Four years have passed since the General Decree of the Italian Episcopal Conference (“Provisions for the protection of the right to good reputation and confidentiality”) (the “General Decree”) which implemented the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council) was adopted and became binding for all religious Institutions in respect of their processing of personal data.
Like other Religious Institutions and Congregations you certainly have rushed to become compliant with the new data protection rules and have:
But what happened since then?
If you do not feel confident to to answer all the above questions with YES, it is time to recapitulate some of the main principles and mandatory provisions of the GDPR and the General Decree – and this is what we intend to do during the coming weeks with our “GDPR News Flashes”.
Starting with the “A” – Accountability
As you may recall, one of the main principles introduced by the GDPR and the General Decree is the “Accountability Principle”, which can be broadly described as a requirement for Data Controllers – i.e. for your Congregation, your Institute, your General House or your Province etc. – to be responsible for, and be able to demonstrate, compliance with data protection principles.
In this respect, it is of the utmost importance to keep Data Protection Documents up to date and to regularly educate and upskill – at least once a year (!) – your members and lay employees involved in data processing activities.
Art. 29 of the GDPR and Article 13 § 2 require the Data Controller or the Processor to instruct those who have access to personal data, through an (initial) written act, by which said persons are authorized to process personal data in the various offices and departments of your Institution.
It is further necessary for the Controller to conduct adequate training and education of members and lay personnel on data protection. Training is a security measure, an obligation for the Data Controller and a right and duty of members, employees and contractors who process personal data.
Therefore, the Data Controller should enact a training and refresher plan (giving priority to new members and hires and the most important figures in data processing), allocate appropriate resources in its budgets, plan tests to check the level of learning and alternative solutions in case of negative results.
In the case of failure to provide training, in fact, the sanctions provided for by the GDPR are applicable. The compliance with training obligations is also often the subject of inspections by the Data Protection Authority.
The quintessence of the Accountability Principle is that you must be able to demonstrate that you effectively deliver/ed continuous training to your members and employees.
To this end, DIKAIOS offers onsite training sessions tailored to your Congregation’s reality and specific needs. Upon request, courses can also be held online, and you will receive a written certificate stating the contents of the course, the attendees and possible evaluation tests passed.
The DIKAIOS Team will be happy to review together with you and your entities the status of your GDPR compliance and to carry out a GAP analysis providing recommendations on actions required.
We hope you will enjoy our News Flashes on important GDPR issues and will be following us in the coming weeks.
Your DIKAIOS Team
We periodically send articles and communications of interest to Religious Congregations. Furthermore, we invite our members to all the free events we organize.
Articles that delve into topics of interest to Religious Congregations, written by our experts.
Religious Congregations are rethinking the management of their administrative burdens in a way that allows them to focus on their particular charisma and mission *** Provinces, houses and institutes...Read more
Is your entity a Data Controller, a Joint Controller or a Data Processor? Why does this question matter to Religious Institutes? In summary, a “Controller” is an entity that, alone or ...Read more
How about YOUR GDPR compliance? Four years have passed since the General Decree of the Italian Episcopal Conference (“Provisions for the protection of the right to good reputation and confidential...Read more
Via Valadier 44 00193 Roma • firstname.lastname@example.org
All rights reserved © Copyright 2022