Article 23 of the GDPR: Limitations on the rights of data subjects
Article 23 of the GDPR allows Member States or the European Union to restrict certain rights of data subjects when these limitations are justified by clearly defined objectives of general interest.
Article 23 of the GDPR explained
The rights provided for in Articles 12 to 22 (and Article 34) may be subject to limitations by law, provided that these restrictions:
- Respect the essence of fundamental rights and freedoms;
- Constitute a necessary and proportionate measure in a democratic society.
Among the legitimate objectives that may justify these limitations:
- National security, defense, public safety;
- Prevention, investigation, detection or prosecution of criminal offenses;
- Other important objectives of general public interest (economy, public health, etc.).
Why is this article important for your GDPR compliance?
This article introduces flexibility that is essential for reconciling data protection with imperatives of general interest. It justifies certain cases where a data controller can temporarily limit people's rights if a law authorizes it.
How to comply with Article 23 of the GDPR?
- Identify whether your activity or processing operations benefit from a legal exemption provided for by national or European law.
- Have legal documentation available that justifies the restriction applied.
- Inform data subjects transparently when their rights are restricted (unless specifically prohibited).
- Keep track of decisions made on this basis.
Examples of application of Article 23 of the GDPR
- A judicial authority restricts an individual's right of access in the context of a criminal investigation.
- An emergency health measure temporarily limits the right to object to certain processing of medical data.
- A public operator restricts the erasure of data to comply with a legal obligation linked to national security.