Is your company exempt from the rules and regulations of the GDPR? Well, there's a longer answer than a simple yes or no.

The General Data Protection Regulation Act (GDPR) of the European Union was enacted in 2018 to protect the privacy of personal information during processing and transferring of the information.

The act applies not only to EU companies, but also to non-EU companies who collect or transfer data of EU residents. If the act can extend to companies all across the world, who or what is exempted?

There are many exemptions, but they are very specific. Make sure to pay attention to the fine print of each exemption and its requirements.


What are Exemptions?

While the GDPR has a long reach in regard to who falls under their restrictions and the data they protect, there are exemptions to the rules. There are certain instances when personal information does not need to be transmitted under their protections.

The determining factor for the exemptions is why you collect or process the data. Are you collecting the information for national security, research purposes, or for cookies for your site? The why is the most important thing to remember when looking into exemptions.

These exemptions, commonly called derogations, are not exhaustive, but the act does spell out specific instances. Article 23 of the GDPR includes many situations that fall within these derogations.

Countries may introduce these exemptions by their own EU member state laws for certain reasons, such as national security or judicial proceedings. An exemption can only be introduced if it respects the fundamental rights and freedoms of individuals.

Additional articles, Articles 85 through 91, include specific data processing circumstances and the derogations that apply to them. Examples of these include:

  • Freedom of speech
  • Employee data
  • National Identification Number
  • Scientific or historical research

How do Exemptions Work and What Should Your Company Pay Attention To?

As mentioned above, the main factor in determining whether you are exempted is the reason for collecting the private information.

Also something to pay close attention to is what is personal data. Under the GDPR, "personal data" can include name, location, ID, email address, and online ID. Their definition is extremely broad to allow full protection:

The GDPR seeks to protect the processing of information in business and economic circles. This would include companies such as Amazon or Apple who collect data for the use of cookies, products, and services:

Apple Privacy Policy: Collection and Use of Personal Information clause

The GDPR does not apply to personal or domestic reasons for collecting data. Sending data to your mom or dad wouldn't fall under the scope of the GDPR.

In addition to the specific examples given in Article 23 and 85 through 91, the GDPR also lays out other instances where your company or collection processes would be exempt. These exemptions only apply if complying with the GDPR rules would:

  • Prejudice the purpose of your company, or
  • Prevent or greatly hurt your ability to process the information collected

A note to remember, is that all of these exemptions should not be taken as having a blanket effect. Each company and situation should be taken on a case-by-case basis. Exemptions don't always apply to every new situation, even if they once applied before.

If your company decides to rely on an exemption, you should provide ample reasons for why you relied upon the exemption, along with documentation. Providing both of these will show compliance with the GDPR.

When your company falls under an exemption, maintaining clear and transparent provisions for your users is extremely important. The GDPR requires the relationship between users and companies to be unambiguous and transparent. This does not stop at exemptions.

Article 23 provides ample provisions companies must include to inform their users of their data protection and collection. These provisions include:

  • Purpose of processing and categories
  • Types of personal data
  • Scope of restrictions introduced
  • Safeguards to prevent misuse
  • Information regarding the controller or company
  • Storage of data
  • Rights and risks of users in regard to their data
  • Right to be informed

Examples of Types of Exemptions

Examples of Types of Exemptions

These exemptions, or derogations, should be viewed as individual situations. They may not always apply in every situation, but should be researched and analyzed on each case. This is not an exhaustive list, but includes commonly seen derogations.

National Security and Law Enforcement

The GDPR clearly lays out that the transmission of data for national security or defense reasons are exempt from the GDPR laws. Withstanding, that the collection and transmission of the data does not violate the fundamental rights and freedoms of individuals.

Public safety and the safeguarding of prevention, investigation, detection or prosecution of criminal offenses are also protected. If there is private, personal data collected or exchanged for these reasons, then they are exempt from the GDPR.

Certain Types of Personal Data

The definition of personal data is a sticky and sometimes confusing topic when it comes to the GDPR. The GDPR states if what is transmitted is considered personal data under its definition, then it falls under its scope.

The definition of personal data is intentionally construed to be broad, to catch all possible private information. It can even protect opinions and testing information. Examples of what the definition can include are:

  • Physical characteristics
  • Cultural identity
  • Credit card information
  • Location data
  • Addresses

On the other hand, the GDPR only applies to a natural, physical person. It does not apply to the information of corporations or partnerships.

Additionally, personal data that's transferred only between families or for personal use is not considered protected. For example, sending your birthday information to your cousin so she can update her calendar would not fall under the GDPR.

Journalism and Creative Expression

As journalism is based off of collecting personal and public information, Article 85 of the GDPR provides for an exception for journalistic reasons. The article states the exception only applies to one of the following reasons:

  • Journalism
  • Academic
  • Artistic
  • Literary expression

If your company or entity falls under one of these four, then you are exempt from certain requirements. Conditions such as consent, right to be informed, and maintaining specific data processing systems would not apply.

Journalists and writers will have to pay close attention to safeguards the GDPR has put into place even though their professions may enjoy a wider exception.

Scientific or Historical Research

There are exemptions that don't just pertain to financial or public safety, but to academia and medicine as well. The GDPR includes derogations for scientific and historical collection under Article 89.

Article 89 states if the collection of the data falls under the following instances then it would be exempt. They are:

  • Archiving purposes in public interest
  • Scientific or historical research
  • Statistical research

As with the other derogations, historic or scientific collection would be exempt from the normal regulations guidelines and rules. However, as with all of the GDPR exemptions, the act puts in place safeguards to protect the information.

This type of processing of information is only excused if:

  • Technical and organizational practices are in place to respect the private information
  • The GDPR rules would cause substantial harm to the controller's practices
  • Research doesn't identify individuals
  • Research and collection does not cause stress to the individual

Outside the Scope of EU Law

Not every company or controller falls under the rules of the GDPR. Only companies that are in the EU or non-EU companies that do business in the EU or collect EU residents' data are subject to the act's scope.

For example, if your company is in Kentucky and only does business in the state and doesn't ship outside of the U.S. or have clients in the EU, then you would not fall under the GDPR.

This is not so much an exemption as the GDPR simply does not apply. The GDPR still includes this in its exemptions and scope definitions. However, if your company does expand into the EU, then you will be forced to fully comply.

Information Not in a "Filing" System

In Article 2, the GDPR states that any personal data that is part of a "filing" system or intended to form part of a "filing" system is considered under its material scope. The GDPR constructed the rule to not only apply to electronically transmitted and stored processes, but also to hard copy and paper processing as well.

The "filing" system can include paper if this paper is part of a filing system. The main point of this definition is whether the filing is structured or unstructured. Under the definitions of the GDPR, a system is considered a "filing" system if it is a "structured set of personal data which are accessible according to specific criteria."

So what is structured and what is unstructured? Structured means if there is a proper filing system with an organization that would allow someone to easily look up information. An unstructured filing system would be loose papers on a desk which has no organizational system.

Summary

While the GDPR does apply to a broad range of data processing, there are some specific exemptions. These exemptions vary in genre, but they all must still respect the individual's rights to their data.

The exemptions to the GDPR shouldn't be construed as a regular occurrence or a blank exemption, but should be taken each situation at a time. Some of the commonly seen exemptions are for:

  • National security or law enforcement
  • Journalism and free speech
  • Historic and scientific research
  • Companies outside the EU that don't have customers or users in the EU (technically not an exemption, but included in the Articles)
  • Information not in a "filing" system