General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR)

Audit functions

This exemption can apply if you process personal data for the purposes of discharging a function conferred by enactment on:

  • the Comptroller and Auditor General;
  • the Auditor General for Scotland;
  • the Auditor General for Wales; or
  • the Comptroller and Auditor General for Northern Ireland.

It exempts you from the GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

But the exemption only applies to the extent that complying with these provisions would be likely to prejudice the proper discharge of your functions. If it does not, you must comply with the GDPR as normal.

Bank of England functions
This exemption can apply if you process personal data for the purposes of discharging a function of the Bank of England:

  • in its capacity as a monetary authority;
  • that is a public function (within the meaning of Section 349 of the Financial Services and Markets Act 2000); or
  • that is conferred on the Prudential Regulation Authority by enactment.

It exempts you from the GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

But the exemption only applies to the extent that complying with these provisions would be likely to prejudice the proper discharge of your functions. If this is not so, the exemption does not apply.

Regulatory functions relating to legal services, the health service and children’s services
This exemption can apply if you process personal data for the purposes of discharging a function of:

  • the Legal Services Board;
  • considering a complaint under:
    • Part 6 of the Legal Services Act 2007,
    • Section 14 of the NHS Redress Act 2006,
    • Section 113(1) or (2), or Section 114(1) or (3) of the Health and Social Care (Community Health and Standards) Act 2003,
    • Section 24D or 26 of the Children’s Act 1989, or
    • Part 2A of the Public Services Ombudsman (Wales) Act 2005; or
  • considering a complaint or representations under Chapter 1, Part 10 of the Social Services and Well-being (Wales) Act 2014.

It exempts you from the GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

But the exemption only applies to the extent that complying with these provisions would be likely to prejudice the proper discharge of your functions. If you can comply with these provisions and discharge your functions as normal, you cannot rely on the exemption.

Other regulatory functions
This exemption can apply if you process personal data for the purpose of discharging a regulatory function conferred under specific, listed legislation on any one of 14 bodies and persons. These are:

  • the Information Commissioner;
  • the Scottish Information Commissioner;
  • the Pensions Ombudsman;
  • the Board of the Pension Protection Fund;
  • the Ombudsman for the Board of the Pension Protection Fund;
  • the Pensions Regulator;
  • the Financial Conduct Authority;
  • the Financial Ombudsman;
  • the investigator of complaints against the financial regulators;
  • a consumer protection enforcer (other than the Competition and Markets Authority);
  • the monitoring officer of a relevant authority;
  • the monitoring officer of a relevant Welsh authority;
  • the Public Services Ombudsman for Wales; or
  • the Charity Commission.

It exempts you from the GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

But the exemption only applies to the extent that complying with these provisions would be likely to prejudice the proper discharge of your function. If this is not so, you must comply with these provisions as you normally would.

Parliamentary privilege
This exemption can apply if it is required to avoid the privileges of either House of Parliament being infringed.
It exempts you from the GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling;
  • the communication of personal data breaches to individuals; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

But if you can comply with these provisions without infringing parliamentary privilege, you must do so.

Judicial appointments, independence and proceedings
This exemption applies if you process personal data:

  • for the purposes of assessing a person’s suitability for judicial office or the office of Queen’s Counsel;
  • as an individual acting in a judicial capacity; or
  • as a court or tribunal acting in its judicial capacity.

It exempts you from the GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

Additionally, even if you do not process personal data for the reasons above, you are also exempt from the same provisions of the GDPR to the extent that complying with them would be likely to prejudice judicial independence or judicial proceedings.

Crown honours, dignities and appointments
This exemption applies if you process personal data for the purposes of:

  • conferring any honour or dignity by the Crown; or
  • assessing a person’s suitability for any of the following offices:
    • archbishops and diocesan and suffragan bishops in the Church of England,
    • deans of cathedrals of the Church of England,
    • deans and canons of the two Royal Peculiars,
    • the First and Second Church Estates Commissioners,
    • lord-lieutenants,
    • Masters of Trinity College and Churchill College, Cambridge,
    • the Provost of Eton,
    • the Poet Laureate, or
    • the Astronomer Royal.

It exempts you from the GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

Journalism, academia, art and literature
This exemption can apply if you process personal data for:

  • journalistic purposes;
  • academic purposes;
  • artistic purposes; or
  • literary purposes.

Together, these are known as the ‘special purposes’.
The exemption relieves you from your obligations regarding the GDPR’s provisions on:

  • all the principles, except the security and accountability principles;
  • the lawful bases;
  • the conditions for consent;
  • children’s consent;
  • the conditions for processing special categories of personal data and data about criminal convictions and offences;
  • processing not requiring identification;
  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling;
  • the communication of personal data breaches to individuals;
  • consultation with the ICO for high risk processing;
  • international transfers of personal data; and
  • cooperation and consistency between supervisory authorities.

But the exemption only applies to the extent that:

  • as controller for the processing of personal data, you reasonably believe that compliance with these provisions would be incompatible with the special purposes (this must be more than just an inconvenience);
  • the processing is being carried out with a view to the publication of some journalistic, academic, artistic or literary material; and
  • you reasonably believe that the publication of the material would be in the public interest, taking into account the special importance of the general public interest in freedom of expression, any specific public interest in the particular subject, and the potential to harm individuals.

When deciding whether it is reasonable to believe that publication would be in the public interest, you must (if relevant) have regard to:

  • the BBC Editorial Guidelines;
  • the Ofcom Broadcasting Code; and
  • the Editors’ Code of Practice.

We expect you to be able to explain why the exemption is required in each case, and how and by whom this was considered at the time. The ICO does not have to agree with your view – but we must be satisfied that you had a reasonable belief.

Research and statistics
This exemption can apply if you process personal data for:

  • scientific or historical research purposes; or
  • statistical purposes.

It does not apply to the processing of personal data for commercial research purposes such as market research or customer satisfaction surveys.
It exempts you from the GDPR’s provisions on:

  • the right of access;
  • the right to rectification;
  • the right to restrict processing; and
  • the right to object.

The GDPR also provides exceptions from its provisions on the right to be informed (for indirectly collected data) and the right to erasure.
But the exemption and the exceptions only apply:

  • to the extent that complying with the provisions above would prevent or seriously impair the achievement of the purposes for processing;
  • if the processing is subject to appropriate safeguards for individuals’ rights and freedoms (see Article 89(1) of the GDPR – among other things, you must implement data minimisation measures);
  • if the processing is not likely to cause substantial damage or substantial distress to an individual;
  • if the processing is not used for measures or decisions about particular individuals, except for approved medical research; and
  • as regards the right of access, the research results are not made available in a way that identifies individuals.

Additionally, the GDPR contains specific provisions that adapt the application of the purpose limitation and storage limitation principles when you process personal data for scientific or historical research purposes, or statistical purposes. See the Guide pages on these principles for more detail.

Archiving in the public interest
This exemption can apply if you process personal data for archiving purposes in the public interest. It exempts you from the GDPR’s provisions on:

  • the right of access;
  • the right to rectification;
  • the right to restrict processing;
  • the obligation to notify others regarding rectification, erasure or restriction;
  • the right to data portability; and
  • the right to object.

The GDPR also provides exceptions from its provisions on the right to be informed (for indirectly collected data) and the right to erasure.
But the exemption and the exceptions only apply:

  • to the extent that complying with the provisions above would prevent or seriously impair the achievement of the purposes for processing;
  • if the processing is subject to appropriate safeguards for individuals’ rights and freedoms (see Article 89(1) of the GDPR – among other things, you must implement data minimisation measures);
  • if the processing is not likely to cause substantial damage or substantial distress to an individual; and
  • if the processing is not used for measures or decisions about particular individuals, except for approved medical research.

Additionally, the GDPR contains specific provisions that adapt the application of the purpose limitation and storage limitation principles when you process personal data for archiving purposes in the public interest. See the Guide pages on these principles for more detail.

Health data – processed by a court
This exemption can apply to health data (personal data concerning health) that is processed by a court. It exempts you from the GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

But the exemption only applies if the health data is:

  • supplied in a report or evidence given to the court in the course of proceedings; and
  • those proceedings are subject to certain specific statutory rules that allow the data to be withheld from the individual it relates to.

If you think this exemption might apply to your processing of personal data, see paragraph 3(2) of Schedule 3, Part 2 of the DPA 2018 for full details of the statutory rules.

Health data – an individual’s expectations and wishes
This exemption can apply if you receive a request (in exercise of a power conferred by an enactment or rule of law) for health data from:

  • someone with parental responsibility for an individual aged under 18 (or 16 in Scotland); or
  • someone appointed by the court to manage the affairs of an individual who is incapable of managing their own affairs.

It exempts you from the GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

But the exemption only applies to the extent that complying with the request would disclose information that:

  • the individual provided in the expectation that it would not be disclosed to the requestor, unless the individual has since expressly indicated that they no longer have that expectation;
  • was obtained as part of an examination or investigation to which the individual consented in the expectation that the information would not be disclosed in this way, unless the individual has since expressly indicated that they no longer have that expectation; or
  • the individual has expressly indicated should not be disclosed in this way.

Health data – serious harm
This exemption can apply if you receive a subject access request for health data.
It exempts you from the GDPR’s provisions on the right of access regarding your processing of health data.
But the exemption only applies to the extent that compliance with the right of access would be likely to cause serious harm to the physical or mental health of any individual. This is known as the ‘serious harm test’ for health data. You can only rely on this exemption if:

  • you are a health professional; or
  • within the last six months you have obtained an opinion from an appropriate health professional that the serious harm test for health data is met. Even if you have done this, you still cannot rely on the exemption if it would be reasonable in all the circumstances to re-consult the appropriate health professional.

If you think this exemption might apply to a subject access request you have received, see paragraph 2(1) of Schedule 3, Part 2 of the DPA 2018 for full details of who is considered an appropriate health professional.

Health data – restriction of the right of access
This is a restriction rather than an exemption. It applies if you receive a subject access request for health data.
It restricts you from disclosing health data in response to a subject access request, unless:

  • you are a health professional; or
  • within the last six months you have obtained an opinion from an appropriate health professional that the serious harm test for health data is not met. Even if you have done this, you must re-consult the appropriate health professional if it would be reasonable in all the circumstances.

This restriction does not apply if you are satisfied that the health data has already been seen by, or is known by, the individual it is about.
If you think this restriction could apply to a subject access request you have received, see paragraph 2(1) of Schedule 3, Part 2 of the DPA 2018 for full details of who is considered an appropriate health professional.

Social work data – processed by a court
This exemption can apply to social work data (personal data that isn’t health or education data) processed by a court. If you are unsure whether the data you process is social work data, see paragraphs 7(1) and 8 of Schedule 3, Part 3 of the DPA 2018 for full details of what this is.
The exemption relieves you from your obligations regarding the GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

But the exemption only applies if the social work data is:

  • supplied in a report or evidence given to the court in the course of proceedings; and
  • those proceedings are subject to certain specific statutory rules that allow the social work data to be withheld from the individual it relates to.

If you think this exemption might apply to your processing of personal data, see paragraph 9(2) of Schedule 3, Part 3 of the DPA 2018 for full details of the statutory rules.

Social work data – an individual’s expectations and wishes
This exemption can apply if you receive a request (in exercise of a power conferred by an enactment or rule of law) for social work data concerning an individual from:

  • someone with parental responsibility for an individual aged under 18 (or 16 in Scotland); or
  • someone appointed by court to manage the affairs of an individual who is incapable of managing their own affairs.

It exempts you from the GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

But the exemption only applies to the extent that complying with the request would disclose information that:

  • the individual provided in the expectation that it would not be disclosed to the requestor, unless the individual has since expressly indicated that they no longer have that expectation;
  • was obtained as part of an examination or investigation to which the individual consented in the expectation that the information would not be disclosed in this way, unless the individual has since expressly indicated that they no longer have that expectation; or
  • the individual has expressly indicated should not be disclosed in this way.

Social work data – serious harm
This exemption can apply if you receive a subject access request for social work data. It exempts you from the GDPR’s provisions on the right of access regarding your processing of social work data.
But the exemption only applies to the extent that complying with the right of access would be likely to prejudice carrying out social work because it would be likely to cause serious harm to the physical or mental health of any individual. This is known as the ‘serious harm test’ for social work data.

Social work data – restriction of the right of access
This is a restriction rather than an exemption. It applies if you process social work data as a local authority in Scotland (as defined by the Social Work (Scotland) Act 1968), and you receive a subject access request for that data. It restricts you from disclosing social work data in response to a subject access request if:

  • the data came from the Principal Reporter (as defined by the Children’s Hearings (Scotland) Act 2011) in the course of his statutory duties; and
  • the individual whom the data is about is not entitled to receive it from the Principal Reporter.

If there is a question as to whether you need to comply with a subject access request in this situation, you must inform the Principal Reporter within 14 days of the question arising.
You must not disclose the social work data in response to the subject access request unless the Principal Reporter has told you they think the serious harm test for social work data is not met.

Education data – processed by a court
This exemption can apply to education data (personal data in an educational record) processed by a court. If you are unsure whether the data you process is ‘education data’, see paragraphs 13-17 of Schedule 3, Part 4 of the DPA 2018 for full details of what this is.
The exemption relieves you from your obligations regarding the GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

But the exemption only applies if the education data is:

  • supplied in a report or evidence given to the court in the course of proceedings; and
  • those proceedings are subject to certain specific statutory rules that allow the education data to be withheld from the individual it relates to.

If you think this exemption might apply to your processing of personal data, see paragraph 18(2) of Schedule 3, Part 4 of the DPA 2018 for full details of the statutory rules.

Education data – serious harm
This exemption can apply if you receive a subject access request for education data.
It exempts you from the GDPR’s provisions on the right of access regarding your processing of education data.
But the exemption only applies to the extent that complying with the right of access would be likely to cause serious harm to the physical or mental health of any individual. This is known as the ‘serious harm test’ for education data.

Education data – restriction of the right of access
This is a restriction rather than an exemption. It applies if you process education data as an education authority in Scotland (as defined by the Education (Scotland) Act 1980), and you receive a subject access request for that data.
It restricts you from disclosing education data in response to a subject access request if:

  • you believe that the data came from the Principal Reporter (as defined by the Children’s Hearings (Scotland) Act 2011) in the course of his statutory duties; and
  • the individual whom the data is about is not entitled to receive it from the Principal Reporter.

If there is a question as to whether you need to comply with a subject access request in this situation, you must inform the Principal Reporter within 14 days of the question arising.
You must not disclose the education data in response to the subject access request unless the Principal Reporter has told you they think the serious harm test for education data is not met.

Child abuse data
This exemption can apply if you receive a request (in exercise of a power conferred by an enactment or rule of law) for child abuse data. If you are unsure whether the data you process is ‘child abuse data’, see paragraph 21(3) of Schedule 3, Part 5 of the DPA 2018 for a definition.
The exemption applies if the request is from:

  • someone with parental responsibility for an individual aged under 18; or
  • someone appointed by court to manage the affairs of an individual who is incapable of managing their own affairs.

It exempts you from the GDPR’s provisions on the right of access.
But the exemption only applies to the extent that complying with the request would not be in the best interests of the individual who the child abuse data is about.
This exemption can only apply in England, Wales and Northern Ireland. It cannot apply in Scotland.

Corporate finance
This exemption can apply if you process personal data in connection with a corporate finance service (e.g. if you underwrite financial instruments or give corporate finance advice to undertakings) that you are permitted to provide (as set out in the Financial Services and Markets Act 2000).
It exempts you from the GDPR’s provisions on:

  • the right to be informed;
  • the right of access; and
  • all the principles, but only so far as they relate to the right to be informed and the right of access.

But the exemption only applies to the extent that complying with the provisions above would:

  • be likely to affect the price of an instrument; or
  • have a prejudicial effect on the orderly functioning of financial markets (or the efficient allocation of capital within the economy), and you reasonably believe that complying with the provisions above could affect someone’s decision whether to:
    • deal in, subscribe for or issue a financial instrument, or
  • act in a way likely to have an effect on a business activity (e.g. an effect on an undertaking’s capital structure, the legal or beneficial ownership of a business or asset or a person’s industrial strategy

Management forecasts
This exemption can apply if you process personal data for the purposes of management forecasting or management planning in relation to a business or other activity.
It exempts you from the GDPR’s provisions on:

  • the right to be informed;
  • the right of access; and
  • all the principles, but only so far as they relate to the right to be informed and the right of access.

But the exemption only applies to the extent that compliance with the above provisions would be likely to prejudice the conduct of the business or activity.

Example
The senior management of an organisation is planning a re-organisation. This is likely to involve making certain employees redundant, and this possibility is included in management plans. Before the plans are revealed to the workforce, an employee makes a subject access request. In responding to that request, the organisation does not have to reveal its plans to make him redundant if doing so would be likely to prejudice the conduct of the business (perhaps by causing staff unrest before the management’s plans are announced).

Negotiations
This exemption can apply to personal data in records of your intentions relating to any negotiations with an individual.
It exempts you from the GDPR’s provisions on:

  • the right to be informed;
  • the right of access; and
  • all the principles, but only so far as they relate to the right to be informed and the right of access.

But it only applies to the extent that complying with the above provisions would be likely to prejudice negotiations with that individual.

Example
An individual makes a claim to his insurance company. The claim is for compensation for personal injuries he sustained in an accident. The insurance company disputes the seriousness of the injuries and the amount of compensation it should pay. An internal paper sets out the company’s position on these matters including the maximum sum it would be willing to pay to avoid the claim going to court. If the individual makes a subject access request to the insurance company, it would not have to send him the internal paper – because doing so would be likely to prejudice the negotiations to settle the claim.

Confidential references
This exemption applies if you give or receive a confidential reference for the purposes of prospective or actual:

  • education, training or employment of an individual;
  • placement of an individual as a volunteer;
  • appointment of an individual to office; or
  • provision by an individual of any service.

It exempts you from the GDPR’s provisions on:

  • the right to be informed;
  • the right of access; and
  • all the principles, but only so far as they relate to the right to be informed and the right of access.

Example
Company A provides an employment reference in confidence for one of its employees to company B. If the employee makes a subject access request to company A or company B, the reference will be exempt from disclosure. This is because the exemption applies to the reference regardless of whether it is in the hands of the company that gives it or receives it.

Exam scripts and exam marks
This exemption can apply to personal data in exam scripts.
It exempts you from the GDPR’s provisions on:

  • the right to be informed;
  • the right of access; and
  • all the principles, but only so far as they relate to the right to be informed and the right of access.

But it only applies to the information recorded by candidates. This means candidates do not have the right to copies of their answers to the exam questions.
However, the information recorded by the person marking the exam is not exempt from the above provisions. If an individual makes a subject access request for this information before the results are announced, special rules apply to how long you have to comply with the request. You must provide the information:

  • within five months of receiving the request; or
  • within 40 days of announcing the exam results, if this is earlier.

Protection of the rights of others
Paragraphs 16 and 17 of Schedule 2, Part 3 of the DPA 2018 provide an exemption that can apply if you receive a subject access request for information containing the personal data of more than one individual.

Applications
To assist organisations in applying the requirements of the GDPR in different contexts, we are working to produce guidance in a number of areas. For example, children’s data, CCTV, big data, etc. This section will expand when our work on this guidance is complete.

People also ask this Questions

  1. What is the GDPR?
  2. When did the GDPR come into effect?
  3. To whom does the GDPR apply?
  4. What responsibilities do companies have under the GDPR?
  5. What kind of information does the GDPR apply to?
  6. What rules should businesses follow to ensure compliance?

Infocerts, 5B 306 Riverside Greens, Panvel, Raigad 410206 Maharashtra, India
Contact us – https://www.infocerts.com

Linkedin - Free social media icons

Leave a Comment

Your email address will not be published. Required fields are marked *

Open Whatsapp chat
Whatsapp Us
Chat with us for faster replies.