Article 90 GDPR

From GDPRhub
Revision as of 16:03, 16 December 2021 by FD (talk | contribs) (→‎Commentary)
Article 90 - Obligations of secrecy
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 90 - Obligations of secrecy

1. Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and (f) of Article 58(1) in relation to controllers or processors that are subject, under Union or Member State law or rules established by national competent bodies, to an obligation of professional secrecy or other equivalent obligations of secrecy where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. Those rules shall apply only with regard to personal data which the controller or processor has received as a result of or has obtained in an activity covered by that obligation of secrecy.

2. Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

Relevant Recitals

Recital 53: Processing Special Category Data for Health-related Purposes
Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data.

Recital 75: Risks to the Rights and Freedoms of Natural Persons
The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.

Commentary

While privacy and data protection are closely related to the right to informational self-determination, i.e. the right, for an individual, to exercise control over the flow of information concerning him or her, professional secrecy is a concept that protects the community's interest in being able to trust and rely professionals in whom secrets are confided in the performance of their duties.

Professional secrecy as a moral principle or rule can already be traced back to the Hippocratic Oath, which was drafted circa AD 275. According to this oath, physicians must refrain from divulging information on their patients and should consider such information as "holy secrets".[1] Today, professional secrecy is still considered as an essential part of the organisation of modern life, as it guarantees the confidentiality of the communications between a person and a professional to whom sensitive information are being disclosed, such as a doctor, a lawyer or an accountant.[2]

Because information subject to professional secrecy may contain personal data, the GDPR could also apply to them. This means, inter alia, that DPAs could request from a professional to disclose confidential information in the course of an investigation, in accordance with Article 58(1) GDPR. Article 90 GDPR was drafted with a view to regulate potential conflicts between the application of the GDPR on the one hand, and obligations of professional secrecy on the other hand. More specifically, this provision mandates Member States with the task of regulating certain DPAs investigative powers when exercised against a controller or processor bound by professional secrecy.

(1) Data Protection and Professional Secrecy

Under Article 90 “Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and (f) of Article 58(1) in relation to controllers or processors that are subject […] to an obligation of professional secrecy or other equivalent obligation”.

Professional Secrecy or Other Equivalent Obligation

The respective national regulation may only cover situations in which the controller or the processor is subject to professional secrecy or an equivalent obligation of confidentiality under Union Law or the Member State Law, or under an obligation issued by the competent national authorities. Examples of such professional secrecy obligations are not mentioned in the GDPR. However, they include the profession of attorney and doctor. Other professional groups likely to be affected are notaries, tax advisors or auditors.

As such, professional secrecy obligations must not have been recognized by law to fall within the scope of Article 90 GDPR; the national specifications can also relate to confidentiality obligations which have been issued by “national bodies”.[3] Typical examples of such national bodies could include, for example, a public institution controlling the financial sector, a bar association or a medical order. In line with Article 90 GDPR, such national bodies may also adopt rules on professional secrecy which are binding on their members and may limit the investigative powers of DPAs.[4]

Derogation to DPAs' General Powers

Article 90(1) GDPR provides that when a controller or a processor is subject to professional secrecy, Member States may adopt national measures limiting specific investigative powers of the competent DPA.[5]

The powers in question are provided for in Article 58(e) and (f) GDPR, under which the DPA has the can “obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks” as well as “access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law”.[6]

It seems clear that the two powers in question can create conflicts where the controller is subject to a professional or other secrecy obligation. In such circumstances, the EU legislator allows Member States to introduce specific rules for the exercise of the investigative powers. An attorney, for example, could resist the handing over of information subject to professional secrecy upon request of a DPA, if national law allows for such a derogation. The only condition is that the national measures adopted by the member State are both “necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy”. In the absence of precise indications in the text of the law, the case-law of the European courts on necessity and proportionality may provide guidance on how to balance those conflicting interests.[7]

(2) Notification of national implementation to the Commission

Under Article 90(2) GDPR, each Member State had the obligation to notify to the Commission the rules adopted pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them. Such notifications were made by most Member States and are accessible on the website of the Commission.[8]

Decisions

→ You can find all related decisions in Category:Article 90 GDPR

References

  1. Hippocrates of Cos (1923). "The Oath". Loeb Classical Library. 147: 298–299. doi:10.4159/DLCL.hippocrates_cos-oath.1923.
  2. Riccio, Scorza, Belisario, GDPR e normativa privacy – Commentario, Article 90 GDPR, p. 662 (Wolters Kluwer 2018).
  3. Piltz in Gola DS-GVO, Article 90 GDPR, margin numbers 6-7 (Beck 2018, 2nd ed.) (accessed 12 August 2021).
  4. Wiese Svanberg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 90 GDPR, p. 1255 and ss. (Oxford University Press 2020)
  5. Piltz in Gola DS-GVO, Article 90 GDPR, margin numbers 15 (Beck 2018, 2nd ed.) (accessed 12 August 2021).
  6. This means, inter alia, that specific rules adopted by Member States under Article 90 cannot exclude other information from the enforcement competences of the supervisory authority provided under points (e) and (f) of Article 58(1). Wiese Svanberg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 90 GDPR, p. 1255 and ss. (Oxford University Press 2020).
  7. CJEU, Commission v Germany, C-518/07, margin number 23 (available here); CJEU, Commission v. Austria, C-614/10, margin number 37 (available here); and CJEU, Commission v Hungary, C-288/12, margin number 48 (available here).
  8. https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu/eu-countries-gdpr-specific-notifications_en