Article 85: Processing and freedom of expression and information

Article 85 requires you to identify when your processing serves freedom of expression (journalistic, academic, artistic, or literary purposes) and then apply the specific Member State “derogations” that reconcile GDPR rights with that expression. Operationally, you need a documented scope decision, a repeatable review/approval workflow, and evidence showing why and how you applied (or did not apply) local exemptions. (Regulation (EU) 2016/679, Article 85)

Key takeaways:

• Article 85 is implemented through Member State law; your job is to map your activities to the relevant national rules and document the decision. (Regulation (EU) 2016/679, Article 85)
• Treat “freedom of expression processing” as a defined use case with an intake, legal review, and controls for access, disclosure, and retention. (Regulation (EU) 2016/679, Article 85)
• Keep an audit-ready decision record for each qualifying workflow (and each refusal), tied to systems, datasets, and owners. (Regulation (EU) 2016/679, Article 85)

“Article 85: processing and freedom of expression and information requirement” is easy to misread as a generic GDPR balancing statement. For operators, it is more concrete: GDPR tells each EU/EEA Member State to pass laws that reconcile data protection with freedom of expression, specifically calling out journalistic purposes and academic, artistic, or literary expression. (Regulation (EU) 2016/679, Article 85)

That means the compliance task is not to invent your own exemption. It is to (1) determine whether any of your processing falls into these expression-related purposes, (2) identify which Member State laws apply based on establishment and targeting, and (3) implement a controlled way to apply the relevant derogations (for example, modified handling of access requests, erasure requests, or transparency obligations where local law permits). (Regulation (EU) 2016/679, Article 85)

This page is written for a Compliance Officer, CCO, or GRC lead who needs to operationalize the requirement quickly: define scope, set ownership, build a workflow, and retain evidence that will stand up in regulator inquiries or customer due diligence.

Regulatory text

Excerpt (operator-relevant): Member States must “reconcile the right to the protection of personal data” with “freedom of expression and information,” including processing for “journalistic purposes” and for “academic, artistic or literary expression.” (Regulation (EU) 2016/679, Article 85)

What this means for you as an operator

• Article 85 is a routing requirement: if a processing activity is for expression/information purposes, you must route it through the applicable Member State framework that reconciles GDPR obligations with expression rights. (Regulation (EU) 2016/679, Article 85)
• Your deliverable is defensible decisioning: a documented determination of whether Article 85-type processing is in scope, which national rules apply, and how your controls implement those rules in day-to-day workflows. (Regulation (EU) 2016/679, Article 85)

Plain-English interpretation

You need a disciplined way to handle content and publishing-style processing that involves personal data (names, images, quotes, identifiers, contact details, etc.) where the purpose is to inform the public or express ideas. In those cases, local law may allow you to limit or tailor certain GDPR duties to protect free expression. Article 85 tells you that these “tailored rules” exist through Member State law; it does not tell you which ones apply. (Regulation (EU) 2016/679, Article 85)

Who it applies to (entity and operational context)

Applies to:

• Any organization acting as a controller or processor that handles personal data in activities that can qualify as journalistic, academic, artistic, or literary expression. (Regulation (EU) 2016/679, Article 85)
• Media organizations, publishers, broadcasters, documentary producers, investigative research groups, universities, think tanks, authors, artists, platforms with editorial teams, and non-profits producing reports that identify individuals.

Common operational contexts:

• Publishing articles, newsletters, reports, or documentaries that name or depict people.
• Maintaining source/whistleblower intake channels.
• Archiving published content with personal data.
• Research outputs that include identifiable individuals (interviews, case studies).
• Artistic projects that incorporate identifiable persons (photography, film, exhibitions). (Regulation (EU) 2016/679, Article 85)

Third parties matter here If you outsource editing, transcription, hosting, analytics, content moderation, or archival services, those third parties can affect how you apply Article 85-related derogations and how you protect source confidentiality. Your operating procedure should explicitly cover third-party involvement and contractual guardrails.

What you actually need to do (step-by-step)

Step 1: Build a role-and-scope register for Article 85 processing

Create a register entry (or a tagged subset of your RoPA) for each workflow that might qualify:

• Controller vs. processor role ¹.
• Purpose statement (journalistic, academic, artistic, literary).
• Data categories (identifiers, contact details, special category data if present).
• Systems involved (CMS, DAM, email, case management, cloud drives).
• Typical disclosures (publication, syndication, social sharing, archiving).
• Third parties involved and their functions. (Regulation (EU) 2016/679, Article 85)

Deliverable: an “Article 85 scope list” that a regulator or auditor can read without interpretation.

Step 2: Define the “expression processing” intake and approval workflow

Implement a short, repeatable workflow that triggers early, before publication or release:

1. Trigger event: new story/project, new dataset, investigative research file, new archive initiative, or republishing older content.
2. Intake form: what is being published, who is identified, why identification is necessary, and which jurisdictions are implicated.
3. Legal/GRC review: determine whether the activity qualifies for the Member State expression regime and whether any GDPR obligations are modified under applicable local law. (Article 85 is the GDPR anchor, but the actual derogations come from Member State law.) (Regulation (EU) 2016/679, Article 85)
4. Decision outcome: “Qualifies,” “Does not qualify,” or “Qualifies in part,” with rationale.
5. Controls checklist: apply required safeguards (see Step 3).
6. Approval: named owner signs off (Editorial lead plus Privacy/Legal, as appropriate).
7. Record retention: save the evidence packet (see below). (Regulation (EU) 2016/679, Article 85)

Step 3: Translate the decision into concrete controls

You need controls that work for publishing realities. Use a checklist format tied to each workflow:

A. Data minimization for publication

• Confirm necessity of naming/identifying individuals for the expression purpose.
• Consider redaction, initials, pixelation/blur, or aggregating details where feasible.

B. Source and contributor confidentiality

• Restrict access to source identities (role-based access).
• Separate source identity data from working drafts where practical.
• Document who can approve disclosure of source information.

C. Rights request handling playbook (tailored) Create a specific procedure for DSAR/erasure/objection requests that involve published or journalistic-like content:

• Triage: “content/expression related” vs. “standard business processing.”
• Escalation: editorial + legal review for expression-related requests.
• Decision record: rationale for granting/denying/partially granting, mapped to applicable Member State law that implements Article 85. (Regulation (EU) 2016/679, Article 85)

D. Retention and archiving

• Define when working files (raw interviews, recordings) are retained, archived, or deleted.
• For archives, document purpose (historical record, research archive) and access controls.

E. Third-party controls

• Ensure contracts and instructions reflect your confidentiality and access requirements.
• Verify that third parties do not repurpose content data for their own aims without authorization.

Step 4: Train the teams who trigger the risk

Training must be role-specific:

• Editorial/research: what triggers the intake, how to document necessity, how to handle source information.
• Customer support/legal ops: how to route rights requests involving published content.
• IT/security: secure collaboration patterns for drafts and sensitive sources. (Regulation (EU) 2016/679, Article 85)

Step 5: Prove it works with a recurring evidence cadence

On a recurring cadence, sample:

• A set of recent publications/projects tagged as expression-related.
• A set of rights requests involving expression content. Confirm that each has an evidence packet and that decisions match your procedure. (Regulation (EU) 2016/679, Article 85)

Required evidence and artifacts to retain

Keep these artifacts organized by workflow/project:

• Article 85 scope register (workflows, roles, systems, third parties). (Regulation (EU) 2016/679, Article 85)
• Intake and decision records (qualifies/does not qualify; rationale; approver).
• Jurisdiction mapping memo (which Member State rules were consulted and why they apply).
• Rights request case files tagged “expression-related” with final response rationale.
• Access control evidence for sensitive source data (role definitions, permission snapshots, audit logs where available).
• Third-party contract excerpts relevant to confidentiality, processing instructions, and sub-processing.
• Exception log (where normal GDPR workflows were adjusted) with remediation notes.

Practical tip: store these as “evidence packets” per project/story so audits do not become a scavenger hunt.

Common exam/audit questions and hangups

Expect variations of:

• “Which of your processing activities rely on freedom of expression derogations, and how do you decide?” (Regulation (EU) 2016/679, Article 85)
• “Show me a recent access/erasure request involving published content. Who approved the response and why?”
• “How do you separate editorial/journalistic processing from marketing or subscriber analytics?”
• “How do you control access to sources and unpublished drafts?”
• “Which third parties touch pre-publication materials, and what are their instructions?”

Hangup: teams often cannot show the decision trail that links a particular publication workflow to the local Article 85 implementation.

Frequent implementation mistakes (and how to avoid them)

1. Treating Article 85 as automatic permission to deny DSARs.
   Fix: require a documented jurisdiction + purpose analysis for each denial, and route through a defined escalation path. (Regulation (EU) 2016/679, Article 85)

2. Over-scoping “journalistic purposes” to routine corporate comms.
   Fix: define qualifying criteria and exclude marketing, HR communications, and standard customer communications unless legal review documents a basis.

3. No separation between editorial systems and general collaboration tools.
   Fix: implement access controls and compartmentalization for sources and sensitive drafts.

4. Third-party blind spot.
   Fix: include third parties in the scope register and require contractual + operational safeguards for confidentiality and access.

Enforcement context and risk implications

No public enforcement cases were provided in the supplied sources, so you should plan based on supervisory authority expectations: they test whether you can demonstrate lawful decisioning, controlled exceptions, and consistent operations. Article 85 raises reputational and regulatory risk because it sits at the intersection of publication harms (defamation-like impacts, exposure of vulnerable individuals, source protection) and individual privacy rights. Your defensibility depends on documentation quality and consistent workflow execution. (Regulation (EU) 2016/679, Article 85)

Practical 30/60/90-day execution plan

First 30 days (Immediate stabilization)

• Assign an accountable owner (Privacy/Legal) and an operational co-owner (Editorial/Research ops).
• Build the Article 85 role-and-scope register for the highest-risk workflows first (investigations, whistleblower intake, documentary production). (Regulation (EU) 2016/679, Article 85)
• Implement a lightweight intake/decision template and require it for new projects.

By 60 days (Controls in production)

• Publish the operating procedure: triggers, approvers, SLAs for internal review, and evidence requirements.
• Implement the rights-request triage category “expression-related” with an escalation path and decision record template.
• Tighten access controls for source identity data and sensitive drafts; document the model.

By 90 days (Assurance and audit readiness)

• Run a tabletop exercise: a DSAR/erasure request targeting a published piece plus a request to identify a source.
• Perform an internal sample test of recent projects for evidence packet completeness and approval consistency.
• Close gaps with a tracked remediation plan and update training.

How Daydream fits (without adding process friction)

Daydream is useful here as the system of record for (1) the Article 85 scope register, (2) the operating procedure with named owners and triggers, and (3) evidence packets tied to each workflow and exception. That combination is what teams need when a regulator or enterprise customer asks, “Show me how you apply Article 85 in practice.” (Regulation (EU) 2016/679, Article 85)

Frequently Asked Questions

Does Article 85 apply only to news organizations?

No. It covers processing for journalistic purposes and for academic, artistic, or literary expression, which can exist in many organizations and projects. You still need to map to applicable Member State law to know what derogations exist. (Regulation (EU) 2016/679, Article 85)

Can we deny access or erasure requests because we publish content?

Not automatically. You need a documented assessment that the request relates to expression processing and that applicable Member State law permits limiting certain GDPR obligations in that context. Keep the decision record with the case file. (Regulation (EU) 2016/679, Article 85)

How do we separate “journalistic” processing from marketing content?

Define qualifying criteria and route borderline cases through the same intake workflow. If the primary purpose is promotion, lead generation, or standard corporate communications, treat it as normal GDPR processing unless legal review documents otherwise. (Regulation (EU) 2016/679, Article 85)

What evidence should we keep per story or project?

Keep an intake form, the Article 85 qualification decision (with rationale and approver), a list of systems and third parties involved, and any rights-request handling decisions tied to that content. Store it as a single evidence packet per project for audit efficiency. (Regulation (EU) 2016/679, Article 85)

We have multiple EU audiences. Which Member State laws apply?

Article 85 points you to Member State law, so applicability depends on your establishment and how your processing is carried out and targeted. Treat jurisdiction mapping as a required step in the intake workflow and document the reasoning for each cross-border project. (Regulation (EU) 2016/679, Article 85)

Does Article 85 change our security obligations?

Article 85 addresses reconciling rights and obligations with freedom of expression; it does not remove the need for appropriate protection of sensitive materials. In practice, source confidentiality and draft controls should be stricter, not looser, for expression-related workflows. (Regulation (EU) 2016/679, Article 85)

Footnotes

1. Regulation (EU) 2016/679, Article 85