Four years have passed since the General Decree of the Italian Episcopal Conference (“Provisions for the protection of the right to good reputation and confidentiality”) (the “General Decree”) which implemented the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council) was adopted and became binding for all religious Institutions in respect of their processing of personal data.
Like other Religious Institutions and Congregations you certainly have rushed to become compliant with the new data protection rules and have:
But what happened since then?
If you do not feel confident to answer all the above questions with YES, it is time to recapitulate some of the main principles and mandatory provisions of the GDPR and the General Decree – and this is what we intend to do during the coming weeks with our “GDPR News Flashes”.
Starting with the “A” – Accountability
As you may recall, one of the main principles introduced by the GDPR and the General Decree is the “Accountability Principle”, which can be broadly described as a requirement for Data Controllers – i.e. for your Congregation, your Institute, your General House or your Province etc. – to be responsible for, and be able to demonstrate, compliance with data protection principles.
In this respect, it is of the utmost importance to keep Data Protection Documents up to date and to regularly educate and upskill – at least once a year (!) – your members and lay employees involved in data processing activities.
Art. 29 of the GDPR and Article 13 § 2 require the Data Controller or the Processor to instruct those who have access to personal data, through an (initial) written act, by which said persons are authorized to process personal data in the various offices and departments of your Institution.
It is further necessary for the Controller to conduct adequate training and education of members and lay personnel on data protection. Training is a security measure, an obligation for the Data Controller and a right and duty of members, employees and contractors who process personal data.
Therefore, the Data Controller should enact a training and refresher plan (giving priority to new members and hires and to the most important figures in data processing), allocate appropriate resources in its budgets, plan tests to check the level of learning, and prepare alternative solutions in case of negative results.
In the case of failure to provide training, the sanctions provided for by the GDPR are applicable. Compliance with training obligations is also often the subject of inspections by the Data Protection Authority.
The quintessence of the Accountability Principle is that you must be able to demonstrate that you have delivered, and continue to deliver, continuous training to your members and employees.
To this end, DIKAIOS offers onsite training sessions tailored to your Congregation’s reality and specific needs. Upon request, courses can also be held online, and you will receive a written certificate stating the contents of the course, the attendees and possible evaluation tests passed.
The DIKAIOS Team will be happy to review together with you and your entities the status of your GDPR compliance and to carry out a GAP analysis providing recommendations on actions required.
We hope you will enjoy our News Flashes on important GDPR issues and will be following us in the coming weeks.
Your DIKAIOS Team
All rights reserved © Copyright 2022