Professional secrecy

Country / Last reviewed / Professional secrecy

Austria 05.06.2018

The ADPA does not provide for specific regulations in this regard. However, the ADPA contains the following principles:

Data secrecy:

Sec 6 ADPA provides for a general principle of data secrecy and obliges all data controllers, processors and their employees to keep all personal data strictly confidential.

Further, Sec 5 ADPA provides for a specific obligation for Data Protection Officers to keep all received information strictly confidential.

Trade secrets:

Data subjects have no right of access where access would jeopardise a trade or company secret of the controller or of a third party (Sec 4 (6) ADPA).
Belgium 08.10.2018

The BPA does not contain any rules reconciling the right to personal data protection with obligations of secrecy. Such rules are instead found in the Act of 3 December 2017 on the creation of the Data Protection Authority (the "DPAA"), which sets out the powers of the Belgian supervisory authority and the appropriate (procedural) safeguards for individuals.

That Act introduces a specific exception for medical data covered by professional secrecy. As a general rule, the DPAA provides that investigative measures can give rise to an official report establishing an infringement. Such a report has evidential value until proven otherwise and, in principle, other inspection services or administrative supervisory authorities may use the material findings of such reports while preserving their evidential value. With respect to medical data, however, the DPAA provides that such information may only be communicated and used in accordance with the relevant rules on medical professional secrecy.

Secondly, professional secrecy in general is taken into account in the context of on-site investigations. Where there is reason to believe that the principles of personal data protection have been violated, the inspectors of the Belgian DPA are entitled to enter the company, the service or any other premises to conduct on-site investigations. An exception applies to the premises of a professional who is under a duty of professional secrecy and for whom a specific legal arrangement governs on-site investigations and access to their premises. In that case, the inspectors may only access the premises in the presence of a representative of the professional association, unless the data subject has given prior written approval or the investigating judge has authorised the access.

Czech Republic 13.09.2018

Section 56 obliges the Data Protection Authority to exclude from file inspection any information that constitutes a trade secret, bank secret or similar type of secret, copyrighted works, and information protected by secrecy obligations under special laws, where the file is inspected by a person other than the one who provided the protected information. The Data Protection Authority may only acquaint itself with information protected by the professional secrecy of attorneys with consent and in the presence of a representative of the Czech Bar Association.

Employees of the Data Protection Authority are bound by an obligation of secrecy which continues after the termination of their employment relationship with the DPA (Section 57).

Denmark 06.09.2018

§ 7(3) permits data processing by healthcare professionals bound by a duty of secrecy.

§ 24 binds DPOs to secrecy.

Finland 13.11.2018

The scope of the secrecy obligations set in the Data Protection Act includes information regarding characteristics, personal circumstances, economic situation and trade secrets.

According to the Data Protection Act, the Data Protection Ombudsman has free access to the information necessary for the performance of the Ombudsman's duties, irrespective of any obligations of secrecy.

France 11.02.2019

Article 44. Controllers and processors are not required to disclose information covered by lawyer-client privilege, the anonymity of journalistic sources or medical confidentiality. Medical confidentiality applies to processing necessary for the purposes of preventive medicine, medical research, medical diagnosis, the administration of care and treatment, or the management of health services. Health data may be disclosed to the CNIL only under the authority and in the presence of a doctor.
Germany 23.05.2018

Yes. § 22 FDPA permits the processing of sensitive data where the processing is necessary for, among other purposes, preventive medicine, the assessment of an employee's working capacity, medical diagnosis, health or social care treatment, the management of health or social care systems and services, or a contract with a health professional (or their staff) where the data are provided under an obligation of professional secrecy, and for reasons of public interest in the area of public health (for example, to ensure high standards of quality and safety of health care, medicinal products or medical devices). Such processing is only permitted if "suitable and specific" safeguards are taken to protect the data.

§ 29(2) FDPA provides that where, in the context of a client-lawyer relationship, the data of third persons are transferred to persons subject to a legal obligation of professional secrecy, the right to be informed does not apply unless the data subject has an overriding interest in being informed.

§ 29(3) FDPA protects persons subject to professional secrecy obligations and limits DPA access requests against them.

§ 13(4) FDPA binds the Federal Commissioner to secrecy. 

Hungary 01.04.2019

Covered by legislation on certain professions.

Ireland 07.06.2018

Section 168 of the Act allows for disclosures by the Central Bank of Ireland to the Data Protection Commission.

Italy 25.10.2018

Regarding journalistic sources, Section 138 IDPA restricts the data subject's right of access insofar as the data subject cannot request the source of the personal data.

Netherlands 17.09.2018

Art. 34 of the GDPR (on the duty to report data breaches to the data subject) does not apply to financial undertakings that qualify as such under the Dutch Financial Supervision Act (art. 42 UAVG), as these have their own notification obligations under sector-specific legislation.

Art. 39 UAVG stresses that a DPO is obliged to maintain confidentiality with regard to all matters that have become known to him through a complaint or request from the data subjects concerned, unless the person concerned agrees to disclosure.

Poland 16.05.2018

The PUODO's right of access to information and personal data is limited by professional secrets.

Slovakia 13.09.2018

Controllers and processors must ensure that any natural persons who they allow to come into contact with personal data are bound by a confidentiality obligation, which must continue even after the termination of the employment or other contract with that person (Article 79 of the New DPA). The requirement that the confidentiality obligation survive the end of the relevant relationship goes beyond the GDPR's own confidentiality requirements.

Spain 05.03.2018

Article 5 of the SDPA states that the data controller, the data processor and any person involved in any phase of the processing are subject to a duty of confidentiality, which persists even after their relationship with the data controller or processor has ended.

Additionally, Article 28.2 a) of the SDPA provides that both the controller and the processor must take into account the risk of loss of confidentiality of personal data subject to professional secrecy when implementing the appropriate technical and organisational measures needed to ensure, and to be able to demonstrate, that processing is performed in accordance with the GDPR.
Sweden 06.09.2018

Data subject's right to information and access to personal data does not apply to personal data subject to professional secrecy.

UK 23.05.2018

Conditions for processing sensitive data

The Data Protection Act 2018 includes two provisions in Schedule 1 that specifically implement Article 9(2)(h) and Article 9(2)(i) GDPR. Both permit processing for purposes that broadly mirror the wording of the relevant articles and do not establish clear additional restrictions on the use of the data.

Health purposes: the list of health purposes is carried over from the GDPR. The safeguard relating to professional secrecy is contained in Section 11(1), which provides that the Article 9(2)(h) condition is available only where the processing is carried out:
"by or under the responsibility of a health professional or a social work professional, or … by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law."

Both "health professional" and "social work professional" are specifically defined in Section 204. Both definitions refer to professionals who are registered with the relevant regulatory body.

Public health: the processing must be "necessary for reasons of public interest in the area of public health", but no further examples are given. The safeguard for professional secrecy simply repeats the formulation in Section 11(1) (i.e. the processing must be carried out by or under the responsibility of a health or social work professional, or by another person who owes a duty of confidentiality).

Under paragraph 19 of Schedule 2, controllers are exempt from the rights under Articles 13, 14 and 15 and from the first three principles (lawfulness and fairness, purpose limitation and data minimisation) where the data are subject to legal professional privilege (or, in Scotland, confidentiality of communications in legal proceedings).

Certain other exemptions apply to maintain secrecy in (typically public sector) records, including certain health, education and child abuse records disclosed in court proceedings, and records whose disclosure is prohibited by law. These can be found in the later parts of Schedule 2.

Secrecy of communications to the ICO

Sections 131 to 133 of the Data Protection Act 2018 address the secrecy of communications with the ICO. Section 132 prohibits the ICO from disclosing information it has obtained in the course of its functions unless it has lawful authority to do so, such as the consent of the person concerned, a necessary public interest, or a disclosure required for the ICO's functions or under another legal duty. Section 133 specifically requires the ICO to produce guidance on how it will handle privileged communications that are shared with it in the exercise of its functions.

Privilege during enforcement activity

Controllers and processors are not required to divulge communications subject to legal advice privilege or litigation privilege. This is specifically provided for in the sections on information notices and assessment notices, both of which allow access to documents and premises in certain circumstances, and in Schedule 15 on powers of entry and inspection.