What derogations does the GDPR permit?

Article 23 enables Member States to introduce derogations to the GDPR in certain situations.

Member States can introduce exemptions from the GDPR’s transparency obligations and individual rights, but only where the restriction respects the essence of the individual’s fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

  • national security;
  • defence;
  • public security;
  • the prevention, investigation, detection or prosecution of criminal offences;
  • other important public interests, in particular economic or financial interests, including budgetary and taxation matters, public health and security;
  • the protection of judicial independence and proceedings;
  • breaches of ethics in regulated professions;
  • monitoring, inspection or regulatory functions connected to the exercise of official authority regarding security, defence, other important public interests or crime/ethics prevention;
  • the protection of the individual, or the rights and freedoms of others; or
  • the enforcement of civil law matters.

What about other Member State derogations or exemptions?

Chapter IX provides that Member States can provide exemptions, derogations, conditions or rules in relation to specific processing activities. These include processing that relates to:

  • freedom of expression and freedom of information;
  • public access to official documents;
  • national identification numbers;
  • processing of employee data;
  • processing for archiving purposes and for scientific or historical research and statistical purposes;
  • secrecy obligations; and
  • churches and religious associations.