Article 23
Restrictions

Official
Texts
Guidelines Caselaw Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 23 keyboard_arrow_down Hide the recitals of the Regulation related to article 23 keyboard_arrow_up

(8) Where this Regulation provides for specifications or restrictions of its rules by Member State law, Member States may, as far as necessary for coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of this Regulation into their national law.

(73) Restrictions concerning specific principles and the rights of information, access to and rectification or erasure of personal data, the right to data portability, the right to object, decisions based on profiling, as well as the communication of a personal data breach to a data subject and certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or manmade disasters, the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, or of breaches of ethics for regulated professions, other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the keeping of public registers kept for reasons of general public interest, further processing of archived personal data to provide specific information related to the political behaviour under former totalitarian state regimes or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes. Those restrictions should be in accordance with the requirements set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.

Show the recitals of the Directive related to article 23 keyboard_arrow_down Hide the recitals of the Directive related to article 23 keyboard_arrow_up

(43) Whereas restrictions on the rights of access and information and on certain obligations of the controller may similarly be imposed by Member States in so far as they are necessary to safeguard, for example, national security, defence, public safety, or important economic or financial interests of a Member State or the Union, as well as criminal investigations and prosecutions and action in respect of breaches of ethics in the regulated professions; whereas the list of exceptions and limitations should include the tasks of monitoring, inspection or regulation necessary in the three last-mentioned areas concerning public security, economic or financial interests and crime prevention; whereas the listing of tasks in these three areas does not affect the legitimacy of exceptions or restrictions for reasons of State security or defence;

(44) Whereas Member States may also be led, by virtue of the provisions of Community law, to derogate from the provisions of this Directive concerning the right of access, the obligation to inform individuals, and the quality of data, in order to secure certain of the purposes referred to above;

The GDPR

Article 23 of the Regulation being directly inspired by Article 13 of the Directive states that the Member States may maintain or introduce statutory restrictions to the data subject rights under Articles 12 to 22 and Article 34 relating to the notification to the data subject about a breach of personal data and the principles set out in Article 5, provided that those restrictions comply with the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard certain interests that are listed exhaustively.

Compared to the Directive, there is an extension of these interests including protection against threats to public safety and the prevention of these, important objectives of public interests of the Union or a Member State including an economic or financial interest of the Union or of a Member State, including monetary, budgetary and fiscal areas, public health and social security, or even the protection of the independence of justice and of judicial proceedings or to enable the execution of applications of civil law.

Article 23 in fine provides however that the legislative restrictions introduced by the Member States should contain many specific provisions relating to purposes, categories of processing and personal data, the extent of the introduced restrictions, or also to the risks to the rights and freedoms of individuals and the right of the data subject to be informed about such restrictions.

The Directive

Under the Directive (Art. 13), the Member States were already allowed to limit the scope of the rights and obligations provided for in Article 6 on the quality of the data; in Articles 10 and 11 relating to the information to be provided to the data subject; Article 12 on the right to object and article 21 on the publicizing of processing. 

However such limitations are measures necessary for the implementation of exhaustively listed interests, for example, for ensuring the national security, defence, public security or prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics in the case of the regulated professions.

Potential issues

The possibilities of restrictions being extended, the room for maneuvering of the states increases, resulting in a risk of divergence of the protection systems, at the expense of the goal of harmonization of the new regulations. It is true that in return, the states will have to adapt them by more guarantees for the people, which can then be controlled by the Court of Justice.

Summary

European Union

European Union

European data protection board (EDPB)

Statement on the processing of personal data in the context of the COVID-19 outbreak (19 March 2020)

The European Data Protection Board has adopted the following statement: Governments, public and private organisations throughout Europe are taking measures to contain and mitigate COVID-19. This can involve the processing of different types of personal data. Data protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. The fight against communicable diseases is a valuable goal shared by all nations and therefore, should be supported in the best possible way. It is in the interest of humanity to curb the spread of diseases and to use modern techniques in the fight against scourges affecting great parts of the world. Even so, the EDPB would like to underline that, even in these exceptional times, the data controller and processor must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data and in all cases it should be recalled that any measure taken in this context must respect the general principles of law and must not be irreversible. Emergency is a legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period.

Link

Statement on restrictions on data subject rights in connection to the state of emergency1 in Member States (2 June 2020)

Link

Guidelines on restrictions under Article 23 GDPR - 10/2020 (13 October 2021)

This document seeks to provide guidance as to the application of Article 23 GDPR. These Guidelines provide a thorough analysis of the criteria to apply restrictions, the assessments that need to be observed, how data subjects can exercise their rights once the restriction is lifted and the consequences for infringements of Article 23 GDPR.

The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 16(2) of the Treaty on the Functioning of the European Union mandates the European Parliament and the Council to lay down the rules in relation to the protection of personal data and the rules relating to the free movement of personal data. The GDPR protects the rights and freedoms of natural persons and in particular their right to data protection. Data protection cannot be ensured without adhering to the rights and principles set out in the GDPR (Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided in Articles 12 to 22 GDPR). All these rights and obligations are at the core of the fundamental right to data protection and their application should be the general rule. In particular, any limitation to the fundamental right to data protection needs to observe Article 52 of the Charter of fundamental rights of the European Union (‘the Charter’).

It is against this background that Article 23 GDPR should be read and interpreted. This provision is entitled ‘restrictions’. It provides that, under Union or Member State law, the application of certain provisions of the Regulation, relating to the rights of the data subjects and controllers’ obligations, may be restricted in the situations therein listed. Restrictions should be seen as exceptions to the general rule allowing the exercise of rights and imposing the obligations enshrined in the GDPR . 

As such, restrictions should be interpreted narrowly, only be applied in specifically provided circumstances and only when certain conditions are met.

Even in exceptional situations, the protection of personal data cannot be restricted in its entirety. It must be upheld in all emergency measures, as per Article 23 GDPR thus contributing to the respect of the overarching values of democracy, rule of law and fundamental rights on which the Union is founded: any measure taken by Member States shall respect the general principles of law, the essence of the fundamental rights and freedoms and shall not be irreversible and data controllers and processors shall continue to comply with data protection rules.

In all cases, where Union or Member State law allows restrictions to data subjects’ rights or to the obligations of the controllers (including joint controllers3 ) and processors4 , it should be noted that the accountability principle, as laid down in Article 5(2) GDPR, is still applicable. This means that the controller is responsible for, and shall be able to demonstrate to the data subjects his or her compliance with the EU data protection framework, including the principles relating to the processing of their data.

When the EU or national legislator lays down restrictions based on Article 23 GDPR, it shall ensure that it meets the requirements set out in Article 52(1) of the Charter, and in particular conduct a proportionality assessment so that restrictions are limited to what is strictly necessary.

Links

Retour au sommaire

Summary

European Union

European Union

CJEU caselaw

C-473/12 (7 november 2013) - IPI

Article 13(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that Member States have no obligation, but have the option, to transpose into their national law one or more of the exceptions which it lays down to the obligation to inform data subjects of the processing of their personal data.

The activity of a private detective acting for a professional body in order to investigate breaches of ethics of a regulated profession, in this case that of estate agent, is covered by the exception in Article 13(1)(d) of Directive 95/46.

Judgment of the Court

C-201/14 (1 october 2015) - Bara e.a.

Articles 10, 11 and 13 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, must be interpreted as precluding national measures, such as those at issue in the main proceedings, which allow a public administrative body of a Member State to transfer personal data to another public administrative body and their subsequent processing, without the data subjects having been informed of that transfer or processing.

Opinion of Advocate general

Judgment of the Court

C-817/19 (21 june 2022)

1. Article 2(2)(d) and Article 23 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that that regulation applies to the processing of personal data envisaged by national legislation intended to transpose, into domestic law, the provisions of Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data, those of Directive 2010/65/EU of the European Parliament and of the Council of 20 October 2010 on reporting formalities for ships arriving in and/or departing from ports of the Member States and repealing Directive 2002/6/EC and also those of Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, in respect of, on the one hand, data processing operations carried out by private operators and, on the other hand, data processing operations carried out by public authorities covered, solely or in addition, by Directive 2004/82 or Directive 2010/65. By contrast, the said regulation does not apply to the data processing operations envisaged by such legislation which are covered only by Directive 2016/681 and are carried out by the passenger information unit (PIU) or by the authorities competent for the purposes referred to in Article 1(2) of that directive.

Judgment of the court

Opinion of the advocate general

C‑307/22, FT v. DW, (23 October 2023)

1.      Article 12(5) and Article 15(1) and (3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),

must be interpreted as meaning that the controller is under an obligation to provide the data subject, free of charge, with a first copy of his or her personal data undergoing processing, even where the reason for that request is not related to those referred to in the first sentence of recital 63 of that regulation.

2.      Article 23(1)(i) of Regulation 2016/679

must be interpreted as meaning that a piece of national legislation adopted prior to the entry into force of that regulation is capable of falling within the scope of that provision. However, such a possibility does not permit the adoption of a piece of national legislation which, with a view to protecting the economic interests of the controller, makes the data subject bear the costs of a first copy of his or her personal data undergoing processing.

3.      The first sentence of Article 15(3) of Regulation 2016/679

must be interpreted as meaning that, in the context of a doctor-patient relationship, the right to obtain a copy of personal data undergoing processing means that the data subject must be given a faithful and intelligible reproduction of all those data. That right entails the right to obtain a full copy of the documents included in his or her medical records and containing, inter alia, those data if the provision of such a copy is essential in order to enable the data subject to verify how accurate and exhaustive those data are, as well as to ensure they are intelligible. Regarding data relating to the health of the data subject, that right includes in any event the right to obtain a copy of the data in his or her medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided to him or her.

Judgment of the court

Opinion of the advocate general

Retour au sommaire Retour au sommaire
Regulation
1e 2e

Art. 23

1.   Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

(a) national security;

(b) defence;

(c) public security;

(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security;

(f) the protection of judicial independence and judicial proceedings;

(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

(h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);

(i) the protection of the data subject or the rights and freedoms of others;

(j) the enforcement of civil law claims.

2.   In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

(a) the purposes of the processing or categories of processing;

(b) the categories of personal data;

(c) the scope of the restrictions introduced;

(d) the safeguards to prevent abuse or unlawful access or transfer;

(e) the specification of the controller or categories of controllers;

(f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;

(g) the risks to the rights and freedoms of data subjects; and

(h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction

1st proposal close

Art. 21

1.           Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in points (a) to (e) of Article 5 and Articles 11 to 20 and Article 32, when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard:

(a)     public security;

(b)     the prevention, investigation, detection and prosecution of criminal offences;

(c)     other public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters and the protection of market stability and integrity;

(d)     the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

(e)     a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (a), (b), (c) and (d);

(f)      the protection of the data subject or the rights and freedoms of others.

2nd proposal close

Art. 21

1.  Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in (...) Articles 12 to 20 and Article 32,  as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 20, when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard:

(aa) national security;

(ab) defence;

(a) public security;

(b) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties or the safeguarding against and the prevention of threats to public security;

(c) other important objectives of general public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including, monetary, budgetary and taxation matters, public health and social security,the protection of market stability and integrity;

(ca) the protection of judicial independence and judicial proceedings ;

(d) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

(e) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (aa), (ab), (a), (b), (c) and (d);

(f) the protection of the data subject or the rights and freedoms of others;

(g) the enforcement of civil law claims

2. Any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to the purposes of the processing or categories of processing, the categories of personal data, the scope of the restrictions introduced, the specification of the controller or categories of controllers, the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing and the risks for the rights and freedoms of data subjects

.

 

Directive close

Art. 13

1. Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Articles 6 (1), 10, 11 (1), 12 and 21 when such a restriction constitutes a necessary measures to safeguard:

(a) national security;

(b) defence;

(c) public security;

(d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions;

(e) an important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters;

(f) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (c), (d) and (e);

(g) the protection of the data subject or of the rights and freedoms of others.

2. Subject to adequate legal safeguards, in particular that the data are not used for taking measures or decisions regarding any particular individual, Member States may, where there is clearly no risk of breaching the privacy of the data subject, restrict by a legislative measure the rights provided for in Article 12 when data are processed solely for purposes of scientific research or are kept in personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics.

30. – (1)  Section 28 (1) and section 29 (1) shall not apply if the data subject’s interest in obtaining this information is found to be overridden by essential considerations of private interests, including the consideration for the data subject himself.

(2) Derogations from section 28 (1) and section 29 (1) may also take place if the data subject’s interest in obtaining this information is found to be overridden by essential considerations of public interests, including in particular:

  1. national security;
  2. defence; 
  3. public security; 
  4. the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for regulated professions; 
  5. important economic or financial interests of a Member State or of the European Union, including monetary, budgetary and taxation matters; and 
  6. monitoring, inspection or regulatory functions, including temporary tasks, connected with the exercise of official authority in cases referred to in paragraphs 3 to 5.

Belgique close

Art. 3

(…)

§ 3. Les articles 6 à 10, 12, 14, 15, 17, 17bis, alinéa 1er, 18, 20 et 31, §§ 1er à 3, ne s'appliquent pas aux traitements de données à caractère personnel gérés par la Sûreté de l'Etat, par le Service général du renseignement et de la sécurité des forces armées, par (les autorités visées aux articles 15, 22ter et 22quinquies de la loi du 11 décembre 1998 relative à la classification et aux habilitations, attestations et avis de sécurité et l'organe de recours créé par la loi du 11 décembre 1998 portant création d'un organe de recours en matière d'habilitations, d'attestations et d'avis de sécurité), par les officiers de sécurité et par le Comité permanent de contrôle des services de renseignements et son Service d'enquêtes, (ainsi que par l'Organe de coordination pour l'analyse de la menace,) lorsque ces traitements sont nécessaires à l'exercice de leurs missions.

§ 5. Les articles 9, 10, § 1er, et 12 ne s'appliquent pas :

  1° aux traitements de données à caractère personnel gérés par des autorités publiques en vue de l'exercice de leurs missions de police judiciaire;

  2° aux traitements de données à caractère personnel gérés par les services de police visés à l'article 3 de la loi du 18 juillet 1991 organique du contrôle des services de police et de renseignements, en vue de l'exercice de leurs missions de police administrative;

  3° aux traitements de données à caractère personnel gérés en vue de l'exercice de leurs missions de police administrative, par d'autres autorités publiques qui ont été désignées par arrêté royal délibéré en Conseil des ministres, après avis de la Commission de la protection de la vie privée;

  4° aux traitements de données à caractère personnel rendus nécessaires par la loi du 11 janvier 1993 relative à la prévention de l'utilisation du système financier aux fins du blanchiment de capitaux;

  5° au traitement de données à caractère personnel géré par le Comité permanent de contrôle des services de police et par son Service d'enquêtes en vue de l'exercice de leurs missions légales.

  § 6. Les articles 6, 8, 9, 10, § 1er, et 12 ne sont pas applicables après autorisation accordée par le Roi par arrêté délibéré en Conseil des ministres, aux traitements gérés par le Centre européen pour enfants disparus et sexuellement exploités, ci-après dénommé "le Centre", établissement d'utilité publique constitué par acte du 25 juin 1997 et reconnu par arrêté royal du 10 juillet 1997, pour la réception, la transmission à l'autorité judiciaire et le suivi de données concernant des personnes qui sont suspectées dans un dossier déterminé de disparition ou d'exploitation sexuelle, d'avoir commis un crime ou un délit. Cet arrêté détermine la durée et les conditions de l'autorisation après avis de la Commission de la protection de la vie privée

  Le Centre ne peut tenir un fichier de personnes suspectes d'avoir commis un crime ou un délit ou de personnes condamnées.

  Le conseil d'administration du Centre désigne parmi les membres du personnel du Centre un préposé à la protection des données ayant connaissance de la gestion et de la protection des données à caractère personnel. L'exercice de ses missions ne peut entraîner pour le préposé des désavantages. Il ne peut, en particulier, être licencié ou remplacé comme préposé à cause de l'exécution des tâches qui lui sont confiées. Le Roi détermine par arrêté délibéré en Conseil des ministres et après avis de la Commission de la protection de la vie privée les tâches du préposé et la manière dont ces tâches sont exécutées ainsi que la manière dont le Centre doit faire rapport à la Commission de la protection de la vie privée sur le traitement des données à caractère personnel effectué dans le cadre de l'autorisation accordée.

  Les membres du personnel et ceux qui traitent des données à caractère personnel pour le Centre sont tenus au secret.

  Toute violation de ce secret sera sanctionnée conformément aux dispositions de l'article 458 du Code pénal.

  Dans le cadre de ses missions d'appui à la recherche d'enfants signalés comme disparus ou enlevés, le Centre ne peut procéder à l'enregistrement de conversations téléphoniques si l'appelant en a été informé et dans la mesure où il ne s'y oppose pas.

  § 7. [1 Sans préjudice de l'application de dispositions légales particulières, l'article 10 n'est pas applicable aux traitements de données à caractère personnel gérés par le Service public fédéral Finances pendant la période durant laquelle la personne concernée fait l'objet d'un contrôle ou d'une enquête ou d'actes préparatoires à ceux-ci, effectués par le Service public fédéral Finances dans le cadre de l'exécution de ses missions légales, dans la mesure où cette application nuirait aux besoins du contrôle, de l'enquête ou des actes préparatoires et pour leur seule durée.

   La durée de ces actes préparatoires pendant laquelle ledit article 10 n'est pas applicable, ne peut excéder un an à partir de la demande introduite en application de cet article 10.

   Lorsque le Service public fédéral Finances a fait usage de l'exception telle que déterminée à l'alinéa 1er, la règle de l'exception est immédiatement levée après la clôture du contrôle ou de l'enquête ou dès la clôture des actes préparatoires lorsque ceux-ci n'ont pas abouti à un contrôle ou une enquête. Le Service de Sécurité de l'Information et Protection de la Vie Privée en informe le contribuable concerné sans délai et lui communique dans son entièreté la motivation contenue dans la décision du responsable du traitement ayant fait usage de l'exception.

close