„Our employees are doing perfectly well; they do not need training."
Are you sure about that?
Article 23 GDPR
Restrictions
P: 73
1. Union law or the law of the Member State to which the controller or processor is subject may, by means of a legislative act, limit the scope of the obligations and rights provided for in Articles 12–22 and Article 34, as well as in Article 5—provided that its provisions correspond to the rights and obligations provided for in Articles 12–22 — provided that such a restriction does not undermine the essence of fundamental rights and freedoms and is, in a democratic society, a necessary and proportionate measure aimed at:
(a) national security;
b) obronie;
(c) public safety;
(d) the prevention of crime, the preparation of proceedings, the detection or prosecution of prohibited acts or the execution of penalties, including protection against and prevention of threats to public security;
(e) other important objectives in the general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and fiscal matters, public health and public security;
(f) protecting the independence of the courts and the judicial process;
(g) preventing, prosecuting, detecting and prosecuting breaches of ethics in regulated professions;
(h) control, inspection or regulatory functions relating, even sporadically, to the exercise of public authority in the cases referred to in points (a) and (g);
(i) the protection of the data subject or of the rights and freedoms of others;
(j) enforcement of civil claims.
2. In particular, the legal act referred to in paragraph 1 must contain detailed provisions at least, if applicable, on:
(a) the purposes of processing or categories of processing;
(b) categories of personal data;
(c) the scope of the restrictions imposed;
(d) safeguards against abuse or unlawful access or transfer;
(e) the definition of the administrator or categories of administrators;
(f) storage periods and applicable safeguards, taking into account the nature, scope and purposes of the processing or categories of processing;
(g)
*
the risks to the rights or freedoms of the data subject; and(h)
**
the right of data subjects to be informed of the restrictions, provided that this does not undermine the purpose of the restriction.*Article 23 (2) (g) as amended by correction of 23 May 2018 (EU Decree L, 2018, No 127, paragraph 2) which shall enter into force on 23 May 2018.
**Article 23 (2) (h) as amended by correction of 23 May 2018 (EU L, 2018), No 127, paragraph 2), which shall enter into force on 23 May 2018.
