GDPR Exemptions


The General Data Protection Regulation will apply to EU-based companies and companies across the world with EU citizens as customers. It has a wide extraterritorial reach and potential fines of up to €20 million or 4% of annual turnover, whichever is greater. The fines will be decided on a case-by-case basis, taking many factors into consideration.

The GDPR does include derogations and special conditions, similar to the Data Protection Directive. Member States can introduce some derogations, for example for the prevention and detection of crime or for national security. Although the GDPR will be harmonising Data Protection laws across the EU, Member States will have the ability to introduce some supplemental laws for special purposes that will be specific to the country.

The derogations and exemptions fall into two main areas: restrictions and specific processing situations. Article 23 of the GDPR allows Member States to introduce derogations on topics including national security, public security, the protection of judicial independence and proceedings, and the enforcement of civil law matters. Derogations must respect the right to data protection and be a necessary and proportionate measure.

Articles 85 to 91 contain specific data processing situations and the associated derogations, exemptions and powers to impose additional requirements. The specific data processing situations include:

  • Freedom of expression and information
  • Public access to official documents
  • National identification numbers
  • Employee data
  • Scientific and historical research purposes or statistical purposes
  • Archiving in the public interest
  • Obligations of secrecy
  • Churches and religious associations

The provisions allow Member States to introduce exemptions to the GDPR where necessary, set their own conditions or establish more specific rules. This recognises that some countries already have specific systems in place, such as national identification numbers, that do not need to be overhauled in order to comply with the GDPR. It also allows some flexibility in how the requirements are met. Some of the laws that are introduced by Member States, such as those under Article 88 regarding employee data, must be provided to the Commission before the GDPR comes into force.
