
Confidentiality obligation

The confidentiality obligation requires employees entrusted with processing personal data to keep it confidential, prohibiting them from processing or disclosing such data without authorisation.

The confidentiality obligation (in German law historically referred to as the "Datengeheimnis") is the duty of persons employed by a controller or processor to process personal data solely on instruction and within the scope of their tasks, and to maintain secrecy about all data that comes to their knowledge. It is a personal duty of confidentiality that, independently of technical and organisational safeguards, ensures the human link in the processing chain does not become a weak point.

Unlike under the former German Federal Data Protection Act, which set out an explicit "Datengeheimnis" in the old Section 5 BDSG, the obligation today follows from Art. 29 and Art. 32(4) GDPR together with Section 53 BDSG: employees may process personal data only on the controller's instructions, and the controller must ensure by appropriate measures that persons acting under its authority do not process the data without authorisation. In practice this is regularly implemented through a written commitment to confidentiality, ideally signed before work begins and combined with an instruction or briefing.

The obligation continues beyond the employment relationship and remains binding after it ends. It forms part of the accountability principle under Art. 5(2) GDPR: the controller must be able to demonstrate that its employees were bound to confidentiality. Breaches can lead to consequences under employment law, claims for compensation by data subjects under Art. 82 GDPR and, in particularly serious cases, criminal liability under Section 42 BDSG. The confidentiality obligation is thus a central building block for safeguarding the integrity and confidentiality of processing.

Legal Basis

Art. 29, Art. 32(4) GDPR; Section 53 BDSG (formerly Section 5 BDSG, old version)

Practical Example

A new employee joins the HR department of a mid-sized company and gains access to application files, salary data and medical certificates. Before her first working day, the data protection coordinator presents her with a confidentiality commitment to sign, explains with concrete examples which information she must not pass on to colleagues or third parties, and documents the briefing in the record of processing activities. When a department head later asks her informally about a colleague's salary, she refers to her commitment and reports the request to the data protection officer.

FAQ

The explicit old Section 5 BDSG ceased to apply when the GDPR took effect. The substantive duty nevertheless persists and now follows from Art. 29 and Art. 32(4) GDPR as well as Section 53 BDSG. Committing employees to confidentiality therefore remains necessary.

The GDPR does not prescribe a specific form, but the accountability principle in Art. 5(2) GDPR means the controller must be able to demonstrate the commitment. A written or documented confidentiality commitment is therefore strongly recommended, ideally combined with a briefing before work begins.

The duty of confidentiality continues beyond the end of the employment relationship. Even after leaving, former employees must not disclose or use the personal data that came to their knowledge.
