Article 90
Obligations of secrecy

Official
Texts
Guidelines Caselaw Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 90 keyboard_arrow_down Hide the recitals of the Regulation related to article 90 keyboard_arrow_up

(164) As regards the powers of the supervisory authorities to obtain from the controller or processor access to personal data and access to their premises, Member States may adopt by law, within the limits of this Regulation, specific rules in order to safeguard the professional or other equivalent secrecy obligations, in so far as necessary to reconcile the right to the protection of personal data with an obligation of professional secrecy. This is without prejudice to existing Member State obligations to adopt rules on professional secrecy where required by Union law.

There is no recital in the Directive related to article 90.

The GDPR

For the record, pursuant to Article 58, paragraph 1, points e) and f), the supervisory authorities have investigative powers allowing them access to the processed data, the processing means, and to the premises of the controller which can cause difficulties when the controller or the intended processor is subject to a duty of professional secrecy.

It is therefore logical that Article 90 allows Member States to adopt specific rules to protect the professional secret or other equivalent obligations of secrecy in such cases.

Each Member State must consider if such rules are necessary and proportionate for reconciling the right to personal data protection and the obligation of secrecy.

The rules on confidentiality that can be adopted by the Member States in order to define the powers of the supervisory authorities are limited to the personal data that the controller or the processor has received or obtained as part of an activity covered by the obligation of secrecy.

Finally, Article 90 (2) imposes on the Member States the obligation to notify the Commission of the rules adopted pursuant to this provision within two years after the publication of the Regulation in the Official Journal of the European Union; any subsequent amendment to these rules must be notified without delay to the Commission.

The Directive

The Directive included no similar provision.

Potential issues

Again, there is no harmonisation of the law made by the Regulation as it is up to the Member States to define such rules as they see fit.

Retour au sommaire
Regulation
1e 2e

Art. 90

1.   Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and (f) of Article 58(1) in relation to controllers or processors that are subject, under Union or Member State law or rules established by national competent bodies, to an obligation of professional secrecy or other equivalent obligations of secrecy where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. Those rules shall apply only with regard to personal data which the controller or processor has received as a result of or has obtained in an activity covered by that obligation of secrecy.

2.   Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

1st proposal close

Art. 84 

1. Within the limits of this Regulation, Member States may adopt specific rules to set out the investigative powers by the supervisory authorities laid down in Article 53(2) in relation to controllers or processors that are subjects under national law or rules established by national competent bodies to an obligation of professional secrecy or other equivalent obligations of secrecy, where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. These rules shall only apply with regard to personal data which the controller or processor has received from or has obtained in an activity covered by this obligation of secrecy.

2. Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

2nd proposal close

Art. 84 

1. (…) Member States may adopt specific rules to set out the (…) powers by the supervisory authorities laid down in points (da) and (db) of Article 53(1) in relation to controllers or processors that are subjects under Union or Member State law or rules established by national competent bodies to an obligation of professional secrecy, other equivalent obligations of secrecy or to a code of professional ethics supervised and enforced by professional bodies, where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. These rules shall only apply with regard to personal data which the controller or processor has received from or has obtained in an activity covered by this obligation of secrecy.

2. Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

Directive close

No specific provision

Hungary close

Data processing and confidentiality

§ 71 Data Protection Act

(1) In its proceedings the Authority shall be entitled to process - to the extent and for the duration required - those personal data, and classified information protected by law and secrets obtained in the course of professional activities, which are related to the given proceedings, or which are to be processed with a view to concluding the procedure effectively.

(2) The Authority may use the data obtained in the course of conducting its examination for administrative proceedings.

(3) In its proceedings provided for in this Act, the Authority shall have access to data specified in Paragraphs a)-f) and i) of Subsection (1), Subsection (2), Paragraphs c)-f) of Subsection (3), Paragraphs c)-g) of Subsection (4), and Paragraph d) of Subsection (5) of Section 23 of Act CXI of 2011 on the Commissioner of Fundamental Rights (hereinafter referred to as “FRA”) as defined in Subsection (7) of Section 23 of the FRA.

(3a) The Authority shall have access to data specified in Paragraph e) of Subsection (3), Paragraph f) of Subsection (4) and Paragraph d) of Subsection (5) of Section 23 of the FRA, Subsection (3) notwithstanding, if it is required in:

a) formal investigation procedures,

b) administrative proceedings for data protection, or

c) administrative proceedings for the control of secrets,

opened for the protection of personal data of persons covertly cooperating.

(3b) The Authority shall have access to data specified in Paragraph f) of Subsection (3) and Paragraph g) of Subsection (4) Section 23 of the FRA, Subsection (3) notwithstanding, which allow for the identification of individuals using means and methods for covert information gathering operations, if it is required in:

a) formal investigation procedures,

b) administrative proceedings for data protection, or

c) administrative proceedings for the control of secrets,

opened for the protection of personal data of those individuals.

(3c) If the document the Authority plans to examine contains any data which the Authority is entitled to access only within the context of Subsection (3), the data that cannot be disclosed shall be blacked out before the Authority is allowed access to the document in question.

(4) In proceedings related to the processing of classified information the Vice-President of the Authority, including executive officers and examiners shall - in possession of a personal security certificate of appropriate level of clearance - be allowed access to classified information without the authorization prescribed in the Act on the Protection of Classified Information for use.

(5) The President and Vice-President of the Authority, and persons currently or formerly employed by the Authority as civil servants or in any other work-related relationship shall keep confidential any personal data, classified information, secrets protected by law and secrets obtained in the course of professional activities they may have learnt in relation to the operation and actions of the Authority as well as any other data, fact or circumstance that the Authority is not required to make available to the public - except for any disclosure or supply of data to other organizations under the relevant legislation -, during the term of their employment and after the termination thereof.

(6) According to the confidentiality requirement, the persons mentioned in Subsection (5) may not disclose unlawfully any data, facts or circumstance they obtained in connection with the performance of their official duties, nor shall they be allowed to use or reveal such information to third persons.

close