DPC (Ireland) - IN-19-7-6

DPC - IN-19-7-6
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 17 GDPR
Type: Investigation
Outcome: Other Outcome
Started: 07.06.2019
Decided: 27.02.2023
Published:
Fine: n/a
Parties: Archbishop of Dublin
National Case Number/Name: IN-19-7-6
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: DPC (in EN)
Initial Contributor: Ireland

The Archbishop should now make clear that all personal data collected and recorded and otherwise processed for the purposes of the administration of sacraments is permanently retained.

English Summary

Facts

The DPC commenced the Inquiry following receipt of a number of complaints from individuals who wished to obtain erasure in relation to their personal data processed in church registers. All of the individuals had written to either their parish or to the Archdiocese asking for the erasure of their data pursuant to Article 17 GDPR.

Holding

• The Archbishop may lawfully rely on legitimate interests under Article 6(1)(f) GDPR as a legal basis for the processing of personal data of individuals which are recorded in the Baptism Register, even in such instances where an individual no longer wishes to be associated with the Catholic Church;
• Subject to safeguards, the Archbishop’s interests in retaining the personal data contained in the Baptism Registers are not overridden by the interests or fundamental rights and freedoms of the individuals;
• The Archbishop may rely on the legal basis under Article 9(2)(d) of the GDPR for the processing of individuals’ special category data during the course of their lifetime;
• The Archbishop, in processing the special category personal data in the Baptism Registers, has in place appropriate safeguards for such processing as required under Article 9(2)(d) GDPR;
• Individuals may exercise the right to request rectification of the personal data contained in the Baptism Registers, in accordance with Article 16 GDPR;
• The Archbishop must comply with his obligations under Article 12(3) and Article 12(4) of the GDPR in order to facilitate requests in relation to individual’s rights under Articles 15 to 22 of the GDPR;
• Individuals who no longer consider themselves to be members of the Catholic Church do not have the right to obtain erasure of their personal data in the Baptism Registers under the grounds set out at Article 17(1)(a)-(f) of the GDPR;
• In circumstances where an individual no longer wishes to be a member of the Catholic Church, a supplementary statement could be added by the Archbishop to the Baptism Register entry stating “No longer wishes to be identified as a Roman Catholic”.

The Archbishop should now make clear that all personal data collected and recorded and otherwise processed for the purposes of the administration of sacraments is permanently retained. The Archbishop is to:

i. update the Privacy Policy of the Archdiocese to identify that the Archbishop is the data controller for the processing of personal data and special category data held in all Baptism Registers within his Archdiocese;
ii. set out in the Privacy Policy the lawful basis of such processing together with the retention periods for such personal data;
iii. set out in the Privacy Policy that the subsequent administration of certain sacraments to an individual such as confirmation, marriage/annulment and ordination/laicisation (or adoption) are marked on the record in the Baptism Register, explaining why this is so;
iv. ensure that the parishes within the Archdiocese make the relevant Privacy Policy accessible and available to those undertaking sacraments.

Comment

This case took many years to come to a judgement. I believe the DPC has not upheld GDPR in this instance and has ruled in favour of an organization that is in breach of GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.