The introduction of General Data Protection Regulation (GDPR), on 25 May 2018, is intended to bring consistency to the way in which data protection is dealt with across the EU. That being said, there will be situations where member states can implement their own rules.
Article 23 and Derogations
There are certain areas, covered by Article 23 of GDPR, where EU member states can create derogations, which enable them to make rules outside of GDPR stipulations. These areas include:
- The security of the country.
- The enabling and securing of judicial independence.
- The enabling of the enforcement of matters concerning civil law.
Any derogation must be necessary and must still take into account data protection.
Articles 85 to 91 and Derogations
Article 23 of the GDPR is not the only one which deals with potential derogations.
Articles 85 to 91 deal with different situations where it may be appropriate for individual member states of the EU to create derogations, and make rules outside of GDPR stipulations. These situations include:
- When freedom of expression and information is involved.
- When the public needs to have access to official documents.
- When national identification numbers are involved.
- When the situation involves dealing with the personal data of employees.
- When data is required for scientific or historical research.
- When there is an obligation to secrecy.
- When religious groups or churches are involved.
Of course, member states still need to take into account data protection at all times. But, they can create further rules outside of GDPR in these situations. It remains to be seen how far countries will go with creating these rules, although we do know that Germany already has many in place, in order to create a secure environment for the protection of personal data.