What Exemptions are there from GDPR?

The introduction of the General Data Protection Regulation (GDPR), on 25 May 2018, is intended to bring consistency to the way data protection is dealt with across the EU. That said, there will be situations where member states can implement their own laws.

Article 23 and Derogations

Although a major motivation behind the GDPR is the harmonization of laws across EU member states, there are certain areas, covered by the GDPR’s Article 23 (Restrictions), where each country is permitted to create derogations, which enable it to make rules outside of GDPR stipulations. Acceptable reasons for introducing derogations include:

  • The security and defense of the country.
  • The enabling and securing of judicial independence.
  • The prevention, detection, investigation, or prosecution of a crime or a breach of ethics for regulated professions.
  • The enabling of the enforcement of matters concerning civil law.
  • The protection of subjects critical to national interest, e.g. budgetary matters, health, social matters.

Any derogation must be necessary, proportionate, and must still take data protection measures into account.

Articles 85 to 91 and Derogations

Article 23 is not the only part of the GDPR that deals with potential derogations to be created under national laws.

Articles 85 to 91 deal with many different situations where it may be appropriate for individual member states of the EU to create derogations, and make rules outside of GDPR stipulations. These situations include:

  • When freedom of expression and information is involved, particularly with regard to journalistic or academic, artistic, and literary expression.
  • When the public needs to have access to official documents.
  • When national identification numbers and other administrative purposes are involved.
  • When the situation involves dealing with the personal data of employees, which may also affect diversity, health and safety, and benefit rights.
  • When data is required for scientific or historical research.
  • When there is an obligation to secrecy, either national or professional.
  • When religious groups or churches are involved. These entities must update any data protection procedures to be GDPR compliant and submit to independent supervisory authorities.

Of course, member states still need to take data protection into account at all times, but they can create further rules outside of GDPR in these situations. In most cases, the European Commission must be informed of the law or any changes made to it.

Some principles that are key throughout the GDPR, such as data minimization – only collecting or processing the absolute minimum data necessary to carry out the function – are still required to be followed.

It remains to be seen how far countries will go with creating these rules, although we do know that Germany already has many in place, in order to create a secure environment for the protection of personal data.

The protection of the rights and freedoms of individuals within the EU must always be addressed within the law and all necessary safeguards must be in place.