HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

GDPR Exemptions: Who is Exempt from GDPR Requirements?

The General Data Protection Regulation (GDPR) applies from May 25, 2018 (it formally entered into force in May 2016 with a two-year transition period). Organizations that collect or process the personal data of individuals in the EU are required to comply with GDPR, although there are limited GDPR exemptions and derogations.

Who Must Comply with the Requirements of GDPR

GDPR is concerned with ensuring the privacy and data protection rights of individuals in the EU are protected. GDPR is an EU law, but its territorial scope (Article 3) is not limited to organizations based in the EU. It applies to any controller or processor established in the EU, regardless of where the processing itself takes place, and to controllers and processors established outside the EU that process the personal data of individuals who are in the EU in connection with offering them goods or services or monitoring their behavior. An organization located in a non-EU country therefore cannot assume it is out of scope.

There are many misconceptions about GDPR exemptions, such as whether GDPR applies to small businesses, individuals, or companies whose websites merely happen to be accessible in the EU. Apart from the limited GDPR exemptions, all organizations – regardless of their size – are required to comply with GDPR if they offer free or paid goods or services to individuals in the EU or monitor their behavior. Mere accessibility of a website from the EU is not, on its own, enough to bring an organization into scope: Recital 23 points instead to factors such as the use of a language or currency of an EU Member State, the ability to order goods or services in that language, or references to customers or users who are in the EU as evidence that an offering is directed at them.

Who is Exempt from GDPR?

GDPR Article 2(2) sets out the limited circumstances in which the Regulation does not apply to the processing of personal data:

  • When data are processed in the course of an activity that falls outside the scope of European Union law
  • When data are processed by a natural person in the course of a purely personal or household activity (Recital 18 gives correspondence, keeping an address book, and private social networking as examples); the exemption does not extend to controllers or processors that provide the means for that personal processing, and it never covers an organization's own processing of the individual's data
  • When data are processed by competent authorities, such as the police and prosecutors, for the prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties, including safeguarding against and preventing threats to public security. Such processing is not unregulated: it is governed instead by the Law Enforcement Directive (Directive (EU) 2016/680)
  • When data are processed by Member States in the course of activities that fall within the scope of Chapter 2, Title V, of the Treaty on European Union (the common foreign and security policy)

Processing by the EU's own institutions, bodies, offices, and agencies is also outside GDPR; it is covered by a separate regulation (Article 2(3)).

GDPR Article 23: Restrictions

While one of the aims of the GDPR is to harmonize data protection laws across all EU Member States, Article 23 (Restrictions) allows Union or Member State law to restrict the scope of the data subject rights and controller obligations in Articles 12 to 22 and Article 34 (and the Article 5 principles, insofar as they correspond to those rights) for country-specific purposes.

Any such restriction must respect the essence of the fundamental rights and freedoms and be a necessary and proportionate measure in a democratic society. The legislation introducing it must also contain specific provisions covering, among other things, the purposes of the processing, the categories of personal data, the safeguards against abuse, the storage periods, and the risks to the rights and freedoms of data subjects (Article 23(2)). Restrictions are permitted only to safeguard the following:

  • National security, defense, and public security
  • The prevention, investigation, detection, and prosecution of criminal offenses and the execution of criminal penalties, including safeguarding against threats to public security
  • Other important objectives of general public interest of the Union or a Member State, in particular economic or financial interests, including monetary, budgetary, and taxation matters, public health, and social security
  • The protection of judicial independence and judicial proceedings
  • The prevention, investigation, detection, and prosecution of breaches of ethics for regulated professions
  • Monitoring, inspection, or regulatory functions connected with the exercise of official authority in the areas above
  • The protection of the data subject or the rights and freedoms of others
  • The enforcement of civil law claims

GDPR Articles 85-91: Specific Processing Situations

Articles 85-91 of GDPR (Chapter IX) also cover situations where Member States may, or in some cases must, make their own provisions. These relate to:

  • Freedom of expression and information, including processing for journalistic purposes and academic, artistic, or literary expression (Article 85)
  • Public access to official documents (Article 86)
  • National identification numbers (Article 87)
  • Personal data of employees in the employment context (Article 88)
  • Archiving in the public interest and scientific, historical research, and statistical purposes (Article 89)
  • Obligations of secrecy (Article 90)
  • Churches and other religious associations (Article 91)

In all cases, data must still be protected. Article 89, for example, only allows derogations from certain data subject rights where the processing is subject to appropriate safeguards, such as pseudonymization and other measures that ensure data minimization, and where exercising those rights would otherwise render the research or archiving purpose impossible or seriously impair it.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.