Article 90. GDPR. Obligations of secrecy


Author: Cristina Pauner


1. Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and (f) of Article 58(1) in relation to controllers or processors that are subject, under Union or Member State law or rules established by national competent bodies, to an obligation of professional secrecy or other equivalent obligations of secrecy where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. Those rules shall apply only with regard to personal data which the controller or processor has received as a result of or has obtained in an activity covered by that obligation of secrecy.

2. Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.


A. Preliminary remarks

Art. 90 is a sector-specific opening clause: it enables EU Member States to enact their own national data protection rules in respect of professional secrecy obligations and, in doing so, to adopt specific rules setting out the powers of the SAs as laid down in Art. 58.

Accordingly, recital 164 reads: “As regards the powers of the supervisory authorities to obtain from the controller or processor access to personal data and access to their premises, Member States may adopt by law, within the limits of this Regulation, specific rules to safeguard the professional or other equivalent secrecy obligations, in so far as necessary to reconcile the right to the protection of personal data with an obligation of professional secrecy. This is without prejudice to existing Member State obligations to adopt rules on professional secrecy where required by Union law.”

Briefly, this provision takes into account the conflict between the protection of personal data and the obligation to maintain secrecy for those bound by professional secrecy under the laws of the Member States, such as lawyers, notaries, legal procurators, accountants, auditors, tax advisors, health professionals or journalists; and it gives EU Member States relatively broad discretion. Nevertheless, that discretion is also limited, as it refers solely to the powers of the SAs to obtain access to premises and to the personal data necessary for the fulfilment of their investigative tasks (lit. e and f of Art. 58 para. 1); the other powers listed in Art. 58 are not affected. The purpose of this provision is to ensure that the application of the Regulation does not jeopardise the legitimate interests of individuals where national or Union law considers that those interests must be protected by a duty of professional secrecy.[1]

Confidentiality, duty of secrecy and obligations of professional secrecy. The title “Obligations of secrecy” of Art. 90 might be misleading, since it does not refer to the duty of secrecy under Art. 28 para. 3 lit. b (→ mn. 29 et seq.) and Art. 38 para. 5 (→ mn. 20).[2] The duty of secrecy provided for in those provisions binds everyone involved at any stage of the processing of personal data (such as the processor, the controller, the DPO or the staff of the SAs), and it continues to apply even after their relationship with the controller has come to an end.

Other differences between the two concepts include: (a) the nature of the duties and rights involved: professional secrecy is both a right and a duty of the professional, whereas the obligation of confidentiality is a duty of the professional and a right of the data subject; and (b) the nature of the information at hand: professional secrecy covers only confidential information, whereas the obligation of confidentiality covers personal data, whether confidential or not. That is, on the one hand, persons and institutions bound by professional secrecy must not reveal information received by them in the course of performing their duties, but this obligation concerns only the disclosure of certain information which is classified as confidential.[3] On the other hand, for processors the obligation of confidentiality means that they may not disclose personal data to third parties or other recipients without authorisation, and this obligation must be included in any contract between a controller and its processor. In addition, controllers and processors have to take specific measures to establish a legal duty of confidentiality for their employees, normally achieved by including confidentiality clauses in the employee’s employment contract.

[…]

[1] Sandverg, ‘Art. 90’ in Kuner/Bygrave/Docksey, p. 1253.

[2] See also Art. 16 of the DPD and Art. 21 of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

[3] CJEU, Case T-462/12 R, Pilkington Group Ltd v. European Commission, Order of the President of the General Court, 11 March 2013, para. 44; and ECtHR, Brito Ferrinho Bexiga Villa-Nova v. Portugal, judgment of 1 December 2015.
