GDPR Derogations and How to Prepare for Member State Variation

One of the primary goals of the General Data Protection Regulation (GDPR) is to harmonize data protection laws across the European Union (EU). However, under the GDPR, EU Member States are allowed some flexibility to add or modify certain provisions of the GDPR to fit their local needs and laws. In total, there are over 50 provisions, which allow GDPR derogations by Member States.

Locating the GDPR Derogations

These GDPR derogations and exemptions exist primarily in two main areas — Article 23 and Articles 85-91.

Article 23 – Restrictions

Article 23 allows for Member States to introduce measures in specific situations. For instance, from transparency obligations and data subject rights, including in the interest of national security, prevention and detection of crime, freedom of expression, professional secrecy, the processing of employee data and other situations. But this GDPR derogation is permitted only where it “respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard” these interests.

Articles 85-91 – Provisions relating to specific processing situations

Articles 85-91 include a variety of GDPR derogations, exemptions and powers for Member States to impose additional requirements on various specific types of processing activities, such as:

  • Processing for journalistic, academic, artistic or literary purposes, processing of personal data in official documents held by public bodies (Article 85);
  • Processing of national identification numbers (Article 87);
  • Processing in the employment context (Article 88);
  • Processing for archiving, scientific, historical research or statistical purposes (Article 89); and
  • Processing in the context of churches and religious associations (Article 91).
Before you continue reading, how about a follow on LinkedIn?

Other GDPR Derogations

Other areas where Member States have the option to deviate from, or supplement, the default rules set out in the GDPR include:

  • Adding rules regarding processing based on the legal bases of “necessary for compliance with a legal obligation” and “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” (Article 6(2));
  • Lowering the age of consent in relation to the provision of information society services from 16 years to as low as 13 years (Article 8(1));
  • Prohibiting the use of explicit consent of data subjects as a legal basis for processing special categories of personal data (Article (9)(2));
  • Adding further conditions or limitations on the processing of genetic, biometric or health-related data (Article 9(4));
  • Requiring controllers to consult with and obtain prior authorization from supervisory authorities when processing is for the performance of a task carried out by the controller in the public interest (including processing in relation to social protection and public health) (Article 36(5));
  • Requiring controllers and/or processors to designate a data protection officer (DPO) in specific additional circumstances (Article 37(4));
  • Setting limits on international data transfers, in the absence of an adequacy decision, and where important for reasons of public interest (Article 49(5));
  • Granting additional powers to supervisory authorities (Article 58(6)); and
  • Making rules on whether and to what extent administrative fines may be imposed on public authorities and bodies (Article 83(7)).

In addition to these optional GDPR derogations, there are also specific provisions which require Member States to take action to supplement the GDPR, such as:

  • Providing by law for the establishment, structure and organization of supervisory authorities Article (54);
  • Making rules on other penalties for infringements, in particular for those not already subject to administrative fines (Article 84(1));
  • Reconciling data protection rights under the GDPR with the right to freedom of expression and information, including processing for journalistic, academic, artistic and literary purposes (Article 85); and
  • Providing for exemptions or derogations from Chapters II-VII and IX, with respect to processing carried out for journalistic, academic, artistic or literary purposes, if they are necessary to reconcile data protection rights with freedom of expression and information (Article 85(2).

To better understand these GDPR derogations, let’s examine the new laws enacted in Germany and Austria.

GDPR Derogations in Member State Legislation


Germany was the first EU Member State to enact a law designed to supplement the GDPR. The law itself will repeal the current Federal Data Protection Law in Germany, and includes an Amendment Act designed to supplement the GDPR.

The new law contains comprehensive rules on the processing of employee data and further specifies the GDPR’s requirement that consent be voluntary. It also allows for the processing of special categories of personal data in the employment context where such processing is required to exercise rights or comply with obligations under employment law, social law or social protection law, so long as there is no overriding interest of data subjects.

Further, under Article 4(11) of the GDPR, one of the requirements for consent to be valid is that it be freely given, and due to the unbalanced nature of the employment relationship, it is unclear whether consent can be freely given in this context. Under the new German law, however, consent may be considered freely given in the employment context in certain circumstances. For example, when the employee achieves some legal or economic advantage, or if the employer and the employee have the same interests.

Leave a Reply

Please Login to comment
Notify of

Follow CPO Magazine