Who is Exempt from GDPR Requirements?

November 20, 2019 HIPAA News GDPR Advice Comments Off on Who is Exempt from GDPR Requirements?

The General Data Protection Regulation became enforceable on May 25, 2018 and from that date companies that gather or use the personal data of EU residents were obligated to require with the GDPR, although there are restricted GDPR exemptions and derogations.

Who Must Adhere with the Requirements of GDPR

GDPR is related to ensuring the privacy and data rights of EU residents are always safeguarded. GDPR may be EU legislation, but GDPR applies to all firms and groups. It does not matter where a company is located, whether it is based in the EU or in a non-EU country, compliance with GDPR is a must.

There are many misconceptions about GDPR exemptions, such as whether GDPR applies to small companies, individuals, or companies whose websites are accessible in the European Union. Apart from limited GDPR exemptions, all firms – regardless of their size – must comply with GDPR if they offer free or paid goods or services to EU residents or review their behavior.

Who is Exempt from GDPR?

There are restricted GDPR exemptions linked to the processing of personal data as detailed here:

  • When data are processed during the course of an activity that falls outside of the remit of European Union legislation
  • GDPR does not apply to those who process data for personal or household activity
  • GDPR does not apply to government bodies and law enforcement when data are gathered and processed for the prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties or for preventing threats to public safety
  • GDPR does not apply to the processing of personal data by Member States for activities incorporated in Chapter 2, Title V, of the Treaty on European Union.

While one of the targets of the GDPR is to harmonize data protection legislation across all EU Member States, it is possible for Member States to bring in derogations and supplemental laws for country-specific purposes, as detailed in Article 23 – Restrictions.

When derogations are brought in it is still necessary for the rights of EU residents to be adhered to and for their data to be protected. Derogations are acceptable in the following areas:

  • The security, defense and public security of a country
  • Allowing and securing judicial independence
  • The discovery, investigation and prosecution of crime and the prevention of criminal activity
  • To allow enforcement of civil law claims
  • The security of subjects critical to national interests such as budgetary, social and health issues

GDPR Articles 85-91: Derogations

Articles 85-91 of GDPR also includes situations were derogations may be appropriate for specific Member States. These relate to:

  • Freedom of expression and data
  • Public access to official documents and files
  • National Identification Number details
  • Personal data of staff
  • Data used for scientific or historical research
  • Archiving which is in the public interest
  • Obligations in relation to secrecy
  • Churches and all religious associations

In all instance, it is still required to ensure data are safeguarded.