GDPR, the DPA shall be consulted before a legislative measure under Article 23 GDPR is adopted. Moreover, Article 57(1)(c) GDPR requires the DPA to advise on legislative measures regarding the protection of data subjects’ rights and freedoms. It follows from Article 58(3)(b) GDPR that, even if the DPA is not consulted, it can issue an opinion on any issue related to the protection of personal data. It can do so on its own initiative, addressed to Member State institutions such as the national parliament or government, to other institutions and bodies, as well as to the public.
Non-observation of Article 23 requirements by a Member State
The EDPB stipulates that the European Commission, as Guardian of the Treaties, must monitor the application of EU primary and secondary law and ensure its uniform application throughout the EU. Moreover, it follows from the principle of supremacy of EU law (see also Case C-378/17)[34] that state organs must not apply national legislation that is contrary to EU law. Hence, any legislative measure pursuant to Article 23 GDPR that does not meet the requirements of the provision cannot be applied.
Specific elements for controllers and processors
The EDPB highlighted a few elements for controllers and processors. First, although it is not listed in Article 30 GDPR, in light of the accountability principle (Article 5(2) GDPR) it is good practice for the controller to keep a record of the application of restrictions in concrete cases. This record should list the reason, the ground(s) and the timing of the restriction, as well as the outcome of the necessity and proportionality test, so that it can be made available to the DPA upon request. In any case, if the controller has a DPO, this person should be involved in the restriction process so that they can assess the restriction as well. Second, data subjects should be informed of the restrictions, at the latest when they no longer apply. After the restriction is lifted, the data subject can exercise all their rights. Third, if a controller infringes a legislative measure that imposes restrictions, the DPA can use its advisory, investigative and corrective powers pursuant to Article 58 GDPR.[35]
Decisions
→ You can find all related decisions in Category:Article 23 GDPR
References
- ↑ CJEU, Joined Cases C-92/09 and C-93/09, Schecke, 9 November 2010, margin number 48 (available here).
- ↑ The term “restrictions” is not defined in the GDPR. However, the EDPB defines it as follows: “any limitation of scope of the obligations and rights provided for in Articles 12 to 22 and 34 GDPR as well as the corresponding provisions in Article 5 in accordance with Article 23 GDPR”, see EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 6 (available here).
- ↑ EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 6 (available here).
- ↑ However, the restriction must certainly be laid down in Union or Member State law. In a recent judgement, the CJEU reiterated the importance of this requirement. The Court determined that “the tax authority of a Member State may not derogate from Article 5(1) of that regulation where such a right has not been conferred on it by a legislative measure within the meaning of Article 23(1)” [unofficial translation], in CJEU, Case C-175/20, SIA ‘SS’ v Valsts ieņēmumu dienests, 24 February 2022, margin numbers 55-57 (available here).
- ↑ EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 8 (available here).
- ↑ EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 7 (available here), which also reviews the case law of the Court of Justice of the European Union (CJEU) and of the European Court of Human Rights (ECtHR). See in particular footnote 8 of the Guidelines which mentions “European Court of Human Rights, 14 September 2010, Sanoma Uitgevers B.V. v. The Netherlands, EC:ECHR:2010:0914JUD003822403, margin number 83: “Further, as regards the words “in accordance with the law” and “prescribed by law” which appear in Articles 8 to 11 of the Convention, the Court observes that it has always understood the term “law” in its “substantive” sense, not its “formal” one; it has included both “written law”, encompassing enactments of lower ranking statutes and regulatory measures taken by professional regulatory bodies under independent rule-making powers delegated to them by Parliament, and unwritten law. “Law” must be understood to include both statutory law and judge-made “law”. In sum, the “law” is the provision in force as the competent courts have interpreted it”. On the notion of "provided for by law", the criteria developed by the European Court of Human Rights should be used as suggested in CJEU Advocate General opinions in joined cases C-203/15 and C-698/15, Tele2 Sverige AB, ECLI:EU:C:2016:572, paragraphs 137-154 or in case C-70/10, Scarlet Extended, ECLI:EU:C:2011:255, margin number 99.”
- ↑ EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 8-9 (available here).
- ↑ Per general EU law, any restriction to a fundamental right cannot violate the restricted right’s very essence. For this reason, the EDPB Guidelines 10/2020 on restrictions under Article 23 GDPR reject the idea of extensive restrictive measures that, for instance, exclude all data subjects’ rights about all processing operations carried out by a controller. See EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 7 (available here).
- ↑ The necessity of a measure can only be assessed if both the measure and the pursued interest are adequately defined. If these are not adequately defined then it is impossible for a third party to assess proportionality. See EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 12 (available here).
- ↑ CJEU, Case C-73/07, Tietosuojavaltuutettu v. Satakunnan Markkinapörssi Oy and Satamedia Oy, 16 December 2008, margin number 56.
- ↑ ECtHR, Szabo and Vissy v. Hungary, 12 January 2016, margin number 73.
- ↑ EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 8-9 (available here).
- ↑ CJEU, Joined Cases C-511/18, C-512/18 and C-520/18, La Quadrature du net and others, 6 October 2020, margin number 210 (available here).
- ↑ If a measure is necessary to protect the qualified public interest, then its proportionality must also be assessed. In particular, following the EDPB reading, a proposed restriction should be supported by evidence describing the problem to be addressed by that measure, how it will be addressed, and why existing or less intrusive measures are not sufficient. See EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 12 (available here).
- ↑ EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), pp. 12-13 (available here).
- ↑ Paal, in Paal, Pauly, DS-GVO BDSG, Article 23, margin number 17 (C.H.Beck 2021, 3rd Edition).
- ↑ EDPB referring to recital 73 GDPR, in EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 9 (available here). See also VGH Baden-Württemberg, 10 March 2020, 1 S 397/19 (available here), stating: “The civil register ‘serves as a basis for information for the administration, the administration of justice, religious societies under public law and the public. It is recognised in supreme court jurisprudence that the individual cannot completely withdraw from his environment without good reason, but must remain accessible and accept that others - also with state assistance - make contact with him’ (BVerwG, NJW 2006, 3367 ff.)”.
- ↑ Article 1(1) in conjunction with Article 2(1) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
- ↑ EDPB referring in footnote 11 to “Opinion 1/15 of the CJEU (Grand Chamber) on the Draft PNR Agreement between Canada and the European Union, 26 July 2017, ECLI:EU:C:2017:592”, in EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 9 (available here).
- ↑ EDPB referring in footnote 13 to recital 73, in EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 10 (available here).
- ↑ EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 10 (available here).
- ↑ EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 10 (available here).
- ↑ Paal, in Paal, Pauly, DS-GVO BDSG, Article 23, margin number 33 (C.H.Beck 2021, 3rd Edition) and Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 23, margin number 25 (C.H.Beck 2020, 3rd Edition).
- ↑ EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 10 (available here).
- ↑ EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 10 (available here). The EDPB refers to Article 23(2)(h) instead of Article 23(1)(h), but this is clearly a typo.
- ↑ EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 11 (available here).
- ↑ EDPB referring in footnote 19 to “CJEU, judgment of 6 October 2020, La Quadrature du Net and others, joined cases C-511/18, C-512/18 and C-520/18, ECLI:EU:C:2020:791, paragraph 209”, in EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 13 (available here).
- ↑ EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 13 (available here).
- ↑ See footnote 21, in EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 13 (available here).
- ↑ EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 14 (available here).
- ↑ EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 14 (available here).
- ↑ EDPB referring in footnote 23 to “Article 29 Working Party Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679, wp248rev.01, endorsed by the EDPB on 25 May 2018”, in EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 14 (available here).
- ↑ EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 15 (available here).
- ↑ EDPB in footnote 29 referring to “CJEU, judgment 4 December 2018, Case C-378/17, ECLI:EU:C:2018:979, paragraph 38.”, in EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), p. 16 (available here).
- ↑ EDPB, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’, 13 October 2021 (Version 2.0), pp. 16-17 (available here).