The European Data Protection Board EDSA has published the final version of the Guidelines on Restrictions under Art. 23 GDPR (Guidelines 10/2020 on restrictions under Article 23 GDPR, Version 2.0, Adopted on 13 October 2021).
According to Art. 23 GDPR Member States of the EEA may provide in national law for “restrictions” to the obligation to provide information under Art. 12 et seq. and the rights of access, rectification, erasure and restriction of processing, to object to processing and to escalation in the case of automated individual decisions and the obligation to notify other recipients of rectifications, erasures and restriction of processing. Restrictions must, however, serve the objectives of Art. 23 lit. a‑j and comply with the requirements of Art. 23(1) and (2) GDPR.
A large part of the guidelines is addressed to the legislators of the Member States. These guidelines can serve as a means of interpreting national law in the sense of an interpretation in conformity with European law. In addition, however, there are also statements that relate more directly to the application of the law:
- The EDSA emphasizes the exceptional nature of restrictions, which, according to To be interpreted narrowly are.
- Jointly responsible should also reflect any applicable restrictions in their agreement.
- Responsible parties should explain the reasons for a restriction in a specific case as “good practice”. document (if applicable, also the application criteria and the duration of the restriction).
- Provided that a DPO is appointed, he shall be informed of any restriction, and this shall also be documented.
- If the reason for a restriction ceases to exist, the affected person’s right to made up for be