GDPR : Article 90 - Obligations of Secrecy

by Sneha Naskar

The General Data Protection Regulation (GDPR), implemented in May 2018, brought significant changes to the way organizations handle personal data. Article 90 of the GDPR, often overlooked, plays a crucial role in ensuring the protection of individuals' privacy. This article dives deep into the "Obligations of Secrecy" as outlined in Article 90 of the GDPR, exploring its importance, implications, and how organizations can comply with this often misunderstood requirement.

Compliance with Article 90

The Essence of Article 90

Article 90 of the GDPR underscores the paramount importance of maintaining confidentiality and secrecy throughout the entire lifecycle of personal data. It signifies that responsible data handling goes beyond mere compliance during active processing phases; it extends indefinitely, even after processing activities conclude. This article highlights the enduring commitment required to protect personal data, emphasizing that data custodians must uphold confidentiality not just as a regulatory requirement but as a fundamental ethical obligation. Mishandled data can have lasting consequences, emphasizing the need for perpetual vigilance. Article 90 elevates the standards for data custodians, reinforcing the GDPR's core principles of transparency, integrity, and respect for individuals' rights and stressing their relevance throughout the entire data lifecycle.

Who is Bound by Article 90?

Article 90 of the GDPR imposes obligations of secrecy on a broad range of entities and individuals involved in personal data processing. It applies to data controllers, data processors, employees, and third parties who access personal data during their duties. Data controllers responsible for determining data processing purposes must ensure data secrecy. Data processors, those handling data on behalf of controllers, are also bound by Article 90. Moreover, all employees with access to personal data, regardless of their role, are subject to its provisions. Even third-party service providers involved in data processing must comply with the confidentiality requirements stipulated in Article 90 of the GDPR.

The Scope of Secrecy

Secrecy, as defined in Article 90, goes beyond the traditional notion of simply refraining from disclosing personal data to unauthorized parties. It also encompasses the obligation to ensure the utmost security of personal data. This entails taking appropriate technical and organizational measures to prevent data breaches, unauthorized access, and inadvertent data exposure.

Duration of Obligations

One of the distinctive aspects of Article 90 is the duration of the obligations of secrecy. While many other provisions within the GDPR pertain to specific phases of data processing, Article 90 stands out by extending the obligation indefinitely. In practical terms, this means that individuals who have been involved in the processing of personal data must continue to respect the confidentiality and security of that data even after their direct involvement has ceased.

Implications of Article 90

The implications of Article 90 within the GDPR are significant and far-reaching. Non-compliance with its obligations of secrecy and confidentiality can lead to severe consequences for organizations. This includes legal actions, substantial fines, and potential compensation claims from affected data subjects. Moreover, failure to uphold the secrecy of personal data can result in data breaches, endangering individuals' privacy and trust. The ensuing reputational damage can be long-lasting and detrimental to an organization's standing. Compliance with Article 90, therefore, is not merely a legal requirement but a fundamental ethical responsibility, vital for safeguarding data, avoiding legal repercussions, and maintaining public trust.

Data Breach Risks

Failure to maintain the secrecy and security of personal data can result in data breaches. Data breaches not only jeopardize individuals' privacy but can also lead to significant financial losses for organizations. Article 90 reinforces the need for organizations to take proactive and robust measures to prevent data breaches.

Legal Consequences

Non-compliance with Article 90 can have serious legal consequences. Data subjects whose personal data is mishandled due to a breach of secrecy obligations have the right to take legal action against the responsible parties. This may result in substantial fines, compensation claims, and a tarnished legal record.

Reputational Damage

In the age of digital transparency and interconnectedness, public trust is an invaluable asset. Any breach of secrecy or data security can lead to a loss of trust among customers, clients, and partners. Reputational damage can be long-lasting and challenging to recover from, making compliance with Article 90 a critical business concern that goes beyond legal implications.

GDPR Implementation Toolkit

Compliance With Article 90

Compliance with Article 90 requires a multifaceted approach:

  • Training and Awareness: Ensure that all employees and contractors who handle personal data are not only aware of their obligations of secrecy but also understand the profound importance of data confidentiality and security.
  • Access Controls: Implement stringent access controls to limit access to personal data strictly to those who need it for legitimate purposes, thereby reducing the risk of unauthorized disclosures.
  • Encryption and Security Measures: Employ robust encryption and security measures to protect personal data from unauthorized access, breaches, and tampering.
  • Data Retention Policies: Develop and adhere to data retention policies that specify how long personal data will be retained and, equally vital, how it will be securely destroyed when it is no longer needed.
  • Monitoring and Auditing: Regularly monitor and audit data processing activities to ensure compliance with secrecy obligations. Such proactive measures can help identify and rectify potential breaches before they escalate.
  • Employee Exit Procedures: Implement comprehensive procedures for when employees or contractors leave the organization to ensure they no longer have access to personal data. This includes not only revoking system access but also educating departing personnel about their ongoing obligations regarding data secrecy.


Article 90 of the GDPR serves as a poignant reminder of the fundamental importance of maintaining secrecy and confidentiality when handling personal data. It transcends legal compliance to become a core ethical responsibility in the digital age. Organizations that prioritize and actively uphold these secrecy obligations not only meet legal requirements but also build and maintain trust with their customers and stakeholders. Compliance with Article 90 is not just a legal obligation; it is a cornerstone of responsible data governance and protection in a world increasingly driven by data privacy concerns. In the era of data-driven economies and interconnected societies, safeguarding personal information is paramount, and Article 90 provides a robust framework for doing so effectively.

GDPR Implementation Toolkit