Inquiry into processing of Church Records by the Archbishop of Dublin ('the Archbishop') - February 2023
(IN-19-7-6)
Date of Decision: 27 February 2023
The DPC commenced the Inquiry following receipt of a number of complaints from data subjects who wished to obtain erasure in relation to their personal data processed in church registers. All of the data subjects had written to either their parish or to the Archdiocese asking for the erasure of their data pursuant to Article 17 GDPR.
Key findings within the Decision include that:
- The Archbishop may lawfully rely on legitimate interests under Article 6(1)(f) GDPR as a legal basis for the processing of personal data of data subjects which are recorded in the Baptism Register, even in such instances where a data subject no longer wishes to be associated with the Catholic Church;
- Subject to safeguards, the Archbishop’s interests in retaining the personal data contained in the Baptism Registers are not overridden by the interests or fundamental rights and freedoms of the data subjects;
- The Archbishop may rely on the legal basis under Article 9(2)(d) of the GDPR for the processing of data subjects’ special category data during the course of their lifetime; The Archbishop, in processing the special category personal data in the Baptism Registers, has in place appropriate safeguards for such processing as required under Article 9(2)(d) GDPR;
- Data subjects may exercise the right to request rectification of the personal data contained in the Baptism Registers, in accordance with Article 16 GDPR;
- The Archbishop must comply with his obligations under Article 12(3) and Article 12(4) of the GDPR in order to facilitate requests in relation to data subject’s rights under Articles 15 to 22 of the GDPR;
- Data subjects who no longer consider themselves to be members of the Catholic Church do not have the right to obtain erasure of their personal data in the Baptism Registers under the grounds set out at Article 17(1)(a)-(f) of the GDPR;
- In circumstances where a data subject no longer wishes to be a member of the Catholic Church, a supplementary statement could be added by the Archbishop to the Baptism Register entry stating “No longer wishes to be identified as a Roman Catholic”.
Corrective powers exercised:
The Archbishop should now make clear that all personal data collected and recorded and otherwise processed for the purposes of the administration of sacraments is permanently retained. The Archbishop is to:
- update the Privacy Policy of the Archdiocese to identify that the Archbishop is the data controller for the processing of personal data and special category data held in all Baptism Registers within his Archdiocese;
- set out in the Privacy Policy the lawful basis of such processing together with the retention periods for such personal data;
- set out in the Privacy Policy that the subsequent administration of certain sacraments to an individual such as confirmation, marriage/annulment and ordination/laicisation (or adoption) are marked on the record in the Baptism Register, explaining why this is so;
- ensure that the parishes within the Archdiocese make the relevant Privacy Policy accessible and available to those undertaking sacraments.
For more information, you can download the full decision at this link: Inquiry into processing of Church Records by the Archbishop of Dublin ('the Archbishop') - February 2023