Article 23-Restrictions

image credit: pharmaceutical-journal.com

GDPR has set forth ample rights which a data subject can avail of. However, these rights are not absolute and to avoid the misuse of these rights the Regulation also sets forth certain restrictions that can be imposed on the rights. 

The restrictions that are valid as per the GDPR are as follows:

  1. Union or Member State law may introduce legislation that restricts the rights set forth in Articles 12-22, Article 34 and Article 5 provided the restriction does not infringe upon the fundamental rights and freedoms of the data subject. An important point to consider is that the restriction must be enforced in order to safeguard the following:
  1. “national security;
  2. defence;
  3. public security;
  4. the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
  5. other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security;
  6. the protection of judicial independence and judicial proceedings;
  7. the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
  8. a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
  9. the protection of the data subject or the rights and freedoms of others;
  10. the enforcement of civil law claims.”

2.The legislative measures mentioned above must contain specific provisions such as:

  1. “the purposes of the processing or categories of processing;
  2. the categories of personal data;
  3. the scope of the restrictions introduced;
  4. the safeguards to prevent abuse or unlawful access or transfer;
  5. the specification of the controller or categories of controllers;
  6. the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
  7. the risks to the rights and freedoms of data subjects; and
  8. the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.”

Article 23 in the GDPR can act as a boon and a bane to the society. On the one hand, the GDPR is offering rights that can empower the individual but at the same time snatching away those rights by giving the power to the Union or Member State to enforce such laws. An example of misuse of this Article would be Hungary. During the coronavirus pandemic, the Government suspended all the GDPR rights. This has evoked outrage by privacy advocates stating since bringing in restrictions does not comply with the provisions as stated in point 1. 

It shall be seen how this article is interpreted and till what extent the nations implement the restrictions on the data subjects.