The European Data Protection Board (EDPB) adopted Guidelines 10/2020 on restrictions under Article 23 of the EU General Data Protection Regulation. Article 23 permits the EU Member States to impose restrictions on data subject rights, as long as they maintain the essence of the fundamental rights and freedoms of individuals and are necessary and proportionate.
According to the guidelines, the restrictions must be set out in a clear and precise legislative measure, which should also adequately indicate the circumstances and conditions in which the restrictions will apply. In addition, the guidelines require that the restrictions pass both a necessity test and a proportionality test. The necessity test checks whether the objective to be safeguarded by the restriction is identified in sufficient detail. The proportionality test checks whether the restriction is an appropriate means of achieving legitimate objectives. The guidelines further state that the restrictions do not necessarily have to be limited to a specific timeframe (e.g., where the restriction is intended to protect judicial proceedings).
The guidelines set out a list of additional actions that organizations should undertake when relying on restrictions, such as documenting how the restrictions were applied, including the applicability of the necessity and proportionality test.
CLICK HERE to read Guidelines 10/2020 on Restrictions Under Article 23 GDPR.