Article 90: Obligations of secrecy
To meet the Article 90 (Obligations of secrecy) requirement, you must (1) identify where your organization is bound by professional secrecy or equivalent confidentiality duties, and (2) implement a documented procedure for responding to supervisory authority requests that may be restricted under Member State rules. Operationalize it by mapping secrecy obligations to datasets and systems, defining an escalation path, and retaining defensible decision records. (Regulation (EU) 2016/679, Article 90)
Key takeaways:
- Article 90 is a Member State “overlay” on GDPR supervisory authority powers when professional secrecy applies. (Regulation (EU) 2016/679, Article 90)
- Your core control is a repeatable intake-to-decision workflow for regulator requests, with Legal/CCO sign-off and a documented rationale. (Regulation (EU) 2016/679, Article 90)
- Evidence is the point: keep scope decisions, request logs, and disclosure decision records tied to each event. (Regulation (EU) 2016/679, Article 90)
Article 90 is easy to misread because it does not impose a universal “new secrecy rule” on every controller and processor. It allows EU Member States to adopt specific rules that shape how supervisory authorities can exercise certain investigative powers where an organization is already subject to professional secrecy or equivalent secrecy obligations under Union or Member State law. (Regulation (EU) 2016/679, Article 90)
For a Compliance Officer, CCO, or GRC lead, the operational problem is practical: when a supervisory authority asks for access to information (including personal data) during an inquiry, your team must know whether any portion of that information is constrained by professional secrecy rules, and how to respond without obstructing the regulator or unlawfully disclosing protected information. Article 90 pushes you to build a defensible bridge between privacy compliance and sector-specific confidentiality regimes (for example, legal privilege, medical confidentiality, banking secrecy, statutory audit confidentiality, or regulated professional codes), where applicable. (Regulation (EU) 2016/679, Article 90)
This page gives you a requirement-level playbook: applicability test, step-by-step operating procedure, evidence to retain, audit questions, common failure modes, and an execution plan you can put in motion immediately.
Requirement: Article 90 — Obligations of secrecy (GDPR)
What the requirement is (plain English):
If your organization is subject to professional secrecy or an equivalent legal duty of confidentiality, your Member State may have special rules that define how the supervisory authority can exercise certain powers to obtain information from you. Your job is to understand whether those rules apply, then respond to supervisory authority requests through a controlled process that reconciles data protection oversight with secrecy obligations. (Regulation (EU) 2016/679, Article 90)
Why this matters operationally:
Regulator requests are time-sensitive, high-stakes events. The failure modes are symmetric:
- Over-disclosure: you hand over information that your organization is legally required to keep secret.
- Under-disclosure / obstruction: you refuse or delay without a defensible legal basis, creating enforcement and reputational exposure.
Article 90 is the “decision discipline” requirement that forces you to do this consistently. (Regulation (EU) 2016/679, Article 90)
Regulatory text
Article 90 provides that Member States may adopt specific rules to set out the supervisory authority powers in Article 58(1)(e) and (f) as they apply to controllers/processors that are bound by professional secrecy or equivalent secrecy obligations, where necessary and proportionate to reconcile data protection with secrecy. (Regulation (EU) 2016/679, Article 90)
Operator translation (what you must do):
- Determine whether your organization is subject to professional secrecy (or equivalent) for any processing context. This is not a generic GDPR exercise; it depends on sector, role, and jurisdiction. (Regulation (EU) 2016/679, Article 90)
- Identify the Member State rule(s) that govern supervisory authority access in that secrecy-bound context, and encode them into an operating procedure your teams can execute during an inquiry. (Regulation (EU) 2016/679, Article 90)
- Run each supervisory authority request through a controlled decision workflow that: (a) scopes the requested materials, (b) classifies secrecy constraints, (c) documents the legal basis for disclosure or restriction, and (d) produces an auditable record. (Regulation (EU) 2016/679, Article 90)
Who it applies to
Entity scope: Any organization acting as a controller or processor that is subject to professional secrecy or equivalent obligations under Union or Member State law (or rules established by national competent bodies). (Regulation (EU) 2016/679, Article 90)
Operational contexts where Article 90 frequently becomes relevant:
- Responding to a supervisory authority information request, including requests that might involve access to records, systems, or data extracts.
- Handling regulated-confidential datasets that may be subject to profession-based secrecy obligations (for example, legal, health, finance, or other regulated professions), depending on Member State implementations. (Regulation (EU) 2016/679, Article 90)
Practical applicability test (use this internally):
- Are we operating in a Member State with rules limiting or conditioning regulator access due to professional secrecy? (Regulation (EU) 2016/679, Article 90)
- Do we process categories of data where a secrecy regime plausibly attaches (client files, patient records, audit workpapers, regulated advisory records)?
- Do we have roles (employees or third parties) governed by a professional code with confidentiality duties?
If “yes” to any, treat Article 90 as in-scope and build the workflow below.
What you actually need to do (step-by-step)
1) Build a role-and-scope register (foundation)
Create a living register that ties secrecy obligations to operations. Minimum fields:
- Controller/processor role by processing activity
- Data categories and business purpose
- Systems and repositories where the data lives
- Secrecy obligation type (professional secrecy / equivalent) and jurisdictional trigger
- Owner (Business), Privacy, Legal, and Security contacts
- Third parties involved (processors/sub-processors) and where secrecy obligations flow down
This prevents “we didn’t realize that dataset was covered” during an inquiry. (Regulation (EU) 2016/679, Article 90)
2) Define a requirement-specific SOP for supervisory authority requests
Write a short SOP that your teams can follow under stress. Include:
- Trigger events: any contact/request from a supervisory authority; on-site visit; request for system access; request for copies/extracts.
- Intake channel: single mailbox/ticket queue owned by Privacy/Compliance.
- Triage and scoping: what exactly was requested, deadlines, format, affected jurisdictions.
- Secrecy classification step: map requested materials to the role-and-scope register; flag professional secrecy/equivalent constraints. (Regulation (EU) 2016/679, Article 90)
- Decision authority: named approvers (typically Legal + DPO/Privacy + CCO, with Security for access mechanics).
- Response patterns: disclose, disclose with redactions, provide controlled access, or refuse/limit with written rationale per applicable Member State rule. (Regulation (EU) 2016/679, Article 90)
- Communications control: who can speak to the authority; how you document oral interactions.
3) Run a “request-to-response” workflow every time (repeatable execution)
For each supervisory authority request, execute and record:
- Log the request (date received, authority, scope, deadline, request type).
- Identify data sets and systems implicated.
- Apply the secrecy overlay (professional secrecy or equivalent):
  - Is the information covered?
  - If partially covered, what portion can be separated or redacted? (Regulation (EU) 2016/679, Article 90)
- Choose a disclosure method that matches the least-risk path:
  - Controlled read-only access under supervision
  - Secure transfer of a narrowly scoped extract
  - Redaction or segregation of secrecy-bound elements
- Document the decision: rationale, approvals, and what was shared (or not shared), including any conditions.
- Close-out review: lessons learned, register updates, and any remediation actions.
4) Extend controls to third parties (processors and advisors)
Where third parties host or process affected data, your procedure must cover:
- Contractual obligations to support regulatory inquiries
- A rapid coordination path for collection, export, redaction, and access controls
- A rule for “who decides” when secrecy applies across controller/processor boundaries
Operationally, this belongs in third-party due diligence and contract management: you need confidence you can retrieve and appropriately filter information under time pressure. (Regulation (EU) 2016/679, Article 90)
Where Daydream fits: Daydream is useful here as the system-of-record for (a) the role-and-scope register, (b) the SOP with named owners and trigger events, and (c) evidence packets per supervisory authority request, so you can answer “show me” questions without reconstructing the story from email.
Required evidence and artifacts to retain
Maintain an “Article 90 evidence packet” that you can produce during audits, customer diligence, or regulatory follow-ups:
Standing artifacts (always current):
- Role-and-scope register for secrecy-bound processing
- Article 90 SOP (current version + change history)
- Responsibility matrix (RACI) for regulator interactions
- Third-party inventory mapping to affected systems and datasets
Event artifacts (per supervisory authority request):
- Request log entry and full correspondence record
- Data/system scoping worksheet
- Secrecy classification notes (what is covered and why)
- Approval record (Legal/DPO/CCO/Security as applicable)
- Final response package (files provided, redactions applied, access method)
- Post-event review notes and remediation tickets
This is what makes your decision defensible months later. (Regulation (EU) 2016/679, Article 90)
Common exam/audit questions and hangups
Auditors and regulators tend to probe these points:
- “Show your process for responding to supervisory authority requests where confidentiality constraints apply.” (Regulation (EU) 2016/679, Article 90)
- “Who can approve withholding or redacting information, and what’s the documented legal basis?”
- “How do you ensure consistent treatment across business units and jurisdictions?”
- “How do you coordinate with processors/sub-processors for data retrieval and filtering?”
- “Show the last request you received and the evidence trail from intake to response.”
Hangup to anticipate: Teams confuse Article 90 with a blanket right to refuse requests. Article 90 is conditional and depends on Member State rules designed to reconcile competing obligations. (Regulation (EU) 2016/679, Article 90)
Frequent implementation mistakes (and how to avoid them)
- Mistake: Treating Article 90 as “legal-only.”
  Fix: Put the workflow in your operational GRC system and run tabletop exercises with Privacy, Legal, Security, and the business.
- Mistake: No system mapping, so secrecy review is guesswork.
  Fix: Maintain the role-and-scope register and link it to systems of record and third-party services. (Regulation (EU) 2016/679, Article 90)
- Mistake: Ad hoc redactions without a rationale trail.
  Fix: Require a short decision memo template for every restriction or redaction decision, with named approvers.
- Mistake: Processor dependency discovered during the inquiry.
  Fix: Pre-negotiate inquiry support terms and test data extraction and secure sharing paths with key third parties.
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement, so this page does not list case citations.
Risk still concentrates in predictable places:
- Regulatory relationship risk: inconsistent, undocumented responses make you look evasive even when you had a legitimate secrecy constraint.
- Cross-regime breach risk: over-disclosure can create liability under sector confidentiality laws or professional conduct rules, depending on your jurisdictional context. (Regulation (EU) 2016/679, Article 90)
Practical execution plan (30/60/90)
Use this as an operator checklist, not a calendar promise.
First 30 days (Immediate stabilization)
- Assign owners: DPO/Privacy lead, Legal lead, Security lead, and an exec approver (CCO or GC).
- Inventory secrecy-bound contexts: draft the role-and-scope register for highest-risk functions first.
- Publish a draft SOP for supervisory authority request intake, triage, and approvals.
- Stand up the evidence packet structure (folder/ticket template) so every event is captured consistently.
By 60 days (Operational hardening)
- Extend system mapping and third-party mapping for all in-scope datasets.
- Add contract and playbook clauses for key processors on inquiry support and secure extraction.
- Run a tabletop exercise: simulate a regulator request that touches secrecy-bound data; refine SOP and templates based on friction points.
By 90 days (Prove repeatability)
- Implement recurring control checks: verify the register is current, owners are still correct, and third-party contacts are valid.
- Test evidence retrieval: confirm you can produce a complete packet quickly.
- Integrate into broader governance: align with incident response, legal hold, and records retention practices so the “regulator request” motion does not conflict with other workflows.
Frequently Asked Questions
Does Article 90 apply to every GDPR controller and processor?
No. It is triggered where a controller or processor is subject to professional secrecy or equivalent secrecy obligations, and where Member State rules set specific conditions for supervisory authority powers in that context. (Regulation (EU) 2016/679, Article 90)
What should my team do the moment a supervisory authority requests access to records?
Route the request through a single intake process, scope the requested materials to systems and datasets, then perform a secrecy classification check before producing any data. Record the decision and approvals in an evidence packet. (Regulation (EU) 2016/679, Article 90)
Can we refuse to provide information because it’s “confidential”?
Treat “confidential” as a classification, not a legal basis. Article 90 contemplates professional secrecy or equivalent obligations, typically implemented through Member State rules that specify how reconciliation works, so your response should be based on documented legal analysis and a controlled disclosure method. (Regulation (EU) 2016/679, Article 90)
How do we handle regulator requests when a processor hosts the data?
Your SOP should include processor coordination steps: identify the processor systems, define who collects and filters the data, require Legal/DPO approvals for any restriction or redaction, and retain the processor’s export and transfer logs as part of the evidence packet. (Regulation (EU) 2016/679, Article 90)
What evidence is most persuasive in an audit?
Auditors look for repeatability: a current scope register, a written SOP with named owners, and request-by-request records showing scoping, secrecy assessment, approvals, and what was actually disclosed. (Regulation (EU) 2016/679, Article 90)
How should we document decisions to redact or limit production?
Use a short decision record that states what was requested, what secrecy obligation applies, what subset is restricted, what alternative access or narrowed disclosure you offered, and who approved it. Store it with the request log and the final response materials. (Regulation (EU) 2016/679, Article 90)