Article 23
Restrictions
(43) Whereas restrictions on the rights of access and information and on certain obligations of the controller may similarly be imposed by Member States in so far as they are necessary to safeguard, for example, national security, defence, public safety, or important economic or financial interests of a Member State or the Union, as well as criminal investigations and prosecutions and action in respect of breaches of ethics in the regulated professions; whereas the list of exceptions and limitations should include the tasks of monitoring, inspection or regulation necessary in the three last-mentioned areas concerning public security, economic or financial interests and crime prevention; whereas the listing of tasks in these three areas does not affect the legitimacy of exceptions or restrictions for reasons of State security or defence;
(44) Whereas Member States may also be led, by virtue of the provisions of Community law, to derogate from the provisions of this Directive concerning the right of access, the obligation to inform individuals, and the quality of data, in order to secure certain of the purposes referred to above;
Regulation
Art. 23 1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard: (a) national security; (b) defence; (c) public security; (d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; (e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security; (f) the protection of judicial independence and judicial proceedings; (g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions; (h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g); (i) the protection of the data subject or the rights and freedoms of others; (j) the enforcement of civil law claims. 2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to: (a) the purposes of the processing or categories of processing; (b) the categories of personal data; (c) the scope of the restrictions introduced; (d) the safeguards to prevent abuse or unlawful access or transfer; (e) the specification of the controller or categories of controllers; (f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing; (g) the risks to the rights and freedoms of data subjects; and (h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction |
Directive
Art. 13 1. Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Articles 6 (1), 10, 11 (1), 12 and 21 when such a restriction constitutes a necessary measures to safeguard: (a) national security; (b) defence; (c) public security; (d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions; (e) an important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters; (f) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (c), (d) and (e); (g) the protection of the data subject or of the rights and freedoms of others. 2. Subject to adequate legal safeguards, in particular that the data are not used for taking measures or decisions regarding any particular individual, Member States may, where there is clearly no risk of breaching the privacy of the data subject, restrict by a legislative measure the rights provided for in Article 12 when data are processed solely for purposes of scientific research or are kept in personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics. |
Denmark
30. – (1) Section 28 (1) and section 29 (1) shall not apply if the data subject’s interest in obtaining this information is found to be overridden by essential considerations of private interests, including the consideration for the data subject himself. (2) Derogations from section 28 (1) and section 29 (1) may also take place if the data subject’s interest in obtaining this information is found to be overridden by essential considerations of public interests, including in particular:
|
Austria
All of the following in force until May 25, 2018: § 26 DSG 2000 [...] (2) The information shall not be given insofar as this is essential for the protection of the person requesting information for special reasons or insofar as overriding legitimate interests pursued by the controller or by a third party, especially overriding public interests, are an obstacle to furnishing the information. Overriding public interests can arise out of the necessity 1. to protect of the constitutional institutions of the Republic of Austria or 2. to safeguard of the operational readiness of the federal army or 3. to safeguard the interests of comprehensive national defence or 4. to protect important foreign policy, economic or financial interests of the Republic of Austria or the European Union or 5. to prevent and prosecute crimes. The right to refuse information for the reasons stated in sub-paras. 1 to 5 is subject to control by the Data Protection Authority pursuant to § 30 para. 3 and the special complaint proceeding before the Data Protection Authority pursuant to § 31 para. 4. [...] (5) In the areas of the executive responsible for the fields described in para. 2 sub-para. 1 to 5, the procedure in a case where public interests require that no information be given shall be as follows: In all cases where no information is given even when in fact no data on the person requesting information is used instead of giving a reason in substance, an indication shall be given that no data are being used which are subject to the right to information. The legality of such course of action is subject to review by the Data Protection Authority pursuant to § 30 para. 3 and the special complaint proceeding before the Data Protection Authority pursuant to § 31 para. 4. [...] § 27 DSG 2000 [...] (5) In the areas of the executive responsible for the fields described in § 26 para. 2 sub paras. 1 to 5, the following procedure shall be applied to applications for rectification or erasure, insofar as this is required to safeguard those public interests that require secrecy: The rectification or erasure shall be carried out if the demands of the data subject are justified in the opinion of the controller. The required information pursuant to para. 4 shall in all cases be that a check of the data files of the controller with regard to the application for rectification or erasure has been performed. The legality of this course of action is subject to review by the Data Protection Authority according to § 30 para. 3 and the special complaint proceeding before the Data Protection Authority pursuant to § 31 para. 4. [...] Right to Object § 28 DSG 2000 [...] (3) § 27 para 4 to 6 shall also be applied in the cases of paras 1 and 2.
|