Is your entity a Data Controller, a Joint Controller or a Data Processor?
Why does this question matter to Religious Institutes?
In summary, a “Controller” is an entity that, alone or jointly with others, determines how and why personal data are processed, whereas a “Processor” is any third-party entity that processes someone’s personal data under the direction of the Controller.
Each time a religious entity processes personal data, it will do so predominantly as a Data Controller and not as a Data Processor.
According to the GDPR (Regulation (EU) 2016/679 and the General Decree of the Italian Episcopal Conference (“Provisions for the protection of the right to good reputation and confidentiality”) (the “General Decree”), these roles bear different responsibilities and obligations.
Therefore, it is important for each of your entities, such as the Congregations itself, your Provinces or your Generalate, to be able to:
What if your entity acts as “Joint Controller”?
In many circumstances (particularly where processing takes place on an intra-congregational level) your different local units may not realize that a joint controllership has come into existence. The GDPR obliges entities to keep an eye on potential situations of joint controllership. Where those arise, your local units must enter into suitable agreements that apportion data protection compliance responsibilities between Joint Controllers.
What are the responsibilities of Joint Controllers?
Data subjects are entitled to enforce their rights against any of the Joint Controllers. Each Joint Controller is liable for the entirety of the damage, although national law may apportion liability between them. A Controller may be exempted from liability if it proves that it is not in any way responsible for the damage.
What should your entity do to comply in case it acts as Controller / Joint Controller?
Controllers / Joint Controllers bear primary responsibility for ensuring that processing activities are compliant with EU data protection law and the General Decree. Each entity that acts as a Data Controller should:
How do you comply?
Data privacy compliance is based on a central principle introduced by the GDPR: Privacy by Design and Default.
This principle means that compliance with EU data protection law should not be an after-thought but should instead be treated as a key issue in the planning and implementation of any (new) activity or service that affects personal data.
Religious Institutes shall thus regularly monitor compliance with the GDPR and the General Decree and supervise that their data protection policies are respected by all members, employees and staff involved in data processing operations.
This includes the assignment of specific responsibilities, awareness-raising and training of members and staff, annual audits of internal processes and documentation put in place and the review of appointments of Data Processors.
Appointment of Processors
Entities that act as Controllers commonly appoint service providers and external consultants, such as lawyers, accountants, pay-roll firms etc. to process personal data on their behalf. The GDPR and the General Decree allow this practice but impose strict requirements on Institutes that (wish to) do so.
A local unit that wishes to appoint a Processor must only use Processors that guarantee compliance with the GDPR and the General Decree.
So-called “Data Processing Agreements” shall be entered into with all Processors used by the Congregation and its local units, and there are significant requirements that must be included in all Data Processing Agreements.
In other words, Institutes must appoint the Processor in the form of a binding agreement in writing, which states that the Processor must:
It goes without saying that many of the appointments and Data Processing Agreements made at the time of the entering into force of the GDPR and the General Decree may no longer be up to date, or even that the obligation to enter into this kind of agreements has been overlooked in the following years.
Annual data protection audits and the regular reviews of the relevant documentation do not only help to remain compliant in future – they are required by law and are the only way to be compliant also in the present.
We hope you will enjoy our News Flashes on important GDPR issues and will be following us in the coming weeks.
Your DIKAIOS Team
We periodically send articles and communications of interest to Religious Congregations. Furthermore, we invite our members to all the free events we organize.
Articles that delve into topics of interest to Religious Congregations, written by our experts.
Religious Congregations are rethinking the management of their administrative burdens in a way that allows them to focus on their particular charisma and mission *** Provinces, houses and institutes...Read more
Is your entity a Data Controller, a Joint Controller or a Data Processor? Why does this question matter to Religious Institutes? In summary, a “Controller” is an entity that, alone or ...Read more
How about YOUR GDPR compliance? Four years have passed since the General Decree of the Italian Episcopal Conference (“Provisions for the protection of the right to good reputation and confidential...Read more
Via Valadier 44 00193 Roma • email@example.com
All rights reserved © Copyright 2022