Churches in Germany reform their data protection laws

from C. Dorner

With almost no fanfare, the two major churches in Germany - the Protestant Church and the Roman Catholic Church - have reformed their data protection laws and brought them into line with the requirements of the General Data Protection Regulation (GDPR) adapted.

The requirement for this follows from Art. 91 GDPRaccording to which churches and religious associations or communities may continue to apply data protection regulations even after the entry into force of the GDPR can continue to be used, provided that they GDPR be brought into line. The Protestant Church has now met this requirement on 17.11.2017 with the Church Act on the Data protection of the Protestant Church in Germany (DSG-EKD) and the Catholic Church on November 20, 2017 with the Church Data Protection Act (KDG).

The data protection laws of the churches apply to the Processing of personal data by - and also for! - church bodies such as dioceses, parishes and church legal entities such as church foundations, church corporations, institutions and - as far as the KDG is concerned - also Caritas.

The church's data protection laws have their own specific provisions, some of which have been amended by the GDPR deviating regulations on various topics, such as the requirements for the Consent or the form of the contract for commissioned data processing.

The church's data protection laws also apply to non-church legal entities if they process personal data on behalf of the church. This has been the case since 25.05.2018 with the entry into force of these laws and the GDPR The consequence of this is that a stricter form applies to order processing contracts with the Catholic Church than for those outside church circles. The KDG stipulates that order processing contracts can be concluded in electronic form in accordance with the German Civil Code, i.e. only with a qualified electronic signature.

The KDG thus goes significantly further than the GDPRwhich only requires an electronic format. So while the European law wanted to relax the requirements for the data processing agreement, the Catholic Church is tightening the formal requirements once again.
The topic is highly relevant ecclesiastical data protection for anyone who enters into a contractual relationship with church institutions or establishments. We therefore recommend that everyone in this group, when preparing for the GDPR also keep an eye on church data protection law.