Who is Exempt from GDPR Requirements?

by | Nov 20, 2019

The General Data Protection Regulation became enforceable on May 25, 2018, and from that date companies that gather or use the personal data of EU residents have been obligated to comply with the GDPR, although there are limited GDPR exemptions and derogations.

Who Must Comply with the Requirements of GDPR

GDPR is concerned with ensuring that the privacy and data rights of EU residents are always safeguarded. GDPR may be EU legislation, but it applies to all firms and groups. It does not matter where a company is located: whether it is based in the EU or in a non-EU country, compliance with GDPR is a must.

There are many misconceptions about GDPR exemptions, such as whether GDPR applies to small companies, individuals, or companies whose websites are accessible in the European Union. Apart from limited GDPR exemptions, all firms, regardless of their size, must comply with GDPR if they offer free or paid goods or services to EU residents or monitor their behavior.

Who is Exempt from GDPR?

There are limited GDPR exemptions relating to the processing of personal data, as detailed here:

  • When data are processed during the course of an activity that falls outside of the remit of European Union legislation
  • GDPR does not apply to those who process data for personal or household activity
  • GDPR does not apply to government bodies and law enforcement when data are gathered and processed for the prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties or for preventing threats to public safety
  • GDPR does not apply to the processing of personal data by Member States for activities incorporated in Chapter 2, Title V, of the Treaty on European Union.

While one of the aims of the GDPR is to harmonize data protection legislation across all EU Member States, it is possible for Member States to introduce derogations and supplemental laws for country-specific purposes, as detailed in Article 23 – Restrictions.

When derogations are introduced, it is still necessary for the rights of EU residents to be respected and for their data to be protected. Derogations are acceptable in the following areas:

  • The security, defense and public security of a country
  • Allowing and securing judicial independence
  • The discovery, investigation and prosecution of crime and the prevention of criminal activity
  • To allow enforcement of civil law claims
  • The security of subjects critical to national interests such as budgetary, social and health issues

GDPR Articles 85-91: Derogations

Articles 85-91 of GDPR also include situations where derogations may be appropriate for specific Member States. These relate to:

  • Freedom of expression and data
  • Public access to official documents and files
  • National Identification Number details
  • Personal data of staff
  • Data used for scientific or historical research
  • Archiving which is in the public interest
  • Obligations in relation to secrecy
  • Churches and all religious associations

In all instances, it is still required to ensure data are safeguarded.


Patrick Kennedy
