Overview

This article allows Member States to adopt rules enabling supervisory authorities to reconcile the protection of personal data with professional secrecy obligations. These rules apply only to personal data obtained through activities covered by secrecy obligations and must be necessary and proportionate.
Key Principles

  • Professional Secrecy: Respect confidentiality obligations inherent to specific professional activities.

  • Data Protection Alignment: Ensure personal data protection is maintained even under secrecy rules.

  • Necessity and Proportionality: Any rules or measures adopted must be strictly necessary and proportionate.

  • Limited Scope: Applies solely to personal data obtained through activities subject to professional secrecy.

  • Accountability: Supervisory authorities must document and justify any measures taken under these rules.

Organizational Applicability

This article applies to:

  • Member State supervisory authorities handling data subject to professional secrecy.

  • Controllers and processors interacting with confidential personal data under secrecy obligations.

  • Legal and compliance teams ensuring adherence to secrecy rules and GDPR.

  • Relevant public or private sector entities processing sensitive personal data.

Implementation Requirements

  • Define national rules balancing GDPR obligations with professional secrecy requirements.

  • Ensure measures are necessary, proportionate, and documented.

  • Limit application to personal data obtained via activities covered by secrecy obligations.

  • Maintain records demonstrating compliance with both GDPR and secrecy obligations.

Implementation Guidance

  • Train supervisory authority staff on handling personal data under secrecy rules.

  • Establish clear procedures for documenting, accessing, and processing confidential data.

  • Periodically review secrecy rules and their alignment with GDPR principles.

  • Coordinate with legal teams to ensure measures comply with national law and GDPR.

Periodic Review

  • Frequency: Annually or when national secrecy rules or GDPR requirements change.

  • Responsible Role: Compliance Team, Data Protection Officer (DPO), or Legal.

  • Outcome: Ensure effective reconciliation of professional secrecy obligations with GDPR compliance.

Non-Compliance Risks

  • Fines: Up to €20 million or 4% of global annual turnover for GDPR violations.

  • Legal Exposure: Liability for breaches of confidentiality or personal data protection obligations.

  • Reputational Damage: Loss of trust due to mishandling of sensitive or confidential data.

  • Operational Risk: Inadequate procedures may compromise professional secrecy and data subject rights.