
GDPR Exemptions

by Adam Brogden

11-Oct-2019 10:57

The GDPR and the Data Protection Act 2018 set out exemptions from some of the rights and obligations in some circumstances. Whether or not you can rely on an exemption often depends on why you process personal data. You should not routinely rely on exemptions; you should consider them on a case-by-case basis, and you should justify and document your reasons for relying on an exemption. If no exemption covers what you do with personal data, you need to comply with the GDPR as normal.

There are several different exemptions; these are detailed in Schedules 2-4 of the DPA 2018. They add to and complement a number of exceptions already built in to certain GDPR provisions.

This part of the Guide focuses on the exemptions in Schedules 2-4 of the DPA 2018. We give guidance on the exceptions built into the GDPR in the parts of the Guide that relate to the relevant provisions.

The exemptions in the DPA 2018 can relieve you of some of your obligations for things such as:

  • The right to be informed

  • The right of access

  • Dealing with other individual rights

  • Reporting personal data breaches

  • Complying with the principles

Some exemptions apply to only one of the above, but others can exempt you from several things.

Some things are not exemptions. This is simply because they are not covered by the GDPR. Here are some examples:

  • Domestic purposes – personal data processed in the course of a purely personal or household activity, with no connection to a professional or commercial activity, is outside the GDPR’s scope. This means that if you only use personal data for such things as writing to friends and family or taking pictures for your own enjoyment, you are not subject to the GDPR.

  • Law enforcement – the processing of personal data by competent authorities for law enforcement purposes is outside the GDPR’s scope (e.g. the Police investigating a crime). Instead, this type of processing is subject to the rules in Part 3 of the DPA 2018.

  • National security – personal data processed for the purposes of safeguarding national security or defence is outside the GDPR’s scope. However, it is covered by Part 2, Chapter 3 of the DPA 2018 (the ‘applied GDPR’), which contains an exemption for national security and defence.

How do exemptions work?

Whether or not you can rely on an exemption generally depends on your purposes for processing personal data.

Some exemptions apply simply because you have a particular purpose. But others only apply to the extent that complying with the GDPR would:

  • Be likely to prejudice your purpose (e.g. have a damaging or detrimental effect on what you are doing)

  • Prevent or seriously impair you from processing personal data in a way that is required or necessary for your purpose.

Exemptions should not routinely be relied upon or applied in a blanket fashion. You must consider each exemption on a case-by-case basis.

If an exemption does apply, sometimes you will be obliged to rely on it (for instance, if complying with the GDPR would break another law), but sometimes you can choose whether or not to rely on it.

In line with the accountability principle, you should justify and document your reasons for relying on an exemption so you can demonstrate your compliance.

If you cannot identify an exemption that covers what you are doing with personal data, you must comply with the GDPR as normal.

For more information, click here to take a look at the ICO's list of exemptions or call us on 01772 217800 anytime to discuss.

Many thanks