Article 90 GDPR: Difference between revisions
(merge category "GDPR" into "GDPR Articles") |
|||
Line 226: | Line 226: | ||
<references /> | <references /> | ||
[[Category:Article 90 GDPR]] [[Category:GDPR]] | [[Category:Article 90 GDPR]] [[Category:GDPR Articles]] |
Revision as of 14:31, 15 February 2022
Legal Text
Article 90 - Obligations of secrecy
1. Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and (f) of Article 58(1) in relation to controllers or processors that are subject, under Union or Member State law or rules established by national competent bodies, to an obligation of professional secrecy or other equivalent obligations of secrecy where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. Those rules shall apply only with regard to personal data which the controller or processor has received as a result of or has obtained in an activity covered by that obligation of secrecy.
2. Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.
Relevant Recitals
Commentary
While privacy and data protection are closely related to the right to informational self-determination, i.e. the right, for an individual, to exercise control over the flow of information concerning him or her, professional secrecy is a concept that protects the community's interest in being able to trust and rely professionals in whom secrets are confided in the performance of their duties.
Professional secrecy as a moral principle or rule can already be traced back to the Hippocratic Oath, which was drafted circa AD 275. According to this oath, physicians must refrain from divulging information on their patients and should consider such information as "holy secrets".[1] Today, professional secrecy is still considered as an essential part of the organisation of modern life, as it guarantees the confidentiality of the communications between a person and a professional to whom sensitive information are being disclosed, such as a doctor, a lawyer or an accountant.[2]
Because information subject to professional secrecy may contain personal data, the GDPR could also apply to them. This means, inter alia, that DPAs could request from a professional to disclose confidential information in the course of an investigation, in accordance with Article 58(1) GDPR. Article 90 GDPR was drafted with a view to regulate potential conflicts between the application of the GDPR on the one hand, and obligations of professional secrecy on the other hand. More specifically, this provision mandates Member States with the task of regulating certain DPAs investigative powers when exercised against a controller or processor bound by professional secrecy.
(1) Data Protection and Professional Secrecy
Under Article 90 “Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and (f) of Article 58(1) in relation to controllers or processors that are subject […] to an obligation of professional secrecy or other equivalent obligation”.
Professional Secrecy or Other Equivalent Obligation
The respective national regulation may only cover situations in which the controller or the processor is subject to professional secrecy or an equivalent obligation of confidentiality under Union Law or the Member State Law, or under an obligation issued by the competent national authorities. Examples of such professional secrecy obligations are not mentioned in the GDPR. However, they include the profession of attorney and doctor. Other professional groups likely to be affected are notaries, tax advisors or auditors.
As such, professional secrecy obligations must not have been recognized by law to fall within the scope of Article 90 GDPR; the national specifications can also relate to confidentiality obligations which have been issued by “national bodies”.[3] Typical examples of such national bodies could include, for example, a public institution controlling the financial sector, a bar association or a medical order. In line with Article 90 GDPR, such national bodies may also adopt rules on professional secrecy which are binding on their members and may limit the investigative powers of DPAs.[4]
Derogation to DPAs' General Powers
Article 90(1) GDPR provides that when a controller or a processor is subject to professional secrecy, Member States may adopt national measures limiting specific investigative powers of the competent DPA.[5]
The powers in question are provided for in Article 58(e) and (f) GDPR, under which the DPA has the can “obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks” as well as “access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law”.[6]
It seems clear that the two powers in question can create conflicts where the controller is subject to a professional or other secrecy obligation. In such circumstances, the EU legislator allows Member States to introduce specific rules for the exercise of the investigative powers. An attorney, for example, could resist the handing over of information subject to professional secrecy upon request of a DPA, if national law allows for such a derogation. The only condition is that the national measures adopted by the member State are both “necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy”. In the absence of precise indications in the text of the law, the case-law of the European courts on necessity and proportionality may provide guidance on how to balance those conflicting interests.[7]
(2) Notification of national implementation to the Commission
Under Article 90(2) GDPR, each Member State had the obligation to notify to the Commission the rules adopted pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them. Such notifications were made by most Member States and are accessible on the website of the Commission.[8]
Decisions
→ You can find all related decisions in Category:Article 90 GDPR
References
- ↑ Hippocrates of Cos (1923). "The Oath". Loeb Classical Library. 147: 298–299. doi:10.4159/DLCL.hippocrates_cos-oath.1923.
- ↑ Riccio, Scorza, Belisario, GDPR e normativa privacy – Commentario, Article 90 GDPR, p. 662 (Wolters Kluwer 2018).
- ↑ Piltz in Gola DS-GVO, Article 90 GDPR, margin numbers 6-7 (Beck 2018, 2nd ed.) (accessed 12 August 2021).
- ↑ Wiese Svanberg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 90 GDPR, p. 1255 and ss. (Oxford University Press 2020)
- ↑ Piltz in Gola DS-GVO, Article 90 GDPR, margin numbers 15 (Beck 2018, 2nd ed.) (accessed 12 August 2021).
- ↑ This means, inter alia, that specific rules adopted by Member States under Article 90 cannot exclude other information from the enforcement competences of the supervisory authority provided under points (e) and (f) of Article 58(1). Wiese Svanberg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 90 GDPR, p. 1255 and ss. (Oxford University Press 2020).
- ↑ CJEU, Commission v Germany, C-518/07, margin number 23 (available here); CJEU, Commission v. Austria, C-614/10, margin number 37 (available here); and CJEU, Commission v Hungary, C-288/12, margin number 48 (available here).
- ↑ https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu/eu-countries-gdpr-specific-notifications_en