How to Demonstrate Compliance With GDPR Article 23

GDPR Compliance Software

Book a demo

close,up,top,view,of,african,american,young,man,typing

GDPR Article 23 deals with the concept of data protection principles, data subject rights and controller obligations as not being set in stone.

Each of the above factors are able to be limited or amended by the governing authority (either a Member State, or the Secretary of State in UK Law).

This does, however, carry caveats. Limitations still need to adhere to the requirements set out in Article 23 GDPR.

GDPR Article 23 Legal Text

UK GDPR Version

Restrictions

  1. The Secretary of State may restrict the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
    • public security;
    • the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
    • other important objectives of general public interest, in particular an important economic or financial interest of the United Kingdom, including monetary, budgetary and taxation a matters, public health and social security;
    • the protection of judicial independence and judicial proceedings;
    • the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
    • a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
    • the protection of the data subject or the rights and freedoms of others;
    • the enforcement of civil law claims.

  2. In particular, provision made in exercise of the power under paragraph 1 shall contain specific provisions at least, where relevant, as to:
    • the purposes of the processing or categories of processing;
    • the categories of personal data;
    • the scope of the restrictions introduced;
    • the safeguards to prevent abuse or unlawful access or transfer;
    • the specification of the controller or categories of controllers;
    • the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
    • the risks to the rights and freedoms of data subjects; and
    • the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

  3. The Secretary of State may exercise the power under paragraph 1 only by making regulations under section 16 of the 2018 Act.
Simple. Secure. Sustainable.

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

EU GDPR Version

Restrictions

  1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
    • national security;
    • defence;
    • public security;
    • the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
    • other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security;
    • the protection of judicial independence and judicial proceedings;
    • the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
    • a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
    • the protection of the data subject or the rights and freedoms of others;
    • the enforcement of civil law claims.

  2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:
    • the purposes of the processing or categories of processing;
    • the categories of personal data;
    • the scope of the restrictions introduced;
    • the safeguards to prevent abuse or unlawful access or transfer;
    • the specification of the controller or categories of controllers;
    • the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
    • the risks to the rights and freedoms of data subjects; and
    • the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

Technical Commentary

The qualifying reasons for restrictions are outlined in paragraph 1:

  • national security, defence and public security;
  • the prevention, investigation and/or prosecution of criminal offences;
  • economic and financial interests;
  • judicial independence;
  • ethical breaches;
  • exercise of official authority;
  • protection of individual rights and freedoms;
  • the enforcement of civil law;

Any restrictions placed must also fall in line with the following criteria:

  • Essence – A general exclusion of data subjects’ rights with regard to all processing operations would not respect the essence.
  • Foreseeability – Restrictions must be specified in law.
  • Limited in scope.
  • Necessity and proportionality – The enactment of measures need to demonstrate an underlying need for doing so.

How ISMS.online Helps

Whether you’re just starting to look at data privacy, or an expert looking to integrate multiple standards and regulations, our features are easy to use and you’ll make progress the instant you log on. By adding a PIMS to your ISMS on the ISMS.online platform, your security posture remains all-in-one-place and you’ll avoid duplication where the standards overlap.

With your PIMS instantly accessible to interested parties, it’s never been easier to monitor, report and audit against both ISO 27701 and ISO 27001 at the click of a button.

Find out how much time and money you’ll save on your journey to a combined ISO 27701 and 27001 certification using ISMS.online by booking a demo.

See our platform
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

We’re cost-effective and quick

Discover how that will boost your ROI
Get your quote

Explore ISMS.online's platform with a self-guided tour - Start Now