GDPR Exemptions That Provide Leeway to EU Member State Laws
Come May 25, 2018, the General Data Protection Regulations (GDPR) will set the pace as to how personal data of people living in the European Union (EU) will be stored and processed. There is still confusion regarding how GDPR works. This article will try to shed light on the unclear issues of GDPR.
The primary objective of the GDPR is to unify the data processing rules across the EU. But individual EU member states are allowed to implement policies dealing with certain aspects of data management provided there is an acceptable reason. Article 23, Restrictions, of the GDRPR lists this set of acceptable reasons.
- security and defense
- protection of the judicial system
- protection of important national public interests such as relating to budgets, public health, or social security
- prevention, detection, investigation, or prosecution of crime or breaches of ethics for regulated professions
Any national law limiting GDPR rights can only be followed with the condition that the law should respect “the core of the basic rights and freedoms and is a required and proportionate measure in a democratic society.” The following articles mention other exemptions that allow the introduction of national laws:
- Article 85, Processing and freedom of expression and information,allows member states to introduce laws that balance the rights to privacy of personal data with the rights to freedom of expression for “academic, journalistic, artistic or literary expression.”
- Article 86, Processing and public access to official documents, allows laws that balances the right of “public access to official documents with the right to the protection of personal data.”
- Article 88, Processing in the context of employment, allows laws that regulate how employee data is to be processed so that details such as equality and diversity in the workplace, health and safety, and employment benefits are all considered.
There are other areas that EU member states can introduce laws that affect the rights stipulated under the GDPR. These include processing of
- data for national administrative reasons i.e. for an identification number
- data for scientific or historical research
- statistics or archiving data for public interest
- state or professional secrets
Religious bodies and churches that process data need to update their procedures to align with the GDPR. Any law that is introduced based on the above exemptions must include measures that safeguard the data subject’s fundamental rights, human dignity, and legitimate interests. Data minimization must be observed so only the minimum amount personal data must be processed to fulfill a purpose. The member state that enforces specific laws must notify the European Commission regarding the laws including any amendments to them.