Overview

This article permits limitations on certain data subject rights under the GDPR for specific purposes, such as national security, public safety, or criminal investigations. Any restriction must be necessary and proportionate, and must respect the fundamental rights and freedoms of the individuals concerned.

Key Principles

  • Lawful Restrictions: Data subject rights can be limited only when justified by law for specific public interest purposes.

  • Necessity and Proportionality: Restrictions must be limited to what is essential for the intended purpose.

  • Fundamental Rights: Measures must respect the core rights and freedoms of data subjects.

  • Transparency: Organizations should document and justify the application of restrictions.

Organizational Applicability

This article applies to all organizations processing personal data within the EU, particularly where such legal restrictions apply:

  • Public authorities and government agencies performing national security, law enforcement, or public safety functions.

  • Private sector entities involved in processing under specific legal obligations or regulatory requirements.

  • Teams responsible for compliance, legal affairs, or oversight of restricted data processing activities.

Implementation Requirements

  • Identify circumstances where GDPR rights may be restricted lawfully.

  • Apply restrictions only to the extent necessary and document justifications.

  • Ensure appropriate safeguards to protect the rights of data subjects.

  • Maintain records demonstrating lawful application of restrictions.

Implementation Guidance

  • Review applicable national laws and regulatory requirements before applying restrictions.

  • Implement access controls and logging for restricted processing activities.

  • Train staff to recognize situations where restrictions are justified.

  • Periodically audit restricted processing to ensure compliance and proportionality.

Periodic Review

  • Frequency: Annually or upon changes in applicable law or restricted processing activities.

  • Responsible Role: Data Protection Officer (DPO), Compliance Team, or legal authority.

  • Outcome: Confirm restrictions are applied correctly, proportionately, and in compliance with GDPR.

Non-Compliance Risks

  • Fines: Up to €20 million or 4% of global annual turnover for unlawful restrictions.

  • Legal Exposure: Enforcement actions or complaints if rights are improperly limited.

  • Reputational Damage: Loss of trust due to misuse or over-application of restrictions.

  • Operational Risk: Improper restriction may lead to regulatory scrutiny or legal challenges.