Who May Be Exempted from GDPR Requirements?

GDPR Exemptions That Provide Leeway to EU Member State Laws

The enforcement of the General Data Protection Regulation in the EU began on May 25, 2018. Companies collecting or processing the private information of EU residents need to conform to the GDPR, although there are some GDPR exemptions and derogations.

The goal of the GDPR is to ensure the protection of EU residents’ privacy and data rights. While GDPR is EU legislation, it is applicable to all businesses whatever their location. Regardless of whether the business is located in an EU or non-EU country, GDPR compliance is compulsory.

The GDPR is applicable to small and large organizations, persons, or companies with websites accessible in the European Union. Apart from the limited GDPR exemptions, every company that offers free or paid products or services to EU citizens and keeps track of consumer behavior needs to comply with GDPR.

Who May Be Exempted from GDPR?

There are some GDPR exemptions associated with personal data processing as specified below:

  • Data processed in the course of an activity that falls outside the scope of EU regulation
  • GDPR is not applicable to persons processing information for personal or household use only
  • GDPR is not applicable to government organizations and authorities when they collect or process data for the deterrence, investigation, identification, or prosecution of criminal acts or the execution of criminal charges or for preventing threats
  • GDPR is not applicable to the processing of Member States’ personal data used for activities covered by Chapter 2, Title V, of the Treaty on European Union.

GDPR Article 23: Derogations

The GDPR aims to harmonize data protection legislation across all EU Member States. Nevertheless, Member States can introduce derogations and supplemental laws that have country-specific purposes, as detailed in Article 23 – Restrictions.

When introducing derogations, it is essential to respect the rights of EU residents and ensure their data are protected. The following areas allow the introduction of derogations:


  • The security, defense, and public security of countries
  • Allowing and protecting judicial independence
  • The identification, investigation, and prosecution of criminal offenses and the prohibition of criminal activity
  • To enforce civil law claims
  • The protection of subjects crucial to state interests like social, budgetary and health concerns.

GDPR Articles 85-91: Derogations

Articles 85-91 of GDPR additionally cover cases where derogations may be appropriate for individual Member States. These correspond to:

  • Public access to official records
  • Freedom of expression and information
  • National identification numbers
  • Information for historical or scientific research studies
  • Employees’ personal data
  • Archiving in the public interest
  • Obligations of confidentiality
  • Churches and other religious groups

In all instances, it is still important to protect data.