This Act shall not apply to:
(1) the collection, use, or disclosure of Personal Data by a Person who collects such Personal Data for personal benefit or household activity of such Person only;
(2) operations of public authorities having the duties to maintain state security, including financial security of the state or public safety, including the duties with respect to the prevention and suppression of money laundering, forensic science or cybersecurity;
(3) a Person or a juristic person who uses or discloses Personal Data that is collected only for the activities of mass media, fine arts, or literature, which are only in accordance with professional ethics or for public interest;
(4) The House of Representatives, the Senate, and the Parliament, including the committee appointed by the House of Representatives, the Senate, or the Parliament, which collect, use or disclose Personal Data in their consideration under the duties and power of the House of Representatives, the Senate, the Parliament or their committee, as the case may be;
(5) trial and adjudication of courts and work operations of officers in legal proceedings, legal execution, and deposit of property, including work operations in accordance with the criminal justice procedure;
(6) operations of data undertaken by a credit bureau company and its members, according to the law governing the operations of a credit bureau business.
The exceptions to apply all or parts of the provisions of this Act to any Data Controller in any manner, business or entity, in a similar manner to the Data Controller in paragraph one, or for any other public interest purpose, shall be promulgated in the form of the Royal Decree.
The Data Controller under paragraph one (2), (3), (4), (5), and (6) and the Data Controller of the entities that are exempted under the Royal Decree in accordance with paragraph two shall also put in place a security protection of Personal Data in accordance with the standard.