Article 90

Obligations of secrecy

General Data Protection Regulation · UE 2016/679

Obligations of secrecy

1.   Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and (f) of Article 58(1) in relation to controllers or processors that are subject, under Union or Member State law or rules established by national competent bodies, to an obligation of professional secrecy or other equivalent obligations of secrecy where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. Those rules shall apply only with regard to personal data which the controller or processor has received as a result of or has obtained in an activity covered by that obligation of secrecy.

2.   Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

Luxembourg specificity
loi luxembourgeoise du 1er aout 2018 portant organisation de la Commission nationale pour la protection des donnees

In Luxembourg, Article 90 was explicitly transposed. The law of 1 August 2018 organising the CNPD adapts the authority's powers towards persons bound by professional secrecy (lawyers, notaries, doctors, financial sector professionals). In practice, when the CNPD seeks access to secrecy-covered data, specific arrangements apply (supervised intervention, possible presence of the relevant professional body). Banking secrecy under Article 41 of the law of 5 April 1993 on the financial sector also coexists with these rules.

Luxgap practice: for a law firm or a private bank, separate in your register the processing covered by secrecy from the rest, and prepare in advance the CNPD cooperation protocol tailored to your profession.