On June 2, 2020, the European Data Protection Board (the “EDPB”) announced that it had released a statement on restrictions on data subject rights in connection with the state of emergency in EU Member States amid the COVID-19 pandemic (the “Statement”).

Under certain circumstances, Article 23 of the EU General Data Protection Regulation (the “GDPR”) allows for national derogations to data subject rights where necessary and proportionate in a democratic society to safeguard important objectives of general public interest of the EU or Member States, including public health. The Statement is a response to the Hungarian government’s decree on May 4, 2020 suspending, until the state of emergency is revoked in Hungary, measures following data subjects’ requests to exercise their rights with respect to personal data processing for the purpose of preventing, understanding, detecting and impeding the spread of COVID-19.

In the Statement, the EDPB emphasizes that the GDPR remains applicable and allows for an efficient response to the COVID-19 pandemic, while also protecting individuals’ rights and freedoms. The Statement reiterates the main principles related to the restrictions on data subject rights in connection with the state of emergency in Member States, including:

  • General, extensive or intrusive restrictions that void a fundamental right of its basic content cannot be justified;
  • Limitations to data subjects’ requests to exercise their rights and freedoms must be provided by a law that is sufficiently clear as to the circumstances in, and conditions on, which companies are allowed to use any such restrictions;
  • Restrictions to the scope of data subject rights must be foreseeable, including with respect to their duration;
  • Restrictions should only be applied in limited circumstances and should genuinely meet an important objective of general public interest. This means that restrictions must be a necessary and proportionate measure in a democratic society to safeguard an important objective of general public interest of the EU or a Member State. According to the EDPB, the mere existence of a pandemic is not a sufficient reason to provide for any kind of restriction on data subject rights. Instead, restrictions must clearly and genuinely contribute to the safeguard of an important general public interest. All restrictions must only apply to the extent strictly necessary and proportionate to safeguard such objective of public health;
  • According to the EDPB, restrictions contributing to the safeguard of public health in a state of emergency must be interpreted narrowly;
  • The guarantees provided for under Article 23 (2) of the GDPR must fully apply. In particular, any legislative measure introducing restrictions to data subject rights must contain specific provisions as to, inter alia, the processing purposes and categories of processing, categories of personal data, scope of the restrictions, safeguards to prevent abuse or unlawful access or transfer, specification of the controller or categories of controllers concerned, and the risks to the rights and freedoms of data subjects;
  • Restrictions adopted in the context of a state of emergency suspending or postponing the application of data subject rights should be clearly limited in time. Otherwise, the restriction would equate a de facto blanket suspension of those rights and would not be considered compatible with the essence of fundamental rights and freedoms; and
  • In line with Article 57 (1) (c) of the GDPR, national supervisory authorities should be consulted by national authorities, in due time, when contemplating the introduction of restrictions under Article 23 of the GDPR.

The EDPB also announced that it will issue guidelines on the implementation of Article 23 of the GDPR in the coming months. Read the EDPB’s Statement.