Statement on restrictions on data subject rights in connection to the state of emergency in Member States
1 Statement on restrictions on data subject rights in connection to the state of emergency 1 in Member States Adopted on 2 June 2020 The European Data Protection Board has adopted the following statement: 1. The EDPB has been informed of the adoption by the Hungarian government of the Decree 179/2020 of 4 May 2020 on the derogations from certain data protection and access to information provisions during the state of danger 2 . Under Article 1, this Decree provides that, with respect to…
How it connects
Related across sources
Full text 18 sections
Statement on restrictions on data subject rights in connection to the state of emergency 1 in Member States Adopted on
June 2020 The European Data Protection Board has adopted the following statement: 1 The EDPB has been informed of the adoption by the Hungarian government of the Decree 179/2020 of 4 May 2020 on the derogations from certain data protection and access to information provisions during the state of danger 2 . Under Article 1, this Decree provides that, with respect to personal data processing for the purpose of pr eventing, understanding, detecting the coronavirus disease and impeding its further spread, including the organisation of the coordinated operation of State organs in relation to it , all measures following data subject’s request exercisi ng the rights based on Articles 15 to 22 of the GDPR are suspended until the end of the state of danger promulgated by Decree 40/2020 3 , and the starting date of such measures shall be the day following the day after the termination of the state of danger. Article 5 of the Decree 179/2020 provides that such suspension is also applicable to all requests to exercise the referred data subject rights, which were already pending at t he date of entry into force of the Decree. The data subject has to be notified about this restriction without delay after the end of the state of danger and at the latest within ninety days after the request is received. 2 As previously stated by the EDPB, data protection does not impede the fight against the COVID - 19 pandemic. The GDPR remains applicable and allows for an efficient response to the pandemic, while at the same time protecting fundamental rights and freedoms. Data protection law, including 1 For the purpose of the statement, "state of emergency" means any kind of exceptional state adopted at national level to fight against pandemic s, independently from its specific name under national law. 2 Decree 179/2020 (V. 4.) Korm. rendelet a veszélyhelyzet idején az egyes adatvédelmi és adatigénylési rendelkezésektől való eltérésről (https://net.jogtar.hu/jogszabaly?docid=a2000179.kor).
This information is based on the information received from the Hungarian Supervisory Authority, from NGOs and from publicly available sources. The Decree 40/2020 does not provide for any time limit to the state of danger. 2 rel evant applicable national law, already enables data processing operations necessary to contribute to the fight against the spread of a pandemic, such as the COVID - 19 pandemic. 3 Article 23 of the GDPR allows under specific conditions, a national legislator to restrict, by way of a legislative measure, the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard, inter alia, important objectives of general public interest of the Union or of a Mem ber Sta te, in particular public health.
The EDPB recalls that, even in these exceptional times, the protection of personal data must be upheld in all emergency measures, including restrictions adopted at national level, as per Article 23 of the GDPR thus c ontributing to the respect of the overarching values of democracy, rule of law and fundamental rights on which the Union is founded: on the one hand, any measure taken by Member States must respect the general principles of law, the essence of the fundamen tal rights and freedoms, and must not be irreversible and, on the other hand, data controllers and processors must continue to comply with data protection rules.
Any restriction must respect the essence of the right that is being restricted . Restrictions which are general, extensive or intrusive to the extent that they void a fundamental right of its basic content cannot be justified. If the essence of the right is compromised, the restriction must be considered unlawful, without the need to further assess whether it serves an objective of general interest or satisfies the necessity and proportionality criteria.
The processing of personal data should be designed to serve humankind and, within this context, one of the main objectives of data protection law is to enhance data subjects’ control over their data.
In order to guarantee this control, data subjects have a number of rights within the right to data protection. The right of access and the right to rectification are enshrined in Article 8 of the Chart er of Fundamental Rights of the European Union (‘Charter’). The GDPR contains those rights and complements them with a number of additional rights, such as the right to object, the right to erasure, and other new ones, such as the right to portability. The importance of the rights of data subjects cannot be underestimated. They are at the core of the fundamental right to data protection and their application should be the general rule. It is again st this background that Article 23 of the GDPR should be read and interpreted.
According to Article 52(1) of the Charter, any limitation on the exercise of the rights and freedoms recognised by the Charter must be ‘provided for by law’ . This echoes the expression ‘in accordance with the law’ in Article 8(2) of the European Convention of Human Rights 4 , which means not only 4 See in particular, ECtHR, 14 September 2010, Sanoma Uitg evers B.V. v. The Netherlands, EC:ECHR:2010:0914JUD003822403, para . 83: “Further, as regards the words “in accordance with the law” and “prescribed by law” which appear in Articles 8 to 11 of the Convention, the Court observes that it has always understood the term “law” in its “substantive” sense, not its “formal” one; it has included both “written law”, encompassing enactments of lower ranking statutes and regulatory measures taken by professional regulatory bodies under independent rule - making powers del egated to them by Parliament, and unwritten law. “Law” must be understood to include both statutory law and judge - made “law”. In sum, the “law” is the provision in force as the competent courts have interpreted it”. On the notion of ‘provided for by law’, the criteria developed by the European Court of Human Rights should be used as suggested in CJEU Advocates General opinions in joined cases C - 203/15 and C - 698/15, Tele2 Sverige AB, ECLI:EU:C:2016:572, paragraphs 137 - 154 or in case C - 70/10, Scarlet Extended , ECLI:EU:C:2011:255, paragraph 99. 3 compliance with domestic law, but also relates to the quality of that law, requiring it to be compatible with the rule of law. In particular, the domestic law must be sufficiently clear in its term s to give citizens an adequate indication as to the circumstances in and conditions on which controllers are empowered to resort to any such restrictions. The same strict standard should be applied for any restrictions that could be imposed by Member State s .
In line with the GDPR and the case law of the Court of Justice of the European Union and of the European Court of Human Rights, it is indeed essential that legislative measures 5 , which seek to restrict the scope of data subject rights, are foreseeable to persons subject to them , including with regard to their duration in time. In this regard, in particular where restrictions are adopted in the context of a state of emergency to safeguard public health, the EDPB considers that restrictions, imposed for a duration not precisely limited in time, which apply retroactively or are subject to undefined conditions, do not meet the foreseeability criterion.
Furthermore, restrictions are exceptions to the general rule and, as such, should be applied only in limited circumstances. As laid down in Article 23 of the GDPR, restrictions must be a necessary and proportionate measure in a democratic society to safeguard an important objective of general public interest of the Union or of a Member State such as public health.
The foreseen restrictions must genuinely meet an important objective of general public interest of the Union or of a Member State to be safeguarded , i.e. in the case of the current state of emergency in some Member States, public heal th. This link between the foreseen restrictions and the objective pursued must be clearly established and demonstrated. The mere existence of a pandemic or any other emergency situation alone is not a sufficient reason to provide for any kind of restrictio n on the rights of data subjects; rather, any restriction must clearly contribute to the safeguard of an important objective of general public interest of the Union or of a Member State.
In addition, it needs to be emphasised that in the light of the case law of the Court of Justice of the European Union, all restrictions of the rights of data subjects must apply only in so far as it is strictly necessary and proportionate to safeguard such objective of public health 6 . The emergency state, adopted in a pand emic context, is a legal condition, which may legitimise restrictions of data subject rights, provided these restrictions do not exceed the limits of what is necessary and proportionate in order to safeguard the public health objective.
Therefore, if res trictions contribute to safeguarding public health in a state of emergency, the EDPB considers that the restrictions must still be strictly limited in scope (e.g. as to the data subject rights concerned or the categories of controllers concerned) and in ti me. In particular, it must be limited to the emergency state period. Data subject rights ca n be restricted but not denied.
In addition, the guarantees provided for under Article 23(2) of the GDPR must fully apply, in particular when it comes to the need to have specific provisions as to the purposes of the processing , the categories of personal data, the scope of the restrictions, the safeguards to prevent abuse or unlawful 5 Recital 41 of the GDPR: “Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant t o the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case - law of the Court of Jus tice of the European Union (the ‘Court of Justice’) and the European Court of Human Rights”. 6 See for example, regarding the Directive 95/46/EC ECJ 14.2.2019, C – 345/17 (Buivids) paragraph 64. 4 access or transfer, the specification of the controller or categories of controllers concerned or the risks to the rights and freedoms of data subjects.
The EDPB takes the view that restrictions adopted in the context of a state of emergency suspending or postponing the application of data subject rights and the obligations incumbent to d ata controllers and processors, without any clear limitation in time, would equate to a de facto blanket suspension of those rights and would not be compatible with the essence of the fundamental rights and freedoms. Moreover, the handling of a request to exercise the right s of data subjects, for instance concerning the right to object under Article 21 of the GDPR , must be processed timely to be meaningful and effective. Therefore, in this context, the postponement or suspension - without any specific limit in time - of the handling, by the controller, of the data subject requests would amount to a complete obstacle against the exercise of the rights themselves.
In accordance with Article 57(1)(c) of the GDPR, the national supervisory authority should be con sulted in the process in due time by national authorities contemplating restrictions under Article 23 of the GDPR and should be empowered to monitor the application of such restrictions. The EDPB supports the endeavour of the national supervisory authoriti es to ensure that the restrictions, provided for under national legislative measures to the fundamental right to personal data protection, to safeguard public health in relation to the fight against the pandemic, apply only in so far as they are strictly n ecessary and proportionate to safeguard this objective.
The EDPB recalls that the European Commission, as Guardian of the Treaties, has the duty to monitor the application of EU primary and secondary law and to ensure its uniform application throughout th e EU, including by taking actions where national measures would fail to comply with EU law. The EDPB remains available to provide advice to the European Commission in accordance with Article 70 of the GDPR as deemed necessary.
The EDPB will issue more com prehensive guidelines on the implementation of Article 23 of the GPDR in the coming months. For the European Data Protection Board The Chair (Andrea Jelinek)