Art. 23 EU DSGVO sieht die Möglichkeit vor, dass die EU Mitgliedsstaaten die Rechte und Pflichten gemäss Art. 12 bis 22 EU DSGVO (Rechte der betroffenen Personen) sowie Art. 34 EU DSGVO (Benachrichtigung bei Data Braches) und Art. 5 EU DSGVO (Grundsätze für die Verarbeitung personenbezogener Daten) unter bestimmten Voraussetzungen beschränken können.
Diese Voraussetzungen hat der EDSA mit der oben erwähnten Guideline aktualisiert und wie folgt zusammengefasst (vgl. Conclusion/Kapitel 8):
a) Article 23 GDPR allows under specific conditions, a national or Union legislator to restrict, by way of a legislative measure, the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 GDPR in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard, inter alia, important objectives of general public interest of the Union or of a Member State.
b) Restrictions of data subjects’ rights need to observe the requirements stated in Article 23 GDPR. The Member States or the Union issuing the legislative measures setting those restrictions and the controllers applying them should be aware of the exceptional nature of these restrictions.
c) The proportionality test should be carried out before introducing in Union or Member State law restrictions on the rights of data subjects.
d) SAs should be consulted before the adoption of the legislative measures setting the restrictions and have the powers to enforce its compliance with the GDPR.
e) Once restrictions are lifted, data subjects must be allowed to exercise their rights by the controller.
Unter Kapitel 9 wurde ausserdem eine Checkliste mit dem Titel „Article 23 GDPR in a nutshell“ publiziert.
Michal Cichocki