DSGVO Wissen
GDPR Art. 9

C. Exceptions – overview

The ten exceptions to the prohibition of processing under Art. 9(2) GDPR at a glance – application logic and principles.

Back to the Art. 9 GDPR overview | B. The prohibition of processing

At a Glance

Art. 9(2) lists ten exceptions ((a)–(j)) that can lift the prohibition of processing. The list is exhaustive: anything not covered by (a)–(j) remains prohibited – there are no gaps that may be filled creatively.

The ten exceptions at a glance

ExceptionBrief description
(a)The data subject has given explicit consent
(b)Processing is necessary for employment-law purposes
(c)Protection of vital interests, where the person is unable to consent
(d)Processing by a non-profit organisation concerning its members
(e)The data subject has manifestly made the data public
(f)Processing for the establishment, exercise or defence of legal claims
(g)Substantial public interest (with a legal basis)
(h)Healthcare and medicine (+ professional secrecy obligation under para. 3)
(i)Public health – e.g. fighting epidemics
(j)Archiving, research, statistics in the public interest

Conditions: What must always be fulfilled?

Even if an exception applies, that alone is not enough. All three conditions must be present:

  • a) An exception under Art. 9(2)(a)–(j) applies
  • b) A legal basis under Art. 6(1) is also present
  • c) The principles of Art. 5 GDPR are observed (data minimisation, purpose limitation, storage limitation)

How the exceptions are to be interpreted

Narrow, but not too narrow

The exceptions must be interpreted narrowly – after all, they deviate from a prohibition. But they must not be understood so narrowly that important areas such as healthcare or science become practically impossible.

The guiding principle is always: the interference with privacy must be proportionate – suitable, necessary and appropriate.

Data minimisation and purpose limitation

Even within an exception, the following applies:

  • Only as much sensitive data as necessary may be processed
  • The data may only be used for the permitted purpose
  • As soon as the purpose ceases to apply, the data must be erased

Which exceptions refer to national law?

Several exceptions in Art. 9(2) require a legal basis in national law:

ExceptionNational law required
(b)Employment and social law
(g)Law on public interest
(h)Professional law for healthcare staff
(i)National health law
(j)Conditions and safeguards by law

What Member States may and may not do

Member States may specify and restrict the exceptions, but may not extend them to new situations not provided for in the catalogue. A national legislator who invents a new exception not covered by (a)–(j) violates EU law.

Frequently Asked Questions (FAQ)

Can I rely on several exceptions at the same time? Yes. It is possible for several exceptions to apply simultaneously – this increases legal certainty but does not change the other requirements.

What happens if no exception applies? Then the processing is prohibited – full stop. There is no "general clause" or possibility of analogy.

Is the exception alone sufficient? No. In addition to the exception under Art. 9(2), a legal basis under Art. 6(1) is always also required.

Next:

B.III The individual categories

Each of the eight sensitive data categories under Art. 9(1) GDPR explained – with everyday examples.

C – Explicit consent ((a))

Art. 9(2)(a) GDPR – When and how consent allows the processing of sensitive data, and what to bear in mind.

On this page

At a GlanceThe ten exceptions at a glanceConditions: What must always be fulfilled?How the exceptions are to be interpretedNarrow, but not too narrowData minimisation and purpose limitationWhich exceptions refer to national law?What Member States may and may not doFrequently Asked Questions (FAQ)