GDPR Exemptions


The General Data Protection Regulation applies to organisations established in the EU and to organisations anywhere in the world that offer goods or services to, or monitor the behaviour of, people in the EU. It therefore has a wide extraterritorial reach, and it carries potential fines of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. Fines are decided case by case, taking many factors into consideration, including the nature, gravity and duration of the infringement and whether it was intentional or negligent.

The GDPR does include derogations and special conditions, as the Data Protection Directive did before it. Member States can introduce some derogations, for example for the prevention and detection of crime or for national security. Although the GDPR harmonises data protection law across the EU, Member States retain the ability to introduce supplemental, country-specific laws for special purposes.

The derogations and exemptions fall into two main areas: restrictions, and specific processing situations. Article 23 of the GDPR allows Union or Member State law to restrict the scope of the data subject rights and controller obligations in Articles 12 to 22 and 34 (and the principles in Article 5 insofar as they correspond to those rights) on grounds including national security, defence, public security, the prevention and prosecution of criminal offences, the protection of judicial independence and judicial proceedings, and the enforcement of civil law claims. Any such restriction must respect the essence of the fundamental rights and freedoms, be a necessary and proportionate measure in a democratic society, and be laid down in a legislative measure that contains specific provisions, for example on the purposes of the processing, the safeguards against abuse, the storage periods and the data subject's right to be informed of the restriction.

Articles 85 to 91 cover specific data processing situations and the associated derogations, exemptions and powers to impose additional requirements. The specific data processing situations are:

  • Freedom of expression and information (Article 85)
  • Public access to official documents (Article 86)
  • National identification numbers (Article 87)
  • Employee data, i.e. processing in the employment context (Article 88)
  • Scientific and historical research purposes or statistical purposes (Article 89)
  • Archiving in the public interest (Article 89)
  • Obligations of secrecy (Article 90)
  • Churches and religious associations (Article 91)

These provisions allow Member States to introduce exemptions from the GDPR where necessary, to set their own conditions or to establish more specific rules. This recognises that some countries already have specific systems in place, such as national identification numbers, that do not need to be overhauled in order to comply with the GDPR, and it allows some flexibility in how the requirements are met. Some of the laws introduced by Member States, such as those adopted under Article 88 regarding employee data, must be notified to the Commission by 25 May 2018, the date from which the GDPR applies, and any subsequent amendment affecting them must be notified without delay.
