Article 23
Restrictions

Official
Texts
Guidelines
& Caselaw
Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 23 keyboard_arrow_down Hide the recitals of the Regulation related to article 23 keyboard_arrow_up

(8) Where this Regulation provides for specifications or restrictions of its rules by Member State law, Member States may, as far as necessary for coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of this Regulation into their national law.

(73) Restrictions concerning specific principles and the rights of information, access to and rectification or erasure of personal data, the right to data portability, the right to object, decisions based on profiling, as well as the communication of a personal data breach to a data subject and certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or manmade disasters, the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, or of breaches of ethics for regulated professions, other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the keeping of public registers kept for reasons of general public interest, further processing of archived personal data to provide specific information related to the political behaviour under former totalitarian state regimes or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes. Those restrictions should be in accordance with the requirements set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.

Show the recitals of the Directive related to article 23 keyboard_arrow_down Hide the recitals of the Directive related to article 23 keyboard_arrow_up

(43) Whereas restrictions on the rights of access and information and on certain obligations of the controller may similarly be imposed by Member States in so far as they are necessary to safeguard, for example, national security, defence, public safety, or important economic or financial interests of a Member State or the Union, as well as criminal investigations and prosecutions and action in respect of breaches of ethics in the regulated professions; whereas the list of exceptions and limitations should include the tasks of monitoring, inspection or regulation necessary in the three last-mentioned areas concerning public security, economic or financial interests and crime prevention; whereas the listing of tasks in these three areas does not affect the legitimacy of exceptions or restrictions for reasons of State security or defence;

(44) Whereas Member States may also be led, by virtue of the provisions of Community law, to derogate from the provisions of this Directive concerning the right of access, the obligation to inform individuals, and the quality of data, in order to secure certain of the purposes referred to above;

The GDPR

Article 23 of the Regulation being directly inspired by Article 13 of the Directive states that the Member States may maintain or introduce statutory restrictions to the data subject rights under Articles 12 to 22 and Article 34 relating to the notification to the data subject about a breach of personal data and the principles set out in Article 5, provided that those restrictions comply with the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard certain interests that are listed exhaustively.

Compared to the Directive, there is an extension of these interests including protection against threats to public safety and the prevention of these, important objectives of public interests of the Union or a Member State including an economic or financial interest of the Union or of a Member State, including monetary, budgetary and fiscal areas, public health and social security, or even the protection of the independence of justice and of judicial proceedings or to enable the execution of applications of civil law.

Article 23 in fine provides however that the legislative restrictions introduced by the Member States should contain many specific provisions relating to purposes, categories of processing and personal data, the extent of the introduced restrictions, or also to the risks to the rights and freedoms of individuals and the right of the data subject to be informed about such restrictions.

The Directive

Under the Directive (Art. 13), the Member States were already allowed to limit the scope of the rights and obligations provided for in Article 6 on the quality of the data; in Articles 10 and 11 relating to the information to be provided to the data subject; Article 12 on the right to object and article 21 on the publicizing of processing. 

However such limitations are measures necessary for the implementation of exhaustively listed interests, for example, for ensuring the national security, defence, public security or prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics in the case of the regulated professions.

Potential issues

The possibilities of restrictions being extended, the room for maneuvering of the states increases, resulting in a risk of divergence of the protection systems, at the expense of the goal of harmonization of the new regulations. It is true that in return, the states will have to adapt them by more guarantees for the people, which can then be controlled by the Court of Justice.

CJEU caselaw

C-473/12 (7 november 2013)

Article 13(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that Member States have no obligation, but have the option, to transpose into their national law one or more of the exceptions which it lays down to the obligation to inform data subjects of the processing of their personal data.

The activity of a private detective acting for a professional body in order to investigate breaches of ethics of a regulated profession, in this case that of estate agent, is covered by the exception in Article 13(1)(d) of Directive 95/46.

Judgment of the Court

C-201/14 (1 october 2015)

Articles 10, 11 and 13 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, must be interpreted as precluding national measures, such as those at issue in the main proceedings, which allow a public administrative body of a Member State to transfer personal data to another public administrative body and their subsequent processing, without the data subjects having been informed of that transfer or processing.

Opinion of Advocate general

Judgment of the Court

Regulation
1e 2e

Art. 23

1.   Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

(a) national security;

(b) defence;

(c) public security;

(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security;

(f) the protection of judicial independence and judicial proceedings;

(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

(h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);

(i) the protection of the data subject or the rights and freedoms of others;

(j) the enforcement of civil law claims.

2.   In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

(a) the purposes of the processing or categories of processing;

(b) the categories of personal data;

(c) the scope of the restrictions introduced;

(d) the safeguards to prevent abuse or unlawful access or transfer;

(e) the specification of the controller or categories of controllers;

(f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;

(g) the risks to the rights and freedoms of data subjects; and

(h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction

1st proposal close

Art. 21

1.           Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in points (a) to (e) of Article 5 and Articles 11 to 20 and Article 32, when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard:

(a)     public security;

(b)     the prevention, investigation, detection and prosecution of criminal offences;

(c)     other public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters and the protection of market stability and integrity;

(d)     the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

(e)     a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (a), (b), (c) and (d);

(f)      the protection of the data subject or the rights and freedoms of others.

2nd proposal close

Art. 21

1.  Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in (...) Articles 12 to 20 and Article 32,  as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 20, when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard:

(aa) national security;

(ab) defence;

(a) public security;

(b) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties or the safeguarding against and the prevention of threats to public security;

(c) other important objectives of general public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including, monetary, budgetary and taxation matters, public health and social security,the protection of market stability and integrity;

(ca) the protection of judicial independence and judicial proceedings ;

(d) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

(e) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (aa), (ab), (a), (b), (c) and (d);

(f) the protection of the data subject or the rights and freedoms of others;

(g) the enforcement of civil law claims

2. Any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to the purposes of the processing or categories of processing, the categories of personal data, the scope of the restrictions introduced, the specification of the controller or categories of controllers, the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing and the risks for the rights and freedoms of data subjects

.

 

Directive close

Art. 13

1. Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Articles 6 (1), 10, 11 (1), 12 and 21 when such a restriction constitutes a necessary measures to safeguard:

(a) national security;

(b) defence;

(c) public security;

(d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions;

(e) an important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters;

(f) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (c), (d) and (e);

(g) the protection of the data subject or of the rights and freedoms of others.

2. Subject to adequate legal safeguards, in particular that the data are not used for taking measures or decisions regarding any particular individual, Member States may, where there is clearly no risk of breaching the privacy of the data subject, restrict by a legislative measure the rights provided for in Article 12 when data are processed solely for purposes of scientific research or are kept in personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics.

Providing addresses to inform and interview data subjects

§ 8 DSG

(1) Unless otherwise expressly provided for by law, providing address data of a certain group of data subjects in order to inform or interview them shall require the consent of the data subjects.

(2) If, however, an infringement of the data subject’s interests in confidentiality is unlikely, considering the selection criteria for the group of data subjects and the subject of the information or interview, no consent shall be required

  1. if data from the same controller are processed, or
  2. in the case of an intended transfer of address data to third parties, if (a) there is also a public interest in the information or interview, or (b) none of the data subjects, after having received appropriate information on the reason and content of the transfer, has objected to the transfer within a reasonable period.

(3) If the requirements of para. 2 are not met and if obtaining the consent of the data subjects pursuant to para. 1 would require a disproportionate effort, the transfer of the address data shall be permissible with a permit of the Data Protection Authority pursuant to para. 4 if the data are to be transferred to third parties

  1. for the purpose of information or an interview due to an important interest of the data subject,
  2. due to an important public interest in the information or interview, or
  3. for an interview of the data subjects for scientific or statistical purposes.

(4) At the request of a controller processing address data, the Data Protection Authority shall grant the permit for their transfer if the controller has satisfactorily demonstrated that the requirements stipulated in para. 3 have been met and no overriding interests in confidentiality which deserve protection on the part of the data subjects represent an obstacle to the transfer. The Data Protection Authority shall issue the permit subject to terms and conditions, insofar as this is necessary to safeguard interests of the data subjects which deserve protection.

(5) The transferred address data shall only be processed for the permitted purpose and shall be erased as soon as they are no longer needed for information or interviews.

(6) If it is lawful pursuant to the aforementioned provisions to transfer the names and addresses of persons belonging to a certain group of data subjects, the processing required for selecting the address data to be transferred shall also be permitted.


Processing of personal data in case of emergency

§ 10 DSG

(1) In case of emergency, public-sector controllers and relief organisations shall be authorised to jointly process data to the extent that this is necessary to assist persons directly affected by a disaster, to locate and identify missing or deceased persons and to provide information to their relatives.

(2) Anybody who lawfully possesses personal data shall be permitted to transfer these data to public-sector controllers and relief organisations if these controllers and organisations need this personal data to manage a disaster for the purposes specified in para. 1.

(3) The transfer abroad of personal data is permitted insofar as this is absolutely necessary to fulfil the purposes mentioned in para. 1. Data that by themselves would make the data subject liable to criminal prosecution shall not be transferred unless they are absolutely necessary for identification in a particular case. The Data Protection Authority shall be informed immediately about the data transfers performed and about the circumstances of the motivating incident. The Data Protection Authority shall prohibit further data transfers if the interference with the fundamental right to data protection resulting from the data transfer is not justified by the special circumstances caused by a disaster.

(4) Based on a specific inquiry of a close relative of a person who has actually or presumably been directly affected by a disaster, controllers are authorised to transfer to the inquiring person personal data regarding the whereabouts of the data subject and on the progress of the search, if the relative satisfactorily demonstrates his or her identity and close relationship to the data subject.

Special categories of personal data (Article 9 of the General Data Protection Regulation) may be transferred to close relatives only if they prove their identity and their capacity as a relative and if the transfer is necessary to safeguard their rights or the rights of the data subject. The social insurance agencies and authorities are obliged to assist the public-sector controllers and relief organisations if this is necessary to verify the information provided by the inquiring person.

(5) Close relatives pursuant to this provision means parents, children, spouses, registered partners and companions in life of the data subjects. Other relatives may receive the aforementioned information under the same conditions as close relatives if they satisfactorily demonstrate a special close relationship to the person actually or presumably directly affected by a disaster.

(6) The personal data processed for the purposes of managing a disaster shall be deleted immediately if they are no longer required to fulfil the specific purpose.

 

Old law close

All of the following in force until May 25, 2018:


§ 26 DSG 2000

[...]

(2) The information shall not be given insofar as this is essential for the protection of the person requesting information for special reasons or insofar as overriding legitimate interests pursued by the controller or by a third party, especially overriding public interests, are an obstacle to furnishing the information. Overriding public interests can arise out of the necessity

1. to protect of the constitutional institutions of the Republic of Austria or

2. to safeguard of the operational readiness of the federal army or

3. to safeguard the interests of comprehensive national defence or

4. to protect important foreign policy, economic or financial interests of the Republic of Austria or the European Union or

5. to prevent and prosecute crimes.

The right to refuse information for the reasons stated in sub-paras. 1 to 5 is subject to control by the Data Protection Authority pursuant to § 30 para. 3 and the special complaint proceeding before the Data Protection Authority pursuant to § 31 para. 4.

[...]

(5) In the areas of the executive responsible for the fields described in para. 2 sub-para. 1 to 5, the procedure in a case where public interests require that no information be given shall be as follows:

In all cases where no information is given even when in fact no data on the person requesting information is used instead of giving a reason in substance, an indication shall be given that no data are being used which are subject to the right to information. The legality of such course of action is subject to review by the Data Protection Authority pursuant to § 30 para. 3 and the special complaint proceeding before the Data Protection Authority pursuant to § 31 para. 4.

[...]


§ 27 DSG 2000

[...]

(5) In the areas of the executive responsible for the fields described in § 26 para. 2 sub paras. 1 to 5, the following procedure shall be applied to applications for rectification or erasure, insofar as this is required to safeguard those public interests that require secrecy: The rectification or erasure shall be carried out if the demands of the data subject are justified in the opinion of the controller. The required information pursuant to para. 4 shall in all cases be that a check of the data files of the controller with regard to the application for rectification or erasure has been performed. The legality of this course of action is subject to review by the Data Protection Authority according to § 30 para. 3 and the special complaint proceeding before the Data Protection Authority pursuant to § 31 para. 4.

[...]


Right to Object

§ 28 DSG 2000

[...]

(3) § 27 para 4 to 6 shall also be applied in the cases of paras 1 and 2.

 

close