The Information Commissioner's Office has expanded its guidance on exemptions in its guide to GDPR.
The Information Commissioner’s Office has expanded its guidance on exemptions in its Guide to GDPR. The General Data Protection Regulation and the Data Protection Act 2018 set out exemptions from some of the rights and obligations in particular circumstances. The expanded guidance states that:
Whether or not you can rely on an exemption often depends on why you process personal data.
You should not routinely rely on exemptions; you should consider them on a case-by-case basis.
You should justify and document your reasons for relying on an exemption.
If no exemption covers what you do with personal data, you need to comply with the GDPR as normal.
The Guidance goes on to list available exemptions by reference to particular topics, such as: information required to be disclosed by law or in connection with legal proceedings, legal professional privilege, immigration, audit functions, corporate finance and subject access requests