Article 90 GDPR: Difference between revisions

From GDPRhub
Revision as of 14:51, 12 August 2021

Article 90 - Obligations of secrecy

Legal Text


Article 90 - Obligations of secrecy


1. Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and (f) of Article 58(1) in relation to controllers or processors that are subject, under Union or Member State law or rules established by national competent bodies, to an obligation of professional secrecy or other equivalent obligations of secrecy where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. Those rules shall apply only with regard to personal data which the controller or processor has received as a result of or has obtained in an activity covered by that obligation of secrecy.

2. Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

Relevant Recitals

53

75

Commentary

While privacy protects the individual's right to informational self-determination, i.e. to exercise control over the flow of information concerning him or her, professional secrecy is a concept that protects the community's interest in being able to trust and rely on a professional in the performance of their duties. The confidentiality of the relationship with the doctor, lawyer or accountant is, in other words, an essential part of the organisation of modern life.[1] This provision gives Member States the task of regulating certain investigative powers of DPAs when they are exercised against a controller or processor bound by professional secrecy.

(1) Data protection and professional secrecy

Under Article 90 “Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and (f) of Article 58(1) in relation to controllers or processors that are subject […] to an obligation of professional secrecy or other equivalent obligation”.

Professional secrecy or other equivalent obligation

The respective national regulation may only cover situations in which the controller or the processor is subject to professional secrecy or an equivalent obligation of confidentiality under Union law or Member State law, or under an obligation issued by the competent national authorities. The GDPR does not mention examples of such professional secrecy obligations. However, they include the professions of attorney and doctor. Other professional groups affected are likely to be notaries, tax advisors or auditors. It should also be noted that not only statutory confidentiality obligations are included: the national specifications can also relate to confidentiality obligations that have been issued by “national bodies”.[2]

Derogations from DPAs' general powers

Thus, where the controller or processor is subject to a secrecy obligation, Member States may adopt national measures limiting specific investigative powers of the supervisory authority.[3]

The powers in question are provided for in Article 58(1)(e) and (f), under which the DPA can “obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks” as well as “access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law”.[4]

It seems clear that the two powers in question can create conflicts where the controller is subject to a professional or other secrecy obligation. In such circumstances, the European legislator recognises the power of Member States to introduce specific rules for the exercise of the investigative powers. Such measures must be “necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy”. Once again, in the absence of precise indications in the text of the law, it is necessary to look at the jurisprudence of the European courts to get some details on this balancing of interests.[5]

National implementations

You can help us fill in this section!

National competent bodies

The reference in Article 90 to rules on professional secrecy or other equivalent obligations of secrecy established by national competent bodies allows Member States to entrust competent bodies such as professional organisations, boards and committees with setting out, on the basis of national law, the specific rules on secrecy applicable to a profession, sector or similar.[6]

(2) Measures must be communicated to the Commission

Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

Decisions

→ You can find all related decisions in Category:Article 90 GDPR

References

  1. Riccio, Scorza, Belisario (a cura di), GDPR e normativa privacy – Commentario, Article 90, p. 662, Wolters Kluwer 2018
  2. Piltz in Gola DS-GVO, Article 90 GDPR, margin numbers 6-7 (Beck 2018, 2nd ed.) (accessed 12.08.2021).
  3. Piltz in Gola DS-GVO, Article 90 GDPR, margin number 15 (Beck 2018, 2nd ed.) (accessed 12.08.2021).
  4. This means, inter alia, that specific rules adopted by Member States under Article 90 cannot exclude other information from the enforcement competences of the supervisory authority provided under points (e) and (f) of Article 58(1). Wiese Svanberg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 90 GDPR, p. 1255 et seq. (Oxford University Press 2020).
  5. ECJ, Case C-518/07, Commission v Germany, para. 23; ECJ, Case C-614/10, Commission v Austria, para. 37; and ECJ, Case C-288/12, Commission v Hungary, para. 48.
  6. Wiese Svanberg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 90 GDPR, p. 1255 et seq. (Oxford University Press 2020).