
Article 23: Restriction

Article 23 of the EU General Data Protection Regulation (GDPR) outlines the limitations on data protection rights and obligations. It provides exceptions and restrictions regarding the processing of personal data for specific purposes. Let's examine each sub-article of Article 23 with a relevant example:


Article 23(1) of EU GDPR is a provision that allows the Union or Member States to impose certain restrictions on the obligations and rights of data controllers, processors, and subjects, under specific conditions and for specific purposes. The GDPR is a regulation that aims to protect the personal data and privacy of individuals in the European Union and the European Economic Area.

The article states that the Union or Member State law may restrict, by way of a legislative measure, the scope of the obligations and rights provided for in:

Articles 12 to 22: These articles specify the rights of the data subjects, such as the right to access, rectify, erase, restrict, port, and object to the processing of their personal data, as well as the right not to be subject to automated decision-making, including profiling.

Article 34: This article requires the data controller to communicate a personal data breach to the data subject, unless the breach is unlikely to result in a high risk to the rights and freedoms of the data subject.

Article 5: This article lays down the principles relating to the processing of personal data, such as lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability.

Article 23 also says that these limitations must not go against basic human rights and freedoms, and must be necessary and reasonable in a democratic society to protect the interests listed below.

In other words, the government or other organizations can sometimes limit the rights of people to access, change, or delete their personal data, or to know how their data is used. But they can only do this for very important reasons, such as:

Article 23(1)(a): national security;

Article 23(1)(b): defense;

Article 23(1)(c): public security;

Article 23(1)(d): the prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties, or the protection of the rights and freedoms of others;

Article 23(1)(e): important economic or financial interests of the EU or a member country, such as monetary, budgetary, or taxation matters, or the regulation and supervision of financial markets;

Article 23(1)(f): the protection of judicial independence and judicial proceedings;

Article 23(1)(g): the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

Article 23(1)(h): a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);

Article 23(1)(i): the protection of the data subject or the rights and freedoms of others;

Article 23(1)(j): the enforcement of civil law.


Article 23(2)

Article 23(2)(a) of EU GDPR is a part of a law that protects the privacy of people in Europe. It says that when the government or another organization limits the rights of people to access, change, or delete their personal data, or to know how their data is used, it must explain why and how it does so. It must also specify:

Article 23(2)(a): the purpose of processing or categories of processing, which means the reason for and type of data use;

Article 23(2)(b): the categories of personal data;

Article 23(2)(c): the scope of the restriction, which means the extent and limits of the interference with the rights and obligations of the data subjects and controllers.

An example of a legislative measure that contains specific provisions as to the scope of the restrictions is the UK Data Protection Act 2018, which provides for exemptions from certain provisions of the GDPR for the purposes of national security, defense, crime and taxation, immigration, judicial functions, regulatory functions, journalism, academic research, archiving, and health and social care. The act also specifies the scope of the exemptions, such as the circumstances in which they apply, the conditions that must be met, and the safeguards that must be observed.

Article 23(2)(d) of EU GDPR is a part of a law that protects the privacy of people in Europe. It says that when the government or other organizations limit the rights of people to access, change, or delete their personal data, or to know how their data is used, they must explain why and how they do it. They must also specify the safeguards to prevent abuse or unlawful access or transfer, which means the measures and mechanisms to ensure that the data is not misused, stolen, or disclosed without authorization.

An example of a legislative measure that contains specific provisions as to the safeguards to prevent abuse or unlawful access or transfer is the UK Data Protection Act 2018, which provides for exemptions from certain provisions of the GDPR for the purposes of national security, defence, crime and taxation, immigration, judicial functions, regulatory functions, journalism, academic research, archiving, and health and social care. The act also specifies the safeguards to prevent abuse or unlawful access or transfer, such as the requirement of a warrant or an authorisation, the oversight by an independent commissioner, the review by a tribunal, and the notification to the data subject where possible.


Article 23(2)(e) of EU GDPR is a part of a law that protects the privacy of people in Europe. It says that when the government or other organizations limit the rights of people to access, change, or delete their personal data, or to know how their data is used, they must explain why and how they do it. They must also specify the controller or category of controller, which means the person or organization who decides how and why the data is processed.

An example of a legislative measure that contains specific provisions as to the specification of the controller or category of controller is the UK Data Protection Act 2018, which provides for exemptions from certain provisions of the GDPR for the purposes of national security, defence, crime and taxation, immigration, judicial functions, regulatory functions, journalism, academic research, archiving, and health and social care. The act also specifies the controller or category of controller who may apply the exemptions, such as the Secretary of State, the Director of Public Prosecutions, the Information Commissioner, or any person who exercises functions of a public nature.


Article 23(2)(f) of EU GDPR is a part of a law that protects the privacy of people in Europe. It says that when the government or other organizations limit the rights of people to access, change, or delete their personal data, or to know how their data is used, they must explain why and how they do it. They must also specify the storage periods and the applicable safeguards, which means the duration and the measures to keep the data secure and accurate, depending on the nature, scope and purposes of the processing or categories of processing, which means the characteristics, extent and reasons of using the data.

An example of a legislative measure that contains specific provisions as to the storage periods and the applicable safeguards is the UK Data Protection Act 2018, which provides for exemptions from certain provisions of the GDPR for the purposes of national security, defence, crime and taxation, immigration, judicial functions, regulatory functions, journalism, academic research, archiving, and health and social care. The act also specifies the storage periods and the applicable safeguards, such as the requirement to delete or destroy the data as soon as the purpose of the processing is fulfilled, the obligation to review the necessity and proportionality of the processing at regular intervals, and the duty to comply with the data protection principles and the rights of the data subjects as far as possible.

Article 23(2)(g) of EU GDPR is a part of a law that protects the privacy of people in Europe. It says that when the government or other organizations limit the rights of people to access, change, or delete their personal data, or to know how their data is used, they must explain why and how they do it. They must also specify the risks to the rights and freedoms of data subjects, which means the potential negative impacts or harms that the limitation may cause to the people whose data is processed.

An example of a legislative measure that contains specific provisions as to the risks to the rights and freedoms of data subjects is the UK Data Protection Act 2018, which provides for exemptions from certain provisions of the GDPR for the purposes of national security, defence, crime and taxation, immigration, judicial functions, regulatory functions, journalism, academic research, archiving, and health and social care. The act also specifies the risks to the rights and freedoms of data subjects, such as the possibility of discrimination, identity theft, fraud, financial loss, damage to reputation, loss of confidentiality, or any other significant economic or social disadvantage.

Article 23(2)(h) of EU GDPR is a part of a law that protects the privacy of people in Europe. It says that when the government or other organizations limit the rights of people to access, change, or delete their personal data, or to know how their data is used, they must explain why and how they do it. They must also specify the right of data subjects to be informed about the restriction, unless that may be harmful to the reason for the restriction, which means the people whose data is processed should be notified about the limitation, unless that may interfere with the purpose of the limitation.

An example of a legislative measure that contains specific provisions as to the right of data subjects to be informed about the restriction is the UK Data Protection Act 2018, which provides for exemptions from certain provisions of the GDPR for the purposes of national security, defense, crime and taxation, immigration, judicial functions, regulatory functions, journalism, academic research, archiving, and health and social care. The act also specifies the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction, such as the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties.

For implementation, please reach us at lawyersera2023@gmail.com

