- What does the GDPR say about exemptions?
- How do we apply the exemptions when processing children’s personal data?
Article 23 of the GDPR enables member States to introduce exemptions from the principles at Article 5, the transparency obligations and individual rights. But only where the restriction respects the essence of the individual’s fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society in certain circumstances. For further detail of these circumstances please see our Guide to the GDPR.
Chapter IX of the GDPR provides that Member States can provide exemptions, derogations, conditions or rules in relation to specific processing activities
The specific detail of the exemptions is provided in Schedule 2, 3 and 4 to the Data Protection Act 2018. For further information please see our Guide to the Data Protection Bill.
The exemptions may allow you to process children’s personal data in ways which the GDPR would not otherwise allow, if certain conditions are met.
Each of the exemptions applies in a very specific set of circumstances requiring you to work your way through a specific test in each case. This is no different with children’s personal data than with adult’s personal data. You need to consider the exact wording of the individual exemption in question and decide if it applies to your processing.
So if you think you should be able to process children’s personal data in a way that doesn’t appear to be allowed by the GDPR, you should check the exemptions that are available in Article 23 and Chapter IX of the GDPR and at Schedules 2, 3 and 4 of the Data Protection Act 2018.
Further guidance on the exemptions will be added to the Guide to the GDPR once in due course.