While the data itself is usually not the protected legal interest (Schutzgut) of the GDPR, this is different in the area of data security. Here the integrity and confidentiality of the data are what is protected.
The confidentiality of the data is in the interest of the data subject. It can be regarded as a sub-area of the general right of personality. Personal data must be protected against unauthorised processing, access, disclosure, loss, destruction or damage. However, confidentiality does not only refer directly to the data. A distinction must be made between:
- Confidentiality as a need for protection of personal data processed by controllers
- Confidentiality of data processed by systems and services [see also Tile GL.04]
- Confidentiality of the spoken and written word
- Confidentiality of persons entrusted with the processing of data
Regulations in the GDPR:
► Articles: 5 I f, 28 III b and 32 I b GDPR.
► Recitals: 39 (12), 75, 83 and 85 (1) GDPR.
The data protection officer must also maintain the confidentiality of the data:
► Art. 38 V GDPR
Data protection supervisory authorities must also maintain the confidentiality of the information they become aware of:
► Art. 54 II GDPR
The GDPR even regulates the confidentiality of non-personal data:
► Art. 76 I GDPR
Furthermore, it must be taken into account that in the area of employee data protection, the need to protect confidentiality already arises in the case of the spoken word. According to Section 26 (7) BDSG (= German Data Protection Act), Sections 26 (1) to (6) BDSG are also applicable "if personal data, including special categories of personal data, are processed by employees without being processed or intended to be processed in a file system."
In the private context, which is excluded from the scope of the GDPR by the household exemption, confidentiality is nevertheless required by Sections 201, 201a and 202 of the Criminal Code. This highlights the importance of confidentiality as an entitlement of the data subject.
It may also be a legitimate interest of the controller to protect the confidentiality of the data [Tile CO.25]:
► Rec. 49 (1) GDPR
Finally, data confidentiality is also part of information security, which is also a public interest:
► Rec. 163 GDPR
Heightened confidentiality requirements also apply to data subject to professional secrecy or other special confidentiality obligations [Tile DS.16].
Conversely, however, expectations of confidentiality on the part of the controller or other persons may also conflict with the rights of the data subject [Tile DSR.05]. For example, the data subject's right to information and the data subject's right of access may conflict with the lawyer-client privilege [see § 29 I/II of the German Federal Data Protection Act]. The lawyer-client privilege in turn protects the rights of the client. In this case, the data subject's data protection rights conflict with the lawyer's duty of confidentiality and the client's expectations of confidentiality - an example of the multidimensionality of data processing that data protection law has to deal with. On the multidimensionality of fundamental rights, see in particular Tile CO.01.