Further Reading: Derogations

Although there are a number of references to derogations or exemptions throughout GDPR, there are two broad areas that require specific mention:

  1. Restrictions on the obligations as they relate to data protection rights (For example a response to a SAR or communication to an individual following a breach)
  2. Data Processing in certain specific situations

Restrictions on obligations

Restrictions may be applied in relation to the obligation for transparency but only where they

  1. Respect the essence of the fundamental rights and freedoms and
  2. Are necessary and proportionate in a democratic society.

Restrictions may relate to:

  • national security
  • defence
  • public security
  • the prevention, investigation, detection or prosecution of criminal offence, and breaches of ethics for regulated professions
  • important public interests (ie economic, financial, public health and social security)
  • judicial independence and judicial proceedings
  • exercise of official authority in the monitoring, inspection of regulator functions relating to the exercise of official authority of matters listed above
  • protection of the individual, or the rights and freedoms of others
  • enforcement of civil law matters

Restrictions must include:

The data protection act 2018

The Data Protection Act 2018 is a complicated piece of legislation made up of 7 parts and 20 schedules. The four main areas covered in the Act are:

  • general data processing,
  • law enforcement data processing,
  • data processing by the intelligence services and
  • regulatory oversight and enforcement.

As a Regulation, GDPR is automatically enforceable in all Member States of the EU and there is no requirement for it to be transposed into statute. The DPA 2018, therefore, supplements GDPR, and must be read alongside it.

In contrast, the Law Enforcement Directive is a Directive and is transposed into UK law thereby making it enforceable. The LED forms Part 3 of the Act. The LED and processing by the intelligence services is out of scope of this training

The 7 Parts of the DPA can be identified as follows:

  • Part 1
    Provides an overview of the Act, including key terms
  • Part 2
    This Part deals with general personal data processing and also extends the regime to areas otherwise not covered by GDPR.
  • Part 3
    Transposes the Law Enforcement Directive into UK law
  • Part 4
    Deals with Intelligence Service Processing
  • Part 5
    Sets out the functions of the Information Commissioner both here and internationally
  • Part 6
    Deals with enforcement
  • Part 7
    Provides supplementary provision relating to information about offences, the Tribunal, territorial applications of the Act and further definitions


Articles 5, 23, 85 -91

Recitals 73, 153 – 164

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection- regulation-gdpr/exemptions/

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection- regulation-gdpr/exemptions/immigration-exemption/



The Data Protection Act 2018

ICO guidance on the Data Protection Act/Bill
https://ico.org.uk/for-organisations/data-protection- act-2018/

and also