On October 13, 2021, the European Data Protection Board (“EDPB”) adopted Guidelines 10/2020 on restrictions under Article 23 of the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”) following public consultation. Article 23 of the GDPR permits EU Member States to impose restrictions on data subject rights as long as the restrictions respect the essence of the fundamental rights and freedoms of individuals, and are necessary and proportionate measures in a democratic society to safeguard, for example, national security, defense or public security. The data subject rights to which the restrictions may apply are those set out in Articles 12-22 (e.g., rights of access, erasure), Article 34 (communication of a data breach to individuals) and Article 5 (the data processing principles) to the extent that its provisions correspond to data subject rights.
According to the Guidelines, the relevant restriction must be set out in a clear and precise legislative measure and its potential application must be foreseeable (i.e., obvious) to those subject to it. In