Ch 9.12 - Restrictions

Restrictions of data subject rights

Despite the GDPR's prescriptive nature, Union or member-state law may restrict the scope of the obligations and rights in Articles 12 to 22 (and the Article 5 principles where they correspond). Such restrictions must respect fundamental rights and freedoms and be necessary to safeguard interests such as national security, defence or public security. How far member states use these caveats remains to be seen.

Union or member-state law may restrict the scope of the obligations and rights in Articles 12 to 22, and may also touch the Article 5 principles insofar as they correspond to those rights. Restrictions must respect fundamental rights and be necessary to safeguard interests like national security, defence or public security.

Limits on the limits

Restrictions are not a blank cheque - they must respect data subjects' fundamental rights and freedoms and be necessary and proportionate to the stated interest.

Key terms - quick answers

What is “Restrictions (Article 23)”?

National or Union law may limit the scope of rights in Articles 12–22 (and corresponding Article 5 principles) for specified, necessary purposes.

What is “National security / defence / public security”?

Example grounds on which member states may legislate to restrict data subject rights.

← Right not to be subject to solely automated decision-making Background - why security is an A-list principle →