General Data Protection Regulation

What is the GDPR?

In summary, it can be said that Regulation 2016/679 concerns the "processing of personal data".

What is meant by "personal data" and "processing"?

"Personal data": all information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Processing": an operation or a set of operations carried out on personal data or sets of personal data, contained in a file or set of files or destined for them, by automated or non-automated means, such as collection, registration, organization, structuring, conservation, adaptation or alteration, recovery, consultation, use, dissemination by transmission, diffusion or any other form of availability, comparison or interconnection, limitation, erasure or destruction.

 

Regulation 2016/679 requires the identification of a “controller” and a “subcontractor”. What are they?

"Data controller": the natural or legal person, authority, service or other body that, individually or in conjunction with others, determines the purposes and means of processing.

"Subcontractor": the natural or legal person, authority, service or other body that processes personal data on behalf of the person responsible for processing it.

In each diocese, in the episcopal conference, in each religious congregation and in each movement or association with canonical legal personality, at least one "controller" must be identified. This does not have to be a named person (e.g. António Silva); it can be the holder of a position or service identified as such, which will change whenever that holder changes (e.g. the vicar general, the secretary, the president, etc.). The same is true of the “subcontractor”.

A “data protection officer” may also be appointed, whose task is to oversee the application of data protection rules. This role is mandatory when an entity carries out large-scale processing of so-called "special data" or "sensitive data", which include data relating to religious beliefs. Considering that the sacraments of baptism and confirmation, as a rule, reveal adherence to the Catholic faith, it can be said that each diocese carries out large-scale processing of "sensitive data". Therefore, ideally each diocese should designate a "data protection officer", who can be neither "controller" nor "subcontractor".

Models needed to comply with the GDPR

Depending on the type of process, the following models should be used to obtain consent or to provide information about the processing of personal data.

Choose the models that are directed to your Diocese.

In general, the basis for data collection lies in the consent of the respective holder. In these cases, explicit and written consent from the client is required, as well as the provision of information on the client's rights. The following model can be followed:

In the case of the collection of data relating to the reception of the sacraments of baptism, confirmation and order, for which canon law requires a permanent record (which cannot be erased at the will of the data subject), the basis of the collection no longer lies in the consent of the data subject, but in the legitimate interest of the Church. It will not be necessary to collect the consent of that holder, but only to provide him in writing with the following information. The following models for the sacrament of baptism can be followed:

In the case of the collection of data relating to the reception of the sacraments of baptism, confirmation and order, for which canon law requires a permanent record (which cannot be erased at the will of the data subject), the basis of the collection no longer lies in the consent of the data subject, but in the legitimate interest of the Church. It will not be necessary to collect the consent of that holder, but only to provide him in writing with the following information. The following models can be followed for the sacrament of confirmation:

In the case of the collection of data relating to the reception of the sacraments of baptism, confirmation and order, for which canon law requires a permanent record (which cannot be erased at the will of the data subject), the basis of the collection no longer lies in the consent of the data subject, but in the legitimate interest of the Church. It will not be necessary to collect the consent of that holder, but only to provide him in writing with the following information. The following models for the sacrament of order can be followed:

In the case of the sacrament of marriage, the basis for the collection of data also does not lie in the consent of the data subject. It resides in the requirements of canon law and also in the requirements of civil law, since, under the terms of the Concordat, canonical marriage is recognized in the civil legal order. Thus, this collection is based on a requirement of civil law. It will not be necessary to collect the consent of that holder, but only to provide him in writing with the following information. The following model can be followed:

Whenever possible, and provided canonical rules do not preclude it (regarding secrecy, for example), authorization should be obtained from the holder of personal data to transfer them outside the European Union's jurisdictional area (including the Holy See). The following model can be followed:

It may be understood that the collection of personal data in the context of a declaration of nullity of marriage also rests on the requirements of canon law and on the requirements of civil law because, under the terms of the Concordat, that declaration may eventually be given civil effect. It will not be necessary to collect the consent of that holder, but only to provide him in writing with the following information. The following model can be followed: