GDPR Exemptions That Provide Leeway to EU Member State Laws

GDPR Exemptions That Provide Leeway to EU Member State Laws

Come May 25, 2018, the General Data Protection Regulations (GDPR) will set the pace as to how personal data of people living in the European Union (EU) will be stored and processed. There is still confusion regarding how GDPR works. This article will try to shed light on the unclear issues of GDPR.

The primary objective of the GDPR is to unify the data processing rules across the EU. But individual EU member states are allowed to implement policies dealing with certain aspects of data management provided there is an acceptable reason. Article 23, Restrictions, of the GDRPR lists this set of acceptable reasons.

  • security and defense
  • protection of the judicial system
  • protection of important national public interests such as relating to budgets, public health, or social security
  • prevention, detection, investigation, or prosecution of crime or breaches of ethics for regulated professions

Any national law limiting GDPR rights can only be followed with the condition that the law should respect “the core of the basic rights and freedoms and is a required and proportionate measure in a democratic society.” The following articles mention other exemptions that allow the introduction of national laws:

  • Article 85, Processing and freedom of expression and information,allows member states to introduce laws that balance the rights to privacy of personal data with the rights to freedom of expression for “academic, journalistic, artistic or literary expression.”
  • Article 86, Processing and public access to official documents, allows laws that balances the right of “public access to official documents with the right to the protection of personal data.”
  • Article 88, Processing in the context of employment, allows laws that regulate how employee data is to be processed so that details such as equality and diversity in the workplace, health and safety, and employment benefits are all considered.

There are other areas that EU member states can introduce laws that affect the rights stipulated under the GDPR. These include processing of

  • data for national administrative reasons i.e. for an identification number
  • data for scientific or historical research
  • statistics or archiving data for public interest
  • state or professional secrets

Religious bodies and churches that process data need to update their procedures to align with the GDPR.  Any law that is introduced based on the above exemptions must include measures that safeguard the data subject’s fundamental rights, human dignity, and legitimate interests. Data minimization must be observed so only the minimum amount personal data must be processed to fulfill a purpose. The member state that enforces specific laws must notify the European Commission regarding the laws including any amendments to them.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: