1. Unless otherwise provided in this Regulation, information collected or obtained by a supervisory authority in cross-border cases under of Regulation (EU) 2016/679, including any document containing such information, shall not be communicated or made accessible by the supervisory authority in so far as it contains business secrets or other confidential information of any person.

2. Any information collected or obtained by a supervisory authority in cross-border cases under Regulation (EU) 2016/679, including any document containing such information, is excluded from access requests under laws on public access to official documents as long as the proceedings are ongoing.

3. When communicating preliminary findings to parties under investigation and providing for access to the administrative file on the basis of Article 20, the lead supervisory authority shall ensure that the parties under investigation to whom access is being given to information containing business secrets or other confidential information treat such information with utmost respect for its confidentiality and that such information is not used to the detriment of the provider of the information. Depending on the degree of confidentiality of the information, the lead supervisory authority shall adopt appropriate arrangements to give full effect to the rights of defence of the parties under investigation with due regard for the confidentiality of the information.

4. An entity submitting information that it considers to be confidential shall clearly identify the information which it considers to be confidential, giving reasons for the confidentiality claimed. The entity shall provide a separate non-confidential version of the submission.