Home Privacy Law GDPR Article 23 GDPR (Restrictions)

Article 23 GDPR (Restrictions)

Article 23 of GDPR: Restrictions to individual rights and GDPR principles

Having defined the principles of data protection and privacy (Article 5) along with the individual rights (Articles 12 to 22), Article 23 allows for those principles and rights to be restricted.

In essence, under Article 23 of GDPR, EU member countries to adopt laws and regulations to restrict the rights granted under GDPR.

EU member countries have power to restrict GDPR rights and principles (Article 23(1) GDPR)

GDPR provides the ability to EU member countries to adopt laws and regulations to restrict the GDPR principles and data subject rights in the following instances:

  1. For national security (Article 23(1)(a) GDPR)
  2. For national defence (Article 23(1)(b) GDPR)
  3. For public security (Article 23(1)(c) GDPR)
  4. To protect against crimes and threats to public security (Article 23(1)(d) GDPR)
  5. For important objectives of the general public interest such as monetary, budgetary, taxation, public health and social security (Article 23(1)(e) GDPR)
  6. To project judicial independence (Article 23(1)(f) GDPR)
  7. To protect against breach of ethics by regulated professions (Article 23(1)(g) GDPR)
  8. For official authority functions (Article 23(1)(h) GDPR)
  9. To protect individuals and the rights and freedoms (Article 23(1)(i) GDPR)
  10. To enforce a civil claim (Article 23(1)(j) GDPR)

The data subject rights that may be restricted are the following:

  1. Companies’ obligation in communicating information in a transparent way to individuals (Article 12 GDPR)
  2. Nature of information companies must provide individuals to collect their data (Article 13 GDPR)
  3. Nature of information companies must provide individuals if they collect their data from another source (Article 14 GDPR)
  4. Access rights to personal data (Article 15 GDPR)
  5. Rectification rights (Article 16 GDPR)
  6. Right to erasure or right to be forgotten (Article 17 GDPR)
  7. Right to restrict company processing personal data (Article 18 GDPR)
  8. Companies’ notification obligation when rectifying or erasing data (Article 19 GDPR)
  9. Portability rights (Article 20 GDPR)
  10. Objection rights (Article 21 GDPR)
  11. Right not to be subject to automated decision-making, including profiling (Article 22 GDPR)

The principles that EU member countries can restrict are the following:

  1. Lawfulness, fairness and transparency 
  2. Purpose limitation 
  3. Data minimisation 
  4. Accuracy 
  5. Storage limitation 
  6. Integrity and confidentiality 
  7. Accountability

Legal specification requirements (Article 23(2) GDPR)

When adopting laws and regulations to restrict the data subject rights or the principles under GDPR, the EU member countries must ensure to specify the following in their legislative content:

  1. The purpose of processing personal data or a special category of personal data (Article 23(2)(a) GDPR)
  2. The category of personal data (Article 23(2)(b) GDPR)
  3. The scope of the intended restrictions (Article 23(2)(c) GDPR)
  4. How to protect against abuse, illegal access or transfer of data (Article 23(2)(d) GDPR)
  5. The specification of the controllers (Article 23(2)(e) GDPR)
  6. For how long personal data can be stored and how to protect them (Article 23(2)(f) GDPR)
  7. The risks associated to the individual rights and freedoms (Article 23(2)(g) GDPR)
  8. The right for individuals to be informed unless this can compromise the purpose of the restriction (Article 23(2)(h) GDPR)

Recitals applicable to Article 23 of GDPR

Relevant Recitals: 73

GDPR Regulation article-by-article overview

Read our comprehensive overview of the GDPR Regulation, article by article, where we summarize each of the 99 articles contained in GDPR to give you a complete understanding of its content.

Cited Legislation in Article 23 or relevant recitals

None

GDPR Text: Article 23 of GDPR and Relevant Recitals

GDPR Text Source: EUR-Lex

Official GDPR Text: General Data Protection Regulation 

Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJL 127, 23.5.2018, p. 2 ((EU) 2016/679)

Editorial Staff
Hello Nation! I'm a lawyer by trade and an entrepreneur by spirit. I specialize in law, business, marketing, and technology (and love it!). I'm an expert SEO and content marketer where I deeply enjoy writing content in highly competitive fields. On this blog, I share my experiences, knowledge, and provide you with golden nuggets of useful information. Enjoy!

Most Popular

Squeeze Out In Business (Explained: All You Need To Know)

Squeeze Out In Business (Explained: All You Need To Know)

Financial Restructuring (Explained: All You Need To Know)

Financial Restructuring (Explained: All You Need To Know)

Troubled Debt Restructuring (Explained: All You Need To Know)

Troubled Debt Restructuring (Explained: All You Need To Know)

Organizational Restructuring (All You Need To Know)

Organizational Restructuring (All You Need To Know)

What Is The Hospitality Industry (Explained: All You Need To Know)

What Is The Hospitality Industry (Explained: All You Need To Know)

Editor's Picks

Corp to Corp vs W2 (Meaning And Differences: All You Need To Know)

Corp to Corp vs W2 (Meaning And Differences: All You Need To Know)

Equity Multiplier (Overview: Definition, Formula, Ratio, Analysis)

Equity Multiplier (Overview: Definition, Formula, Ratio, Analysis)

Qualified Investor (Definition: All You Need To Know)

Qualified Investor (Definition: All You Need To Know)

What Is Crown Jewel Defense (Explained: All You Need To Know)

What Is Crown Jewel Defense (Explained: All You Need To Know)

How To Start A Business In Indiana [Step-By-Step Ultimate Guide]

How To Start A Business In Indiana [Step-By-Step Ultimate Guide]