Section 56 stipulates an obligation of the Data Protection Authority to exclude from the file inspection any information that constitutes trade secrets, bank secrets or any similar types of secrets, copyrighted works, and information protected by secrecy obligations under special laws, if the file is inspected by a person who did not provide such protected information. The Data Protection Authority is only authorised to get acquainted with information protected by the professional secrecy of attorneys with consent and in the presence of a representative of the Czech Bar Association.
Employees of the Data Protection Authority are bound by an obligation of secrecy which extends beyond the termination of their employment relationship with the DPA (Section 57).
§ 7(3) permits data processing by healthcare professionals bound by secrecy;
§ 24 binds DPOs to secrecy.
The current proposal replicates the provisions on professional secrecy under the existing law.
According to the proposed Data Protection Act, the Data Protection Ombudsman has, regardless of the obligations of secrecy, free access to the information necessary for the performance of his duties.
Yes - § 22 FDPA permits the processing of sensitive data if the processing is necessary for the purpose of, for example, preventive medicine, employee working capacity assessments, medical diagnosis, health and social care treatments, management of systems, agreements with health professionals (and their staff) where data is provided under the obligation of professional secrecy, and for reasons of public interest in the area of public health (as required, for example, to ensure high quality and security standards for health services, drugs or medical products). However, such processing is only possible if certain safeguards are taken to protect such data ("suitable and specific" safeguards).
§ 29(2) FDPA states that where, in the context of a client-lawyer relationship, the data of third persons are transferred to persons subject to a legal obligation of professional secrecy, the right to be informed does not apply unless the individual has an overriding interest to be informed.
§ 29(3) FDPA protects persons subject to professional secrecy obligations and limits DPA access requests;
§ 13(4) FDPA binds the Federal Commissioner to secrecy.
According to the Data Protection Act, the data subject's right to information and access to personal data does not apply to personal data subject to professional secrecy. Furthermore, a controller that is not a public authority may refuse to provide information/access in cases comparable to those referred to in the Freedom of Information and Official Secrets Act (SFS 2009:400).
The Act also clarifies that processing of sensitive personal data (in the field of medicine or health and social care) is permitted where it is necessary for certain specified purposes and provided that the processing is undertaken by or under responsibility of a professional subject to the obligation of professional secrecy.
The Data Protection Act 2018 includes two provisions in Schedule 1 that specifically implement Article 9(2)(h) and Article 9(2)(i). Both of these permit processing for purposes that broadly mirror the wording of the relevant articles, and do not establish clear additional restrictions on the use of data.
Health purposes: a list of health purposes is carried over from the GDPR. The safeguard in relation to professional secrecy is contained in Section 11(1), which states that Article 9(2)(h) will be available where the processing is carried out:
"by or under the responsibility of a health professional or a social work professional, or … by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law."
Both "health professional" and "social work professional" are specifically defined in Section 195. Both definitions call out to professionals under registration.
Public Health: the purpose must be "necessary for reasons of public interest in the area of public health" but no further examples are given. The safeguard for professional secrecy simply repeats the formulation in Section 11(1) (i.e. that processing must be under the responsibility of a health or social work professional or another person who owes a duty of confidentiality).
In Paragraph 19 of Schedule 2, controllers are exempted from rights under Articles 13, 14, 15 and the first three principles of the Act (lawfulness and fairness, purpose limitation and data minimisation) where the data are subject to legal professional privilege (or confidentiality of communications in legal proceedings, as this is known in Scotland).
Certain other exemptions apply to maintain secrecy in (typically public sector) records, including in certain health, education and child abuse records disclosed in court proceedings, and records where disclosure is prohibited under law. This can be found in the latter parts of Schedule 2.
Sections 131 and 132 of the Data Protection Act 2018 address secrecy of communications with the ICO. Section 131 requires the ICO to have consent, necessary public interest or other duty to disclose the data under its functions or under law. The ICO is particularly required to propose guidance on how it will handle privileged communications that are shared with it under its functions.
Privilege during enforcement activity
Controllers and processors are not required to divulge communications subject to legal advice privilege or litigation privilege. This is specifically included in the sections on information and assessment notices, both of which allow access to documents and premises in certain circumstances, and to Schedule 15 on powers of entry and inspection.