28 October 2022

Data Privacy Obligations and Religious Congregations (Part II)

Is your entity a Data Controller, a Joint Controller or a Data Processor?


Why does this question matter to Religious Institutes?

In summary, a “Controller” is an entity that, alone or jointly with others, determines how and why personal data are processed, whereas a “Processor” is any third-party entity that processes someone’s personal data under the direction of the Controller.

Whenever a religious entity processes personal data, it will in most cases do so as a Data Controller rather than as a Data Processor.

According to the GDPR (Regulation (EU) 2016/679) and the General Decree of the Italian Episcopal Conference (“Provisions for the protection of the right to good reputation and confidentiality”) (the “General Decree”), these roles carry different responsibilities and obligations.

Therefore, it is important for each of your entities, such as the Congregation itself, your Provinces or your Generalate, to be able to:

  • identify the scenarios in which it acts as a Data Controller;
  • understand the obligations that apply to Data Controllers; and
  • comply with those obligations.


What if your entity acts as “Joint Controller”?

In many circumstances (particularly where processing takes place on an intra-congregational level) your different local units may not realize that a joint controllership has come into existence. The GDPR obliges entities to keep an eye on potential situations of joint controllership. Where those arise, your local units must enter into suitable agreements that apportion data protection compliance responsibilities between Joint Controllers.


What are the responsibilities of Joint Controllers?

Data subjects are entitled to enforce their rights against any of the Joint Controllers. Each Joint Controller is liable for the entirety of the damage, although national law may apportion liability between them. A Controller may be exempted from liability if it proves that it is not in any way responsible for the damage.


What should your entity do to comply in case it acts as Controller / Joint Controller?

Controllers / Joint Controllers bear primary responsibility for ensuring that processing activities are compliant with EU data protection law and the General Decree. Each entity that acts as a Data Controller should:

  • review, on a regular basis, all of its data processing activities in light of the GDPR;
  • review and identify the data processing activities for which it is a Controller and ensure that it understands its responsibilities as a Controller;
  • constantly ensure that, in respect of each processing activity for which it is a Controller, it has implemented appropriate technical and organizational measures to ensure compliance with the GDPR;
  • ensure that it has appropriate processes and templates in place for identifying and (to the extent required) promptly reporting data breaches; and
  • ensure, and be able to demonstrate, that members and employees involved in data processing activities are kept up to date on data privacy regulations through specific training programs.


How do you comply?

Data privacy compliance is based on a central principle introduced by the GDPR: Privacy by Design and Default.

This principle means that compliance with EU data protection law should not be an after-thought but should instead be treated as a key issue in the planning and implementation of any (new) activity or service that affects personal data.

Religious Institutes shall thus regularly monitor compliance with the GDPR and the General Decree and ensure that their data protection policies are respected by all members, employees and staff involved in data processing operations.

This includes assigning specific responsibilities, raising awareness among and training members and staff, conducting annual audits of the internal processes and documentation put in place, and reviewing the appointments of Data Processors.


Appointment of Processors

Entities that act as Controllers commonly appoint service providers and external consultants, such as lawyers, accountants, payroll firms etc., to process personal data on their behalf. The GDPR and the General Decree allow this practice but impose strict requirements on Institutes that (wish to) do so.

A local unit that wishes to appoint a Processor must only use Processors that guarantee compliance with the GDPR and the General Decree.

So-called “Data Processing Agreements” shall be entered into with all Processors used by the Congregation and its local units, and there are significant requirements that must be included in all Data Processing Agreements.

In other words, Institutes must appoint the Processor in the form of a binding agreement in writing, which states that the Processor must:

  • only act on the Controller’s documented instructions;
  • impose confidentiality obligations on all personnel who process the relevant data;
  • ensure the security of the personal data that it processes;
  • abide by the rules regarding appointment of sub-processors;
  • implement measures to assist the Controller in complying with the rights of data subjects;
  • at the Controller’s election, either return or destroy the personal data at the end of the relationship (except as required by EU or Member State law); and
  • provide the Controller with all information necessary to demonstrate compliance with the GDPR and the General Decree.

It goes without saying that many of the appointments and Data Processing Agreements made at the time the GDPR and the General Decree entered into force may no longer be up to date, or that the obligation to enter into this kind of agreement may have been overlooked altogether in the years since.

Annual data protection audits and regular reviews of the relevant documentation do not only help to remain compliant in the future: they are required by law and are the only way to be compliant in the present as well.

We hope you will enjoy our News Flashes on important GDPR issues and will be following us in the coming weeks.

Via Valadier 44 00193 Roma • info@dikaios.international

All rights reserved © Copyright 2022