Derogations in the GDPR

The GDPR aims to harmonise and streamline the privacy law in the entire EU. However, just like its predecessor, the Data Protection Directive, the GDPR still does allow for individual member states to intervene and introduce certain changes. Let’s find out what these changes are.

Few Options

There are few situations in which the Member States are allowed to make their choices. Most are regulated in Article 23. The states are permitted to make exceptions for certain GDPR stipulations, but never in a way that would go against the human freedoms and personal rights.

The exemptions from the GDPR all allowed when national security and public safety are at stake. It is also used in criminal investigations, regulatory investigations, judicial cases and in public interest.

Additionally, the member states are allowed to set tighter limits on data processing than those set out in the GDPR, except when it comes to children’s rights: the default threshold is 16 and can be reduced to 13. In all other cases, the states may only tighten the rules, such as provisions on data safeguards, purposes for processing, storage period, notification rights etc.

Specific Situations

Specific processing situations are also covered in Chapter IX of the GDPR.

Thus, Article 85 considers the freedom of information and the GDPR. Member states are given a bit of leeway to balance the rights of individuals with the right to freedom of the press. This rule is expected to be invoked only occasionally, since the European Commission must be informed if such derogations do occur.

Subsequent two articles, 86 and 87, give the rights to the public authorities to give out personal information if it is in public interest. Member states are also allowed to restrict processing of personal data like ID card numbers.

Article 88 deals with processing with regards to employment. Employees are a particularly vulnerable group of individuals since (potential) employers have so much power over them. Taking this into account, it is important to ensure the processing requirements for data on employees remain strong.

Other articles deal with the use of data for scientific purposes. Most often, scientists can use personal data in their research if they take reasonable measures to ensure the data is safe. Countries are allowed to make such processing legal if they fear scientific progress is in jeopardy.

Particular derogations can be made for secret data. The rationale is to balance out the right to secrecy and protection of personal data. Special conditions for churches and other religious organisations are also outlined.


These processing situations and derogations by far and large take away from the original goal of the GDPR to ensure the privacy laws remain equal in the entire EU. However, matters are not as bleak since there aren’t many of these derogations. It also isn’t hard to document the potential differences between the member states, so that companies do not have to sift through various laws and legal documents. We hope supervisory authorities will step up and help solve these issues.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s