The GDPR itself contains hardly any exceptions to the data subject rights, such as the right to information, the right of access or the right to be notified of a personal data breach, apart from Art. 12 para. 5 GDPR (manifestly unfounded or excessive requests). However, Member States may provide for restrictions based on Art. 23 GDPR, provided that their law meets the requirements of Art. 23. Germany, for example, has made use of this in §§ 32 ff. BDSG and provided for an exception to the information obligations and the right of access for private controllers, for instance where fulfilling these obligations would impair the establishment, exercise or defence of legal claims and the controller's interests outweigh those of the data subject.
The European Data Protection Board (EDPB) has now published draft guidelines on Art. 23 GDPR (Guidelines 10/2020 on restrictions under Article 23 GDPR, version 1.0, adopted December 15, 2020). Comments will be accepted until February 12, 2021. The guidelines primarily address the requirements that Art. 23 GDPR imposes on the corresponding Member State legislation.
The following points made by the EDPB are of practical importance:
Controllers must document it when they invoke a restriction (accountability principle, Art. 5(2) GDPR):
In light of the accountability principle (Article 5(2) GDPR), the controller should document the application of restrictions on concrete cases by keeping a record of their application. This record should include the applicable reasons for the restrictions, which grounds among those listed in Article 23(1) GDPR apply (where the legislative measure allows for restrictions on different grounds), its timing and the outcome of the necessity and proportionality test. The records should be made available on request to the data protection supervisory authority (SA).
In case the controller has a data protection officer (DPO), the DPO should be informed without undue delay whenever data subject rights are restricted in accordance with the legislative measure. The DPO should be given access to the associated records and any documents concerning the factual or legal context in which the restriction takes place. The involvement of the DPO in the application of restrictions should also be documented.
In addition, controllers must subsequently fulfil the data subject rights once the ground for the restriction no longer applies:
During the application of a restriction, data subjects may be allowed to exercise certain rights, if not all their rights need to be restricted. In order to assess when the restriction can be partially or integrally lifted, a necessity and proportionality test may be performed several times during the application of a restriction.
When the restriction is lifted – which should be documented in the record mentioned in point 5 -, data subjects can exercise all their rights.
If the controller does not allow data subjects to exercise their rights after the restriction has been lifted, the data subject can submit a complaint to the SA against the controller, in accordance with Article 57(1)(f) GDPR.