Article 90 GDPR: Difference between revisions

From GDPRhub
Line 192: Line 192:


== Relevant Recitals==
== Relevant Recitals==
53
{{Recital/53 GDPR}} {{Recital/75 GDPR}}
 
75


== Commentary ==
== Commentary ==

Revision as of 10:17, 6 September 2021

Article 90 - Obligations of secrecy
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 90 - Obligations of secrecy


1. Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and (f) of Article 58(1) in relation to controllers or processors that are subject, under Union or Member State law or rules established by national competent bodies, to an obligation of professional secrecy or other equivalent obligations of secrecy where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. Those rules shall apply only with regard to personal data which the controller or processor has received as a result of or has obtained in an activity covered by that obligation of secrecy.

2. Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

Relevant Recitals

Recital 53: Processing Special Category Data for Health-related Purposes
Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data.

Recital 75: Risks to the Rights and Freedoms of Natural Persons
The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.

Commentary

While privacy protects the individual's right to informational self-determination, i.e. to exercise control over the flow of information concerning him or her, professional secrecy is a concept that protects the community's interest in being able to trust and rely on a professional in the performance of their duties. The confidentiality of the relationship with the doctor, lawyer, accountant is in other words an essential part of the organisation of modern life.[1] This provision mandates Member States with the task of regulating certain DPAs investigative powers when they are exercised against a controller or processor bound by professional secrecy.

(1) Data protection and professional secrecy

Under Article 90 “Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and (f) of Article 58(1) in relation to controllers or processors that are subject […] to an obligation of professional secrecy or other equivalent obligation”.

Professional secrecy or other equivalent obligation

The respective national regulation may only cover situations in which the controller or the processor is subject to professional secrecy or an equivalent obligation of confidentiality under Union Law or the Member State Law or under an obligation issued by the competent national authorities. Examples of such professional secrecy obligations are not mentioned in the GDPR. However, they include the profession of attorney and doctor. Other professional groups affected are likely to be notaries, tax advisors or auditors. However, it should be noted that not only statutory confidentiality obligations are included. The national specifications can also relate to confidentiality obligations that have been issued by “national bodies”.[2]

Derogations to DPAs general powers

Thus, where the controller or processor is subject to a secrecy obligation, Member States may adopt national measures limiting specific investigative powers of the supervisory authority.[3]

The powers in question are provided for in Article 58(e) and (f), under which the DPA has the can “obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks” as well as “access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law”.[4]

It seems clear that the two powers in question can create conflicts where the controller is subject to a professional or other secrecy obligation. In such circumstances, the European legislator recognises the power of Member States to introduce specific rules for the exercise of the investigative powers. Such measures must be “necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy”. Once again, in the absence of precise indications in the text of the law, it is necessary to look at the jurisprudence of the European courts to get some details on this balancing of interests.[5]

National implementations

You can help us fill in this section!

National competent bodies

The reference in Article 90 to rules on professional secrecy or other equivalent obligations of secrecy established by national competent bodies allow Member States to entrust competent bodies such as professional organisations, boards and committees with setting out-on the basis of national law the specific rules on secrecy applicable to a profession, sector or similar.[6]

(2) Measures must be communicated to the Commission

Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

Decisions

→ You can find all related decisions in Category:Article 90 GDPR

References

  1. Riccio, Scorza, Belisario (a cura di), GDPR e normativa privacy – Commentario, Article 90, p. 662, Wolters Kluwer 2018
  2. Piltz in Gola DS-GVO, Article 90 GDPR, margin numbers 6-7 (Beck 2018, 2nd ed.) (accessed 12.08.2021).
  3. Piltz in Gola DS-GVO, Article 90 GDPR, margin numbers 15 (Beck 2018, 2nd ed.) (accessed 12.08.2021).
  4. This means, inter alia, that specific rules adopted by Member States under Article 90 cannot exclude other information from the enforcement competences of the supervisory authority provided under points (e) and (f) of Article 58(1). Wiese Svanberg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 90 GDPR, p. 1255 and ss. (Oxford University Press 2020)
  5. ECJ, Case C-518/07, Commission v Germany, para. 23; ECJ, Case C-614/10, Commission v. Austria, para. 37; and ECJ, Case C-288/12, Commission v Hungary, para. 48
  6. Wiese Svanberg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 90 GDPR, p. 1255 and ss. (Oxford University Press 2020)