This article in CPO Magazine, written by Andrew Clearwater, CIPP/US, and Brian Philbrook, CIPP/US, CIPP/E, CIPM, CIPT, offers insight on the more than 50 derogations in the EU General Data Protection Regulation. It looks at the GDPR implementation laws passed in Austria and Germany to offer further perspective on how member states are handling the derogations.
GDPR Derogations and How to Prepare for Member State Variation

CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 2
Related Stories
Summary of GDPR derogations in the UK Data Protection Bill
This table from the Open Rights Group sets out the flexibilities and derogations in the GDPR, the article of the GDPR to which it corresponds, and the U.K.’s reason(s) for choosing, if applicable, to deviate from the GDPR’s default position.
Click to View (PDF)...
Derogations and special conditions
Bird & Bird offers an overview of special conditions in the EU General Data Protection Regulation, where member states may (or are required to) implement supplemental laws. The guidance also includes a checklist to help controllers ensure compliance.
Click to View (PDF)...
Malta added to IAPP GDPR derogations tracker
A couple of weeks back, we announced the IAPP's new EU Member State GDPR Derogation Implementation Tracker looking at specific provisions in the EU General Data Protection Regulation whereby member states are required to, or may, create rules specific to that country — commonly referred to as deroga...
Analysis: The Danish Data Protection Act and its GDPR derogations
The Danish Parliament approved the Data Protection Act, May 23, 2018. The law brings the country's data protection regime in line with the EU General Data Protection Regulation.
The lawmaking process
The preparation for the act went on for two years and included several committees and working grou...
Opice Blum – Identifying and reacting to security incidents
This resource, published by Opice Blum Advogados, provides companies with guidance on incident response in Brazil with observance of General Data Protection Law requirements....