One of the primary goals of the General Data Protection Regulation (GDPR) is to harmonize data protection laws across the European Union (EU). However, under the GDPR, EU Member States are allowed some flexibility to add or modify certain provisions of the GDPR to fit their local needs and laws. In total, there are over 50 provisions, which allow GDPR derogations by Member States.
Locating the GDPR Derogations
These GDPR derogations and exemptions exist primarily in two main areas — Article 23 and Articles 85-91.
Article 23 – Restrictions
Article 23 allows for Member States to introduce measures in specific situations. For instance, from transparency obligations and data subject rights, including in the interest of national security, prevention and detection of crime, freedom of expression, professional secrecy, the processing of employee data and other situations. But this GDPR derogation is permitted only where it “respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard” these interests.
Articles 85-91 – Provisions relating to specific processing situations
Articles 85-91 include a variety of GDPR derogations, exemptions and powers for Member States to impose additional requirements on various specific types of processing activities, such as:
Processing for journalistic, academic, artistic or literary purposes, processing of personal data in official documents held by public bodies (Article 85);
Processing of national identification numbers (Article 87);
Processing in the employment context (Article 88);
Processing for archiving, scientific, historical research or statistical purposes (Article 89); and
Processing in the context of churches and religious associations (Article 91).
Other GDPR Derogations
Other areas where Member States have the option to deviate from, or supplement, the default rules set out in the GDPR include:
Adding rules regarding processing based on the legal bases of “necessary for compliance with a legal obligation” and “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” (Article 6(2));
Lowering the age of consent in relation to the provision of information society services from 16 years to as low as 13 years (Article 8(1));
Prohibiting the use of explicit consent of data subjects as a legal basis for processing special categories of personal data (Article (9)(2));
Adding further conditions or limitations on the processing of genetic, biometric or health-related data (Article 9(4));
Requiring controllers to consult with and obtain prior authorization from supervisory authorities when processing is for the performance of a task carried out by the controller in the public interest (including processing in relation to social protection and public health) (Article 36(5));
Requiring controllers and/or processors to designate a data protection officer (DPO) in specific additional circumstances (Article 37(4));
Setting limits on international data transfers, in the absence of an adequacy decision, and where important for reasons of public interest (Article 49(5));
Granting additional powers to supervisory authorities (Article 58(6)); and
Making rules on whether and to what extent administrative fines may be imposed on public authorities and bodies (Article 83(7)).
In addition to these optional GDPR derogations, there are also specific provisions which require Member States to take action to supplement the GDPR, such as:
Providing by law for the establishment, structure and organization of supervisory authorities Article (54);
Making rules on other penalties for infringements, in particular for those not already subject to administrative fines (Article 84(1));
Reconciling data protection rights under the GDPR with the right to freedom of expression and information, including processing for journalistic, academic, artistic and literary purposes (Article 85); and
Providing for exemptions or derogations from Chapters II-VII and IX, with respect to processing carried out for journalistic, academic, artistic or literary purposes, if they are necessary to reconcile data protection rights with freedom of expression and information (Article 85(2).
To better understand these GDPR derogations, let’s examine the new laws enacted in Germany and Austria.
GDPR Derogations in Member State Legislation
Germany was the first EU Member State to enact a law designed to supplement the GDPR. The law itself will repeal the current Federal Data Protection Law in Germany, and includes an Amendment Act designed to supplement the GDPR.
The new law contains comprehensive rules on the processing of employee data and further specifies the GDPR’s requirement that consent be voluntary. It also allows for the processing of special categories of personal data in the employment context where such processing is required to exercise rights or comply with obligations under employment law, social law or social protection law, so long as there is no overriding interest of data subjects.
Further, under Article 4(11) of the GDPR, one of the requirements for consent to be valid is that it be freely given, and due to the unbalanced nature of the employment relationship, it is unclear whether consent can be freely given in this context. Under the new German law, however, consent may be considered freely given in the employment context in certain circumstances. For example, when the employee achieves some legal or economic advantage, or if the employer and the employee have the same interests.
The law also expands upon Article 6 of the GDPR by allowing for personal data to be processed for additional purposes that are incompatible with the original purpose, if it “is necessary to assert, pursue, or defend civil law claims” of the controller, so long as it is not overridden by the interests of data subjects. The law goes further in restricting data subject rights as well. For example, data controllers will not be required to fulfill a right of access request if the personal data is stored only for compliance with statutory or contractual retention obligations, or solely for the purpose of data security and data protection control. The right of erasure (“right to be forgotten”) is also restricted if erasure of the personal data would require an unreasonably high effort due to the specific type of storage.
The law also takes advantage of the flexibility found in Article 37(4) of the GDPR given to Member States to specify instances in which controllers and/or processors must designate a data protection officer (DPO). Specifically, the GDPR derogations require controllers to designate a DPO in the following circumstances:
When at least ten employees of a controller or processor regularly conduct automated processing of personal data;
When engaged in high-risk activities mandating a data protection impact assessment (DPIA) under Article 35 of the GDPR; or
When engaged in the processing of personal data on a commercial basis for the purposes of market or opinion research.
The law also includes criminal sanctions and increased prison sentences (up to three years) for violations of certain provisions. For example, for intentionally transferring or making available a large number of personal data, without authorization, to third parties with intent to make a profit.
Austria is the second country to enact a national law to supplement the GDPR. However, unlike Germany, Austria’s law takes a more limited approach to GDPR derogations.
The new law lowers the age at which a minor can consent to the processing of their personal data in relation to information society services without parental consent to 14 years old. The default set by the GDPR is age 16, but leeway is given to Member States to lower this to as low as 13.
It is yet to be seen how this will affect data controllers, but it is likely to present a challenge for the providers of these information society services in multiple Member States if they have different age limits to comply with. For instance, Germany opted not to change the age of consent; therefore, the default age of 16 set by the GDPR will apply. However, many other countries have proposed GDPR derogations to lower the age, including Finland, who proposed lowering the age to either 13 or 15; Ireland, to 13; and the UK to 13.
Another interesting area to note about the Austrian law is that it applies not only to natural persons (like the GDPR and other privacy laws), but to legal persons as well — a wording found in Austria’s constitutional right to data protection. This provision of the law is in direct contradiction with the GDPR, which applies only to the processing of personal data of natural persons. Therefore, this could potentially make for an interesting conflict of laws.
The law also provides that personal data relating to criminal convictions and offences may be processed on the legal basis of legitimate interests of the controller. This is significant given that Article 10 of the GDPR limits the processing of this category of data to instances where “under the control of official authority,” unless authorized by Member State law such as this. Controllers who use CCTV systems to monitor their facilities or who operate whistleblowing hotlines will thus be able to process this data in the legitimate interests of security. It will be interesting to see whether other Member States follow suit in exercising this GDPR derogation, as lobbying efforts to fill gaps like this are expected.
How to prepare for GDPR derogations
Organizations should take the following steps to prepare for applicable GDPR derogations implemented by Member States:
1. Identify Requirements
The first step is to determine which EU Member State jurisdictions are applicable to your organization’s processing activities. Therefore, it will be critical to have a solid understanding of your data — what types of personal data is collected (e.g., special categories), where the data is located, and where data subjects reside. Work already done on Article 30 data mapping initiatives will be incredibly useful here, as the information detailed in those records can be leveraged for these purposes.
2. Fill Gaps
After identifying what EU Member State laws apply, you can then begin a gap analysis to understand what work you need to do to update your various policies, procedures and business processes to ensure compliance with those applicable laws. In some areas, such as age of consent for processing related to information society services, standardization will not be possible due to the GDPR derogations, and thus flexibility in how personal data is processed will be needed, i.e., how you process a German data subject’s personal data may need to be different from how you process the personal data of an Austrian data subject.
3. Keep Things Current
So far, only two Member States have enacted laws to supplement the GDPR, but the others are close behind with their own GDPR derogations. It is also inevitable that amendments to these laws will take place. Therefore, it will be imperative to keep track of these changes, and ensure that your policies, procedures and business processes are flexible to change.