
Information obligation - when is it not required?

Writer: The SOC 2


Data protection professionals regularly face challenges regarding GDPR's information requirements. While the law clearly defines when organizations must inform individuals about data processing, there are specific situations where this obligation doesn't apply. Let's explore when organizations can - and sometimes should - forego providing privacy notices.


When individuals already have the information


The GDPR exempts organizations from providing information that data subjects already possess. However, merely assuming someone has this information isn't enough - concrete evidence is essential. This requirement stems from the GDPR's accountability principle, which demands thorough documentation of compliance decisions.



Consider a typical business scenario: A regular customer who received complete privacy information when first engaging with a company returns for additional services. In this case, the organization need only communicate new or changed elements, such as:


  • Additional processing purposes,

  • Changes to data retention periods,

  • New categories of data recipients.


According to Article 13(4) and Article 14(5)(a) of the GDPR, organizations are exempt from providing information if the data subject already possesses it. However, proper documentation is necessary to prove compliance with the accountability principle. Organizations must have clear records showing when and what information was originally provided and evidence that this information remains current. Without such documentation, they may need to provide the complete privacy notice again.


Impossible situations and disproportionate effort


For data not obtained directly from the individual, the GDPR provides additional exemptions. Under Article 14(5)(b), the information requirement does not apply where and insofar as providing the information proves impossible or would involve a disproportionate effort, in particular for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes (subject to the conditions and safeguards of Article 89(1)). Two circumstances follow from this provision.


First, when providing the information is objectively impossible. This isn't about convenience or difficulty - it's a binary assessment. A typical case is having no way to contact the individuals at all, because no contact details are available and none can reasonably be obtained.


Second, when fulfilling the obligation would demand disproportionate effort. Organizations must evaluate:


  • The size of the affected population,

  • How long ago the data was collected,

  • Available contact methods,

  • Resources required to reach individuals.


Historical research provides a clear example: When researchers work with demographic records from decades ago involving thousands of individuals, attempting to notify each person would often be unreasonably burdensome and costly. Even then, the exemption is not unconditional: Article 14(5)(b) requires the controller to take appropriate measures to protect the data subjects' rights, freedoms and legitimate interests, including making the information publicly available, for example in a published privacy notice describing the research processing.


Legal exemptions from notification requirements


The GDPR waives the information requirement where obtaining or disclosing the data is expressly laid down by Union or Member State law to which the organization is subject, and that law provides appropriate measures to protect the individual's legitimate interests.

This exemption is based on Article 14(5)(c) GDPR. Like the other exemptions in Article 14(5), it applies only to data not obtained directly from the individual; the law must expressly provide for the obtaining or disclosure, and a general legal basis for the processing is not enough.



Tax administration offers a practical illustration: Tax authorities receive detailed salary information from employers as required by law. They don't need to separately inform employees about this data processing because:


  • Legal provisions explicitly authorize the data transfer,

  • Employees can reasonably expect this processing,

  • Statutory protections safeguard the information.


Professional confidentiality exceptions


A legally regulated obligation of professional secrecy can exempt organizations from the information requirement for data they did not obtain from the individual. This particularly affects:


  • Healthcare providers,

  • Legal professionals,

  • Mental health practitioners,

  • Religious advisors.


Under Article 14(5)(d) GDPR, the requirement to provide privacy notices does not apply where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.


Medical genetics illustrates this principle: When a patient shares family medical history, the physician processes personal data about relatives that was not obtained from them. The physician neither needs to nor may inform those relatives, because doing so would disclose the patient's confidential medical information. In such situations the professional secrecy obligation takes precedence over the GDPR notification requirement.


Importantly, this exception only applies to legally mandated professional secrecy, not merely organizational policies or industry practices.


Practical implications


Organizations should treat these exemptions as exceptions rather than the rule. Each decision to withhold privacy information requires thorough documentation and solid justification.


These exemptions align with the GDPR's accountability principle (Article 5(2)), requiring organizations to justify their decisions with proper records.


Decision-makers must:


  • Document the specific grounds for exemption,

  • Demonstrate they've considered alternative approaches,

  • Show they've implemented appropriate privacy safeguards,

  • Maintain evidence supporting their decision.


The goal remains balancing transparency with practical limitations and legal obligations. While the GDPR provides these exemptions, they require careful consideration and robust documentation to demonstrate compliance.


ITGRC ADVISORY LTD., 590 Kingston Road, London, United Kingdom, SW20 8DN (company number: 12435469)