The General Data Protection Regulation (GDPR) was implemented with a number of aims. These include harmonising data protection law across the 28 member states of the EU and to take account of the changes in technology and data processing activities since the 1995 Data Protection Directive. To many, the GDPR resulted in big changes – but it was more evolutionary than revolutionary. It is also not always all encompassing either. There are restrictions in scope and exemptions which apply in certain circumstances. The GDPR exemptions can be complex and require an understanding of the local laws, such as the Data Protection Act 2018 here in the UK, so if you’ve been struggling to get to grips with them, you can be forgiven for wanting to join Kermit here!
We’ll look at some of these, such as the ‘prevention and detection of crime’ exemption in a future blog. In this blog, we’ll cover situations where the GDPR simply doesn’t apply because the personal data processing activity is out of the scope of the regulation.
GDPR Exemption or Out of Scope?
The topics covered in this blog are activities that are out of scope of GDPR. These aren’t strictly GDPR exemptions – they are situations in which the GDPR doesn’t apply.
Although the difference might not be obvious, the key thing to understand is that GDPR will not apply at all where the data processing activity is out of scope of the regulation.
In the case of actual GDPR exemptions, the GDPR will apply but certain provisions (e.g. the obligation to prove information about processing) may not apply in certain situations (e.g. for the prevention or detection of crime).
The ICO website provides a comprehensive list of the actual GDPR exemptions. Crime and taxation exemptions are the most commonly applied. These are not absolute, though, and require a judgement to be made by the controller and still only apply to specific Articles and clauses of the GDPR and not the whole thing (a common mistake).
Processing for domestic purposes is outside the scope of the GDPR. This is processing that is carried out in the course of a purely personal or household activity. This might be sharing personal photos, blogging, writing letters, posting on social media and keeping an address book.
Law Enforcement Processing
Processing of personal data for law enforcement purposes falls outside the scope of GDPR but is covered by the Data Protection Act 2018 which incorporates the EU Law Enforcement Directive.
Processing for National Security Reasons
Personal data processed for the purposes of safeguarding national security or defence is outside the scope of the GDPR but is within the scope of the Data Protection Act 2018, which adds to the GDPR through a concept referred to as the ‘applied GDPR’. These provisions include an exemption for national security and defence.
Not Part of a Filing System
GDPR applies to personal data which is or is intended to be part of a ‘filing system’. Article 4 defines a filing system as “any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis”.
Based on this definition, unstructured manual information which is not intended to go into a filing system is outside the scope of GDPR. As such, personal data in written notes or loose sheets of printed documents which are not to be filed are likely to be outside the scope of the regulation.
Not Natural Persons
GDPR applies to personal data of natural persons. These are living human beings, not bodies corporate (e.g. companies) or animals and not deceased persons. If you’re one of these, you’re out of scope!
Anonymised Personal Data
Anonymised personal data is not within the definition of ‘personal data’ because it should not allow for the direct or indirect identification of a natural person. All identifiers should have been removed. This means that processing anonymous personal information is outside the scope of GDPR.
Be careful, however, not to confuse anonymised personal data with pseudonymised data. Anonymised personal data removes all personal identifiers in such as way that they cannot be restored. Pseudonymised personal data has the identity of the data subject hidden. This helps protect the data (and is a method of reducing risks to data subjects), but it is still personal data and is in the scope of GDPR.
The topic of GDPR exemptions can be complex and we’ve only really touched on the scope of the GDPR in this blog (we’ll address example GDPR exemptions in a future blog). Whether you’re in scope or can rely on a GDPR exemption really does depend on the nature of your processing and the context of your activities.
If you need assistance demystifying this topic, we can help. Please contact us; and just to clarify, we provide data protection consultancy, not therapy (not presently, anyway…).