GDPR Article 23 Explained: Restrictions of Data Subject Rights and Their Limits

The General Data Protection Regulation (GDPR) is widely known for strengthening the rights of individuals over their personal data. Articles 12–22 of the GDPR outline these rights in detail, including access, rectification, erasure, restriction, portability, objection, and protection against automated decision-making. However, GDPR is not an absolute framework where data subject rights always apply without exception.

Article 23 of the GDPR introduces an important balance mechanism. It allows EU Member States and, in some cases, the European Union itself to restrict certain GDPR rights and obligations under specific, narrowly defined conditions. These restrictions exist to protect broader societal interests such as national security, criminal investigations, public safety, and judicial independence.


What Is GDPR Article 23?

GDPR Article 23 is titled:

“Restrictions”

In simple terms, Article 23 allows lawmakers to limit how certain GDPR rights and obligations apply when exercising those rights would undermine important public interests.

These restrictions are not automatic. They must be:

  • Introduced through law
  • Clearly defined
  • Necessary and proportionate
  • Consistent with the essence of fundamental rights and freedoms

Article 23 does not give companies or authorities the freedom to arbitrarily deny data subject rights. Instead, it allows legislative restrictions under strict conditions.


Why Article 23 Exists

GDPR was designed to protect individuals, but lawmakers recognized that absolute transparency and access could sometimes cause harm. For example:

  • Allowing a suspect full access to their data during a criminal investigation could compromise evidence
  • Revealing intelligence records could endanger national security
  • Providing unrestricted access to court deliberations could undermine judicial independence

Article 23 exists to balance individual data protection rights with legitimate public interests.


Which Rights Can Be Restricted Under Article 23?

Article 23 allows restrictions on specific GDPR provisions, including:

  • Transparency obligations (Articles 12–14)
  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Rights related to automated decision-making (Article 22)
  • Certain controller and processor obligations

Importantly, not all GDPR principles can be restricted. Core principles such as lawfulness, data minimization, security, and accountability must still be respected.


Legitimate Grounds for Restrictions (Article 23(1))

Article 23 lists specific public interests that may justify restrictions. These include:

  • National security
  • Defense
  • Public security
  • Prevention, investigation, detection, or prosecution of criminal offenses
  • Protection of judicial independence and court proceedings
  • Protection of important economic or financial interests of a Member State or the EU
  • Monitoring, inspection, or regulatory functions
  • Protection of the data subject or the rights and freedoms of others
  • Enforcement of civil law claims

Restrictions must directly relate to one or more of these interests. Broad or vague justifications are not permitted.


Legal Requirements for Article 23 Restrictions

1. Restrictions Must Be Established by Law

Article 23 does not allow ad-hoc decisions by controllers. Restrictions must be defined in:

  • National legislation
  • EU law

Internal company policies or contractual clauses are not sufficient.


2. Necessity and Proportionality

Any restriction must be:

  • Necessary to achieve a legitimate aim
  • Proportionate, meaning it goes no further than required

If the same goal can be achieved with less intrusive means, the restriction is unlawful.


3. Respect the Essence of Fundamental Rights

Even when rights are restricted, their core essence must remain intact. For example:

  • Total denial of all access rights without oversight would likely violate Article 23
  • Indefinite restrictions without review mechanisms are unacceptable

4. Safeguards Must Be Included

Article 23(2) requires any law introducing restrictions to contain specific provisions on matters such as:

  • Purpose of processing
  • Categories of personal data involved
  • Scope of restrictions
  • Safeguards to prevent abuse
  • Storage periods
  • Risks to data subjects
  • Right to be informed about restrictions (where possible)

Who Can Apply Article 23?

Article 23 primarily applies to:

  • Law enforcement authorities
  • Intelligence agencies
  • Regulatory bodies
  • Courts and judicial systems
  • Certain public sector entities

Private companies can only rely on Article 23 if a law explicitly allows it. They cannot independently decide to restrict rights.


Common Misunderstandings About Article 23

“Companies can refuse data access under Article 23”

❌ Incorrect
Only laws can introduce restrictions, not companies.

“Article 23 overrides GDPR entirely”

❌ Incorrect
It only allows limited restrictions on specific rights.

“Article 23 applies automatically”

❌ Incorrect
Restrictions must be justified, documented, and lawful.


Example 1: Criminal Investigation and Right of Access

A person suspected of financial fraud submits a data access request to a financial intelligence unit requesting all personal data held about them.

The authority refuses to provide full access during the investigation.

Why Article 23 applies:

  • Providing access could reveal investigative methods
  • Disclosure could lead to destruction of evidence
  • The restriction is based on criminal procedure law

Key safeguards:

  • Restriction is temporary
  • Judicial oversight exists
  • Access may be granted after the investigation concludes

This is a classic and lawful application of Article 23.


Example 2: National Security and Surveillance Data

An individual requests access to all personal data processed by a national intelligence service.

The request is denied.

Why Article 23 applies:

  • Disclosure could compromise national security
  • Intelligence activities are protected by law
  • Risks extend beyond the data subject to society at large

Safeguards in place:

  • Parliamentary or judicial oversight
  • Independent supervisory bodies
  • Internal compliance controls

Article 23 allows such restrictions provided oversight exists.


Example 3: Court Proceedings and Judicial Independence

A litigant demands access to internal court deliberations and judicial notes under GDPR.

The court refuses.

Why Article 23 applies:

  • Judicial independence must be preserved
  • Disclosure could undermine impartial decision-making
  • Court confidentiality is protected by law

Important note:

The refusal does not eliminate all rights. Administrative data (e.g., case registration details) may still be accessible.


Example 4: Regulatory Investigation by a Financial Authority

A financial regulator investigates a company for market manipulation. An employee requests access to internal investigation records containing their personal data.

Access is partially restricted.

Why Article 23 applies:

  • Disclosure could compromise regulatory enforcement
  • Investigation integrity must be protected
  • Economic interests of the state are involved

Safeguards used:

  • Partial disclosure instead of full denial
  • Redaction of sensitive information
  • Review once investigation concludes

This demonstrates proportional restriction rather than blanket denial.


Example 5: Protection of Third-Party Rights

An employee requests access to HR investigation records related to workplace harassment.

The employer provides limited access, redacting witness identities.

Why Article 23 applies:

  • Disclosure could violate rights of other individuals
  • Protection of freedoms of others is a valid ground
  • Restriction is limited to specific data fields

Key takeaway:

Article 23 allows balancing between competing rights, not absolute refusal.


Relationship Between Article 23 and Transparency

While Article 23 allows restricting transparency, it does not eliminate accountability. Controllers must still:

  • Document the legal basis for restrictions
  • Be able to justify decisions to supervisory authorities
  • Apply restrictions consistently and fairly

In many cases, delayed transparency is preferable to permanent denial.


Supervisory Authority Oversight

Data protection authorities retain the power to:

  • Review the legality of restrictions
  • Investigate misuse of Article 23
  • Impose sanctions if restrictions are excessive or unlawful

Article 23 does not shield organizations from regulatory scrutiny.


Practical Compliance Considerations

Organizations affected by Article 23 should:

  • Clearly identify applicable laws
  • Define internal procedures for restricted requests
  • Train staff on lawful refusal handling
  • Document necessity and proportionality assessments
  • Periodically review whether restrictions are still justified

Failing to do so increases legal and regulatory risk.


Key Takeaways

  • GDPR Article 23 allows limited restrictions on data subject rights
  • Restrictions must be law-based, necessary, and proportionate
  • Core GDPR principles remain intact
  • Article 23 protects public interests without eliminating individual rights
  • Abuse or overuse of Article 23 can lead to enforcement action

Final Thoughts

GDPR Article 23 is often misunderstood or misused. It is not a loophole, nor is it a shortcut for avoiding transparency. Instead, it is a carefully designed legal tool that ensures GDPR functions effectively in complex real-world situations involving security, justice, and public interest.

When applied correctly, Article 23 preserves both fundamental rights and societal stability. When applied incorrectly, it undermines trust and exposes organizations to serious legal consequences.