Skip to main content

Article 23 exemptions from GDPR for regulatory bodies




The incoming GDPR has been at the forefront of every agenda for the last few months. Whilst there is a lot published regarding the onerous obligations it will entail, it is important to bear in mind that the GDPR, if availed of appropriately, also provides certain opportunities. One such opportunity is that of Article 23 of the GDPR which stipulates certain limitations that can be placed on data subjects’ rights; i.e. allowing organisations to forgo certain requirements such as obtaining consent, right of access, erasure, rectification and portability. These limitations can only be applied where the measure used respects the essence of the individual’s fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society. Section 54 of the Bill sets out Ireland’s proposed approach in this regard. The relevant exemptions that are particularly applicable to regulatory bodies are found under Section 54 (7); namely the restrictions must be necessary:
  • to avoid obstructions to any official or legal inquiry, investigation or process, including any out-of-court redress procedure, proceedings pending or due before a court, tribunal of inquiry or commission of investigation;
  • to prevent, detect, investigate and prosecute breaches of discipline by, or the unfitness or incompetence of, persons authorised by law to carry on a profession or any other regulated activity and the imposition of sanctions for same;
  • to prevent, detect, investigate or prosecute breaches of ethics for regulated professions; and/or,
  • to take any action for the purposes of considering and investigating a complaint made to a regulatory body in respect of a person carrying out a profession or other regulated activity where the profession or activity is regulated by that body and the imposition of sanctions on foot of such a complaint.
The mechanism for invoking these exemptions is via the drafting of regulations. These regulations may be made pursuant to Section 54 (9) of the Bill and may be made by the Minister for Justice, following consultation with such other Minister of the Government and the Commission, or by any other Minister of the Government following consultation with the Minister for Justice, or such other Minister of the Government as he or she considers appropriate and the Commission. The scope of the GDPR and the extent to which it will impede on the ordinary performance of regulatory functions remains uncertain. One way of inviting a greater degree of caution is to employ the use of these regulations under section 54 of the Bill. Availing of these exemptions may assist regulatory bodies to continue to adequately perform their functions, in particular when considering complaints and carrying out investigations.