Churches in Germany reform their data protection laws

Churches in Germany: Data protection reform

Article 91 GDPR

from C. Dorner

The two major churches in Germany - the Protestant Church and the Roman Catholic Church - have reformed their data protection laws and adapted them to the requirements of the General Data Protection Regulation (GDPR) with almost no fanfare.

The requirement for this follows from Art. 91 GDPR, according to which churches and religious associations or communities can continue to use previously applied data protection regulations even after the GDPR comes into force, provided they are brought into line with the GDPR. The Protestant Church complied with this requirement on 17.11.2017 with the Church Law on Data Protection of the Protestant Church in Germany (DSG-EKD) and the Catholic Church on 20.11.2017 with the Church Data Protection Act (KDG).

The data protection laws of the churches apply to the processing of personal data by - and also for! - church bodies such as dioceses, parishes and church legal entities such as church foundations, church corporations, institutions and - as far as the KDG is concerned - also Caritas.

The church data protection laws have their own regulations, some of which deviate from the GDPR, on various topics, such as the requirements for consent or the form of the contract for commissioned data processing.

The church's data protection laws also apply to non-church legal entities if they process personal data on behalf of the church. As of May 25, 2018, when these laws and the GDPR come into force, this will result in a stricter form for order processing contracts with the Catholic Church than for those outside of church circles. The KDG stipulates that order processing contracts can be concluded in electronic form in accordance with the German Civil Code, i.e. only with a qualified electronic signature.

The KDG thus goes significantly further than the GDPR, which only requires an electronic format. So while the European law wanted to relax the requirements for the data processing agreement, the Catholic Church is tightening up the formal requirements once again.
The topic of church data protection is highly relevant for anyone who enters into a contractual relationship with church institutions or establishments. We therefore recommend that everyone in this group keep an eye on church data protection law when preparing for the GDPR.

Share this post :