European Data Protection Board (“EDPB”) has recently adopted a statement regarding restrictions on data subject rights put in place in Hungary for the period of state of danger in context of COVID-19 (“Statement”). The Statement includes that explanatory points to be noted in regard to the regime of restricting data subject rights.
Basis of the Restrictions
According to Article 23 of the General Data Protection Regulation (EU) (2016/679) (“GDPR”), a Member State is entitled to restrict the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5, by way of a legislative measure, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard, inter alia, important objectives of general public interest of the Union or of a Member State, in particular public health. As per Recital 73 of the GDPR, such restrictions should be in accordance with the requirements set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.
The Scope of the Restrictions in Hungary
According to the Statement, the restrictions in Hungary adopted by the Decree 179/2020 of 4 May 2020 of the Hungarian government suspends the application of data subject rights enshrined from Article 15 to 22 of the GDPR limited to processing activities made for the purpose of preventing, understanding, detecting the coronavirus disease and impeding its further spread, including the organization of the coordinated operation of State organs in relation to it, until the end of the state of danger which is yet to be clear. However, according to the recent updates, Hungary may lift the state of danger after the date of June 16, 2020.
Highlights of EDPB’s Statement
In the Statement issued by the chair of the EDPB, it is stated that the GDPR is still applicable and any measure taken by Member States must respect the general principles of law and the essence of the fundamental rights and freedoms and must not be irreversible.
First of all, according to Article 52(1) of the Charter, any limitation on the exercise of the rights and freedoms recognized by the Charter must be ‘provided for by law’. Therefore, the EDPB highlights that not only compliance with domestic law but also the compatibility with the rule of law has to be achieved. Moreover, foreseeability of such restrictions must be achieved by Member States upon defining the scope of the restrictions and providing adequate indication including their timelines.
Secondly, restrictions must genuinely meet an important objective of general public interest and be necessary and proportionate for such public interest. Accordingly, if such restriction does not necessary or proportionate to safeguard such public interest, it shall be unlawful.
General, extensive and intrusive restrictions which compromise the essence of the right shall be deemed unlawful even they serve an objective of general interest or satisfies the necessity and proportionality criteria.
At this point, the EDPB underlines that indefinite timelines shall not be deemed compatible with the essence of the fundamental rights and freedoms. Such restrictions must be foreseeable for data subjects including their duration in time. Furthermore, in this context the EDPB also recalls that suspension of right to object contradicts the nature of such right which requires to be processed timely in order to apply efficiently.
The EDPB also reminds that European Commission has the duty to monitor the application of EU primary and secondary law and to ensure its uniform application throughout the EU. Guidelines from the EDPB on the implementation of Article 23 of the GPDR is expected in upcoming months.
Aslı Naz Ünlü