Once marketing and operations teams learn that GDPR exemptions exist, it can be tempting to apply them too broadly. Teams can make the mistake of assuming they meet exemption criteria when in fact the exemption is narrower than expected or does not apply at all.
This article explains what GDPR exemptions are, when they may apply, and what your responsibilities are whether or not they do.
At a glance
- GDPR exemptions are specific conditions under which EU GDPR requirements may not apply to an organization’s data processing in part or at all.
- Scope exemptions cover situations where the GDPR does not apply at all, including purely personal and household activities, national security and law enforcement, processing outside the EU, and deceased persons.
- Partial GDPR exemptions apply to small and medium-sized enterprises (SMEs); journalistic, academic, artistic, and literary purposes; research and archiving in the public interest; and special category data for employment, health, and social protection.
- Data protection exemptions balance privacy rights with legitimate public or private interests and are applied on a case-by-case basis.
- After a careful assessment, if a GDPR exemption applies, organizations must generally still uphold the core GDPR principles and should adopt best practices like providing clear notice and, where appropriate, obtaining consent to maintain visitor trust.
What Are GDPR Exemptions?
GDPR exemptions are the particular circumstances under which specific requirements in the EU’s General Data Protection Regulation (GDPR) do not apply. The GDPR has some of the strictest requirements for the collection and use of personal data, and can impose considerable GDPR penalties in the event of non-compliance.
A GDPR exemption is limited to certain parts of the regulation. It does not mean that everything in the GDPR does not apply to an organization. In most cases, the rights and obligations stated in the data protection law are still mandatory, including:
- Identifying and documenting a valid lawful basis for processing (which may include obtaining consent)
- Having a privacy policy that clearly explains how the personal data is processed
- Following all seven GDPR principles, including purpose limitation and data minimization
- Having GDPR-compliant contracts with vendors and third parties for data sharing
- Appointing a Data Protection Officer (DPO) where required under Art. 37 GDPR for GDPR compliance monitoring and risk management
- Having a GDPR data breach protocol to notify the supervisory authority within 72 hours of becoming aware of a breach likely to result in a risk to individuals’ rights and freedoms
The Seven Main GDPR Exemption Scenarios
There are seven broad scenarios for GDPR exceptions:
1. No personal data is processed
If an organization does not collect any personal data and does not monitor individual behavior, it falls outside the scope of the GDPR.
2. Personal data is processed outside EU jurisdiction
GDPR requirements do not apply where personal data belongs exclusively to individuals located outside the EU/EEA. What matters is the location of the data subjects, not that of the organization itself.
3. Processing personal data of deceased persons
The GDPR protects the personal data of living individuals only; processing personal data belonging to deceased persons therefore falls outside its scope.
4. Processing personal data within personal and household contexts
The GDPR applies to commercial or professional contexts only. Processing carried out by an individual for purely personal or household activity, such as maintaining a private contacts list or sharing photos within a family group, falls under the GDPR household exemption defined in Art. 2(2)(c) GDPR.
5. Processing personal data for research or journalistic purposes
Partial GDPR exceptions apply to journalistic, academic, and literary activity in support of freedom of expression, and to research conducted in the public interest.
6. Activity for security purposes and criminal prosecution
GDPR scope and applicability can be relaxed in cases involving national security and the prevention, investigation, detection, or prosecution of criminal offences.
7. Special derogations
In some areas, including foreign policy and law enforcement, GDPR clauses allow EU Member States to apply their local laws. In those cases, organizations should comply with the applicable national law.
While some of these scenarios are scope exemptions — rare examples when the GDPR doesn’t apply at all — most fall under the category of obligation exemptions — specific relaxed requirements that do not remove an organization’s broader GDPR responsibilities.
Scope Exemptions: When the GDPR Does Not Apply at All
GDPR scope exemptions are specific conditions under which the GDPR does not apply, either to certain types of processing or to certain categories of data.
According to Art. 2(2) GDPR, these scenarios include:
- Activity that falls outside the scope of EU law
- Activity that is regulated by the specific provisions of the common foreign and security policy under the Treaty on the European Union (TEU)
- Processing data for a purely personal or household activity
- Activity by a competent authority for the purpose of the prevention, investigation, detection or prosecution of criminal offences
Additionally, Recital 27 GDPR states that the GDPR does not apply to the personal data of deceased persons. The sections below clarify which scenarios fall outside the GDPR’s scope and under what conditions.
Processing Outside the EU
Art. 3 GDPR defines the territorial scope of the law as the “processing of personal data … in the Union, regardless of whether the processing takes place in the Union or not.” This means it covers processing by organizations established in the EU, regardless of where the processing physically occurs.
The provision applies in two directions. First, it covers organizations outside the EU if they collect or process personal data belonging to individuals located in the EU/EEA. Second, it can also apply to EU-based organizations processing personal data of individuals outside the EU/EEA, where that processing is carried out in the context of their EU establishment’s activities.
The scope exemption applies when a non-EU company processes personal data of non‑EU data subjects only. Otherwise, an organization will likely need to comply with the GDPR if it collects, stores, analyzes, or discloses the personal data of individuals located in the EU/EEA, or if it is itself located in the EU/EEA.
National Security and Law Enforcement
National security and law enforcement are limited situations in which the GDPR may not apply in full.
The GDPR includes several national security scenarios as exemptions. Under Art. 23 GDPR, European Union and Member State laws may restrict specific GDPR rights and obligations for purposes related to national security, defence, and foreign and public security. These GDPR exceptions are targeted restrictions, not a blanket exemption from the regulation.
Processing carried out by competent authorities for the prevention, investigation, detection, or prosecution of criminal offences generally falls outside the GDPR’s scope and is governed instead by the Law Enforcement Directive and national law.
Purely Personal or Household Activity
The GDPR regulates personal data processing for professional or commercial activity. The GDPR does not apply to processing carried out by an individual for purely personal or household activity, such as managing a private family chat or keeping a personal contacts list. Taking photos on a personal device for private use falls under the same exemption.
The GDPR does apply when personal data collection goes beyond private or household use to include commercial interests. For example, if taking photos becomes a business or a personal blog includes monetization, the GDPR would apply. Any processing of data for marketing or other business purposes falls within the GDPR’s scope, and the relevant obligations apply.
Deceased Persons
The GDPR regulates the processing of personal data belonging to living individuals only. The personal data of deceased persons is outside of its scope. National laws on posthumous data protection and medical confidentiality may still apply, however.
Partial GDPR Exemptions: The Cases for Relaxed Obligations
Most GDPR exemptions are applied on a case-by-case basis. They refer to specific obligations and do not remove an organization’s broader GDPR responsibilities. The GDPR small business exemption, the exemptions for journalistic and research activity, and certain processing of social protection data are examples of partial GDPR exceptions.
Small and Medium-Sized Enterprises (SMEs)
Art. 30 GDPR states that maintaining a record of processing activities “shall not apply to an enterprise or an organisation employing fewer than 250 persons,” unless the processing is likely to result in a risk to data subjects’ rights and freedoms, is not occasional, or involves special categories of data.
Journalistic, Academic, Artistic, and Literary Purposes
For journalistic, academic, artistic and literary expression, Art. 85 GDPR allows member states to create exemptions or derogations from certain parts of the regulation. Those exceptions apply only where they are “necessary to reconcile the right to the protection of personal data with the freedom of expression and information.”
Research and Archiving in the Public Interest
Art. 89 GDPR provides limited derogations for processing carried out for archiving in the public interest, scientific or historical research, or statistical purposes. To rely on those derogations, the organization must implement appropriate safeguards, including technical and organizational measures that support data minimization and, where possible, pseudonymization.
The partial exemptions may limit certain data subject rights, including the right to access, rectify, restrict processing, and object.
It is unlikely that collecting data for marketing research is within the scope of this exemption, unless the organization can demonstrate that it serves the public interest and that rigorous scientific methodology is applied.
Special Category Data for Employment, Health, and Social Protection
Art. 9 GDPR generally prohibits processing special categories of personal data — including health data, racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and genetic and biometric data, among others — but it lists some possible exceptions:
- Employment data: Processing is permitted where it is necessary for employment, social security, or social protection law, such as managing sick leave or administering social insurance.
- Health data: Processing is permitted for preventive or occupational medicine, assessment of a person’s ability to work, or the provision of health or social care. A duty of confidentiality applies when processing this type of data.
- Public health and broader social protection: Processing is permitted in the interest of public health, including cross-border health threats and the maintenance of health standards.
Explicit consent may also be required as a condition for processing sensitive personal data.
Common GDPR Exemption Mistakes Businesses Make
Misunderstanding the scope of GDPR exemptions can create significant compliance risk. The following are some of the most common errors organizations make when assessing whether an exemption applies to their processing activities.
Assuming Company Size Creates a Broad Exemption
The GDPR applies to all organizations regardless of size. The partial SME exemptions are narrow and refer to specific obligations only, such as the requirement to maintain written records of processing activities (RoPA) under Art. 30 GDPR and, in some cases, the obligation to appoint a DPO. They do not reduce an organization’s broader GDPR responsibilities.
Confusing Anonymized Data With Pseudonymized Data
Even where data appears de-identified, IP addresses and cookie IDs remain personal data under the GDPR, as they can identify an individual when combined with other data the organization holds. Truly anonymized data — where re-identification is not possible by any means — falls outside the GDPR’s scope. Pseudonymized data does not. The presence of re-identification risk determines the level of legal responsibility that applies.
Assuming a Non-EU Headquarters Means the GDPR Does Not Apply
The GDPR applies to any organization that processes the personal data of individuals located in the EU/EEA, regardless of where the organization itself is headquartered or established. Location of the data subject, not the organization, is the determining factor.
Not Documenting the Basis for Relying on an Exemption or Derogation
Organizations must be able to demonstrate and justify the reasons for their data processing activities, including where they rely on an exemption or derogation. Accountability is a core GDPR principle and applies even where certain obligations are relaxed.
Applying a Member State Derogation Without Verifying Local Adoption
Where the GDPR permits Member States to limit certain rights or obligations, that permission does not mean every Member State has exercised it. Organizations should verify whether the relevant country has actually adopted the restriction in national law before relying on it.
Legitimate Interests as a GDPR Flexibility Mechanism
Art. 6 GDPR sets out six lawful bases for personal data processing, of which legitimate interests is one of the most frequently used. The European Data Protection Board’s (EDPB) Guidelines 1/2024 define legitimate interests as covering a wide range of operational and commercial activities that are vital to an organization’s existence, provided they do not override the fundamental rights and freedoms of the data subject.
GDPR legitimate interests cannot, however, be treated as a default mechanism to avoid obtaining consent where it would otherwise be required. Organizations must conduct a three-part Legitimate Interest Assessment (LIA) and document the outcome for accountability purposes.
Where data subject rights are at risk, the legitimate interests basis does not apply, and another valid lawful basis must be established before processing can proceed.
The following are common cases where legitimate interests may conflict with data subject rights:
- Direct marketing to consumers: Direct marketing does not generally fall within the scope of individuals’ reasonable expectations, making it likely to fail the LIA and attract objections from affected data subjects.
- Online tracking and profiling: The EDPB defines continuous tracking and monitoring as a high-risk activity that may increase the risk of a data subject’s identity being exposed, which conflicts with the definition of legitimate interests.
- Processing children’s data: Art. 6 GDPR requires that children’s data receive specific protection, and such protections frequently outweigh a legitimate interest claim.
- Fraud prevention: Preventing fraud is a recognized legitimate interest, but safeguards for data minimization and purpose limitation must still apply.
- Network security: Protecting network security may qualify as a legitimate interest where it passes the LIA.
- Limited B2B direct marketing: B2B marketing may qualify as a legitimate interest where it passes the LIA. Highly targeted, limited campaigns are more likely to pass than broad consumer profiling.
Even where an organization passes the LIA, GDPR legitimate interests should not be treated as a blanket substitute for consent across all processing activities.
What Still Applies Even When Exemptions Are in Effect
Accountability, appropriate safeguards, and proper documentation remain required even where exemptions from certain GDPR obligations apply. It is rare for an organization to be able to demonstrate that the GDPR does not apply at all.
In most cases, organizations must still uphold data subject rights and the core principles of the GDPR, including lawfulness, fairness, transparency, and purpose limitation, regardless of which exemptions are in effect.
First-Party Data and Consent: Why Most Marketers Can’t Rely on Exemptions
GDPR exemptions are narrow, and the circumstances in which the GDPR does not apply at all are narrower still. Exemptions cannot be treated as a reliable mechanism for meeting GDPR obligations.
For commercial marketing in particular, the probability that processing activities will pass the legitimate interests test is low. A more defensible approach is to establish a clear lawful basis under Art. 6 GDPR.
Obtaining visitor consent provides a reliable and transparent lawful basis for personal data processing. A cookie banner helps communicate the purpose of data collection and gives visitors clarity over how their data is used. Consent management tools help organizations respect visitor decisions automatically, supporting compliance with the GDPR in areas where exemptions don’t apply.
GDPR Exemptions: Know Where You Stand
GDPR exemptions rarely remove an organization’s responsibility to uphold the GDPR scope and accountability principles. Understanding who is exempt from the GDPR, which exemptions may apply, and what obligations remain in effect is essential for any organization that handles personal data.
Even an organization that falls outside the GDPR’s scope can benefit from adopting privacy-conscious data practices, as clear communication with individuals about how their data is handled supports credibility and long-term relationships.
Usercentrics supports organizations in managing their GDPR obligations through a visitor-first approach to consent, including:
- Automated consent management
- Up-to-date audit trails
- Multi-regulation support to help meet requirements across jurisdictions
- Server-side capabilities for compliant data activation
Even where the GDPR does not apply, keeping individuals informed about their rights and about how their personal data is processed remains a sound operational and reputational practice.
