Article 76 GDPR

From GDPRhub
Revision as of 10:24, 8 March 2022 by Gb (style consistency)
Article 76 - Confidentiality

Legal Text


Article 76 - Confidentiality

1. The discussions of the Board shall be confidential where the Board deems it necessary, as provided for in its rules of procedure.

2. Access to documents submitted to members of the Board, experts and representatives of third parties shall be governed by Regulation (EC) No 1049/2001 of the European Parliament and of the Council (21).

Relevant Recitals

Recital 164: Professional and Other Equivalent Secrecy Obligations of the Controller
As regards the powers of the supervisory authorities to obtain from the controller or processor access to personal data and access to their premises, Member States may adopt by law, within the limits of this Regulation, specific rules in order to safeguard the professional or other equivalent secrecy obligations, in so far as necessary to reconcile the right to the protection of personal data with an obligation of professional secrecy. This is without prejudice to existing Member State obligations to adopt rules on professional secrecy where required by Union law.

Commentary

This article presents an interesting example of how the GDPR balances the different interests at stake. On the one hand, European authorities must act transparently to ensure that their actions can be verified. On the other hand, a space of confidentiality must be preserved to allow them to act effectively. The result is Article 76, which, partly through its own provisions and partly through reference to other areas of legislation, including the EDPB's rules of procedure, seeks to regulate this issue.

(1) Confidentiality, Where Necessary

Under Article 76(1), “The discussions of the Board shall be confidential where the Board deems it necessary”. The rule, therefore, is that Board discussions are publicly accessible unless it is necessary to impose secrecy on them. In turn, the criteria for defining cases of secrecy are laid down in the EDPB's internal rules (“as provided for in its rules of procedure”).

Confidentiality in the EDPB Rules of Procedure

Article 33(1) of the Rules of Procedure (“RoP”) stipulates that, “in accordance with Art 76 (1) GDPR”, discussions of the Board and of expert subgroups shall be confidential when:

a. they concern a specific individual;

b. they concern the consistency mechanism;

c. the Board decides that the discussions on a specific topic shall remain confidential for instance when the discussions concern international relations and/or where the absence of confidentiality would seriously undermine the institution's decision-making process, unless there is an overriding public interest in disclosure.

(2) Access to Documents

Article 76(2) GDPR provides that access to documents submitted to members of the Board, experts and representatives of third parties shall be governed by Regulation (EC) No 1049/2001 on public access to EU documentation.

Under Article 2(3) of that Regulation, all documents held by an institution, that is to say, “documents drawn up or received by it”, fall within the scope of the right of access. In this regard, paragraph 2 of Article 76 GDPR significantly narrows that scope to “documents submitted to [and therefore “received by”] members of the Board, experts and representatives of third parties”.

It follows that documents drawn up by the Board itself are not intended to be covered by the access right unless other, more specific GDPR provisions apply. For instance, opinions and resolutions of the Board are published under Article 64(5)(b), Article 65(5) and Article 70(3) and (4) GDPR.

Decisions

→ You can find all related decisions in Category:Article 76 GDPR
