EDSA: Gui­de­li­nes for restric­tions wit­hin the mea­ning of Art. 23 GDPR

The Euro­pean Data Pro­tec­tion Board EDSA has published the final ver­si­on of the Gui­de­li­nes on Restric­tions under Art. 23 GDPR (Gui­de­li­nes 10/2020 on restric­tions under Arti­cle 23 GDPR, Ver­si­on 2.0, Adop­ted on 13 Octo­ber 2021).

Accord­ing to Art. 23 GDPR Mem­ber Sta­tes of the EEA may pro­vi­de in natio­nal law for “restric­tions” to the obli­ga­ti­on to pro­vi­de infor­ma­ti­on under Art. 12 et seq. and the rights of access, rec­ti­fi­ca­ti­on, era­su­re and restric­tion of pro­ces­sing, to object to pro­ces­sing and to esca­la­ti­on in the case of auto­ma­ted indi­vi­du­al deci­si­ons and the obli­ga­ti­on to noti­fy other reci­pi­ents of rec­ti­fi­ca­ti­ons, era­su­res and restric­tion of pro­ces­sing. Restric­tions must, howe­ver, ser­ve the objec­ti­ves of Art. 23 lit. a‑j and com­ply with the requi­re­ments of Art. 23(1) and (2) GDPR.

A lar­ge part of the gui­de­li­nes is addres­sed to the legis­la­tors of the Mem­ber Sta­tes. The­se gui­de­li­nes can ser­ve as a means of inter­pre­ting natio­nal law in the sen­se of an inter­pre­ta­ti­on in con­for­mi­ty with Euro­pean law. In addi­ti­on, howe­ver, the­re are also state­ments that rela­te more direct­ly to the app­li­ca­ti­on of the law:

  • The EDSA empha­si­zes the excep­tio­nal natu­re of restric­tions, which, accord­ing to To be inter­pre­ted nar­row­ly are.
  • Joint­ly respon­si­ble should also reflect any app­li­ca­ble restric­tions in their agreement.
  • Respon­si­ble par­ties should exp­lain the rea­sons for a restric­tion in a spe­ci­fic case as “good prac­ti­ce”. docu­ment (if app­li­ca­ble, also the app­li­ca­ti­on cri­te­ria and the dura­ti­on of the restriction).
  • Pro­vi­ded that a DPO is appoin­ted, he shall be infor­med of any restric­tion, and this shall also be documented.
  • If the rea­son for a restric­tion cea­ses to exist, the affec­ted person’s right to made up for be