Article 23 of the General Data Protection Regulation deals with the issue of restrictions. Member states are thus permitted to introduce exceptions to certain provisions of the GDPR, mostly those regarding transparency requirements and personal rights. This must occur in a manner in which the fundamental rights and freedoms would be not be violated, as per the Court of Justice of the European Union.
There are a few situations in which the Member States are allowed such exemptions, and these include issues of national security, defence, public safety, criminal investigations, public interest (in public finance matters), regulatory inspections, enforcements of civil law claims, protection of judicial independence and the protection of personal freedoms. These exceptions are generally not meant to be used for the purpose of day-to-day data processing.
Article 6(2) of the GDPR also allows for the introduction of more specific provisions and rules in order to ensure lawful and fair processing of personal data.
Any such measures enacted by the Member States must include the specific provisions for the following, if applicable:
- The purposes of data processing
- Categories of personal data affected and the scope of the restrictions
- Any required safeguards that should be taken
- The specification of the controllers or categories of controllers
- Applicable storage periods
- Any risks to fundamental rights of the data subjects whose data is in question, and
- Their right to be notified of such restriction.
However, this is not all. The GDPR has more on special conditions of data processing, as found in the Chapter IX.
Chapter IX of the GDPR deals with the provisions relating to specific processing situations.
Article 85 concerns “processing and freedom of expression and information”. The GDPR states that the Member States must strike a balance between the right to freedom of expression and information (journalistic, academic, and artistic purposes) with personal rights to data protection and privacy.
Member States are allowed to provide derogations for Chapters II through VII and IX of the GDPR if required to “reconcile the right to the protection of personal data with the freedom of expression and information”. The European Commission must be notified of any such changes.
Article 86 applies to public bodies. They may disclose personal data in official documents in accordance with the applicable laws if it would be in public interest. Such disclosures are not trivial and the importance of public disclosure must be weighed against the interests of the individual.
Article 87 further allows the Member States to set their own provisions for the processing of national identifiers such as national identification numbers – usually more stringent, of course.
Article 88 applies to processing in context of employment, that is, concerns the employees’ private data. Member States are allowed to provide more specific rules concerning most categories of such data – from recruitment through organization of work to contract termination, among others.
This is very important since virtually all types of data and situations arising in the workplace may not necessarily be subject only to the provisions of the GDPR, but also to national laws that can differ significantly. Companies should exercise caution and ensure their knowledge of the applicable laws is up to date.
This is a more comprehensive article applying to “Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”. Provisions allowing disclosures and processing in aforementioned cases are common in the GDPR, and this article further expands upon them.
It mandates the use of appropriate data safeguards and minimal use of such data, with the requirement to employ pseudonymisation whenever possible.
Member States may provide derogations for the processing for scientific or historical purposes from the rights in Articles 15, 16, 18, and 21, as long as such rights would seriously impede the specific purposes and overall scientific progress. We presume that the definition of ‘scientific progress’ is very broad and would include most scientific work. For archiving purposes, derogations from Articles 19 and 20 in addition to those mentioned above also apply.
Member States can introduce specific provisions regarding the rights of supervisory authorities with regards to data controllers or processors that are subject to an obligation of professional secrecy. This encompasses doctors, priests, lawyers etc. The aim is to reconcile the rights of the protection of personal data with the right to secrecy if such data has been received under such an obligation.
The European Commission must be notified of any changes under this Article by the Member States.
The GDPR also contains specific conditions for churches and religious organizations. Already existing rules for such organizations will stay in place, unless they differ from the GDPR. However, it mandates an establishment of an independent and possibly specific regulatory authority.
Unfortunately, while the existence of these derogations and special conditions is mostly necessary, it will partly undermine the main goal of the GDPR – to streamline and unify the privacy regulations in the single European market.
The data controllers and processors will therefore still have to determine whether the Member State they want to do business in has enacted any laws that restrict processing and ensure they follow them. The legislators and jurists will also have plenty of work to do as they check and analyse to ensure that the laws enacted by the Member States comply with the existing regulations and case law.
These complications are an obvious sign that not everything in the GDPR is perfect; however, compared with the current legislation, it is a major step forward. Viewed in this light, these exemptions (that may not necessarily even occur) are not such a major hurdle for the companies.