EDPB adopts guidelines on restrictions of data subject rights under the EU’s GDPR

During its October plenary, the European Data Protection Board (EDPB) has adopted new guidelines on restrictions of data subject rights under Art. 23 of the EU’s General Data Protection Regulation (GDPR) following a public consultation. The guidelines aim to recall the conditions surrounding the use of such restrictions by member states and EU institutions in light of the Charter of Fundamental Rights and the GDPR. They provide a thorough analysis of the criteria to apply restrictions, the assessments that need to be observed, how data subjects can exercise their rights after the restrictions are lifted, and the consequences of infringements of Art. 23 of the GDPR. Additionally, the guidelines analyse how the legislative measures setting out the restrictions need to meet the foreseeability requirement and examine the grounds for the restrictions listed by Art. 23(1) of the GDPR, and the obligations and rights which may be restricted.