The GDPR became UK law on 25 May 2018. The regulation contains a number of derogations, where EU member states can exercise a degree of discretion (flexibility) over how certain provisions will apply.
In September 2017 the UK Government published a new Data Protection Bill, which will implement derogations and exemptions from the GDPR. The Bill is likely to be highly scrutinised and undergo changes as it progresses through parliament.
Key derogations can be found in the following articles of the GDPR:
Processing of Data
Article 6 – lawfulness of processing
Article 8 – processing of children’s data by one services
Article 18 – right to restriction of processing
Article 28 – processor
Article 29 – processing under the authority of the controller of processor
Article 32 – security of processing
Article 35 – data protection impact assessment
Article 37 – designation of the data protection officer
Article 86 – processing and public access to official documents
Article 87 – processing of the national identification number
Article 88 – processing in the context of employment
Demonstrating compliance
Article 40 – Codes of conduct
Article 42 – certification
Article 43 – certification bodies
Data Protections officers
Article 4 – definitions
Article 37 – designation of the data protection officer
Article 38 – position of the data protection officer
Rights and Remedies
Article 17 – right to erasure
Article 22 – automated individual decision-making, including profiling
Article 26 – joint controllers
Article 80 – representation of data subjects
Third country transfers
Article 49
Sensitive personal data and exceptions
Article 9 – processing of special categories of data
Supervisory Authority
Article 51 – Supervisory Authority
Article 53 – General conditions for the members of the supervisory authority
Article 54 – Rules on the establishment of the supervisory authority
Article 58 – powers
Article 59 – activity reports
Article 62 – Joint operations of supervisory authorities
Article 90 – obligations of secrecy
Sanctions
Article 36 – prior consultation
Article 58 – powers
Article 83 – general conditions for imposing administrative fines
Article 84 – penalties
Criminal convictions
Article 10 – processing of personal data relating to criminal convictions and offences
Freedom of Expression in the Media
Article 85
Archiving and Research
Article 89
GDPR Restrictions
Article 23 allows members states to legislate national measures which restrict the application of various rights and duties under the Regulation. The restrictions may apply to all of the individual rights in Articles 12-22, and to the data protection principles in Article 5 in so far as they correspond to the Article 12-22 rights.
October 2017
Copyright DPN
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.