The General Data Protection Regulation (GDPR) does not apply in several specific circumstances:
- Personal or Household Activities: GDPR does not cover personal data processing that is purely personal or household-related with no connection to professional or commercial activities. Examples include writing to friends, family, or private social networking. However, if the activity affects people outside one's private life (e.g., filming public areas), the exemption may not apply.
- Law Enforcement and National Security: Processing of personal data by competent authorities for law enforcement or by intelligence services is outside the GDPR's scope, as these are governed by separate laws.
- Non-Personal Data: GDPR applies only to personal data that can identify living individuals. It does not cover processing of non-personal or anonymized data.
- No Territorial or Business Connection to the EU: GDPR does not apply if an organization neither offers goods or services to EU residents nor monitors their behavior.
- Certain Exemptions: There are specific exemptions, such as processing for the prevention and detection of crime or for tax purposes where informing individuals might prejudice those purposes. Some other exemptions relate to journalism, education, and unstructured manual data processing.
- Manual, Unstructured Data: Processing unstructured personal data not intended to form part of a filing system may be exempt.
These exemptions mean GDPR should not be applied as a blanket rule but considered case-by-case based on purpose and context. Organizations should document their reasoning for exemption and maintain data security even if exempted.
