Close this search box.
AI-based solution designed to automate personal data discovery and classification
Discover personal data across multiple systems in the cloud or on-premise
Harbor cooperation between DPO, Legal Services, IT and Marketing
Turn data subject request into an automated workflow with a clear insight into data every step of the way
Collaborate with stakeholders and manage DPIA and LIA in real-time with Assessment Automation
Guide your partners trough vendor management process workflow
Identifying the risk from the point of view of Data Subject
Quickly respond, mitigate damage and maintain compliance
Consolidate your data and prioritize your relationship with customers
Privacy portal allows customers to communicate their requests and preferences at any time
Introducing end-to end automation of personal data removal

Latest Blog posts

Learn the terms

General Data Protection Regulation

Here you can find the official content of the Regulation (EU) 2016/679 (General Data Protection Regulation) in the current version. All Articles of the GDPR are linked with suitable recitals.

Latest papers

GDPR exemptions from the obligation to provide information

GDPR Exemption from the obligation to provide information to the data subject

One of the main focuses of the General Data Protection Regulation (GDPR) is to give individuals back control over their data. This was instigated by giving data controllers rigorous obligations when it comes to protection and fulfillment of data subject rights.

[RELATED TOPIC: What are 8 Data Subject rights according to the GDPR]

Most data controllers are aware of obligations set in Article 13 to provide information where personal data are collected from the data subjects, and Article 14, where personal data are not obtained from the data subject.

However, the GDPR also allows the Member States to create their own exemption in certain situations.

These GDPR exemptions in no way represent the opportunity to misuse them in order to avoid or bypass GDPR requirements, rather a way to make requirements practical and flexible, when GDPR requirements would be impossible to execute or would represent a disproportionate effort.

So, when are you, as a data controller, exempt from the obligation to provide information to the data subjects about processing their data?

GDPR Exemption from the obligation to provide information to the data subject

Exemption from transparent processing is clarified in Article 14(5) in two cases:

1. Information to be provided where personal data are collected from the data subject

If personal data is collected directly from an individual, you are not obligated to provide additional processing information if the data subject already has that information or it is obvious that the data subject has the information.

However, you must still provide the data subject with any information the data subject does not already have. If you are unsure, the best practice is to provide all relevant information.

2. Information to be provided where personal data have not been obtained from the data subject

1. The data subject already possesses the information. If you have obtained information from a source other than the data subject, you will have to be able to demonstrate that the individual already possesses that information. The ICO advised checking the source of information to verify what information the individual has been provided with.

2. Where the obtaining or disclosure of the personal data is laid down by the EU or Member State law which the data controller is subject to, and which provides appropriate measures to protect the data subject’s legitimate interests.

3. Where the personal data must remain confidential subject to an obligation of professional secrecy regulated by the European Union or Member State law, including a statutory obligation of secrecy.

4. Where the provision of information to the data subject proves to be impossible or would represent a disproportionate effort. In particular, where processing is carried out for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.

Request Data Privacy Manager demo

Disproportionate effort

There is a lack of a clear definition of the term disproportionate effort in the GDPR, leaving the term open to different interpretations by the supervisory authority.

However, when conducting research or archiving take into account the number of data subjects who are involved, the age of the data, and any appropriate safeguards when determining whether the effort would be disproportionate.

disproportionate effort in the GDPR exemption

To rely on this GDPR exemption, you should assess and document whether there is a proportionate balance between your effort to provide data subjects with privacy information and the effect that your use of their personal data will have on them.

As we mentioned before, these exemptions are not an opportunity to bend the rules and avoid your GDPR obligations, so be confident that you can document and justify your reason for using this GDPR exemption.

If you determine a disproportionate effort, you will have to publish the privacy information and carry out a data protection impact assessment –DPIA.

gdpr exemptions

Example of interpretation of disproportionate effort by a supervisory authority

The Polish Data Protection Authority (UODO) issued a fine to a private company working with data from publicly available sources, for the failure to fulfill the information obligation in relation to over 6 million people.

The controller fulfilled the information obligation by providing the information required under Article 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal.

In the case of the remaining persons, the controller failed to comply due to high operational costs and instead presented the information on its website.

However, in the opinion of the President of the DPA such action was insufficient. The controller should have informed them of their data, the source of their data, the purpose and the period of the planned data processing, as well as the data subjects’ rights under the GDPR.

The point is, be very careful when relying on exemptions, the high operational cost of providing the information to the data subjects may not be a justifiable reason.

gdpr exemptions

What if it is not possible to provide information?

Using the exemption of the impossibility to provide information is not one to take lightly. The truth is, there are a very limited number of situations where this exemption is appropriate.

Impossibility is most likely to happen when there are no contact details about data subjects and there are no reasonable ways to obtain them. The ICO provides guidelines:

“If you determine that providing privacy information to individuals is impossible, you must publish the privacy information (eg on your website), and you should carry out a DPIA

What is a DPIA and how to conduct it? [Video & Infographics]

Remember, when using this exemption it should not be just inconvenient for you to provide information, but truly impossible.

Appropriate safeguards

Appropriate safeguards should always be put in place to protect legitimate interests and data subjects’ rights, including making the information publicly available, when processing data for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes. (Article 89 of the GDPR).

Those safeguards should ensure that technical and organizational measures are in place, in particular, implementation of data minimization or pseudonymization provided that those purposes can be fulfilled in that manner.

Example of the GDPR exemptions

Exemptions are a way to keep data protection laws practical and flexible, not oppressive, trying to strike a balance between the GDPR obligation and the cost of compliance for the controller.

Example 1: the data subject is a public persona, it is expected that there is a lot of information about this person. It seems quite non-sensical to inform that person that the organization is processing widely-known information about that person. However, the controller should always pay attention that there is no violation of data subjects’ privacy.

Example 2: a data controller is obligated to process personal information under the law. The controller collects personal data from third parties and is not obligated to notify the data subject in question, as long as he is mindful of the data subject’s privacy and provides sufficient safeguards for the protection of the data subject’s legitimate interest.

Restriction of the GDPR requirements by the Member State law

Regulations’ requirements of processing personal data in a fair and transparent way and providing the data subject with the necessary information, as described in Article 13 and Article 14, can be overridden by the Member States law. However, only under certain circumstances.

Article 23 of the GDPR states that the Union or Member State law may restrict the scope of the obligations and rights with respect of the fundamental rights and freedoms, if it is necessary, and proportionate measures are put in place.

The rights referred to above are described in Articles 12 to 22 and Article 34 (as well as Article 5 if its provisions correspond to the rights and obligations provided for in Articles 12 to 22).

Those Articles are related to transparent communication for the exercise of the rights of the data subject, right of access by the data subject, information to be provided where personal data are collected from the data subject or other sources, right to rectification, right to erasure, and other.

Reasons for restriction 


Restriction of the GDPR requirements by the Member State law

  1. For the protection of national security
  2. Defense
  3. Public security
  4. The prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security
  5. Other important objectives of the general public interest of the Union or of a Member State. In particular, an important economic or financial interest of the Union or of a Member State, including monetary, budgetary, and taxation matters, public health, and social security
  6. The protection of judicial independence and judicial proceedings
  7. The prevention, investigation, detection, and prosecution of breaches of ethics for regulated professions
  8. Monitoring, inspection, or regulatory function connected to the exercise of official authority in the case of national security, other important objectives of general public interest, and prosecution of breaches of ethics for regulated professions
  9. The protection of the data subject or the rights and freedoms of others
  10. The enforcement of civil law claims.

Freedom of expression and information

The GDPR also allows an exemption for the purpose of journalism, academic, artistic, or literary expressions. Article 85 of the GDPRProcessing and freedom of expression and information.

“The Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.”


Before relying on any of the GDPR exemptions from the obligation to provide information to the data subjects, you have to take into account the lawfulness, fairness, and transparency principles.

You will also have to think about implementing additional safeguards. Remember, GDPR exemptions only apply on a very few case-by-case bases.

If you are relying on disproportionate effort or impossibility, you will have to publish your privacy information and conduct a DPIA, in order to prove and document that the exemption used was appropriate and justified.

Request a Data Privacy Manager demo

Let us navigate you through the Data Privacy Manager solution and showcase functionalities that will help you overcome your compliance challenges.

Scroll to Top