GDPR Exemptions

The General Data Protection Regulations (GDPR) came into force in the EU on May 25th 2018. The regulations have introduced sweeping changes to how businesses operate, not only in Europe but across the world. Before GDPR, EU citizens little control over their data. Furthermore, despite the increased threat of data breaches, existing regulations were deemed inadequate to deal with advances in technology. GDPR was created to give individuals in the EU control over their data by changing how the data can be collected, used, and stored by those who handle the information.

There has been much confusion over which organisations are required to comply with GDPR, and which are exempt. This article gives an overview of who may not be required to comply with the regulations, and where information about GDPR’s derogations may be found in the text.

It is important to note that while GDPR protects the data of people within the EU, its scope is beyond Europe’s borders. Most organisations that handle personal data collected within the EU must comply with GDPR regardless of the physical location of their headquarters.

GDPR covers all types of organisations, including public agencies, governments, or companies of various sizes.

Who is Exempt from GDPR?

While the majority of organisations that fit the above criterion are expected to comply with GDPR, there are limited exceptions.

Circumstances relating to the processing of personal data which warrant GDPR exemptions include:

  • Organisationsthatprocessdataduringanactivitythatfallsoutsideofthelawofthe European Union
  • Individualsthatprocessdataforpersonalorhouseholdactivity
  • Governmentagenciesandlawenforcementwhendataarecollectedandprocessedfor the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties or for preventing threats to public safety
  • MemberStatesprocessingpersonaldataforactivitiesunderthescopeofChapter2, Title V, of the Treaty on European Union

    GDPR Article 23: Derogations

Although GDPR attempted to introduce EU-wide standards for the processing of personal data, Member States may introduce derogations and supplemental laws for country- specific purposes, as detailed in Article 23 – Restrictions.

Although Member States can introduce derogations, these exceptions cannot infringe on the rights of EU residents. Organisations must still ensure that personal data is respected and all of the appropriate safeguards are in place.

Derogations are acceptable in the following areas:

  • Acountry’ssecurity,defence,andpublicsecurity
  • Enablingandsecuringjudicialindependence
  • Thedetection,investigation,andprosecutionofcrimeandthepreventionofcriminal activity
  • Toenableenforcementofcivillawclaims
  • Theprotectionofsubjectscriticaltonationalinterestssuchasbudgetary,social,and health matters

    GDPR Articles 85-91: Derogations

    Articles 85-91 of GDPR also cover situations were derogations may be appropriate for the individual Member States. These relate to:

    • Freedomofexpressionandinformation• Publicaccesstoofficialdocuments
    • NationalIdentificationNumbers
    • Personaldataofemployees

    • Dataforscientificorhistoricalresearch
    • Archivinginthepublicinterest
    • Obligationsofsecrecy
    • Churchesandotherreligiousassociations

    As above, Member States must still ensure that the integrity of personal data is maintained during processing.