Overview

This article (Article 91 GDPR) allows churches and religious associations or communities that were already applying comprehensive data protection rules when the Regulation entered into force to continue applying those rules, provided that the rules are brought into line with GDPR. Such entities must be subject to supervision by an independent supervisory authority, which may be a body specific to them, provided that it fulfils the conditions laid down in Chapter VI of the Regulation.

Key Principles

  • Autonomy: Churches and religious associations may continue to apply their own comprehensive data protection rules where those rules were already in place when GDPR entered into force.

  • Alignment with GDPR: Existing rules must be brought into line with GDPR principles and requirements; the provision preserves the internal rulebook, not an exemption from the Regulation's substance.

  • Independent Supervision: Entities must be overseen by an independent supervisory authority, which may be specific to the church or association, provided it fulfils the conditions of Chapter VI GDPR (independent status, competence, tasks and powers).

  • Accountability: The supervisory authority monitors compliance with the internal rules and with GDPR, and protects data subjects' rights.

  • Transparency: Independent oversight gives members, data subjects and the public assurance that personal data handling is held to GDPR standards.

Organizational Applicability

This article applies to:

  • Churches and religious associations processing personal data.

  • Independent supervisory authorities monitoring compliance within these organizations.

  • Legal and compliance teams managing alignment between internal rules and GDPR.

  • Members, employees, or stakeholders whose data is processed by these entities.

Implementation Requirements

  • Maintain existing data protection rules while ensuring GDPR alignment.

  • Submit to supervision by an independent supervisory authority that fulfils the conditions of Chapter VI GDPR.

  • Document processing activities (including the record of processing required by Article 30 GDPR) and the safeguards applied to personal data.

  • Ensure mechanisms exist for oversight, audits, and compliance reporting.

Implementation Guidance

  • Periodically review internal rules for alignment with GDPR obligations.

  • Train staff on GDPR principles and supervisory authority requirements.

  • Establish communication channels with the supervisory authority for guidance and reporting.

  • Implement procedures to monitor, document, and enforce compliance.

Periodic Review

  • Frequency: Annually or when GDPR obligations or internal rules are updated.

  • Responsible Role: Compliance Team, Data Protection Officer (DPO), or Legal.

  • Outcome: Ensure continued lawful and GDPR-aligned data protection within churches and religious associations.

Non-Compliance Risks

  • Fines: Up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, for the most serious GDPR violations (Article 83(5)); Member States may lay down separate rules for fines imposed on public bodies (Article 83(7)), which can apply to churches constituted under public law.

  • Legal Exposure: Liability, including data subjects' claims for compensation under Article 82 GDPR, for processing that is not covered by GDPR-aligned internal rules or that escapes independent supervision.

  • Reputational Damage: Loss of trust among members, stakeholders, and the public.

  • Operational Risk: Misalignment with GDPR may lead to regulatory scrutiny or enforcement actions.