Insights European Data Protection Board adopts final version of Guidelines on restrictions of data subject rights under Article 23 GDPR


Article 23 of the GDPR provides that the application of certain provisions of the GDPR relating to the rights of data subjects and controllers’ obligations may be restricted in certain situations, such as to safeguard national or public security. Such a restriction must respect the essence of fundamental rights and freedoms and be a necessary and proportionate measure in a democratic society. Restrictions should be seen as exceptions to the general rule allowing the exercise of rights and imposing the obligations enshrined in the GDPR.

During its October plenary, the EDPB adopted a final version of its Guidelines on restrictions of data subject rights under Article 23 following public consultation.

The Guidelines set out the conditions surrounding the use of restrictions by Member States or the EU in light of the Charter of Fundamental Rights and the GDPR. They provide a thorough analysis of the criteria to apply restrictions, the assessments that need to be observed, how data subjects can exercise their rights after the restrictions are lifted, and the consequences of infringements of Article 23.

Additionally, the Guidelines analyse how legislation setting out the restrictions needs to meet the foreseeability requirement, and examine the grounds for restrictions in Article 23(1), as well as the obligations and rights that may be restricted. To access the Guidelines, click here.