EDSA: Gui­de­lines for rest­ric­tions within the mea­ning of Art. 23 GDPR

The Euro­pean Data Pro­tec­tion Board EDSA has published the final ver­si­on of the Gui­de­lines on Rest­ric­tions under Art. 23 GDPR (Gui­de­lines 10/2020 on rest­ric­tions under Artic­le 23 GDPR, Ver­si­on 2.0, Adopted on 13 Octo­ber 2021).

Accor­ding to Art. 23 GDPR Mem­ber Sta­tes of the EEA may pro­vi­de in natio­nal law for “rest­ric­tions” to the obli­ga­ti­on to pro­vi­de infor­ma­ti­on under Art. 12 et seq. and the rights of access, rec­ti­fi­ca­ti­on, era­su­re and rest­ric­tion of pro­ce­s­sing, to object to pro­ce­s­sing and to escala­ti­on in the case of auto­ma­ted indi­vi­du­al decis­i­ons and the obli­ga­ti­on to noti­fy other reci­pi­en­ts of rec­ti­fi­ca­ti­ons, era­su­res and rest­ric­tion of pro­ce­s­sing. Rest­ric­tions must, howe­ver, ser­ve the objec­ti­ves of Art. 23 lit. a‑j and com­ply with the requi­re­ments of Art. 23(1) and (2) GDPR.

A lar­ge part of the gui­de­lines is addres­sed to the legis­la­tors of the Mem­ber Sta­tes. The­se gui­de­lines can ser­ve as a means of inter­pre­ting natio­nal law in the sen­se of an inter­pre­ta­ti­on in con­for­mi­ty with Euro­pean law. In addi­ti­on, howe­ver, the­re are also state­ments that rela­te more direct­ly to the appli­ca­ti­on of the law:

• The EDSA empha­si­zes the excep­tio­nal natu­re of rest­ric­tions, which, accor­ding to To be inter­pre­ted nar­row­ly are.
• Joint­ly respon­si­ble should also reflect any appli­ca­ble rest­ric­tions in their agreement.
• Respon­si­ble par­ties should explain the rea­sons for a rest­ric­tion in a spe­ci­fic case as “good prac­ti­ce”. docu­ment (if appli­ca­ble, also the appli­ca­ti­on cri­te­ria and the dura­ti­on of the restriction).
• Pro­vi­ded that a DPO is appoin­ted, he shall be infor­med of any rest­ric­tion, and this shall also be documented.
• If the rea­son for a rest­ric­tion cea­ses to exist, the affec­ted person’s right to made up for be