EU GDPR – Article 23 (Restrictions on Data Subject Rights)

Abstract

EU GDPR Article 23 allows the European Union or its Member States to restrict certain data subject rights under specific and justified circumstances. While the GDPR is designed to strengthen transparency and individual control over personal data, Article 23 acknowledges that these rights are not absolute. Through legislative measures, governments may limit rights contained in Articles 12 to 22 when necessary to protect public interests such as national security, crime prevention, public safety, or judicial independence. This article explores Article 23 in detail, explaining its purpose, scope, legal conditions, and real-world applications, while emphasizing the importance of proportionality, accountability, and safeguards.

Explanation

Article 23 of the GDPR provides a legal exception framework that permits restrictions on data subject rights when required by Union or Member State law. These restrictions can apply to rights such as access, rectification, erasure, restriction of processing, data portability, and objection.

However, such limitations are not arbitrary. They must be introduced through legislative measures, meaning formal laws, not internal policies or ad-hoc decisions. The core principle behind Article 23 is balancing individual privacy rights with broader societal interests.

For example, unrestricted access rights could compromise criminal investigations, national security operations, or public health responses. In such cases, Article 23 allows lawmakers to temporarily or partially limit individual rights to ensure effective governance, law enforcement, and public protection.

Importantly, even when restrictions apply, the essence of fundamental rights and freedoms must be respected. The restriction must be necessary, proportionate, and clearly defined by law.

Key Points

  1. Article 23 applies to Articles 12–22 (data subject rights).
  2. Restrictions must be established through Union or Member State legislation.
  3. The purpose of the restriction must serve a legitimate public interest.
  4. Limitations must be necessary and proportionate.
  5. The essence of fundamental rights cannot be undermined.
  6. Safeguards must be in place to prevent misuse or abuse.
  7. Restrictions are often context-specific and time-bound.

General Activation Steps

To lawfully activate restrictions under Article 23, several structured steps must be followed:

  1. Legislative Basis: A formal law must explicitly define the restriction. Organizations cannot independently decide to limit rights without legal authorization.
  2. Purpose Identification: The law must clearly state the objective, such as national security, crime prevention, public health, or protection of judicial proceedings.
  3. Necessity Assessment: Legislators must assess whether restricting data subject rights is genuinely required to achieve the stated purpose.
  4. Proportionality Check: The restriction must be the least intrusive option available and should not exceed what is strictly necessary.
  5. Safeguard Definition: Laws must include safeguards, such as oversight mechanisms, access controls, retention limits, and remedies for misuse.
  6. Transparency Where Possible: Even under restriction, data subjects should be informed where doing so does not compromise the objective.

Use Cases

Article 23 is commonly applied in the following scenarios:

  1. Law Enforcement and Criminal Investigations: Authorities may restrict access or erasure rights to avoid compromising active investigations or evidence integrity.
  2. National Security and Defense: Intelligence agencies may limit disclosure of personal data processing to protect classified operations.
  3. Public Health Emergencies: During pandemics or health crises, governments may temporarily restrict certain rights to enable contact tracing or disease control.
  4. Judicial Independence: Courts and prosecutors may restrict rights to ensure fair trials and protect judicial proceedings.
  5. Financial Regulation and Tax Enforcement: Tax authorities may limit access or objection rights to prevent fraud, evasion, or obstruction of audits.

These use cases demonstrate that Article 23 is not about reducing privacy but about ensuring operational effectiveness in critical areas.

Dependencies

Article 23 does not operate in isolation. Its application depends on and interacts with several GDPR principles and provisions:

  1. Article 5 (Principles of Processing): Even under restriction, data must be processed lawfully, fairly, and securely.
  2. Article 6 (Lawfulness of Processing): A valid legal basis must still exist for processing personal data.
  3. Article 32 (Security of Processing): Appropriate technical and organizational security measures remain mandatory.
  4. Article 52 of the EU Charter of Fundamental Rights: Any limitation on rights must respect necessity and proportionality standards.

Additionally, national constitutional laws and human rights frameworks influence how Article 23 is implemented at the Member State level.

Tools and Technologies

Organizations operating under Article 23 restrictions rely on specific tools and technologies to ensure compliance and accountability:

  1. Access Control Systems: Limit who can view, modify, or disclose restricted personal data.
  2. Audit Logs and Monitoring Tools: Track access and usage of personal data to detect misuse.
  3. Legal Compliance Management Software: Document legislative justifications, risk assessments, and safeguards.
  4. Data Classification Tools: Identify sensitive datasets subject to legal restrictions.
  5. Encryption and Secure Storage Solutions: Protect restricted data from unauthorized access or breaches.

These tools help organizations enforce restrictions responsibly while maintaining GDPR alignment.

Let’s Wrap

EU GDPR Article 23 highlights a crucial reality: data protection rights are fundamental but not absolute. By allowing carefully regulated restrictions through law, the GDPR ensures that privacy rights coexist with public safety, justice, and societal stability.

The strength of Article 23 lies in its safeguards: restrictions must be lawful, justified, proportionate, and transparent wherever possible. Organizations and authorities must treat these limitations as exceptions, not norms, and apply them with caution and accountability.

Ultimately, Article 23 reinforces the GDPR’s balanced approach: protecting individuals while enabling governments and institutions to perform essential functions responsibly in a complex, data-driven world.
