Restrictions on rights

Regulation 140 of the GDPR and LED Implementing Regulations 2018 (Data subject’s rights and other prohibitions and restrictions) states:

(1) An enactment or rule of law prohibiting or restricting the disclosure of information, or authorising the withholding of information, does not remove or restrict the obligations and rights provided for in the provisions listed in paragraph (2).
(2) The provisions providing obligations and rights are, —
(a) Chapter III of the applied GDPR (rights of the data subject); and
(b) Chapter 4 of Part 3 of these Regulations (law enforcement processing: rights of the data subject).

The rights of data subjects are not, therefore, restricted in any way unless prescribed in the data protection legislation. 

Article 23 of the Applied GDPR permits rights to be restricted "when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard..." a particular concern or area "by way of a legislative measure".

The "legislative measure" is the GDPR and LED Implementing Regulations 2018 and restrictions on rights are contained in Regulation 22 (National security) and Schedule 9 of those Regulations. The restrictions on rights are summarised in the document below.

Applying restrictions on rights

Article 12(2) requires controllers to "facilitate the exercise of data subject rights" and Article 24 makes it the responsibility of controllers to demonstrate that processing is performed in accordance with the Applied GDPR. 

Controllers must also be able to demonstrate (or explain), therefore, why they were entitled to restrict any rights exercised by data subjects through the application of restrictions or exemptions, i.e. how the application of that exemption or restriction in the particular circumstances was justified and necessary. In the event that a complaint is received by the Commissioner, that explanation will usually be sought.


Schedule 9 is complex and paragraphs not only includes restrictions on all rights, but also exemptions from compliance with principles.  How these provisions apply to restrictions on rights is, in some cases, very confusing and controllers should therefore exercise caution when reading and applying the provisions of Schedule 9 until such time as they are revised or replaced. 

Specific guidance on paragraph 8 of Schedule 9 - "Protection of the rights of other" in respect of its application in the context of complying with the right of access ("third party information"), has been published and is available below.