HACKER Q&A
📣 bryanrasmussen

Do Governmental organizations have fewer obligations under GDPR than NGOs?


As I understood it, Governmental organizations do not have as great obligations under GDPR as NGOs, but according to the Danish Datatilsynet I was just told that:

>The DPA can inform you that according to GDPR, controllers – whether it be a public body or private company – are obligated to follow the same set of rules. There are some rules that only apply to certain types of controllers, such as GDPR article 6(e), which is only applicable to public bodies. These differences do not entail that public bodies have fewer obligations under the GDPR than private companies.

Does anyone have any links to articles, arguments that Governmental organizations have less of an obligation than NGOs? I am wondering if I have just asked my question poorly and been told something that is technically correct but in practice will turn out to be somewhat different?


  👤 konha Accepted Answer ✓
The answer from your DPA mentions article 6, which states:

"Processing shall be lawful only if and to the extent that at least one of the following applies: [...] (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller"

While this might apply to everyone, only governmental organizations will be able to convincingly base the lawfulness of their processing on that. (Guessing - IANAL)


👤 BjoernKW
Unfortunately, governmental organizations and public authorities in general for the most part are exempt from obligations under GDPR, the most easily applicable loophole being that they can always argue legitimate interest or that they're simply legally required to store PII.

It's next to impossible to successfully contest that argument in court.