GDPR Exemptions


The General Data Protection Regulation will apply to EU-based companies and companies across the world with EU citizens as customers. It has a wide extraterritorial reach and potential fines of up to €20 million or 4% of annual turnover, whichever is greater. The fines will be decided on a case-by-case basis, taking many factors into consideration.

The GDPR does include derogations and special conditions, similar to the Data Protection Directive. Member States can introduce some derogations, for example for the prevention and detection of crime or for national security. Although the GDPR will be harmonising Data Protection laws across the EU, Member States will have the ability to introduce some supplemental laws for special purposes that will be specific to the country.

The derogations and exemptions fall into two main areas: restrictions and specific processing situations. Article 23 of the GDPR allows Member States to introduce derogations on topics including national security, public security, the protection of judicial independence and proceedings, and the enforcement of civil law matters. Derogations must respect the right to data protection and be a necessary and proportionate measure.

Articles 85 to 91 contain specific data processing situations and the associated derogations, exemptions and powers to impose additional requirements. The specific data processing situations include:

  • Freedom of expression and information
  • Public access to official documents
  • National identification numbers
  • Employee data
  • Scientific and historical research purposes or statistical purposes
  • Archiving in the public interest
  • Obligations of secrecy
  • Churches and religious associations

The provisions allow Member States to introduce exemptions to the GDPR where necessary, set their own conditions or establish more specific rules. This recognises that some countries already have specific systems in place, such as national identification numbers, that do not need to be overhauled in order to comply with the GDPR. It also allows some flexibility in how the requirements are met. Some of the laws that are introduced by Member States, such as those under Article 88 regarding employee data, must be provided to the Commission before the GDPR comes into force.
