Article 90 of the GDPR: Obligations of secrecy
Article 90 of the GDPR allows Member States to impose on controllers and processors an obligation of professional secrecy or confidentiality, particularly in sensitive areas such as health, justice or religion.
Article 90 of the GDPR explained
Concretely:
- Member States may maintain or establish confidentiality rules applicable to data processing;
- These rules may prohibit or restrict the communication of personal information in certain contexts;
- This applies in particular to processing carried out by professions subject to secrecy (doctors, lawyers, priests...).
Why is this article important for your GDPR compliance?
It is a reminder that the protection of personal data also sits within a pre-existing ethical or legal framework. Professionals subject to secrecy must be extra vigilant in the management of sensitive data.
How to comply with Article 90 of the GDPR?
- Identify professional confidentiality obligations applicable in your sector;
- Adapt your processing operations to meet these requirements (restricted access, limited communication);
- Integrate these rules into your privacy policy and internal training;
- Prepare specific procedures for processing access or communication requests.
Examples of application of Article 90 of the GDPR
- A doctor does not transmit any information about his patients without their explicit consent;
- A lawyer keeps his clients' data in a secure system inaccessible to the rest of his firm;
- A religious organization applies strict rules on the management of the data of its faithful.