Author: Achim Seifert

 

1. Where in a Member State, churches and religious associations or communities apply, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of natural persons with regard to processing, such rules may continue to apply, provided that they are brought into line with this Regulation.
2. Churches and religious associations which apply comprehensive rules in accordance with para. 1 of this Article shall be subject to the supervision of an independent supervisory authority, which may be specific, provided that it fulfils the conditions laid down in Chapter VI of this Regulation.

 

I. General questions

1. Purpose

Art. 91 refers to existing data protection rules adopted by churches and religious associations or communities as they exist in some EU Member States (cf. infra paras. 5-6). Para. 1 comprises a limited “grandfather clause” by preserving the status quo of ecclesiastical data protection rules that have been established by churches and other religious associations insofar as these autonomous provisions are in accordance with the GDPR and have been adopted at the time of the coming into force of the GDPR. Para. 2 ensures that churches and religious associations or communities, adopting such autonomous data protection rules in line with the GDPR, shall be submitted, as all other controllers, to the supervision of an independent SA. However, Art. 91 para. 2 allows the establishment of “specific” SAs for churches and religious associations or communities, but only under the condition that such “specific data protection supervision fulfils the conditions laid down in Chapter VI of the GDPR”.

Art. 91 shall be read in light of Art. 17 TFEU whose para. 1 engages the Union to respect and not to prejudice the status under national law of churches and religious associations or communities in the Member States.[1] This purpose of Art. 91 to respect the power which churches and religious associations or communities have under the national laws of some of the Member States to establish their autonomous data protection law, has been underlined by recital 165; it is worthwhile to note that such concretisation of Art. 17 TFEU may also be found in some other legal acts of the EU’s secondary law, namely in the field of labour law.[2] However, the CJEU has made clear that “the obligation for every person to comply with the rules of EU law on the protection of personal data” does not infringe the principle of organisational autonomy of churches, religious associations or communities under Art. 17 TFEU.[3]

 

2. Position of the DPD and travaux préparatoires to Art. 91

It is interesting to note that the DPD did not privilege autonomous data protection rules of churches and religious associations or communities.[4] The Comm’s proposal for a DPD did not provide an exception on their favour. It was only after the intervention of German churches that Art. 8 para. 2, lit. d and para. 4 were integrated in the DPD, aiming at considering the legal specificities of religious communities.[5] Art. 8 para. 2 DPD (= Art. 9 para. 2, lit. d GDPR) provided an exception from the general prohibition to process sensitive data[6] and authorized data processing “in the course of its legitimate activities by foundations, associations or any other not-for-profit body with a religious aim and to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects”. Art. 8 para. 4 DPD even authorized Member States, for reasons of substantial public interest, to lay down exemptions in addition to those of Art. 8 para. 2 by national law or by decision of the SA. Recital 35 DPD made clear that processing of personal data by official authorities for achieving aims, laid down in constitutional law, of officially recognized religious associations is carried out on important grounds of public interest. By this, the transfer of registration data from the State registration office to churches, which have the status of a corporation under public law, was legitimized by Union law.[7]

Art. 91 goes back to Art. 85 Comm-P which already provided an exception in favour of churches and religious associations or communities and which explicitly recognized their specificities. During the legislative procedure, several amendments have been proposed by MPs in the LIBE. Some MPs argued in favour of a complete deletion of the provision, invoking that a preferential treatment of churches and religious associations or communities in data protection law would not be appropriate; furthermore, the interests of churches would already be taken into account by Art. 9.[8] On the other hand, some MPs requested an extension of the “Church clause” in the sense that also changes of the autonomous data protection laws of churches, having been adopted after the entry into force of the GDPR, are covered by the provision[9] or that churches are only required to ensure an appropriate data protection.[10] All these proposals have not been taken into account by the EP. The only modification that was adopted referred to para. 2, second sentence which was changed by the Council. Thus, in contrast to many other provisions of the GDPR, Art. 91 has undergone only minor changes during the legislative procedure.

3. Practical relevance of Art. 91 para. 1

Autonomous data protection rules of churches, religious associations or communities exist only in some of the EU Member States.[11] In the Federal Republic of Germany, for instance, the constitutional guarantee of autonomy of religious communities[12] is interpreted in the sense that it also protects the power of churches and other religious communities to adopt their own (autonomous) data protection rules.[13] The main argument for this guarantee is that religious communities have the power to determine autonomously their internal affairs that are constitutionally protected. However, some authors have challenged this interpretation:[14] they consider churches to be bound by State data protection law since the constitutional guarantee of autonomy of religious communities only exists within the laws which apply to all.[15] In accordance with the predominant interpretation of the constitutional autonomy of religious associations, the Catholic Church as well as the protestant Churches have adopted their own data protection law acts as part of their ecclesiastical law: both churches have recently reformed their rules in order to bring them into line with the provisions of the GDPR.[16]

 

 

 

[…]

 

 

 

[1]For a fuller analysis of TFEU Art. 17 cf. e.g. Robbers, State and Church in the European Union: p. 677, pp. 682 et seq. See also Weber, NVwZ 2011: pp. 1486 et seq. with further references.

[2]Cf. Directive 2000/78/EC, Art. 4 para. 2 establishing a general framework for equal treatment in employment and occupation (OJEC 2000 C 303, p. 16), and Directive 2002/14/EC, Art. 3 para. 2 establishing a general framework for informing and consulting employees in the European Community (OJEC 2002 L 80, p. 29).

[3]Cf. CJEU, Case C-25/17, 10.7.2018, Tietosuojavaltuutettu and Jehovan Todistajat – uskonnollinen yhdyskunta, ECLI:​EU:​C:​2018:551, para. 74.

[4]It is not without relevance to underline that data processing by religious communities did not fall under the exception clause of DPD, Art. 3 para. 2 for personal and family activities: cf. ECJ, Case C-101/01, 6.11.2003, Bodil Lindqvist, ECR 2003, I-12971, para. 45 et seq.; see also CJEU, Case C-25/17, 10.7.2018, Tietosuojavaltuutettu and Jehovan Todistajat – uskonnollinen yhdyskunta, ECLI:​EU:​C:​2018:551, para. 34 et seq.

[5]For an analysis of this background cf. Weber, ZevKR 47 (2002): pp. 230 et seq. with further references.

[6]DPD, Art. 8 para. 1.

[7]See Weber, NVwZ 2011: p. 1488.

[8]Cf. Amendment 3100 (Sophia in’t Veld) and Amendment 3101 (Josef Weidenholzer and Birgit Sippel), European Parliament – Committee on Civil Liberties, Justice and Home Affairs 2012/0011(COD).

[9]See Amendment 3102 (Bastiaan Belder) and Amendment 3103 (Agustín Díaz de Mera García Consuegra), European Parliament – Committee on Civil Liberties, Justice and Home Affairs 2012/0011(COD).

[10]Cf. Amendment 3102 (Bastiaan Belder).

[11]For an overview on the relationship between State and churches in the legal orders of the EU Member States see e.g., Robbers, State and Church in the European Union; see also Mückl, Europäisierung des Staatskirchenrechts: pp. 75 et seq. with further references.

[12]Fundamental Law (Grundgesetz), Art. 140, read together with Constitution of Weimar, Art. 137 para. 3.

[13]Cf. e.g. von Campenhausen/de Wall, Staatskirchenrecht, pp. 294 et seq.

[14]For an overview on this controversy see Gola in Gola, Art. 91 para. 4, and Pauly in Paal/Pauly, Art. 91 para. 5 et seq.

[15]See e.g. Dammann, NVwZ 1992: p. 1147 pp.1148 et seq.), and Dammann in Simitis, BDSG, § 2 para. 90 et seq.

[16]For the Catholic church of Germany, see the Act on data protection in the Church (Gesetz über den kirchlichen Datenschutz) of 20 November 2017 (Reference); the Protestant Churches of Germany, organised in the Protestant Church in Germany (Evangelische Kirche in Deutschland [EKD]), have adopted the Ecclesiastical Act on data protection of the Protestant Church in Germany (Kirchengesetz über den Datenschutz der Evangelischen Kirche in Deutschland). For a short overview of the autonomous data protection law of German churches see Seifert in Simitis/Hornung/Spiecker gen. Döhmann, DSGVO (2019), Art. 91 para. 6 with further references. For a comparison between the data protection acts of the two churches see Hoeren, NVwZ 2018: pp. 373 et seq. For a detailed analysis of the rules of the Catholic church cf. Sydow/Baumann-Gretza, Kirchliches Datenschutzrecht: Datenschutzbestimmungen der katholischen Kirche – Handkommentar.