(b)
by the Member States when carrying out activities which fall within the scope of Chapter 2 of
Title V of the TEU;
…
(d)
by competent authorities for the purposes of the prevention, investigation, detection or
prosecution of criminal offences or the execution of criminal penalties, including the
safeguarding against and the prevention of threats to public security.
…’
13
Article 4 of that regulation provides:
‘For the purposes of this Regulation:
…
(2)
“processing” means any operation or set of operations which is performed on personal data or
on sets of personal data, whether or not by automated means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure
by transmission, dissemination or otherwise making available, alignment or combination,
restriction, erasure or destruction;
…’
14
Under Article 23(1) of that regulation:
‘Union or Member State law to which the data controller or processor is subject may restrict by way of
a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and
Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations
provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights
and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
15
(a)
national security;
(b)
defence;
(c)
public security;
(d)
the prevention, investigation, detection or prosecution of criminal offences or the execution of
criminal penalties, including the safeguarding against and the prevention of threats to public
security;
(e)
other important objectives of general public interest of the Union or of a Member State, in
particular an important economic or financial interest of the Union or of a Member State,
including monetary, budgetary and taxation matters, public health and social security;
(f)
the protection of judicial independence and judicial proceedings;
(g)
the prevention, investigation, detection and prosecution of breaches of ethics for regulated
professions;
(h)
a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of
official authority in the cases referred to in points (a) to (e) and (g);
(i)
the protection of the data subject or the rights and freedoms of others;
(j)
the enforcement of civil law claims.’
Under Article 94(2) of Regulation 2016/679: