The European Data Protection Board has adopted guidelines clarifying the scope of Article 23 of the GDPR (the “Guidelines”).
By way of reminder, Article 23 allows Member States to derogate from the transparency obligations and data subject rights. The UK already has specific measures and drafting in place under the Data Protection Act 2018, which can be helpful for organisations. The derogations must be necessary and proportionate in a democratic society and “respect the essence of the fundamental rights and freedoms” in safeguarding one of the following:
- National security
- Public security
- The prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties or breaches of ethics for regulated professions
- Public interests, in particular economic or financial interests
- Protection of judicial independence and judicial proceedings
- The exercise of official authority in monitoring, inspection or regulatory functions connected to the exercise of official authority regarding security, defence, other important public interests or crime/ethics prevention
- The protection of the data subject or the rights and freedoms of others
- The enforcement of civil law claims
What has been clarified?
The Guidelines clarify how the legislative measures should be drafted, how to assess whether the restriction is necessary and proportionate and which rights of data subjects can be restricted.
The following can be restricted under Article 23:
- Right to transparent information (privacy notice)
- Right to information
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Notification obligation regarding rectification or erasure of personal data or restriction of processing
- Right to data portability
- Right to object
- Right not to be subject to automated individual decision-making
The restricting legislation must be clear and precise, allowing individuals to understand when controllers can rely on a restriction. It will be interesting to see how the UK's proposed data protection reforms affect these provisions.