GDPR Exemptions


The soon-to-be-introduced General Data Protection Regulation (GDPR) will govern how organizations store and process personal data relating to people living in the European Union (EU), but the new legislation also allows for some exemptions. The GDPR comes into effect on May 25, 2018, yet there is still a certain amount of confusion about how it will work and how it will interact with member states’ own laws. Below, we will try to clear up some of this confusion.

GDPR vs National Law

A chief aim of the GDPR is to harmonize the rules concerning data processing across the EU. Even with this as a goal, there will still be a certain amount of leeway and discretion permitted for each individual EU member state to legislate some aspects of how data management is policed.

GDPR Article 23, Restrictions, presents a set of acceptable reasons for which a member state may introduce a law restricting some of the rights otherwise granted in the other articles of the GDPR. These reasons include:

  • security and defense
  • prevention, detection, investigation, or prosecution of crime or breaches of ethics for regulated professions
  • protection of the judicial system
  • protection of important national public interests e.g. relating to budgets, public health, or social security

Any national legislation restricting GDPR rights can only be implemented with the caveat that the law must respect “the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society”.

A number of other exemptions are provided for in Articles 85, 86, 87, 88, 89, 90, and 91. Article 85, for example, Processing and freedom of expression and information, establishes the right for member states to introduce laws which balance the right to protection of personal data with the right to freedom of expression for “journalistic […] and […] academic, artistic or literary expression”.

Article 86, Processing and public access to official documents, allows laws to be established that reconcile “public access to official documents with the right to the protection of personal data”.

An important area for organizations in all member states will be Article 88, Processing in the context of employment. Laws regulating how employee data is to be processed may be introduced to allow for greater detail in areas such as equality and diversity in the workplace, health and safety, and employment benefits. Any such law must “include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights”, and the European Commission must be notified of the laws which are being enforced in the member state, as well as any amendments to them.

Other areas in which EU member states may introduce laws restricting or affecting the rights afforded under the GDPR include processing for national administrative reasons, such as for an identification number; processing for scientific or historical research; processing of statistics or archiving of data in the public interest; and state or professional secrets.

Churches and religious bodies which process data and which already have comprehensive rules governing data protection may continue to apply them, but they will be obliged to bring those rules into line with the GDPR, and they will be placed under the supervision of an independent supervisory authority (which may be one specific to such bodies).

In the case of most of these exemptions and exceptions, member states are required to notify the European Commission of their course of action and amendments they adopt; to enforce the principle of data minimization – only processing the minimum amount of personal data to fulfill a purpose; and to ensure that the exemptions and exceptions include sufficient protections and safeguards such that they will not have any undue impact on the rights and freedoms of the data subjects concerned.

Author: HIPAA Journal
