5 of 5: Article 23 — Restrictions on Data Subject Rights and What They Mean for Your Business
Article 23 of the UK GDPR allows certain restrictions on data subject rights — but only in defined cases. Learn when this applies and how your company must respond.
Most UK GDPR rights, including the rights of access, rectification, erasure and objection, are strong and enforceable. Article 23 of the UK GDPR, however, allows those rights to be restricted by domestic legislation, in specific cases and only where the restriction is a necessary and proportionate measure, to safeguard important interests such as national security or the prevention and detection of crime.
🔒 When Can Rights Be Restricted?
Under Article 23(1), the rights and obligations in Articles 12 to 22 and Article 34 (and Article 5 so far as it corresponds to them) may be restricted where that is necessary and proportionate to:
- Protect national security, defence or public security
- Prevent, investigate, detect or prosecute criminal offences
- Safeguard other important public interests, such as taxation, budgetary or monetary matters, public health or social security
- Protect judicial independence and judicial proceedings
- Protect the data subject or the rights and freedoms of others
- Enforce civil law claims
Article 23 does not let a controller decide for itself that a right is restricted. The restriction must be set out in domestic law; in the UK that is chiefly the Data Protection Act 2018, whose Schedules 2 to 4 contain the exemptions. A company can only rely on a specific exemption that actually covers its situation, must apply it no further than necessary, and should follow the ICO's guidance on how each exemption operates.
🏢 What This Means for Your Business
The exemptions are most often relied on by public authorities and by regulated sectors such as financial services and law enforcement, but they apply to any controller. A private company may need them if it processes data under a government contract, makes regulatory or compliance reports, or runs fraud detection.
For example, a background screening company may have to withhold certain data from a subject access response where the data relates to national security matters and disclosing it would prejudice them. Similarly, a business cooperating with a regulatory or tax investigation may need to restrict access to the relevant data while the investigation is live.
🧭 How to Apply Article 23 Properly
If you believe a restriction under Article 23 might apply to a request, you must:
- Identify the specific exemption you are relying on and its legal basis (for example a statutory exemption in the Data Protection Act 2018, a court order or a regulatory obligation)
- Apply the restriction only to the data it actually covers, and respond to the rest of the request as normal
- Document the decision and the reasoning behind it
- Tell the individual that a restriction has been applied, unless doing so would itself undermine the purpose of the restriction
- Review the restriction periodically and lift it once the grounds no longer apply
Skipping this process is itself a breach of the UK GDPR, even where the underlying aim was lawful: an exemption only protects a controller that has applied it properly.
🧠 Example: A Practical Use Case
Your company is carrying out anti-money laundering checks on a politically exposed person (PEP). The individual submits a subject access request while an investigation is ongoing. You may have legal grounds to withhold the information connected to the investigation, for example where disclosure would be likely to prejudice the prevention or detection of crime, but the rest of the request must still be answered, the decision must be made case by case, and legal input should be sought before anything is withheld.
💡 Tip:
If you work with regulators or handle sensitive investigations, review your internal policy on data subject rights. Include a decision matrix that records when rights may be restricted, which exemption is relied on, and who must approve the restriction, ideally agreed with your DPO or legal counsel.