Menu

Exemptions from registration requirements

All controllers and processors must maintain an entry in the register of controllers and processors unless the only processing of personal data falls within the registration exemptions set out in Part 3 of Schedule 7 to the Implementing Regulations 2018.  

The registration requirements (and the Applied GDPR) do not apply to personal data processed purely for personal or household activities.

NOTE: there is no exemption from registration where personal data is processed for marketing purposes.

Staff administration exemption

To claim this exemption the processing must meet all the criteria set out in paragraph 16 of Part 3 of Schedule 7 to the Implementing Regulations.

In summary:

Controllers and processors must be able to demonstrate, and explain to staff in transparency information, why it is necessary to:

This exemption cannot be claimed in respect of the provision of staff administration services for third parties.

Accounts and records exemption

To claim this exemption the processing must meet all the criteria set out in paragraph 17 of Part 3 of Schedule 7 to the Implementing Regulations. 

In summary:

Controllers and processors must be able to demonstrate, and explain to customers and suppliers in transparency information, why it is necessary to:

This exemption cannot be claimed in respect of the provision of accounting or bookkeeping services.

Non profit-making organisations exemption

To claim this exemption the processing must meet all the criteria set out in paragraph 18 of Part 3 of Schedule 7 to the Implementing Regulations.

In summary:

Controllers and processors must be able to demonstrate, and explain to customers and suppliers in transparency information, why it is necessary to:

This exemption from registration cannot be claimed in respect of the processing of personal data by non profit-making organisations for any other purpose, for example CCTV or direct marketing.  

Note: In any case where exemption from registration can be claimed, the controller or processor must still comply with the remaining provisions of the law.