
Understanding GDPR exemptions: Do they apply to your business?

Summary

The General Data Protection Regulation (GDPR) aims to strengthen data protection and safeguard the information of people located in the European Union (EU) and European Economic Area (EEA). To do this, the regulation sets strict rules for how businesses can collect, process, and store personal data.

While the GDPR applies broadly across industries and borders, the regulation does include a few narrowly defined exemptions where full compliance may not be necessary, practical, or in the public interest.

Knowing when and how these exceptions apply can help businesses avoid legal missteps and unnecessary financial loss. This guide will help you understand the key GDPR exemptions and determine whether your business qualifies for one.

Key takeaways

  • GDPR applies to any organization processing personal data of EU/EEA residents, regardless of company size or location.
  • Compliance is based on seven core GDPR principles.
  • GDPR exemptions are narrowly defined situations where specific parts of the regulation do not apply in full.
  • Exemptions exist to balance privacy rights with legitimate public or private interests.
  • Exemptions are applied on a case-by-case basis and are not blanket exceptions.
  • Key GDPR exemptions relate to: special purposes (archiving, research, statistics), household and personal use, law enforcement and crime prevention, and national and public security.
  • Even if an exemption applies, organizations must generally still uphold the core GDPR principles.
  • Organizations should assume GDPR applies unless a careful assessment clearly proves an exemption applies to a specific activity.
  • Usercentrics Consent Management Platform (CMP) supports businesses in achieving and maintaining GDPR compliance via obtaining, managing, and signaling users’ consent choices across the marketing ecosystem.

Who has to comply with the GDPR?

Under Art. 3 GDPR, any organization that engages in monitoring of activities or processing of personal data that belongs to natural persons in the EU/EEA must comply with the regulation.

The size of your company and where you’re headquartered don’t influence how the GDPR applies to your organization. Rather, the focus falls purely on where the subjects of the data you process and collect are located.

In other words, regardless of whether your business has a physical presence in the EU, you’ll likely need to follow the GDPR’s rules if you collect, store, analyze, or disclose personal data of individuals located in the EU/EEA. 

While there are certain exceptions that soften the requirements for some types of entities, most organizations must always adhere to the seven core GDPR principles:

  1. Lawfulness, fairness, and transparency: There must be a legal basis (from the six specified options) for collecting and processing personal data, communicated in plain language, of which data subjects are made aware.
  2. Purpose limitation: Data can only be collected for the specified, legitimate purposes shared with the data subject when consent was requested.
  3. Data minimization: Only data that is necessary and adequate to fulfill the purposes for which consent was given should be collected.
  4. Accuracy: Data must be kept accurate and up to date, including via data subject request, and reasonable steps must be taken to rectify or erase inaccurate data.
  5. Storage limitation: Personal data must be retained only for as long as it’s necessary to fulfill the purposes for which it was collected.
  6. Integrity and confidentiality: Personal data held by an entity must receive appropriate safeguards to protect it from loss, alteration, or unauthorized access.
  7. Accountability: Data handlers must be able to demonstrate compliance with these principles, in part by maintaining records of processing activities (RoPAs).

These broad, far-reaching principles have been put in place to regulate the conduct of businesses and mitigate safety risks arising from the vulnerable and valuable nature of personal data.

Data breaches come at a great cost to businesses. Data Protection Authorities (DPAs) have been stringent in enforcing compliance, handing down GDPR penalties totaling nearly EUR 5.65 billion since the regulation came into force in 2018. 

Are small businesses exempt from the GDPR?

Many small businesses assume that the GDPR only applies to large corporations, but that’s a misconception. Just because enforcement actions against smaller organizations don’t make headlines doesn’t mean they’re not happening.

All organizations that engage in personal data processing involving individuals located in the EU/EEA must abide by the regulation, regardless of their size, maturity, annual revenue, or structure. What might differ for smaller entities, however, is the scope of their legal obligation. 

For example, a small charity that collects volunteer details for events must still process that information lawfully and protect it appropriately. However, it may not be required to appoint a data protection officer (DPO) or maintain full documentation, as its processing activities are limited and low-risk.

What are GDPR exemptions?

Exemptions to the GDPR are narrowly defined situations where specific parts of the regulation don’t apply in full to certain businesses. 

They exist to balance individual privacy rights with legitimate public or private interests, like processing data for purely personal use, national security needs, crime prevention, journalistic or artistic purposes, or academic research.

Broadly speaking, an organization’s operations will only fall outside of the GDPR’s scope if it doesn’t process the data of any individuals located in GDPR countries.

So even if your company only processes the information of a few EU/EEA residents or citizens, you still need to adhere to all the principles of the regulation, from the transparency principle to the purpose limitation principle and everything in between. 

As a result, it’s usually best to err on the side of caution and put mechanisms in place to compliantly collect and effectively protect the data you process.

What to know about GDPR exemptions

Exemptions under the GDPR are applied on a case-by-case basis and must serve a clearly defined, lawful purpose. There are no blanket exceptions, and any departure from the GDPR must be necessary, proportionate, and transparently recorded. 

Exemptions are usually permitted where the purpose of the data collection or processing activity could be undermined if every GDPR rule were to be applied. But organizations that meet the requirements for an exemption, like those involved in crime prevention, academic research, or journalism, must still generally apply the core GDPR principles. 

For example, a news outlet publishing findings from a public interest investigation may be exempt from certain restrictions to protect its journalistic freedom, but it must still process data in a way that prevents unjustified adverse effects on the data subjects featured in the article. Additionally, the data shared must be accurate and up to date.

What exemptions does the GDPR offer?

Art. 23 GDPR sets out defined exemptions which recognize that, in limited circumstances, certain entities may require partial or conditional relief from specific provisions of the GDPR.

The exemptions are tightly framed and apply only where necessary to protect a legitimate private or public interest while upholding data subjects’ legal rights. This includes situations related to national security, criminal investigations, or freedom of expression.

Special purposes

Special categories of data collection practices are granted limited exemptions from specific GDPR obligations under Art. 89 GDPR and Rec. 153 GDPR. This includes activities like: 

  • Archiving in the public interest
  • Collecting data for scientific or historical research purposes
  • Conducting statistical analysis

For example, a university conducting a long-term medical study may be permitted to retain participants’ data beyond the usual limits set by the regulation, provided that it’s securely stored and used solely for the stated research purposes.

These carve-outs exist because applying every rule under the GDPR could make the specified work impractical or even impossible. They permit research and knowledge creation to continue responsibly, while keeping safeguards like pseudonymization and restricted access in place.

Household and personal use

Art. 2(2)(c) GDPR exempts data processing carried out purely for personal or household activities from the regulation’s scope.

This exemption recognizes that individuals acting in a private capacity are not expected to meet the same compliance standards as organizations. That’s because the GDPR is intended to regulate only professional or commercial data processing.

For example, storing the home addresses of family and friends on your mobile phone does not trigger GDPR compliance obligations. Nor does using them to send holiday cards. This distinction helps to ensure that the privacy law remains practical by targeting organizational and public uses of data rather than personal, day-to-day activities.

Law enforcement and crime prevention

Under Art. 2(2)(d) GDPR, data processing carried out by public authorities for law enforcement or crime prevention purposes is largely exempt from the regulation’s scope. 

These activities fall instead under the Law Enforcement Directive (EU 2016/680), which provides a separate framework for protecting personal data in the context of policing and criminal justice.

The rationale is that applying full GDPR rules could interfere with investigations, prosecutions, or the activities of judicial authorities. For example, authorities handling data on criminal convictions must be able to collect and share information efficiently without undermining security or obstructing justice.

Similarly, data processing by courts or bodies acting in a regulatory function, or in connection with legal services or legal proceedings, is treated differently to preserve judicial authority and independence.

A real-world example would be a national fraud agency processing personal data to investigate financial crimes. While exempt from standard GDPR obligations, these agencies must still put security measures in place to protect personal data wherever possible.

National and public security

National and public security are considered to be essential to a state’s sovereignty and are typically governed by national laws rather than the GDPR. As such, they’re excluded from some requirements of the regulation under Art. 2(2)(a) GDPR.

This exemption applies to intelligence and defence agencies, enabling them to collect and process personal data where necessary to protect citizens, prevent terrorism, and respond to major threats. For example, a national intelligence service monitoring cyberattacks that are targeting government infrastructure would operate under this exemption.

How to determine if your business qualifies for a GDPR exemption

As there are no blanket exemptions to the GDPR’s requirements, it’s necessary to carry out a careful assessment to guide your analysis:

  1. Define your data processing activities: Identify what personal data you collect, why you collect it, and how it’s used.
  2. Map against GDPR applicability: Compare your activities to the criteria in Art. 2 and Art. 3 of the regulation.
  3. Assess whether exemptions apply fully or partially: Review Art. 2(2), Art. 23, Art. 89, and Rec. 153 to determine if any of your operations might be exempt.
  4. Consider cross-border implications: Understand where your customers are located, as you’ll likely be subject to the GDPR if any are based in the EU.
  5. Document your decision-making process: Record your reasoning, evidence, and safeguards in case of a data subject access request (DSAR) or regulatory audit.

It’s always best to assume that the GDPR applies to your business unless your assessment clearly proves otherwise. Taking a more cautious approach will help to avoid potential issues and penalties further down the line.

“GDPR exemptions are narrow and context-dependent, so don’t assume your organization’s size or nonprofit status excludes you. Assess data types, scale, and purposes against the law’s text. Document your reasoning and build minimum viable controls for consent, transparency, and security, even if an exemption might apply.”
— Celestine Bahr, Director Legal, Compliance & Data Privacy at Usercentrics

How Usercentrics helps businesses navigate GDPR obligations and exemptions

GDPR exemptions are intentionally narrow and carefully defined. While some entities may be able to collect personal data and make data transfers outside of GDPR restrictions in certain circumstances, most will still need to comply with the regulation’s core obligations. 

Partial exemptions are more common than full ones, but businesses should never assume they’re excluded from the regulation’s requirements. Even when exemptions apply, data controllers should maintain lawful, transparent, and secure data protection practices and records. 

Usercentrics helps simplify GDPR compliance, seamlessly integrating consent management into your workflows so it’s not a burden on your team. Our consent management platform (CMP) helps you collect and store GDPR-compliant consent, so you’re always ready for inquiries or an audit from a data protection authority. 

In addition to enabling you to achieve privacy compliance, Usercentrics helps foster user trust so you can build lasting customer relationships and a strong brand reputation. 

A simpler way to achieve and maintain GDPR compliance

Usercentrics makes it easy to manage user consent and stay up to date with evolving GDPR requirements.

William Newmark