Professional secrecy

(Entries are listed by country; the date after each country name is the date on which that entry was last reviewed.)

Austria 05.06.2018

The ADPA does not provide for specific regulations in this regard. However, the ADPA contains the following principles:

Data secrecy:

Sec 6 ADPA provides for a general principle of data secrecy and obliges all data controllers, processors and their employees to keep all personal data strictly confidential.

Further, Sec 5 ADPA provides for a specific obligation for Data Protection Officers to keep all received information strictly confidential.

Trade secrets:

Data subjects have no right of access where this would jeopardize a trade or company secret of the controller or a third party (Sec 4 (6) ADPA).

Belgium 08.10.2018

The BPA itself does not contain any rules to reconcile the right to personal data protection with obligations of secrecy. These were included in the Act of 3 December 2017 on the creation of the Data Protection Authority (the "DPAA"), which sets out the powers of the Belgian supervisory authority and the appropriate (procedural) safeguards for individuals.

Firstly, the Act introduces a specific exception for medical data covered by professional secrecy. As a general rule, the DPAA states that investigative measures can give rise to an official report establishing an infringement. Such a report has evidential value until proven otherwise and, in principle, other inspection services or administrative supervisory authorities may use the material findings from the reports while preserving their evidential value. However, with respect to medical data, the DPAA states that such information may only be communicated and used in accordance with the relevant rules on medical professional secrecy.

Secondly, professional secrecy in general is taken into account in the context of on-site investigations. When there is reason to believe that the principles of personal data protection have been violated, the inspectors of the Belgian DPA are entitled to enter the company, the service or any other premises to conduct on-site investigations. An exception is introduced for the premises of a professional who is under a duty of professional secrecy and for whom a legal arrangement is foreseen for on-site investigations and access to their premises. In such a case, the inspectors are only allowed to access the premises in the presence of a representative of the professional association, except with the prior written approval of the data subject or with an authorization of the investigating judge.
Czech Republic 13.09.2018

Section 56 stipulates an obligation of the Data Protection Authority to exclude from file inspection information that constitutes trade secrets, bank secrets or any similar types of secrets, copyrighted works, and information protected by secrecy obligations under special laws, if the file is inspected by a person who did not provide such protected information. The Data Protection Authority is only authorised to inspect information protected by the professional secrecy of attorneys with consent and in the presence of a representative of the Czech Bar Association.

Employees of the Data Protection Authority are bound by an obligation of secrecy which extends beyond the termination of their employment relationship with the DPA (Section 57).

Denmark 06.09.2018

§ 7(3) permits data processing by healthcare professionals bound by secrecy;

§ 24 binds DPOs to secrecy.

Finland 17.05.2018

The current proposal replicates the provisions on professional secrecy under the existing law.

According to the proposed Data Protection Act, the Data Protection Ombudsman has, regardless of the obligations of secrecy, free access to the information necessary for the performance of his duties.

France 22.05.2018

The New Data Protection Act modifies the applicable conditions on professional secrecy. Article 44 states that professional secrecy cannot be invoked against the CNIL's agents, except for information protected by the professional secrecy of the lawyer-client relationship, by the secrecy of journalistic sources or by medical secrecy.

Medical secrecy applies to processing activities necessary for the purposes of preventive medicine, medical research, medical diagnosis, the administration of care and treatment, or the management of health services. The disclosure of health data can occur only under the CNIL's authority and in the presence of a physician.
Germany 23.05.2018

Yes - § 22 FDPA permits the processing of sensitive data if the processing is necessary for the purposes of, for example, preventive medicine, assessments of employees' working capacity, medical diagnosis, health and social care treatment, the management of systems, and agreements with health professionals (and their staff) where data is provided under an obligation of professional secrecy, and for reasons of public interest in the area of public health (as required, for example, to ensure high quality and security standards for health services, drugs or medical products). However, such processing is only possible if certain safeguards are taken to protect such data ("suitable and specific" safeguards).

§ 29(2) FDPA states that where, in the context of a client-lawyer relationship, the data of third persons are transferred to persons subject to a legal obligation of professional secrecy, the right to be informed does not apply unless the individual has an overriding interest in being informed.

§ 29(3) FDPA protects persons subject to professional secrecy obligations and limits DPA access requests.

§ 13(4) FDPA binds the Federal Commissioner to secrecy.

Hungary 17.05.2018

n/a

Ireland 07.06.2018

Section 168 of the Act allows for disclosures by the Central Bank of Ireland to the Data Protection Commission.

Italy 17.05.2018

In relation to professional secrecy in the journalistic profession, Section 138 IDPA, as amended by Section 11 of the Scheme, restricts the data subject's right to obtain from the controller the information referred to in Article 15 GDPR: the data subject cannot request to be informed of the source of the personal data in this instance.

Netherlands 17.09.2018

Art. 34 GDPR (on the duty to report data breaches to the data subject) does not apply to financial undertakings that qualify as such under the Dutch Financial Supervision Act (art. 42 UAVG), as these have their own notification obligations under sector-specific legislation.

Art. 39 UAVG stresses that a DPO is obliged to maintain confidentiality with regard to all matters that have become known to him through a complaint or request from the data subjects concerned, unless the person concerned agrees to disclosure.

Poland 16.05.2018

The PUODO's right of access to information and personal data will be limited by professional secrets.

Slovakia 13.09.2018

Controllers and processors are required to ensure that any individuals whom they allow to come into contact with personal data are bound by a confidentiality obligation, which must continue even after the termination of the employment or other contract with such person (Article 79 of the New DPA). This requirement that the confidentiality obligation remain valid after the termination of the relevant relationship goes beyond the GDPR's confidentiality requirements.

Spain 07.09.2018

Article 5 of the Spanish Data Protection Draft Bill states that the data controller, the data processor and any person involved in any phase of the data processing are subject to the duty of confidentiality even after the data subject's relationship with the data controller or processor has ended.

Additionally, Article 28.2.a) of the Spanish Data Protection Draft Bill provides that the data controller and data processor shall take into account any loss of confidentiality of data bound by professional secrecy and implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that the processing is performed in accordance with the GDPR.
Sweden 06.09.2018

According to the Data Protection Act, the data subject's right to information and access to personal data does not apply to personal data subject to professional secrecy. Furthermore, a controller that is not a public authority may refuse to provide information or access in cases comparable to those referred to in the Freedom of Information and Official Secrets Act (SFS 2009:400).

The Act also clarifies that processing of sensitive personal data (in the field of medicine or health and social care) is permitted where it is necessary for certain specified purposes and provided that the processing is undertaken by or under responsibility of a professional subject to the obligation of professional secrecy.

UK 23.05.2018

Conditions for processing sensitive data

The Data Protection Act 2018 includes two provisions in Schedule 1 that specifically implement Article 9(2)(h) and Article 9(2)(i). Both of these permit processing for purposes that broadly mirror the wording of the relevant articles, and do not establish clear additional restrictions on the use of data.

Health purposes: a list of health purposes is carried over from the GDPR. The safeguard in relation to professional secrecy is contained in Section 11(1), which states that Article 9(2)(h) will be available where the processing is carried out:
"by or under the responsibility of a health professional or a social work professional, or … by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law."

Both "health professional" and "social work professional" are specifically defined in Section 195. Both definitions refer to professionals who are subject to registration.

Public health: the purpose must be "necessary for reasons of public interest in the area of public health", but no further examples are given. The safeguard for professional secrecy simply repeats the formulation in Section 11(1) (i.e. that processing must be under the responsibility of a health or social work professional or of another person who owes a duty of confidentiality).

In Paragraph 19 of Schedule 2, controllers are exempted from rights under Articles 13, 14, 15 and the first three principles of the Act (lawfulness and fairness, purpose limitation and data minimisation) where the data are subject to legal professional privilege (or confidentiality of communications in legal proceedings, as this is known in Scotland).

Certain other exemptions apply to maintain secrecy in (typically public sector) records, including in certain health, education and child abuse records disclosed in court proceedings, and records where disclosure is prohibited under law. This can be found in the latter parts of Schedule 2.

Secrecy of communications to the ICO

Sections 131 and 132 of the Data Protection Act 2018 address the secrecy of communications with the ICO. Section 131 requires the ICO to have consent, a necessary public interest, or another duty to disclose the data under its functions or under law. The ICO is specifically required to propose guidance on how it will handle privileged communications that are shared with it under its functions.

Privilege during enforcement activity

Controllers and processors are not required to divulge communications subject to legal advice privilege or litigation privilege. This is specifically included in the sections on information notices and assessment notices, both of which allow access to documents and premises in certain circumstances, and in Schedule 15 on powers of entry and inspection.