COMMUNICATION RESTRICTIONS

COMMUNICATION RESTRICTIONS IN THE VIEW OF THE EDPB

by Mugurel Olariu, RPD protectie date

At its meeting of 13 October 2021, the EDPB adopted Guidelines 10/2020 on restrictions under Article 23 GDPR, version 2.0, after public consultation[1]. Version 1.0 of Guidelines 10/2020 was adopted on 15 Dec. 2020 for public consultation. NAS reported the adoption of the Guidelines on its website on 21.10.2021.

Guidelines 10/2020 are structured in nine chapters, as follows: Introduction, Meaning of restrictions, Requirements of Article 23(1) and, respectively, Article 23(2) GDPR, Consultation with the SA, Non-compliance with the requirements, Specific elements for controllers and processors, Conclusions, and an Annex with the Checklist.

The protection of individuals with regard to the processing of personal data is a fundamental right. Article 16 (2) of the Treaty on the Functioning of the European Union mandates the European Commission, the Parliament and the Council to lay down rules on the protection of personal data and the rules on the free movement of personal data. The GDPR protects the rights and freedoms of individuals and in particular their right to data protection.

Article 23 GDPR should be read and interpreted in this context. This provision is entitled “Restrictions”. It provides that, under Union or Member State law, the application of certain provisions of the Regulation, concerning the rights of data subjects and the obligations of controllers, may be restricted in the situations listed therein. Restrictions should be seen as exceptions to the general rule that allows the exercise of rights and imposes the obligations enshrined in the GDPR[2]. As such, the restrictions should be interpreted narrowly, applied only in the specific circumstances provided for and only when certain conditions are met.

The term restrictions is not defined in the GDPR. Article 23 and recital 73 of the GDPR list only the conditions under which restrictions may be applied.

Thus, the Guidelines define the term restrictions[3] as any limitation of the scope of the obligations and rights set out in Articles 12 to 22 and 34 of the GDPR, as well as the corresponding provisions of Article 5, in accordance with Article 23 of the GDPR. A restriction on an individual right must protect important objectives, for example the protection of the rights and freedoms of others or important objectives of general interest of the Union or a Member State, which are listed in Article 23 (1) of the GDPR. Therefore, restrictions on the rights of data subjects can only arise when the listed interests are at stake[4] and these restrictions are aimed at protecting such interests.

In practice, the restriction of the scope of the obligations and rights set out in Articles 12 to 22 and Article 34 of the GDPR may take different forms, but may never reach the point of a general suspension of all rights. Legislative measures imposing restrictions under Article 23 of the GDPR may also provide that the exercise of a right is delayed in time, that a right is exercised in part or limited to certain categories of data, or that a right may be exercised indirectly through an independent supervisory authority.

Thus, the cases of restriction of the rights of the data subject mentioned in Article 23 (1) of the GDPR are applicable when such a restriction respects the essence of fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society. The possibility of adopting restrictions is conditional on safeguarding one of the ten exhaustively listed categories of interest, which relate to:
a) national security;
b) defense;
c) public security;
d) the prevention, investigation, detection or prosecution of criminal offenses or the enforcement of criminal sanctions, including protection against and prevention of threats to public security;
e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or a Member State, including in the monetary, budgetary and fiscal fields and in the field of public health and social security;
f) protection of judicial independence and judicial proceedings;
g) prevention, investigation, detection and criminal prosecution of ethics violations in the case of regulated professions;
h) the function of monitoring, inspection or regulation related, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
i) protection of the data subject or of the rights and freedoms of others;
j) enforcement of civil law claims.

Another series of limitations refers to the specific minimum content of the legislative measure limiting the rights of the data subject, mentioned in Article 23 (2) of the GDPR, namely:
a) the purposes of the processing or of the processing categories;
b) the categories of personal data;
c) the scope of the restrictions introduced;
d) safeguards to prevent abuse or illegal access or transfer;
e) the specification of the controller or the categories of controllers;
f) the storage periods and the applicable safeguards, taking into account the nature, scope and purposes of the processing or categories of processing;
g) the risks for the rights and freedoms of the data subjects; and
h) the right of the data subjects to be informed about the restriction, unless this may prejudice the purpose of the restriction.

The specific elements for controllers and processors refer to the Accountability principle, to Exercise of data subject’s rights after the lifting of the restriction and to Non-observation of a legislative measure imposing such restrictions by a controller. In essence, they aim to:
– Accountability principle:
In the light of the principle of accountability (Article 5 (2) GDPR), and although it is not part of the records required under Article 30 GDPR, it is good practice for the controller to document the application of restrictions in specific cases by keeping records of their application. This record should include the reasons applicable to the restrictions, which of the reasons listed in Article 23 (1) of the GDPR applies (if the legislative measure allows restrictions for different reasons), its timing and the result of the necessity and proportionality test. The records should be available upon request to the data protection supervisory authority.

– Exercise of data subject’s rights after the lifting of the restriction:
The controller should lift the restrictions as soon as the circumstances justifying them no longer apply. The data subjects must be informed of the application of the restriction. If the data subjects were not informed before the restriction was applied, they must be informed at the latest when the restriction is lifted. During the application of a restriction, data subjects may be allowed to exercise all their rights. In order to assess when the restriction may be partially or fully lifted, the necessity and proportionality test may be carried out several times during the application of a restriction.

– Non-observation of a legislative measure imposing such restrictions by a controller:
If legislative measures imposing restrictions on compliance with the GDPR pursuant to Article 23 of the GDPR are infringed by a controller, the SA may exercise its advisory, investigative and corrective powers against it, as in any other case of non-compliance with GDPR rules.

————————————————————
[1] https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-102020-restrictions-under-article-23-gdpr_en
[2] These situations do not include scenarios in which Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, applies.
[3] Recital 8 of EDPB Guidelines 10/2020, version 2.0.
[4] These interests are exhaustively listed in Article 23 (1) GDPR.
