One of the main aims of the General Data Protection Regulation (GDPR) is to give individuals back control over their data. This is achieved by imposing rigorous obligations on data controllers when it comes to protecting personal data and fulfilling data subject rights.
Most data controllers are aware of the obligations set out in Article 13, to provide information where personal data are collected from the data subject, and in Article 14, where personal data are not obtained from the data subject.
However, the GDPR also allows the Member States to create their own exemptions in certain situations.
These GDPR exemptions are not an opportunity to avoid or bypass GDPR requirements. Rather, they are a way to keep the requirements practical and flexible where they would be impossible to execute or would represent a disproportionate effort.
So, when are you, as a data controller, exempt from the obligation to provide information to the data subjects about processing their data?
GDPR Exemption from the obligation to provide information to the data subject
Exemption from transparent processing is clarified in Article 14(5) in two cases:
1. Information to be provided where personal data are collected from the data subject
If personal data are collected directly from an individual, you are not obliged to provide additional processing information if the data subject already has that information, or if it is obvious that the data subject has it.
However, you must still provide the data subject with any information the data subject does not already have. If you are unsure, the best practice is to provide all relevant information.
2. Information to be provided where personal data have not been obtained from the data subject
1. The data subject already possesses the information. If you have obtained personal data from a source other than the data subject, you must be able to demonstrate that the individual already possesses that information. The ICO advises checking the source of the data to verify what information the individual has already been provided with.
2. Where the obtaining or disclosure of the personal data is expressly laid down by EU or Member State law to which the data controller is subject, and which provides appropriate measures to protect the data subject's legitimate interests.
3. Where the personal data must remain confidential subject to an obligation of professional secrecy regulated by the European Union or Member State law, including a statutory obligation of secrecy.
4. Where the provision of information to the data subject proves to be impossible or would represent a disproportionate effort. In particular, where processing is carried out for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.
The GDPR does not clearly define the term "disproportionate effort", leaving it open to differing interpretations by the supervisory authorities.
However, when conducting research or archiving, take into account the number of data subjects involved, the age of the data, and any appropriate safeguards when determining whether the effort would be disproportionate.
To rely on this GDPR exemption, you should assess and document whether there is a proportionate balance between your effort to provide data subjects with privacy information and the effect that your use of their personal data will have on them.
As we mentioned before, these exemptions are not an opportunity to bend the rules and avoid your GDPR obligations, so be confident that you can document and justify your reason for using this GDPR exemption.
If you conclude that providing the information would be a disproportionate effort, you will have to publish the privacy information and carry out a data protection impact assessment (DPIA).
Example of interpretation of disproportionate effort by a supervisory authority
The Polish Data Protection Authority (UODO) issued a fine to a private company working with data from publicly available sources, for the failure to fulfill the information obligation in relation to over 6 million people.
The controller fulfilled the information obligation by providing the information required under Article 14(1)-(3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal.
In the case of the remaining persons, the controller did not comply, citing high operational costs, and instead published the information on its website.
However, in the opinion of the President of the DPA, such action was insufficient. The controller should have informed those persons that it was processing their data, of the source of the data, the purpose and the period of the planned processing, and of the data subjects' rights under the GDPR.
The point is: be very careful when relying on exemptions; the high operational cost of providing the information to the data subjects may not be a justifiable reason.
What if it is not possible to provide information?
The exemption for impossibility of providing information is not one to invoke lightly. The truth is, there are very few situations in which this exemption is appropriate.
Impossibility most often arises when there are no contact details for the data subjects and no reasonable way to obtain them. The ICO provides the following guidance:
"If you determine that providing privacy information to individuals is impossible, you must publish the privacy information (eg on your website), and you should carry out a DPIA"
Remember, to rely on this exemption it must be truly impossible to provide the information, not merely inconvenient for you.
Appropriate safeguards should always be put in place to protect the legitimate interests and rights of data subjects, including making the information publicly available, when processing data for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes (Article 89 of the GDPR).
Those safeguards should ensure that technical and organizational measures are in place, in particular, implementation of data minimization or pseudonymization provided that those purposes can be fulfilled in that manner.
Examples of the GDPR exemptions
Exemptions are a way to keep data protection law practical and flexible rather than oppressive, striking a balance between the GDPR obligations and the cost of compliance for the controller.
Example 1: the data subject is a public figure, so a great deal of information about this person is expected to be available. It seems nonsensical to inform that person that the organization is processing widely known information about them. However, the controller should always ensure that the data subject's privacy is not violated.
Example 2: a data controller is obliged by law to process personal data. The controller collects personal data from third parties and is not obliged to notify the data subject in question, as long as it is mindful of the data subject's privacy and provides sufficient safeguards to protect the data subject's legitimate interests.
Restriction of the GDPR requirements by the Member State law
The Regulation's requirements to process personal data in a fair and transparent way and to provide the data subject with the necessary information, as described in Article 13 and Article 14, can be restricted by Member State law, but only under certain circumstances.
Article 23 of the GDPR states that Union or Member State law may restrict the scope of these obligations and rights, with respect for fundamental rights and freedoms, where the restriction is a necessary and proportionate measure.
The Articles that may be restricted cover transparent communication for the exercise of the rights of the data subject, the right of access by the data subject, the information to be provided where personal data are collected from the data subject or from other sources, the right to rectification, the right to erasure, and others.
Reasons for restriction
- National security
- Public security
- The prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security
- Other important objectives of the general public interest of the Union or of a Member State. In particular, an important economic or financial interest of the Union or of a Member State, including monetary, budgetary, and taxation matters, public health, and social security
- The protection of judicial independence and judicial proceedings
- The prevention, investigation, detection, and prosecution of breaches of ethics for regulated professions
- Monitoring, inspection, or regulatory function connected to the exercise of official authority in the case of national security, other important objectives of general public interest, and prosecution of breaches of ethics for regulated professions
- The protection of the data subject or the rights and freedoms of others
- The enforcement of civil law claims
Freedom of expression and information
The GDPR also provides for exemptions for journalistic purposes and for academic, artistic, or literary expression, under Article 85 of the GDPR (Processing and freedom of expression and information):
“The Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.”
Before relying on any of the GDPR exemptions from the obligation to provide information to data subjects, you have to take into account the principles of lawfulness, fairness, and transparency.
You will also have to consider implementing additional safeguards. Remember, GDPR exemptions apply only in a limited number of situations, assessed case by case.
If you are relying on disproportionate effort or impossibility, you will have to publish your privacy information and conduct a DPIA, in order to demonstrate and document that the exemption relied upon was appropriate and justified.