Now that we have looked into the rights of natural persons, or data subjects, under the GDPR, it is important to consider possible restrictions of the scope of these rights, as laid down in Article 23 GDPR.
It is allowed under the EU law or the law of Member States to restrict the scope of rights as provided in Articles 12 to 22 and Article 34 of the GDPR. Also, the reach of Article 5 GDPR concerning the principles of data processing can be restricted if its provisions correspond to the rights and obligations found in Articles 12 to 22 GDPR.
The European Union and its Member States cannot simply impose restrictions addressed in Article 23 GDPR when they wish to. These restrictions must respect the essence of the fundamental rights and freedoms and be in line with the requirements of the EU Charter of Fundamental Rights and the European Convention for the Protection of Human Rights and Fundamental Freedoms. In addition, they are required to constitute necessary and proportionate measures in a democratic society meaning that there must be a pressing social need to adopt these legal instruments and that they must be proportionate to the pursued legitimate aim. Also, they must be aiming to safeguard certain important interests. So, laws adopted by the EU of its Members States that seek to restrict the scope of data subjects’ rights are required to be necessary and proportionate and must protect various interests discussed below.
The interests protected by imposing restrictions could be those relating to national security, defence and public security. These interests are, for instance, at stake when States engage in intelligence gathering activities in the field of national security and process personal data.
Also, the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties fall under these important interests and they include safeguarding against threats to public security and preventing them.
Furthermore, there are other significant objectives of general public interest of the European Union or its Member States, such as important economic or financial interests of both the Union or its Member States, which include monetary, budgetary and taxation matters, public health and social security. In this regard, you can think of the processing of personal data for the purposes of keeping certain public registers, such as those relating to real estate, that are maintained for general public interest.
In addition, the protection of judicial independence and judicial proceedings and the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions, such as lawyers and doctors, should be mentioned here. Importantly, there is also an interest of a monitoring, inspecting or regulating the exercise of official authority in such fields as national security, defence and public security.
Finally, the laws of the European Union and its Member States may restrict the scope of the rights and obligations in order to protect the data subjects or the rights and freedoms of others and to enforce civil law claims. This can be the case when there is a necessity to protect public health or to respond to humanitarian crises.
Legislative measures containing restrictions are required to contain certain provisions where this is relevant. Such provisions must relate to the purpose of the processing or the categories of processing, the categories of personal data, the scope of the restrictions in question, the safeguards for preventing abuse or unlawful access or transfer, the specification of the controllers or categories of controllers, the storage periods and relevant safeguards, possible risks to the rights and freedoms of data subjects, the rights of data subjects to be informed about the restrictions (if this is not prejudicial to the purpose of the restrictions).
© University of Groningen