Hof van Beroep - 2024/ AR/121
Hof van Beroep - 2024/ AR/121 | |
---|---|
Court: | Hof van Beroep Brussel (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 4(6) GDPR Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 5(1)(c) GDPR Article 6(1)(f) GDPR Article 9 GDPR Article 12(1) GDPR Article 12(4) GDPR Article 13 GDPR Article 17 GDPR Article 10 CFR |
Decided: | |
Published: | |
Parties: | Diocese of Gent |
National Case Number/Name: | 2024/ AR/121 |
European Case Law Identifier: | |
Appeal from: | Autorité de protection des données 169/2023 |
Appeal to: | |
Original Language(s): | Dutch |
Original Source: | APD (in Dutch) |
Initial Contributor: | n/a |
The Diocese of Ghent appealed the decision of the Belgian Data Protection Authority to grant the complainant's request for his data to be removed from the baptismal registry instead of solely marking them indicating withdrawal.
English Summary
Facts
A complainant requested that their personal data be removed from the Diocese's baptismal registers under GDPR's right to erasure (Article 17 GDPR). The Diocese did not erase the data but annotated it instead. This led to a complaint filed with Belgium's Data Protection Authority (GBA).
The Diocese of Ghent belongs to the Catholic Church and keeps a register of all baptized persons. They claimed that recording such data is essential to keep track of baptisms, as it is a one-time event and cannot be repeated. Therefore, keeping the data would constitute a legitimate interest. However, the Belgian DPA ruled that even though this is indeed a legitimate interest, keeping a written record on paper in a single parish is not the appropriate way of verifying identities and the data retention for a lifetime is disproportionate if an individual explicitly wishes to distance themselves from the Church. Thus, the data subject's interests override those of the Church. The GBA ordered the diocese to remove all the data of the complainant.
Subsequently, the case was appealed by the Diocese of Ghent at the Market Court (Hof van Beroep), questioning whether the right to data erasure applies to baptismal registers. In the appeal, the Diocese questioned whether these may be considered a filing system according to Article 4(6) GDPR, mainly citing its format. This register only exists in paper form and the entries are chronological, by date of baptism. The historical and archival significance (Article 17(3)(d) GDPR) of such registers was also highlighted and named as the main purpose instead of systematic data retrieval.
The Diocese also referenced the religious context, and the irreversibility of baptisms and argued that such data removals could lead to violating religious principles. Moreover, imposing the GDPR could threaten the right to religious freedom. The Diocese also claimed that it did not act as the sole controller, citing the responsibility of individual pastors. They also claimed that the GBA violated its rights of defense and referred to procedural errors.
Holding
Most of the DPA's findings were upheld by the Court. They ruled that the Diocese of Ghent is indeed the controller (Article 4(7) GDPR), highlighting its influence in data management and correspondence. The court also emphasized that the GDPR applies to all entities processing personal data, including religious institutions. Also, baptismal registers qualify as "filing systems" as they constitute a structured set of personal data (Article 4.6 GDPR). The diocese's claims related to procedural issues were dismissed.
The Court referred five questions to the CJEU for a preliminary ruling. The subject of the question is 1) whether a person who was baptized as a minor has the right to get his data removed, 2) whether it could make a difference that according to the data controller, a fundamental right, the freedom of religion (Article 10 CFR) is affected, 3) whether the non-digital format of the register is relevant, 4) whether the historical status and archival purpose could affect the decision as an exemption under Article 17(3)(d) GDPR, and 5) whether an annotation indicating the withdrawal could be seen as equal to data removal in this context.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
The Belgian DPA today ordered the diocese of Ghent to comply with the request of a baptized person to be deleted from the baptismal register of his parish. For the DPA, the Catholic Church has a legitimate interest in recording baptisms in a register, but this interest cannot always be invoked once the person expressly states his or her wish to leave the Church and have his or her baptismal data erased. Background of the case A baptized person applied to the diocese of Ghent to be deleted from all Catholic Church files, including the baptismal register. However, the Church does not delete the data from the baptismal registers, but rather adds an annotation reflecting the person's wish to leave the Church in the margin of the register. The right to data deletion, enshrined in the General Data Protection Regulation (GDPR), is not absolute and can only be exercised under certain conditions. The Catholic Church considers that it has a legitimate interest in retaining the data contained in the baptism register, as such retention is necessary for the purpose of data processing, and that the conditions applicable to a request for deletion are therefore not met in this type of case. She also invoked the archival value of this data, which would prevent its deletion. The unsuccessful party then lodged a complaint with the Data Protection Authority. The Church's interest and the data subject's interest The Church's legal basis for processing baptism data is its legitimate interest in preventing possible (identity) fraud, since, according to Catholic doctrine, a baptism can only take place once. It is therefore necessary to keep a record of it. For the Belgian DPA, this is indeed a legitimate interest on the part of the Church. However, this legitimate interest can only be validly invoked as a basis for data processing if the processing is necessary to achieve this objective, and if the interest of the data subject (here: the complainant) does not override the interest of the organization processing the data (here: the diocese of Ghent). In the present case, the DPA finds that these two conditions are not met: On the one hand, since the register is only kept in paper form within a single parish (that of the baptism), it is not always possible to verify whether or not the baptism took place. Data processing as it is carried out today does not in fact prevent a person from receiving the same sacrament twice, and is therefore not a priori appropriate for achieving the desired purpose. On the other hand, the lifetime retention of all the complainant's data - including data not strictly necessary to determine whether a person has already been baptized - is disproportionate from the moment the complainant expressly states that he or she wishes to distance himself or herself from the Catholic Church. In this case, the interests of the complainant override those of the Church. Consequently, the data processing in question is deemed unlawful, which means that the complainant can exercise his right to have the data deleted. Moreover, data must also be deleted when a legitimate objection to data processing is raised, which is therefore the case here. Furthermore, the DPA considers that the information provided by the Church regarding the processing of baptismal data is not sufficient, in particular because it does not include any indication to the person (or his/her parents) as to how long the data will be kept. Order to comply with erasure request For this reason, the DPA decided to order the Bishopric of Ghent to comply with the complainant's request to object to the processing of his data, and with the request to erase his data. Hielke Hijmans, Chairman of the Litigation Chamber of the Belgian Data Protection Authority: "In this case, several fundamental rights are at stake. In our decision, we only express ourselves on the application of the GDPR to the data processing carried out by the diocese of Ghent, as is our role. From a data protection point of view, the lifelong processing of data, moreover of a sensitive nature, of a person who has asked to leave the Church cannot be justified if such processing is neither proportional nor strictly necessary to the admittedly legitimate interests of the Church. These conditions were not met in this case". Parties affected by the decision have 30 days in which to lodge an appeal. Important note: several cases concerning the data protection aspects of the de-baptization procedure are currently before the Litigation Chamber of the Belgian Data Protection Authority. The decision summarized in this press release concerns only one of these cases. Update 11 december 2024 : The Market Court refers preliminary questions to the Court of Justice of the EU The Market Court decided today to refer preliminary questions to the Court of Justice of the European Union in the appeal that the diocese of Ghent had filed against decision 169/2023 of the Belgian Data Protection Authority (BE DPA). Given, on the one hand, that different European authorities have rendered divergent decisions on a similar subject and, on the other hand, that the question of erasure from the baptismal register is part of a broader social context than just the proceedings at hand, the Market Court decided to ask the CJEU whether, in summary, the right to freedom of religion and the right to data protection and data erasure are absolute and what criteria are pertinent to consider in the event of a conflict between these fundamental rights. More specifically, the Market Court asked 5 preliminary questions, which are summarised below: Does a person who was baptised as a minor and wants to disassociate from the church as an adult have the right to have his/her data erased from the baptismal register? Does it make a difference that, according to the data controller, the data erasure affects his fundamental rights (freedom of religion)? Does it make a difference that the baptismal register is not digital but takes the form of a book? Does it make a difference that the baptismal register itself is a historical artefact so that the data processing is also done for archival purposes? To the extent that a person has the right to request the erasure of his/her data from the baptismal register and no exception to that right is applicable, can an annotation that a person has left the church in the margin of the baptismal register be considered equivalent to a data erasure within the meaning of the General Data Protection Regulation? The judgment and the precise questions presented to the CJEU can be accessed via this link (in Dutch). Hielke Hijmans, Chairman of the Litigation Chamber of the BE DPA : “This is a very nice judgment for the BE DPA that follows our analysis on a large number of points and puts the fundamental question of the balance between data protection and freedom of religion before the highest European court.”