Data Subject Rights
Certain rights are afforded to data subjects, in particular under Articles 12–22 GDPR, including:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability; and
- the right to object.
These rights are not absolute but rather may be lawfully restricted by way of a specific legislative provision introduced by the EU or individual Member States in accordance with Article 23 GDPR.
Where a legislative provision seeks to restrict the rights of data subjects, it must meet all of the requirements of Article 23 GDPR, otherwise it may not be lawfully relied upon. It must constitute a proportionate measure, which is necessary to safeguard an interest of public importance such as public security, defence, criminal investigations, the protection of data subjects or the rights and freedoms of others. The relevant law must also clearly state the link between the proposed restriction and the objective pursued.
Member State laws commonly provide that a data subject’s right of access may be lawfully restricted if the release of their data would constitute a breach of another person’s rights, such as their right to privacy.
Rights can be “restricted but not denied”
A data controller must demonstrate that any restriction it applies to a data subject’s right is: (a) grounded in a clear legislative provision and (b) necessary and proportionate in the circumstances. For example, the EDPB has considered that it may be necessary to restrict a data subject’s right of access in the context of an inquiry, disciplinary proceedings or workplace investigation. Such restrictions should only be applied to the degree necessary to ensure the integrity of the investigation or to protect the rights of a witness or “whistleblower” at a particular point in time. The EDPB also makes clear that any such interference with a data subject’s fundamental rights must respect the essence of the right it seeks to restrict. In addition, it must not operate to undo the effect of that right and essentially render it void.
In addition to the necessity and proportionality criteria above, the EDPB advice indicates that these criteria must continue to be met for the whole duration of the restriction. The duration of any restriction is, therefore, central to its lawfulness. Referencing case law of the CJEU, the EDPB again relies on the example of an ongoing investigation to illustrate that a restriction will not be lawful if it is applied for longer than is necessary. Once it is no longer possible for the release of information to compromise an ongoing investigation, for example, any restriction applied on those grounds should be lifted.
Right to be Informed
The EDPB acknowledges that when applying a restriction, such as in the context of an ongoing criminal inquiry or workplace investigation, notifying the data subject may serve to undo the effect of the restriction. For example, notifying an individual that their rights have been restricted because of an ongoing investigation may have the effect of notifying them of the investigation – exactly the opposite of the intention of the restriction. In “extraordinary circumstances”, therefore, the data controller may undertake an assessment to determine whether notifying the data subject of the restriction would be “prejudicial to the purpose of the restriction”.
Recommendations for Data Controllers
Given the guidance from the EDPB described above, data controllers exploring how data subject rights may be subject to limitations in specific circumstances should take account of the following:
- When relying on a legislative measure permitting the restriction of data subject rights, it must be applied in a manner that is proportionate and only to the extent and for the time necessary to achieve a stated objective.
- In accordance with the principle of accountability, a data controller should document that it has applied a restriction, the legislative basis for same and the outcome of any test relating to its necessity and proportionality. Once it is deemed that the restriction is no longer necessary, the lifting of the restriction should also be documented.
- The DPO should be advised of, and provided with documentation relating to, the factual and legal context in which the restriction is being applied by the data controller. Such DPO involvement should also be documented.
- Once the circumstances necessitating the restriction no longer apply, the data controller must lift the restriction. This may require the repeated application of the necessity and proportionality test by the data controller in order to incrementally remove the restriction – perhaps first informing the data subject of the restriction being applied to their right of access before then completely removing the restriction.
The application of a restriction when it is not necessary or proportionate, including a failure to lift a restriction when it is no longer necessary, may result in a complaint against the data controller to the Supervisory Authority.
The EDPB guidance highlights the complexity of responding to data subject rights requests, particularly where it is necessary to restrict those rights. The Trilateral Research Data Protection and Cyber Risk Team can help your organisation respond to such requests from data subjects, including the lawful application of restrictions. Please feel free to contact our advisors, who will be more than happy to help your organisation meet its compliance obligations.