Article 90 GDPR: Difference between revisions

Latest revision as of 12:26, 29 April 2022

← Article 90 - Obligations of secrecy →

Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

Article 90 - Obligations of secrecy

1. Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and (f) of Article 58(1) in relation to controllers or processors that are subject, under Union or Member State law or rules established by national competent bodies, to an obligation of professional secrecy or other equivalent obligations of secrecy where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. Those rules shall apply only with regard to personal data which the controller or processor has received as a result of or has obtained in an activity covered by that obligation of secrecy.

2. Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

Relevant Recitals

Recital 53: Processing Special Category Data for Health-related Purposes

Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data.

Recital 75: Risks to the Rights and Freedoms of Natural Persons

The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.

Commentary

While privacy and data protection are closely related to the right to informational self-determination, i.e. the right for an individual to exercise control over the flow of information concerning them, professional secrecy is a concept that protects the community's interest in being able to trust and rely professionals in whom secrets are confided in the performance of their duties.

Professional secrecy as a moral principle or rule can already be traced back to the Hippocratic Oath, which was drafted circa AD 275. According to this oath, physicians must refrain from divulging information on their patients and should consider such information as "holy secrets".^[1] Today, professional secrecy is still considered as an essential part of the organisation of modern life, as it guarantees the confidentiality of the communications between a person and a professional to whom sensitive information are being disclosed, such as a doctor, a lawyer or an accountant.^[2]

Because information subject to professional secrecy may contain personal data, the GDPR could also apply to it. This means, inter alia, that DPAs could request from a professional to disclose confidential information in the course of an investigation, in accordance with Article 58(1) GDPR. Article 90 GDPR was drafted with a view to regulate potential conflicts between the application of the GDPR on the one hand, and obligations of professional secrecy on the other. More specifically, this provision mandates Member States with the task of regulating certain DPAs investigative powers when exercised against a controller or processor bound by professional secrecy.

(1) Data Protection and Professional Secrecy

Under Article 90 “Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and (f) of Article 58(1) in relation to controllers or processors that are subject […] to an obligation of professional secrecy or other equivalent obligation”.

Professional Secrecy or Other Equivalent Obligation

National regulation may only cover situations in which the controller or processor is subject to professional secrecy or an equivalent obligation of confidentiality under Union Law or the Member State Law, or under an obligation issued by the competent national authorities. Examples of such professional secrecy obligations are not mentioned in the GDPR. However, they presumably include the profession of attorney, doctor, notary, tax advisor and auditor. As such, professional secrecy obligations must not have been recognised by law to fall within the scope of Article 90 GDPR; the national specifications can also relate to confidentiality obligations which have been issued by “national bodies”.^[3] Typical examples of such national bodies include public institutions controlling the financial sector, bar associations or medical orders. In line with Article 90 GDPR, such national bodies may also adopt rules on professional secrecy which are binding on their members and may limit the investigative powers of DPAs.^[4]

Derogation to DPAs' General Powers

Article 90(1) GDPR provides that when a controller or a processor is subject to professional secrecy, Member States may adopt national measures limiting specific investigative powers of the competent DPA. ^[5] The powers in question are provided for in Article 58(e) and (f) GDPR, under which the DPA can “obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks” as well as “access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law”.^[6] It seems clear that the two powers in question can create conflicts where the controller is subject to a professional or other secrecy obligation. In such circumstances, the EU legislator allows Member States to introduce specific rules for the exercise of the investigative powers. For example, an attorney could resist the handing over of information subject to professional secrecy upon request of a DPA, if national law allows for such a derogation. The only condition is that the national measures adopted by the Member State are both “necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy”. In the absence of precise indications in the text of the law, European case-law on necessity and proportionality may provide guidance on how to balance these conflicting interests.^[7]

(2) Notification of national implementation to the Commission

Under Article 90(2) GDPR, each Member State has the obligation to notify to the Commission the rules adopted pursuant to paragraph 1, by the 25^th May 2018 and, without delay, any subsequent amendment affecting them. Such notifications were made by most Member States and are accessible on the website of the Commission.^[8]

Decisions

→ You can find all related decisions in Category:Article 90 GDPR

References

↑ Hippocrates of Cos (1923). "The Oath". Loeb Classical Library. 147: 298–299. doi:10.4159/DLCL.hippocrates_cos-oath.1923.
↑ Riccio, Scorza, Belisario, GDPR e normativa privacy – Commentario, Article 90 GDPR, p. 662 (Wolters Kluwer 2018).
↑ Piltz in Gola DS-GVO, Article 90 GDPR, margin numbers 6-7 (C.H. Beck 2018, 2^nd edition).
↑ Wiese Svanberg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 90 GDPR, p. 1255 and ss. (Oxford University Press 2020).
↑ Piltz in Gola DS-GVO, Article 90 GDPR, margin numbers 15 (C.H. Beck 2018, 2^nd edition).
↑ This means, inter alia, that specific rules adopted by Member States under Article 90 cannot exclude other information from the enforcement competences of the supervisory authority provided under points (e) and (f) of Article 58(1). Wiese Svanberg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 90 GDPR, p. 1255 and ss. (Oxford University Press 2020).
↑ CJEU, Commission v Germany, C-518/07, margin number 23 (available here); CJEU, Commission v. Austria, C-614/10, margin number 37 (available here); and CJEU, Commission v Hungary, C-288/12, margin number 48 (available here).
↑ Available here.

[1] Hippocrates of Cos (1923). "The Oath". Loeb Classical Library. 147: 298–299. doi:10.4159/DLCL.hippocrates_cos-oath.1923.

[2] Riccio, Scorza, Belisario, GDPR e normativa privacy – Commentario, Article 90 GDPR, p. 662 (Wolters Kluwer 2018).

[3] Piltz in Gola DS-GVO, Article 90 GDPR, margin numbers 6-7 (C.H. Beck 2018, 2^nd edition).

[4] Wiese Svanberg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 90 GDPR, p. 1255 and ss. (Oxford University Press 2020).

[5] Piltz in Gola DS-GVO, Article 90 GDPR, margin numbers 15 (C.H. Beck 2018, 2^nd edition).

[6] This means, inter alia, that specific rules adopted by Member States under Article 90 cannot exclude other information from the enforcement competences of the supervisory authority provided under points (e) and (f) of Article 58(1). Wiese Svanberg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 90 GDPR, p. 1255 and ss. (Oxford University Press 2020).

[7] CJEU, Commission v Germany, C-518/07, margin number 23 (available here); CJEU, Commission v. Austria, C-614/10, margin number 37 (available here); and CJEU, Commission v Hungary, C-288/12, margin number 48 (available here).

[8] Available here.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

@@ Line 185: / Line 185: @@
 == Legal Text ==
-<br /><center>'''Article 90 - Obligations of secrecy'''</center><br />
+<br /><center>'''Article 90 - Obligations of secrecy'''</center>
 <span id="1">1.   Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and (f) of Article 58(1) in relation to controllers or processors that are subject, under Union or Member State law or rules established by national competent bodies, to an obligation of professional secrecy or other equivalent obligations of secrecy where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. Those rules shall apply only with regard to personal data which the controller or processor has received as a result of or has obtained in an activity covered by that obligation of secrecy.</span>
@@ Line 192: / Line 192: @@
 == Relevant Recitals==
+{{Recital/53 GDPR}} {{Recital/75 GDPR}}
 == Commentary ==
-While privacy protects the individual's right to informational self-determination, i.e. to exercise control over the flow of information concerning him or her, professional secrecy is a concept that protects the community's interest in being able to trust and rely on a professional in the performance of their duties. The confidentiality of the relationship with the doctor, lawyer, accountant is in other words an essential part of the organisation of modern life.<ref>Riccio, Scorza, Belisario (a cura di), ''GDPR e normativa privacy – Commentario'', Article 90, p. 662, Wolters Kluwer 2018</ref> This provision mandates Member States with the task of regulating certain DPAs investigative powers when they are exercised against a controller or processor bound by professional secrecy.
+While privacy and data protection are closely related to the right to informational self-determination, i.e. the right for an individual to exercise control over the flow of information concerning them, professional secrecy is a concept that protects the community's interest in being able to trust and rely professionals in whom secrets are confided in the performance of their duties.
-=== (1) Data protection and professional secrecy ===
-Under Article 90 “''Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and (f) of Article 58(1) in relation to controllers or processors that are subject […] to an obligation of professional secrecy or other equivalent obligation''”.
-==== Professional secrecy or other equivalent obligation ====
-The respective national regulation may only cover situations in which the controller or the processor is subject to professional secrecy or an equivalent obligation of confidentiality under Union Law or the Member State Law or under an obligation issued by the competent national authorities. Examples of such professional secrecy obligations are not mentioned in the GDPR. However, they include the profession of attorney and doctor. Other professional groups affected are likely to be notaries, tax advisors or auditors. However, it should be noted that not only statutory confidentiality obligations are included. The national specifications can also relate to confidentiality obligations that have been issued by “national bodies”.<ref>''Piltz'' in Gola DS-GVO, Article 90 GDPR, margin numbers 6-7 (Beck 2018, 2<sup>nd</sup> ed.) (accessed 12.08.2021).</ref>
-==== Derogations to DPAs general powers ====
-Thus, where the controller or processor is subject to a secrecy obligation, Member States may adopt national measures limiting specific investigative powers of the supervisory authority.<ref>''Piltz'' in Gola DS-GVO, Article 90 GDPR, margin numbers 15 (Beck 2018, 2<sup>nd</sup> ed.) (accessed 12.08.2021).</ref>
-The powers in question are provided for in Article 58(e) and (f), under which the DPA has the can “''obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks''” as well as “''access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law''”.<ref>This means, inter alia, that specific rules adopted by Member States under Article 90 cannot exclude other information from the enforcement competences of the supervisory authority provided under points (e) and (f) of Article 58(1). ''Wiese Svanberg,'' in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 90 GDPR, p. 1255 and ss. (Oxford University Press 2020)</ref>
+Professional secrecy as a moral principle or rule can already be traced back to the Hippocratic Oath, which was drafted circa AD 275. According to this oath, physicians must refrain from divulging information on their patients and should consider such information as "''holy secrets''".<ref>Hippocrates of Cos (1923). "The Oath". Loeb Classical Library. 147: 298–299. doi:10.4159/DLCL.hippocrates_cos-oath.1923.</ref> Today, professional secrecy is still considered as an essential part of the organisation of modern life, as it guarantees the confidentiality of the communications between a person and a professional to whom sensitive information are being disclosed, such as a doctor, a lawyer or an accountant.<ref>Riccio, Scorza, Belisario, GDPR e normativa privacy – Commentario, Article 90 GDPR, p. 662 (Wolters Kluwer 2018).</ref>
-It seems clear that the two powers in question can create conflicts where the controller is subject to a professional or other secrecy obligation. In such circumstances, the European legislator recognises the power of Member States to introduce specific rules for the exercise of the investigative powers. Such measures must be “''necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy''”. Once again, in the absence of precise indications in the text of the law, it is necessary to look at the jurisprudence of the European courts to get some details on this balancing of interests.<ref>ECJ, Case C-518/07, Commission v Germany, para. 23; ECJ, Case C-614/10, Commission v. Austria, para. 37; and ECJ, Case C-288/12, Commission v Hungary, para. 48</ref>
+Because information subject to professional secrecy may contain personal data, the GDPR could also apply to it. This means, ''inter alia'', that DPAs could request from a professional to disclose confidential information in the course of an investigation, in accordance with [[Article 58 GDPR|Article 58(1) GDPR]]. Article 90 GDPR was drafted with a view to regulate potential conflicts between the application of the GDPR on the one hand, and obligations of professional secrecy on the other. More specifically, this provision mandates Member States with the task of regulating certain DPAs investigative powers when exercised against a controller or processor bound by professional secrecy.
+=== (1) Data Protection and Professional Secrecy ===
+Under Article 90 “''Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and (f) of Article 58(1) in relation to controllers or processors that are subject […] to an obligation of professional secrecy or other equivalent obligation''”.
-==== National implementations ====
+==== Professional Secrecy or Other Equivalent Obligation ====
-''You can help us fill in this section!''
+National regulation may only cover situations in which the controller or processor is subject to professional secrecy or an equivalent obligation of confidentiality under Union Law or the Member State Law, or under an obligation issued by the competent national authorities. Examples of such professional secrecy obligations are not mentioned in the GDPR. However, they presumably include the profession of attorney, doctor, notary, tax advisor and auditor. As such, professional secrecy obligations must not have been recognised by law to fall within the scope of Article 90 GDPR; the national specifications can also relate to confidentiality obligations which have been issued by “''national bodies''”.<ref>''Piltz'' in Gola DS-GVO, Article 90 GDPR, margin numbers 6-7 (C.H. Beck 2018, 2<sup>nd</sup> edition).</ref> Typical examples of such national bodies include public institutions controlling the financial sector, bar associations or medical orders. In line with Article 90 GDPR, such national bodies may also adopt rules on professional secrecy which are binding on their members and may limit the investigative powers of DPAs.<ref>''Wiese Svanberg,'' in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 90 GDPR, p. 1255 and ss. (Oxford University Press 2020).</ref>
-==== National competent bodies ====
+==== Derogation to DPAs' General Powers ====
-The reference in Article 90 to rules on professional secrecy or other equivalent obligations of secrecy established by national competent bodies allow Member States to entrust competent bodies such as professional organisations, boards and committees with setting out-on the basis of national law the specific rules on secrecy applicable to a profession, sector or similar.<ref>''Wiese Svanberg,'' in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 90 GDPR, p. 1255 and ss. (Oxford University Press 2020)</ref>
+Article 90(1) GDPR provides that when a controller or a processor is subject to professional secrecy, Member States may adopt national measures limiting specific investigative powers of the competent DPA. <ref>''Piltz'' in Gola DS-GVO, Article 90 GDPR, margin numbers 15 (C.H. Beck 2018, 2<sup>nd</sup> edition).</ref> The powers in question are provided for in Article 58(e) and (f) GDPR, under which the DPA can “''obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks''” as well as “''access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law''”.<ref>This means, ''inter alia'', that specific rules adopted by Member States under Article 90 cannot exclude other information from the enforcement competences of the supervisory authority provided under points (e) and (f) of Article 58(1). ''Wiese Svanberg,'' in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 90 GDPR, p. 1255 and ss. (Oxford University Press 2020).</ref> It seems clear that the two powers in question can create conflicts where the controller is subject to a professional or other secrecy obligation. In such circumstances, the EU legislator allows Member States to introduce specific rules for the exercise of the investigative powers. For example, an attorney could resist the handing over of information subject to professional secrecy upon request of a DPA, if national law allows for such a derogation. The only condition is that the national measures adopted by the Member State are both “''necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy''”. In the absence of precise indications in the text of the law, European case-law on necessity and proportionality may provide guidance on how to balance these conflicting interests.<ref>CJEU, Commission v Germany, C-518/07, margin number 23 (available [https://curia.europa.eu/juris/document/document.jsf;jsessionid=007838634D1C615E440398C84951803B?text=&docid=79752&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=4374391 here]); CJEU, Commission v. Austria, C-614/10, margin number 37 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=128563&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=4374519 here]); and CJEU, Commission v Hungary, C-288/12, margin number 48 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=150641&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=4374635 here]).</ref>
-=== (2) Measures must be communicated to the Commission ===
+=== (2) Notification of national implementation to the Commission ===
-Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.
+Under Article 90(2) GDPR, each Member State has the obligation to notify to the Commission the rules adopted pursuant to paragraph 1, by the 25<sup>th</sup> May 2018 and, without delay, any subsequent amendment affecting them. Such notifications were made by most Member States and are accessible on the website of the Commission.<ref>Available [https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu/eu-countries-gdpr-specific-notifications_en here].</ref>
 == Decisions ==
@@ Line 228: / Line 219: @@
 <references />
-[[Category:Article 90 GDPR]] [[Category:GDPR]]
+[[Category:Article 90 GDPR]] [[Category:GDPR Articles]]