”
Starting point: GDPR and the Church’s own internal data protection order
\n\n
Since the General Data Protection Regulation (GDPR) has been in force, churches and church institutions have also been faced with the question of which bodies of rules are to be used to assess the processing of personal data. In this context, it must be taken into account that, in Germany, religious communities may, under certain conditions, exercise a constitutionally protected right of self-determination. This also concerns the handling of personal data insofar as church bodies act on their own responsibility.
\n
Constitutional framework of the Church’s right of self-determination
\n
Guarantee under state law
\n\n
The Church’s right of self-determination is anchored in the German legal order as a legal position recognized by the state. It gives religious communities the possibility to independently regulate and administer their affairs within the limits of the laws that apply to everyone. This can also include enacting and applying internal data protection rules for the church sector.
\n
Scope and limitations
\n\n
Self-regulation does not mean a general exemption from data protection requirements. What is decisive is the areas in which church bodies operate, which data processing operations are concerned, and whether the respective rules meet the requirements of EU law, in particular the conditions of the GDPR.
\n
GDPR: Opening for church data protection rules
\n
Continued applicability of own data protection orders subject to conditions
\n\n
The GDPR takes account of the fact that churches and religious associations were already able to apply data protection provisions before it entered into force. Under certain conditions, the GDPR allows such rules to be continued, provided that they are adapted to the GDPR and are institutionally supported within their scope of application.
\n
Need for independent supervision
\n\n
A key element is the existence of an independent data protection supervisory authority within the respective religious community. The GDPR makes recognition of church data protection regimes conditional on ensuring oversight that is functionally equivalent to state supervision.
\n
Church data protection laws in Germany
\n
Catholic sector: KDG
\n\n
In Germany, the Catholic sphere has its own data protection law, structured as the Church Data Protection Act (KDG). It regulates the processing of personal data by church bodies and contains provisions modeled on the system of the GDPR, without being identical.
\n
Protestant sector: DSG-EKD
\n\n
In the Protestant sphere, a distinct data protection law of the Evangelical Church in Germany (DSG-EKD) applies. This body of rules also contains requirements on lawfulness, transparency, data subject rights, as well as organizational and technical requirements, which are set out within an autonomous body of church-law norm-making.
\n
Scope of application: Which bodies and operations are covered
\n
Church bodies and institutions
\n\n
Church data protection rules are typically geared toward church bodies as well as their institutions, such as administrations, parishes, or other organizational units supported by the church. Whether, in an individual case, church data protection law or the GDPR directly is decisive depends in particular on the legal classification of the acting body and the specific processing context.
\n
Relationship to state rules
\n\n
Church rule systems do not exist independently of the GDPR. Their application presupposes that, in outcome, they ensure a level of data protection that is compatible with EU-law requirements. In addition, in certain matters supplementary state provisions may be relevant, for example in areas that are not assigned to the church’s internal law.
\n
Data subject rights, duties, and enforcement in church data protection
\n
Comparable basic structure, but regulated autonomously
\n\n
Church data protection orders typically contain rules on access, rectification, erasure, as well as further rights of data subjects. Likewise, duties of controllers are addressed, for example with regard to documentation and data security. The specific design and terminology, however, follow the respective church regulatory system.
\n
Supervision and legal remedies
\n\n
In church data protection law, oversight is carried out via church supervisory bodies. Procedures for reviewing complaints are also provided. In this way, enforcement of the data protection requirements is organized within the church framework, without necessarily having to be identical to state authority structures.
\n
Classification and note on information bases
\n\n
This article provides a general presentation of the interplay between the GDPR and church data protection law. It does not replace an examination of specific circumstances. Insofar as individual events or conflicts are discussed in public reporting, the relevant primary sources must be consulted in each case; moreover, where allegations have not been finally established by law, the presumption of innocence applies.
\n
Transition: Need for clarification regarding interfaces and responsibilities
\n\n
In practice, especially at interfaces—such as in cooperations between church institutions and third parties or in the allocation of individual processing operations—questions of delineation regularly arise, which can only be classified on the basis of the specific organizational structure and the applicable regulatory regime in each case. If you would like an assessment in this regard, you can find further information on legal advice on data protection provided by MTR Legal attorneys-at-law.
“
