Article 23

Restrictions

1.   Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

(a) national security;

(b) defence;

(c) public security;

(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;

(f) the protection of judicial independence and judicial proceedings;

(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

(h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);

(i) the protection of the data subject or the rights and freedoms of others;

(j) the enforcement of civil law claims.

2.   In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

(a) the purposes of the processing or categories of processing;

(b) the categories of personal data;

(c) the scope of the restrictions introduced;

(d) the safeguards to prevent abuse or unlawful access or transfer;

(e) the specification of the controller or categories of controllers;

(f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;

(g) the risks to the rights and freedoms of data subjects; and

(h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

Article 23 of the GDPR allows governments or the EU to restrict some of the rights and obligations under the GDPR, but only in very specific circumstances. These restrictions must be established by law and can only be applied when necessary to protect important public interests. At its core, Article 23 ensures that the balance between individual data rights and broader societal or legal needs is maintained.

Exceptions under Article 23 apply in situations where fulfilling GDPR rights, such as access, deletion, or data portability, could undermine critical goals such as safeguarding national security, maintaining public safety, enabling effective law enforcement, protecting public health, ensuring financial stability, or defending the rights and freedoms of others, as listed in Article 23(1), points (a) to (j).

For example, during a criminal investigation, authorities may restrict access to data to prevent interference with the case. Similarly, governments may limit data deletion requests if retaining the information is essential for regulatory compliance, such as in tax or anti-fraud investigations.

These exceptions apply across various contexts, including law enforcement, public health emergencies, regulated industries, and other areas where societal interests outweigh individual data rights.

In practical terms, Article 23 means that there are circumstances where individuals’ GDPR rights may be limited. For instance, a person might not be allowed to delete their data if it is part of an ongoing legal process, or they may not be informed about certain uses of their data if it would compromise public safety. However, even in such cases, the entity handling the data must ensure it is secure, used appropriately, and only within the bounds of the law.

Restrictions must be clearly justified and proportionate, ensuring they do not go beyond what is necessary to achieve their objective. Transparency is key where possible, though there are instances where informing the individual about the restriction might defeat its purpose—such as in covert investigations.

Article 23(2) of the GDPR outlines the specific requirements that any law restricting data subjects’ rights must meet. Its purpose is to ensure that such restrictions are clearly defined, legally justified, and accompanied by safeguards to prevent abuse.
