The last article of the Rights of the Data Subject section discusses specific restrictions to help safeguard certain areas that might be put in jeopardy if the other rights of the data subject are realized. This includes the rights outlined in Articles 12 through 22, 34, and 5 (see the GDPR for the content of these articles).
Article 23: Restrictions
Union or Member State law to which the controller or processor is subject may restrict the scope of the obligations outlined in Articles 12 through 22, 34, and 5 when exercising these rights results in a compromise of:
- National Defense
- National Security
- Public Security
- The prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties, including threats to public safety.
- Other important interests of the Union or Member State, such as economic, financial, or taxation matters.
- The protection of judicial independence or judicial proceedings.
- The prevention, investigation, detection, and prosecution of breaches of ethics for regulated professions.
- A monitoring, inspection, or regulatory function connected to exercising the official authority in the cases of points (1) through (5) and (7).
- The protection of the data subject or the rights and freedoms of others.
- The enforcement of civil law claims.
Any legislative measure referred to in the above paragraph shall contain specific provisions, where relevant, as to:
- The purposes or categories of processing
- Categories of personal data
- Scope of restrictions included
- Safeguards to prevent abuse
- Specification of the controller(s) or categories of controller(s)
- Storage periods of data and applicable safeguards that take into account the nature, purpose, and scope of the processing
- Risks to the rights and freedoms of the data subject
- The right of the data subject to be informed of the restriction, unless this is prejudicial to the purpose of the restriction
How does this apply to You and Me?
For the most part, this doesn’t apply as much as the other 11 articles in this segment of the regulation. This one outlines the instances in which restrictions would apply to the rights in the other articles. For example, if you are requesting specific data from a controller and releasing it would raise a national security concern for the Union or Member State, the request most likely isn’t going to be fulfilled. You, the data subject, are still entitled to the reason for which the request wasn’t fulfilled, but you also don’t get your data.
In most cases, you requesting your data to be deleted from a company wouldn’t constitute a matter of national security, but it tries its best to prohibit further crime. For instance, an international criminal may request the deletion of their data from a telephone company. Because of their status and imminent threat to the Union/Member State, the request is most likely going to be forwarded to the regulatory body and not fulfilled. These cases are very rare when taking into account the grand total of requests made for actions upon data subject data. For every 100,000 requests, approximately 0.001% or 0.0001%, or 100 or 10, of all requests are related to matters of national security or the protection of judicial independence.
MICHELLE ROSS
Let’s say Michelle’s information is collected by a company that is working with the government to uncover a plot to overthrow the government. Let’s assume the government is democratic and respectful towards its citizens and a revolt is not in the majority’s best interest (in fact, for conversation’s sake, the only people who benefit will be the few in the revolt). Now, is the unwarranted collection of Michelle’s data lawful or permissible? If Michelle is a member of the terrorist group, collection of her data is permissible, according to GDPR, as a matter of national security and defense. We would want the bad people to be found out and captured so they don’t harm others or take what doesn’t belong to them. If Michelle is one of them, then it is within Union law to collect her information without her consent (maybe if she read DPP, she’d know not to let her data out on the internet).
If Michelle is not a member of the terrorist group and is just a common citizen, then the data controller would need another valid reason for collecting her information, or PII, as we often refer to it. Other reasons would be the economic or financial interests of the whole, historical research, or other instances cited in Article 9. Otherwise, the data controller would be dancing with the devil of GDPR as it pertains to unlawful data collection. And even if the collection was for a legitimate purpose, and Michelle wasn’t a terrorist, the data controller would have to delete her information upon closure of the case, per data minimization standards.
This article is shorter than the others and wraps up Chapter 3 (Rights of the Data Subject) of our GDPR series. DPP will be taking a short break (as of this writing) from this series to focus on developing other content.
If you stumbled upon this article several months after the publishing date, forget all about the paragraph right before this one and keep on reading!
See the Newsletters page for the latest content and to subscribe to the regular update, see the About page for information around who DPP is, and check out the Contact page to reach out to DPP with any questions or concerns. These are my thoughts and should not be taken as professional advice simply because you are not paying me for my opinion.
Once you understand how valuable your information is, then you can begin taking steps to keep it private.