GDPR Exemption from the obligation to provide information to the data subject

One of the main focuses of the General Data Protection Regulation (GDPR) is to give individuals back control over their data; this is achieved by placing rigorous obligations on data controllers regarding the protection and fulfillment of data subjects’ rights.

Most data controllers are aware of the obligations set out in Article 13 to provide information where personal data are collected from the data subject, and in Article 14, where personal data are not obtained from the data subject.

However, the GDPR allows exemptions from these requirements and enables the Member States to create their own exemptions in certain situations.

These GDPR exemptions are in no way an opportunity to avoid or bypass GDPR requirements; rather, they are a way to keep the requirements practical and flexible where they would be impossible to execute or would represent a disproportionate effort.

So, when are you, as a data controller, exempt from the obligation to provide information to the data subjects about processing their data?


The exemption from transparent processing is clarified in Article 14(5) and covers two cases: where personal data are collected from the data subject (Article 13), and where personal data are obtained from a source other than the data subject (Article 14).

1. Information to be provided where personal data are collected from the data subject

If personal data are collected directly from an individual, you are not obliged to provide additional processing information if the data subject already has that information, or if it is obvious that the data subject already has it.

However, you must still provide the data subject with any information the data subject does not already have. If you are unsure, the best practice is to provide all relevant information.

If you opt to provide individuals with privacy information, you are obliged to do so within a reasonable period and no later than one month.

2. Information to be provided where personal data have not been obtained from the data subject

1. The data subject already possesses the information. If you have obtained personal data from a source other than the data subject, you have to be able to demonstrate that the individual already possesses that information. The ICO advises checking the source of the data to verify what information the individual has already been provided with.

2. Where the obtaining or disclosure of the personal data is expressly laid down by the EU or Member State law which the data controller is subject to, and which provides appropriate measures to protect the data subject’s legitimate interests.

3. Where the personal data must remain confidential subject to an obligation of professional secrecy regulated by the European Union or Member State law, including a statutory obligation of secrecy.

4. Where the provision of information to the data subject proves to be impossible or would represent a disproportionate effort, in particular where processing is carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.


Disproportionate effort

The GDPR does not clearly define the term disproportionate, leaving it open to different interpretations by the supervisory authorities.

However, when conducting research or archiving, take into account the number of data subjects involved, the age of the data and any appropriate safeguards when determining whether the effort would be disproportionate.


To rely on this GDPR exemption, you should assess and document whether there is a proportionate balance between your effort to provide data subjects with privacy information and the effect that your use of their personal data will have on them.

As mentioned before, these exemptions are not an opportunity to bend the rules and avoid your GDPR obligations, so be sure that you can document and justify your reason for relying on this GDPR exemption.

If you determine that providing the information would be a disproportionate effort, you still have to publish the privacy information and carry out a DPIA.


Example of interpretation of disproportionate effort by a supervisory authority

The Polish Data Protection Authority (UODO) issued a fine to a private company working with data from publicly available sources for failing to fulfill the information obligation in relation to over 6 million people.

The controller fulfilled the information obligation by providing the information required under Article 14(1) to (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In the case of the remaining persons, the controller did not comply, citing high operational costs, and instead presented the information on its website.

However, in the opinion of the President of the DPA, such action was insufficient. The controller should have informed these persons about the processing of their data, the source of the data, the purpose and the period of the planned processing, as well as the data subjects’ rights under the GDPR. The DPA did not take into account the fact that

The point is: be very careful when relying on exemptions; not even the high operational cost of providing the information to data subjects is a justifiable reason.


Impossibility to provide information

The exemption for impossibility of providing information is not one to take lightly. The truth is, there are very few situations where this exemption is appropriate.

Impossibility is most likely to arise when there are no contact details for the data subjects and there are no reasonable ways to obtain them. The ICO provides the following guidance:

“If you determine that providing privacy information to individuals is impossible, you must publish the privacy information (eg on your website), and you should carry out a DPIA.”


Remember, to rely on this exemption it is not enough that providing the information is inconvenient for you; it must be truly impossible.

Appropriate safeguards

When processing data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, appropriate safeguards should always be put in place to protect the data subjects’ rights and legitimate interests, including making the information publicly available (Article 89 of the GDPR).

Those safeguards should ensure that technical and organizational measures are in place, in particular data minimization or pseudonymization, provided that the purposes can still be fulfilled in that manner.

Examples of the GDPR exemptions

Exemptions are a way to keep data protection law practical and flexible rather than oppressive, striking a balance between the GDPR obligations and the cost of compliance for the controller.

For instance, if a data controller has obtained personal data from other sources, it can be quite difficult to provide information to the data subject.

Example 1: the data subject is a public figure, so it is expected that many organizations hold a lot of information about this person. It seems rather nonsensical to inform that person that the organization is processing widely known information about them. However, the controller should always make sure there is no violation of the data subject’s privacy.

Example 2: a data controller is obliged by law to process personal data. The controller collects personal data from third parties and is not obliged to notify the data subject in question, as long as it is mindful of the data subject’s privacy and provides sufficient safeguards for the protection of the data subject’s legitimate interests.

Restriction of the GDPR requirements by the Member State law

The Regulation’s requirements to process personal data in a fair and transparent way and to provide the data subject with the necessary information, as described in Article 13 and Article 14, can be overridden by Member State law, but only under certain circumstances.

Article 23 of the GDPR states that Union or Member State law may restrict the scope of these obligations and rights by way of legislative measures, provided that the restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society.

The rights referred to above are described in Articles 12 to 22 and Article 34 (as well as Article 5 if its provisions correspond to the rights and obligations provided for in Articles 12 to 22).

Those Articles cover transparent communication for the exercise of the data subject’s rights, the right of access by the data subject, the information to be provided where personal data are collected from the data subject or from other sources, the right to rectification, the right to erasure, and others.

Such a restriction may be a measure to safeguard:


1. National security

2. Defense

3. Public security

4. The prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security

5. Other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security

6. The protection of judicial independence and judicial proceedings

7. The prevention, investigation, detection, and prosecution of breaches of ethics for regulated professions

8. A monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases of national security, other important objectives of general public interest and the prosecution of breaches of ethics for regulated professions

9. The protection of the data subject or the rights and freedoms of others

10. The enforcement of civil law claims.

Freedom of expression and information

The GDPR also allows an exemption for the purposes of journalism and academic, artistic or literary expression. Article 85 of the GDPR (Processing and freedom of expression and information) states:

“The Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.”

Conclusion

Before relying on any of these GDPR exemptions from the obligation to provide information to data subjects, you have to take into account the lawfulness, fairness and transparency principles. You will also have to consider implementing additional safeguards. Remember, GDPR exemptions apply only in a few situations, assessed case by case.

If you are relying on disproportionate effort or impossibility, you have to publish your privacy information and conduct a DPIA (Data Protection Impact Assessment) in order to demonstrate and document that the exemption used was an appropriate one.
