GDPR Compliance Guide

Article 23: Restrictions

  1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

    (a) national security;

    (b) defence;

    (c) public security;

    (d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

    (e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;

    (f) the protection of judicial independence and judicial proceedings;

    (g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

    (h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);

    (i) the protection of the data subject or the rights and freedoms of others;

    (j) the enforcement of civil law claims.

  2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

    (a) the purposes of the processing or categories of processing;

    (b) the categories of personal data;

    (c) the scope of the restrictions introduced;

    (d) the safeguards to prevent abuse or unlawful access or transfer;

    (e) the specification of the controller or categories of controllers;

    (f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;

    (g) the risks to the rights and freedoms of data subjects; and

    (h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

Relevant Recitals: 73
