Comments on the EDPB’s draft “Guidelines 10/2020 on restrictions under Article 23 GDPR”

Feb 12, 2021



The EFDPO appreciates the opportunity to present its comments to the recently published EDPB draft Guidelines 10/2020.

General comments

The problem of instructions addressed to national parliaments

In general, we very much welcome that the EDPB publishes its views on the interpretation of Article 23 of the GDPR. We fully agree with most of the EDPB’s conclusions presented in this proposal. It cannot, however, be overlooked that the EDPB, in addition to the EU legislators[1], mainly addresses the parliaments of individual Member States (although, as the EDPB rightly points out, Article 23 allows derogations to be adopted by national law instruments other than parliamentary laws).

National parliaments are the supreme representation bodies of citizens in the individual Member States. Although the supremacy of European law over national law is widely acknowledged and some powers of national parliaments have been transferred to the EU level, this does not change the fact that parliaments in the Member States remain the highest legislative body adopting national law. It is important to bear in mind that the GDPR is directly and immediately applicable.

Parliaments are empowered to enact legal acts at their own discretion (of course in compliance with the Member State’s obligations under international law and treaties as well as with the requirements of European law).

From this point of view, it must be examined whether an EU (administrative) body can issue guidelines that are binding on national parliaments and have legal effect. Article 70 (1) GDPR defines the tasks of the Committee. In addition to monitoring and advisory tasks, these also include the provision of guidelines (lit. d, f, g, h, i, j, m) as well as the issuing of opinions. In our opinion, guidelines should therefore not be understood as “soft law”. From this point of view, the chosen form of the EDPB document, i.e. guidelines within the meaning of Article 70 (1) (e) of the GDPR, appears to be a potentially appropriate legal instrument.

We believe that Article 70 of the GDPR cannot be interpreted or applied in a way that would entitle the EDPB to influence the activities of national parliaments under soft law. If the European legislator intended to confer such a power on the EDPB, even if the Treaties so allowed, it would certainly be expressly stated in Article 70 (in the light of the doubts set out above). The purely consultative role of the national supervisory authorities in the national legislative procedure is regulated in Article 36 (4) of the GDPR.

The conflict of fundamental rights

Furthermore, we would like to provide general comments on the argumentation relying on Article 52 of the EU Charter of Fundamental Rights, as stated, for example, in point 2 of the Guidelines. We believe that Article 52 (1) of the Charter cannot be applied in the sense indicated by the EDPB where there is a conflict between several equally important fundamental rights. In such circumstances, equally strong and important interests need to be balanced. This may apply to the discussed Article 23 of the GDPR, e.g. under paragraph 1 (i) or (j). This may be particularly restrictive, for example, to the requirement to comply with the notion of “strictly necessary” mentioned in point 42 of the proposal.

General public interest requirement

The guidelines seem to link the exemptions under Article 23 (1) solely with the notion of “general interest” or “general public interest” (see, for example, point 39 or 42). It should be noted that some of the exceptions under Article 23 (1) do not have to be aimed at protecting the “general interest” but rather the interest of the individual (see Article 23 (1) (i) (j) of the GDPR).

Requirements for Member States’ authorities compared to the practice of the EU institutions

We generally agree with the EDPB’s interpretation of Article 23 (2) and the requirements set out therein. However, we must point out that it would be appropriate to align the requirements under Article 23 (2) of the GDPR with the practice of some EU institutions in limiting the rights of data subjects under Article 25 of EU Regulation 2018/1725 (as declared in the acts published in the Official Journal). Decisions regarding these restrictions are in some cases formulated in a very general way and without further additional information value for data subjects. The references to the general public interest thus seem unsubstantiated.

Comments on individual points:

Point 33. We do not consider the example given here to be appropriately chosen, as it rather aims at the matters regulated (except for whistleblowing) by EU Directive 2016/680. We believe that it would be more appropriate to use another example, which would better demonstrate the difference between matters regulated by the GDPR and matters regulated by EU Directive 2016/680 (as correctly stated, for example, in point 24 of the proposal by reference to rec. 19 of the GDPR).

Point 66. In our view, the documentation under Art. 5 (2) GDPR shall include documentation of restrictions based on Art. 23 GDPR. However, we disagree with the idea that the documentation according to Art. 5 (2) GDPR shall be made available to the SA. The respective consideration in point 66 is not an aspect of Art. 23 GDPR and is therefore outside the scope of Guideline 10/2020. Moreover, this view collides with the fundamental right against self-incrimination.

Point 67. We consider the full involvement of the DPO in the Art. 23 compliance process appropriate. It is the DPO’s very own task to monitor and control compliance with data protection rights. With functioning processes, an unnecessary administrative burden is not to be assumed. Furthermore, the comprehensive involvement of the DPO, in addition to quality assurance, also serves to minimise risk for the data subject and consequently also for the controller with regard to its functioning processes.

We are grateful for the opportunity to provide our comments on the draft guideline. 

[1] We leave aside the impact of the restriction according to Article 23 on legislative activity at EU level, where the GDPR as a regulation can of course be amended by another regulation (as the EDPB also focuses in its draft guidelines on exemptions provided for by national law).

EFDPO contacts:

EFDPO Press Office, phone +49 30 20 62 14 41, email:
President: Thomas Spaeing (Germany)
Vice Presidents: Xavier Leclerc (France), Judith Leschanz (Austria), Inês Oliveira (Portugal), Vladan Rámiš (Czech Republic)


The European Federation of Data Protection Officers (EFDPO) is the European umbrella association of data protection and privacy officers. Its objectives are to create a European network of national associations to exchange information, experience and methods, to establish a continuous dialogue with the political sphere, business representatives and civil society to ensure a flow of information from the European to the national level and to proactively monitor, evaluate and shape the implementation of the GDPR and other European privacy legal acts. In doing so, the EFDPO aims to strengthen data protection as a competitive and locational advantage for Europe. The new association is based in Brussels.

Effective members:

  • Austria: – Verein österreichischer betrieblicher und behördlicher Datenschutzbeauftragter
  • Czech Republic: Spolek pro ochranu osobních údajů
  • France: UDPO, Union des Data Protection Officer – DPO
  • Germany: Berufsverband der Datenschutzbeauftragten Deutschlands (BvD) e. V.
  • Greece: Hellenic Association for Data Protection and Privacy (HADPP)
  • Liechtenstein: in Liechtenstein
  • Portugal: APDPO PORTUGAL Associação dos Profissionais de Proteção e de Segurança de Dados
  • Slovakia: Spolok na ochranu osobných údajov
  • Switzerland: Data Privacy Community
