Some uses of personal data are exempt from the rules of the General Data Protection Regulation.
The majority of these are the same as those that were exempt under older data protection law. There are slight changes.
What is an exemption?
An exemption is a use for personal data where some or all requirements or rights are changed. Some exemptions are full, i.e. don’t require the organisation to collect, store or process the data according to GDPR and data protection law at all, and some are partial, i.e. allow the data controller or processor not to follow some rules, provided others are followed.
For example, some of the rights and obligations that might not exist for certain uses include:
- the right to be informed
- the right of access
- reporting personal data breaches
- following the principles
Generally, exemptions exist where there is a national or public interest that is greater than the interests of the individual. However, often the extent of the exemption can be relied on only if it would otherwise be unfeasible to uphold the rights and principles under GDPR.
Data and uses that fall outside the scope of GDPR are not exemptions. For example, these might be when the data is not personal data, or when the user is not a business or an organisation. Uses not covered by GDPR include use as data in the investigation of a crime or enforcement of the law, and in national security interests.
When does an exemption apply?
Whether an exemption applies depends of the reason for processing the information.
Sometimes, the purpose exempts the processor from the rules of GDPR completely. Other exemptions depend on an assessment of whether complying would:
- have a detrimental effect on the ability to process personal data
- prevent or seriously impair the processing of data in a way that is necessary or required for the purpose
Exemptions might not apply all the time, in all situations. There is a requirement to consider whether an exemption is likely to reasonably apply on a case by case basis. If it does, the user or processor might choose to rely on it. In some cases, an exemption could exist, but it might not be followed.
Where a business or organisation decides that it can rely on an exemption, it should document the situation and the reasons for reliance. This allows it to demonstrate compliance if asked.
What are the exemptions under GDPR?
Please note that the following is not a complete list. We will update it over time.
Crime prevention and collection of taxes and duties
Acting against crime
If personal information is being used for the prevention and detection of crime, apprehension or prosecution of offenders, or assessment or collection of a tax or a duty, and if complying with GDPR would be likely to prejudice the purpose of processing, then there the processor is exempt from the provisions relating to the right for the data subject to be informed.
This includes the requirement to notify the data subject of a breach, the lawfulness, fairness and transparency principle, and the purpose limitation principle.
Risk assessment of crime being committed
If personal information is being used for risk assessment by a government or local authority department, and where the purpose of the assessment is collection of taxes or duties, or the prevention, detection or prosecution of people using public funds unlawfully, then there are exemptions on the right of access and the right to be informed.
An exemption only applies if the compliance with GDPR would prevent the risk assessment from being carried our effectively.
Example
An employer suspects that an employee has made a number of fraudulent payments from the company bank account to his own. The company reports the employee to the police. The company decides that it cannot inform the employee about the report, because if it were to do so, it might allow the employee to cover up his crime.
Requirements under law
If an organisation is compelled by law to make your personal data publically available, then you don’t have the right to be informed or any other rights, except those related to automated decision making. The exemption only applies in so far as meeting the legal requirement to disclose the information.
The organisation does not have to comply with the lawfulness, fairness and transparency principle, except the requirement for processing to be lawful, nor the purpose limitation principle.
Example
For example, the Registrar of Companies is required to publish the names and addresses of company directors online. A director has no right to be informed when this information is published, nor would the Registrar be required to remove it if requested. However, other rights, such as for the information to be correct, still apply.
If the organisation is compelled by law to disclose personal data to a third party (but not publically), the same exemptions apply, but only in so far as compliance with the Regulation would prevent the organisation from meeting that legal obligation.
If it is necessary for an organisation to disclose personal data in order to obtain legal advice, or establish or defend legal proceedings or legal rights, then similarly, the same exemptions apply, but only in so far as compliance with the Regulation would prevent the organisation from disclosing the information.
Legal professional privilege
If there is a duty of confidentiality between you and your legal adviser, then you and your adviser are exempt from providing information about other individuals under the right to be informed or the right to access, or any other, in so far as it applies to the other two rights mentioned here.
Self incrimination
If complying with GDPR would incriminate you as having committed an offence, and disclosure would lead to proceedings against you, then you are not obliged to respond to requests under the right to be informed or the right to access, or any other, in so far as it applies to the other two rights mentioned here.
However, this exemption does not apply for offences under data protection law or for false statements made under oath.
Information provided by an organisation in response to a subject access request is not admissible against the organisation in proceedings for an offence.
Immigration
If your personal information is processed to maintain control over immigration, including investigating your claims to be eligible to immigrate, then the authoritative body is exempt from provisions regarding your rights to be informed, of access, to erasure, to restrict processing, and to object. All principles so far as they relate to these rights do not have be applied.
The exemption applies to the extent that if it didn’t, it would be likely to prejudice processing.
Acts of Parliament
There are five exemptions that apply to personal information and that prohibit or restrict disclosure as a result of other law. These exempt the right of access and all other principles in so far as they relate to the right of access.
The Acts cover:
- human fertilisation and embryology
- adoption
- special educational needs
- parental orders
- children’s hearings in courts
Functions that aim to protect the public
If powers are conferred on someone or a public body to protect the public, then that person or organisation is exempt from GDPR to the extent that compliance would be likely to prejudice the function. There is no exemption in relation to the rights concerning automated decision making.
The six functions are as follows. Most are conferred by law, sometimes on specific bodies. The first four could be carried out by members of the public, if the function was carried out in the public interest.
- to protect the public against financial loss due to the seriously improper conduct (or unfitness, or incompetence) of financial services providers, or in the management of bodies corporate, or due to the conduct of bankrupts
- to protect the public against seriously improper conduct (or unfitness, or incompetence)
- to protect charities or community interest companies against misconduct or mismanagement in their administration, to protect the property of charities or community interest companies from loss or misapplication, or to recover the property of charities or community interest companies
- to secure workers’ health, safety and welfare or to protect others against health and safety risks in connection with (or arising from) someone at work
- to protect the public from maladministration, or a failure in services provided by a public body, or from the failure to provide a service that it is a function of a public body to provide
- to protect members of the public from business conduct adversely affecting them, to regulate conduct (or agreements) preventing, restricting or distorting commercial competition, or to regulate undertakings abusing a dominant market position.
Functions of regulatory bodies
Bodies that carry out regulatory functions, where those powers have been enacted under law have exemptions from GDPR – if compliance would be likely to prejudice the functions. There is no exception in relation to the rights concerning automated decision making.
Regulatory bodies include:
- the central bank
- a supervisory audit body, such as an Auditor General or a Comptroller and Auditor General
- information commissioners
- supervisory bodies for legal services, public service providers, charities and those in respect of pensions and of financial investments
- consumer protection enforcers
- other bodies considering a complaint under law relating to provision of legal services, provision of healthcare, provision of social care, or provision of care to children
Parliamentary privilege
The privileges of Parliament are prioritised over those of individuals. If necessary, there is an exemption on all rights except those relating to automated decision making. Parliamentary privilege removes the requirement to communicate personal data breaches.
Appointments to public positions
Provisions relating to all individual rights, except those related to automated individual decision-making, and all the principles relating to these rights do not have to be followed if personal data is processed in the course of assessing suitability for, or to appoint individuals to public positions, or to confer honours. These include:
- appointments to a judicial office or the Bar
- conference of judicial capacity
- conference of any honour or dignity or position by a sovereign
- appointment to certain religious offices
Use in the public interest
An exemption exists if your data is processed for special purposes.
Special purposes are where the data is used for journalism, academia, art or literature.
The exemption removes the requirement for there to be any legal basis for processing, all of the principles except security and accountability, and all rights except those related to automated decision making.
In addition, the controller does not have to communicate breaches to individuals, consult with the supervisory authority, or control international transfers of data.
However, the exemption only applies if compliance is otherwise incompatible, that the aim of processing is publication in the public interest with a consideration of the freedom of expression and harm to individuals.
Editorial guidelines and broadcasting codes can help someone make a decision about whether the exemption applies or not. A supervisory authority does not have to agree with the decision provided that reasonable consideration was made.
Research and statistics
If personal data is processed for non-commercial scientific, statistical or historical research purposes then the processor is exempt from provisions on the right of access, the right to rectification, the right to restrict processing and the right to object. There are exceptions on provisions on the right to be informed and the right to erasure.
The exemption does not apply if the use is commercial, such as market research.
The exemptions and exceptions only apply if compliance would prevent or seriously impair the outcome, if there are safeguards in place such as data minimisation, processing is unlikely to cause significant damage and if individuals are identified in the research results.
There are also specific provisions that adapt the application of the purpose limitation and storage limitation principles.