Exemptions to the obligation to provide information
The GDPR contains its own exemptions (no national law needed) and permits member states to create more. For Article 13 (direct collection) there is essentially one exemption in the GDPR itself: where the data subject already has the information. Article 14 (indirect collection) has more: the data subject already has the information; obtaining or disclosure is laid down by law with safeguards; professional secrecy; and the big one, impossible or disproportionate effort (Art 14(5)(b)), especially for archiving/research, or where provision would seriously impair the processing's objectives. Article 23 lets member states restrict these duties for things like national security and crime prevention. Exemptions are construed restrictively.
| Exemption | Article 13 (direct) | Article 14 (indirect) |
|---|---|---|
| Data subject already has the information | Yes (Art 13(4)) | Yes (Art 14(5)(a)) |
| Obtaining/disclosure expressly laid down by law with safeguards | No | Yes (Art 14(5)(c)) |
| Data must stay confidential under professional secrecy | No | Yes (Art 14(5)(d)) |
| Provision is impossible or would involve disproportionate effort (esp. archiving/research), or would seriously impair the objectives | No (not available) | Yes (Art 14(5)(b)) |
Where the impossible / disproportionate effort route is used, the controller must take appropriate measures to protect the subject - including making the information publicly available. The WP29 says this exemption should not be routinely relied upon outside research/archiving, the effort must relate to collection from a source other than the subject, and the assessment must be documented. Impossibility is absolute - 'there are no degrees of impossibility'.
There is no disproportionate-effort or impossibility exemption in Article 13. That route exists only under Article 14(5)(b) because the difficulty must stem from the data being collected from a source other than the data subject.
Article 23 separately allows member states to restrict these duties by legislative measure for aims such as national security, defence, public security, crime prevention/investigation, important public-interest objectives, judicial independence, and enforcement of civil claims - where necessary and proportionate and respecting the essence of fundamental rights. Even a controller relying on an exemption must still answer a data subject's request for information and access (Chapter 9), and exemptions are applied restrictively.