The European Union’s GDPR serves as a shield, safeguarding EU citizens’ personal data by regulating how it is handled. Its extraterritorial reach gives data protection global consistency and prevents the law from being circumvented by transferring the data to other countries.
Though GDPR applies to almost all organisations including nonprofits, conglomerates and small businesses, it also carves out some exemptions. Explore whether your organisation falls under GDPR exemptions, and what its implications and requirements are.
What is GDPR?
The General Data Protection Regulation regulates the handling of personal data in the European Union. It recognises the privacy rights of data subjects, such as the right to rectification or the right to be forgotten, and prevents businesses from making unauthorised use of their personal data.
Businesses processing European personal data are required to follow certain data protection standards prescribed by the GDPR.
The following are the key GDPR obligations:
- Provide an easily accessible and understandable privacy policy
- Limit the collection and use of personal data to the necessary purpose
- Do not process personal data without a legal basis, for example, user consent
- Establish appropriate safeguards to protect the confidentiality of personal data
- Enable convenient methods to exercise data subject rights
- Honour data subject requests promptly
- Record and document compliance measures
- Obtain cookie consent for websites using non-essential or third-party cookies
- Provide a cookie policy that describes the categories, use, and retention period of cookies
- Have a contractual agreement with service providers and third parties
- Notify serious breaches to authorities within 72 hours
- Ensure adequate data protection while engaging in data transfers to third countries
- Conduct data protection impact assessments if you engage in data processing involving high risks such as special categories of data/sensitive data processing
The authority to enforce GDPR is entrusted to the European Data Protection Board (EDPB) and the Data Protection Authorities (DPAs) of the member states. They can impose non-compliance fines of up to 20 Million Euros or 4% of the annual gross revenue.
If your business operates in the European Union or serves European customers, understanding GDPR compliance is essential.
Who does GDPR apply to?
The European data privacy law, GDPR, applies to organisations that engage in automated personal data processing or non-automated personal data processing in an organised manner (filing systems).
The territorial scope of GDPR is not based on a monetary threshold like US privacy laws such as CCPA. Instead, it has an expanded scope and accommodates almost all organisations including small businesses if they meet the following criteria:
- Organisations located within the European Union, regardless of where the data processing takes place
- Organisations located outside the European Union offering goods/services to EU citizens or monitoring their behaviour within the union.
- Non-EU organisations that are bound by member state laws under public international law. Examples include member states’ diplomatic missions or consular posts.
Does GDPR apply to small businesses?
The short answer is yes, it does. From start-ups to global corporations, GDPR applies to businesses of all kinds.
However, it also offers some derogations for small businesses from record-keeping obligations or appointing a Data Protection Officer (DPO). Record-keeping includes documenting data processing activities, categories of personal data, specific purposes, and data recipients.
Therefore, if your organisation has fewer than 250 employees, only engages in data processing occasionally, does not process special categories of personal data, or does not pose a risk to the rights and freedoms of individuals, you are likely exempted from some GDPR requirements.
What are GDPR exemptions and how do they work?
Data protection is a fundamental right in the European Union and GDPR contributes to its enforcement. Despite its extensive scope, GDPR relieves some organisations of its strictest compliance requirements. Here are some of the notable GDPR exemptions.
#1 Does not process personal data
The scope of GDPR extends to data controllers handling the personal data of EU citizens. As GDPR primarily focuses on the protection of personal data, it does not apply to businesses or other organisations that only handle non-personal data.
Personal data means any data capable of identifying a living individual directly or indirectly. Examples of personal data include:
- Name
- Location data
- Identification numbers
- Debit card or credit card information
- Email address
- Phone number
- Racial or ethnic identity
- Genetic data
- Online identifiers
The term “online identifier” has a broad meaning and can include information about an individual’s device, applications or tools. Internet cookies, IP addresses, pixels, beacons, and other tracking technologies fall under this category.
Therefore, if your website has EU visitors and deploys cookies or similar technologies on their devices, it must stay GDPR-compliant. This includes providing cookie banners and GDPR policies, obtaining cookie consent, implementing security measures, etc.
The law also exempts the processing of anonymous data from its scope. This is information that no longer identifies, and is no longer capable of identifying, a living individual.
However, this does not mean that pseudonymous data are exempted as they can be attributed to a natural person using additional information.
#2 Data processing outside the scope of the EU
The territorial scope of GDPR extends to data processing carried out in the context of activities within the European Union, and it also includes organisations outside the EU that:
Offer goods or services to the EU data subjects
Determining whether you have such a connection mostly depends upon your intention. For example, an American company marketing its products in languages specific to the European Union, such as Irish or Catalan, or quoting prices in Euros, shows an intention to offer goods or services to EU citizens.
Monitor the behaviour of EU citizens
This includes tracking the online activities of EU data subjects, particularly to build profiles of them and use those profiles for purposes such as marketing and behavioural advertising. Therefore, even if you are a Canadian business with a website that has visitors from France or Norway, you likely fall under the scope of GDPR. However, if your business has no connection with Europe or with EU personal data, you might be exempted from the GDPR requirements.
#3 Personal data of deceased persons
GDPR’s application is limited to the personal data of living persons. Therefore, a deceased person’s personal data falls outside the scope of the law.
Since businesses must keep personal data accurate and up to date, it is recommended that you update your database by removing a deceased individual’s data and stop sending them emails or other marketing promotions.
#4 Data processing in the personal or household context
The GDPR exemption applies to the processing of personal data within a personal or household context, as distinguished from a commercial or professional context. Look at these examples for a better picture:
- Adding contacts to one’s address book
- Sending emails to friends
- Sharing contact details with family and friends
- Creating personal photo albums
#5 Personal data of legal persons
The European privacy law does not apply to the personal data of legal persons such as corporations, nonprofit organisations and partnerships.
This means that data that would otherwise be considered personal, such as names, phone numbers, or email addresses, are not considered personal data if they belong to corporations or partnerships.
#6 National security and criminal prosecution
GDPR does not apply to data processing for national security purposes or for preventing, investigating, detecting, or prosecuting criminal offences. The exemption applies if you can prove that complying with the relevant rules endangers national security. Moreover, these activities are already governed by separate regulations.
#7 Derogation for special processing activities
GDPR recognises that there must be a balance between privacy and fundamental freedoms or public interest. As a result, the law allows some derogations for the following types of processing activities. Member states can determine specific rules and derogations if needed.
- For data processing carried out for journalistic, academic, or artistic purposes such as in audiovisual fields like television or films and news archives
- Enabling public access to personal data held by public authorities in order to carry out tasks in the public interest
- Processing employee information can be carried out based on specific rules enacted by member states or agreements that determine the conditions for processing personal data in an employment context
- Using personal data for archiving purposes in the public interest, scientific or historical research purposes and statistical purposes
Implications of GDPR exemptions for businesses
The exemptions and derogations under GDPR provide respite for certain kinds of businesses, such as small or medium enterprises or those that only process personal data occasionally. This reduces compliance costs and the need for resources, which can otherwise be a financial burden for some businesses.
At the same time, it can also create risks if businesses misinterpret the exemptions, resulting in non-compliance fines and reputational loss. Thus, it is essential that businesses understand the exemptions clearly and carefully determine whether they are exempted.
Here are some of the approaches businesses similar to yours take:
- Consult with legal professionals who are experts in the privacy-legal landscape
- Take your time and analyse the circumstances under which certain organisations are relieved from strict obligations
- Ensure that you have records and documents to justify and demonstrate the exemption applicable to your business
- It is equally important that you stay updated with the evolving data privacy landscape, including GDPR amendments, if any
How to determine if your business qualifies for exemption?
Some businesses qualify for GDPR exemptions; here is how you can determine if you are one of them.
Assess your business activities
Evaluate your core business activities and determine the types of data you process and how often you process personal data.
Identify the exemptions
Recognise the relevant exemptions based on your assessment. Some of the most common exemptions include businesses that do not process the personal data of living persons, businesses that have no connection with the European Union, derogations for businesses with fewer than 250 employees, and data processing carried out primarily for personal or household activities.
Certain types of processing
Determine whether you use personal data exclusively for archiving, scientific research, or journalistic purposes.
Expert advice
Seek legal advice from privacy professionals to confirm whether you qualify for a GDPR exemption. They can provide tailored advice and recommendations and help you navigate the law.
Documentation and compliance requirements for GDPR exemptions
While securing a GDPR exemption can provide significant relief, your responsibilities do not end there. It requires continuous attention and compliance effort even if you are exempted.
Document your reasoning for why you fall outside the scope of GDPR. Suppose it is because you do not offer your products or services to EU citizens: you should be able to demonstrate this by showing that your marketing initiatives are not in a language specific to Europe or that you have no intention of conducting business with Europeans.
Here is a key tip: always ensure that you have established robust security measures at the technical and organisational levels to protect the personal data you handle, regardless of any exemption. This will not only save your bank account from serious financial repercussions but also foster customer trust.
FAQ on GDPR exemption
GDPR is the European Union’s data privacy legislation, which sets regulatory standards for personal data processing. It grants data subjects rights that give them control over their data. Enforcement is carried out by the European Data Protection Board and the Data Protection Authorities of the EU member states.
If you are an organisation based in Europe, or you process the personal data of EU citizens other than in a personal or household context, you are likely bound by the law. To know whether you need to be GDPR-compliant, identify your data processing activities, understand the legal requirements, or consult a legal professional.
The GDPR is known for its stringent demands and the effort needed to comply, but it does make some exemptions for specific types of businesses. Certain exemptions under the GDPR relieve small businesses with fewer than 250 employees from the requirement to document compliance or designate a data protection officer. It also excludes the processing of personal data in a personal or household context, as well as organisations that do not process personal data at all.
No, US companies are not exempt from GDPR obligations if they meet the required thresholds.
CCPA is the US equivalent of GDPR since there are no unified federal laws in the US, and both share many similarities. However, there are many differences between CCPA and GDPR as well.