The General Data Protection Regulation (GDPR), which goes into effect on May 28th 2018, applies to all businesses based in the European Union. However, even companies which are not based in a member state of the EU may be obliged to comply with the new regulation. An organisation which wishes to process the data of customers who reside in, or are citizens of, European Union countries must be GDPR compliant.
So to whom do these regulations not apply? Who need not concern themselves with the stiff penalties of GDPR?
Article 23 outlines the process for EU member states to petition for exemptions based on specific matters. Articles 85 and 91 also outline where and when exemptions apply.
The other consideration is when the restrictions outlined to protect citizens’ data may be overlooked. These exemptions apply specifically to European Union member states. A member state must present its request for exemption, and may do so only if the rights and freedoms of individuals might pose a threat to the member state.
Examples of areas in which these situations might occur include:
- The security of the member state’s citizens
- The need to prevent a crime
- The need to conduct a criminal investigation
- The prosecution of an individual or group
- National security
- Financial security of the member state and/or its citizens
- Budgetary matters of the member state
- Taxation concerns
- Ethics or morals of the member state
- Public health of the citizens of the member state
- Judicial protection
- Protection of individual rights of other citizens
- Civil law enforcement
- Freedom of information
Member states are not limited to the protections for their citizens described by GDPR. They may institute additional safeguards within their jurisdiction.
Countries like Germany have already put additional protections for the data of their citizens into place. The goal of these additional measures is to protect the personal data of their citizens by providing a secure environment.