Rights of data subjects can be restricted under the GDPR. Evgeni Moyakine discusses these restrictions in this article.
© University of Groningen

Now that we have looked into the rights of natural persons, or data subjects, under the GDPR, it is important to consider possible restrictions of the scope of these rights, as laid down in Article 23 GDPR.

EU law or the law of Member States may restrict the scope of the rights provided in Articles 12 to 22 and Article 34 of the GDPR. The reach of Article 5 GDPR, which concerns the principles of data processing, can also be restricted if its provisions correspond to the rights and obligations found in Articles 12 to 22 GDPR.

The European Union and its Member States cannot simply impose the restrictions addressed in Article 23 GDPR whenever they wish. These restrictions must respect the essence of the fundamental rights and freedoms and be in line with the requirements of the EU Charter of Fundamental Rights and the European Convention for the Protection of Human Rights and Fundamental Freedoms. In addition, they are required to constitute necessary and proportionate measures in a democratic society, meaning that there must be a pressing social need to adopt these legal instruments and that they must be proportionate to the legitimate aim pursued. They must also aim to safeguard certain important interests. So, laws adopted by the EU or its Member States that seek to restrict the scope of data subjects’ rights are required to be necessary and proportionate and must protect the various interests discussed below.

The interests protected by imposing restrictions could be those relating to national security, defence and public security. These interests are, for instance, at stake when States engage in intelligence gathering activities in the field of national security and process personal data.

The prevention, investigation, detection or prosecution of criminal offences and the execution of criminal penalties also fall under these important interests, which include safeguarding against and preventing threats to public security.

Furthermore, there are other significant objectives of general public interest of the European Union or its Member States, such as important economic or financial interests of the Union or its Member States, which include monetary, budgetary and taxation matters, public health and social security. In this regard, you can think of the processing of personal data for the purposes of keeping certain public registers, such as those relating to real estate, that are maintained for general public interest.

In addition, the protection of judicial independence and judicial proceedings and the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions, such as lawyers and doctors, should be mentioned here. Importantly, there is also an interest in monitoring, inspecting or regulating the exercise of official authority in such fields as national security, defence and public security.

Finally, the laws of the European Union and its Member States may restrict the scope of the rights and obligations in order to protect the data subjects or the rights and freedoms of others and to enforce civil law claims. This can be the case when there is a necessity to protect public health or to respond to humanitarian crises.

Legislative measures containing restrictions are required to contain certain provisions where this is relevant. Such provisions must relate to the purpose of the processing or the categories of processing, the categories of personal data, the scope of the restrictions in question, the safeguards for preventing abuse or unlawful access or transfer, the specification of the controllers or categories of controllers, the storage periods and relevant safeguards, possible risks to the rights and freedoms of data subjects, and the rights of data subjects to be informed about the restrictions (if this is not prejudicial to the purpose of the restrictions).

This article is from the free online course Understanding the GDPR.