DPC (Ireland) - IN-19-7-6: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Ireland |DPA-BG-Color=background-color:#013d35; |DPAlogo=LogoIE.png |DPA_Abbrevation=DPC |DPA_With_Country=DPC (Ireland) |Case_Number_Name=IN-19-7-6 |ECLI= |Original_Source_Name_1=DPC |Original_Source_Link_1=https://gdprhub.eu/images/3/34/Decision_IN-19-7-6.pdf |Original_Source_Language_1=English |Original_Source_Language__Code_1=EN |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__...")
 
 
Line 124: Line 124:


<pre>
<pre>
Contents
A. Introduction ....................................................................................................................................3
B. Legal Framework for the Inquiry and the Decision.........................................................................3
i) Legal Basis for the Inquiry ...........................................................................................................3
ii) Data Controller............................................................................................................................4
iii) Legal Basis for the Decision.........................................................................................................4
C. Factual Background.........................................................................................................................5
D. Scope of the Inquiry and the Application of the GDPR...................................................................6
E. Issues for Determination.................................................................................................................7
F. Analysis of the Issues for Determination ......................................................................................12
a) MATERIAL SCOPE ......................................................................................................................12
b) CONTROLLERSHIP......................................................................................................................44
c) LEGAL BASIS ............................................................................................................................102
d) RIGHT OF RECTIFICATION .......................................................................................................141
e) RIGHT OF ERASURE .................................................................................................................154
f) STORAGE LIMITATION.............................................................................................................171
g) SUMMARY OF FINDINGS .........................................................................................................176
G. Finding Regarding Article 5(2).....................................................................................................179
H. Decision on Corrective Powers ...................................................................................................179
I. Order to amend the Privacy Policy .............................................................................................180
J. Right of appeal ............................................................................................................................180
Appendix 1: LIST OF ABBREVIATIONS/ RELEVANT TERMS..................................................................181
A. Introduction
1. This document (‘the Decision’) is a decision made by the Data Protection Commission (‘the
DPC’) in accordance with section 111 of the Data Protection Act 2018 (‘the 2018 Act’). I make
this Decision having considered the information obtained in the own volition inquiry IN-19-7-6
(‘the Inquiry’) pursuant to section 110 of the 2018 Act.
2. The Archbishop of Dublin (‘the Archbishop’) was provided with a Draft Decision (‘the Draft
Decision’) on this inquiry on 4 November 2022 to give him a final opportunity to make any
submissions. The Decision is being provided to the Archbishop pursuant to section 116(1)(a) of
the 2018 Act in order to give the Archbishop notice of the Decision, the reasons for it, and the
corrective powers that I have decided to exercise.
3. This Decision contains corrective powers under section 115 of the 2018 Act and Article 58(2) of
the General Data Protection Regulation (‘the GDPR’) arising from the infringements which have
been identified herein. The Archbishop will be required to complywith these corrective powers,
and it is open to this office to serve an enforcement notice on the Archbishop in accordance
with section 133 of the 2018 Act.
B. Legal Framework for the Inquiry and the Decision
i) Legal Basis for the Inquiry
4. The GDPR is the legal regime covering the processing of personal data in the European Union.
As a regulation, the GDPR is directly applicable in EU member states. The GDPR is given further
effect in Irish law by the 2018 Act. As stated above, the Inquiry was commenced pursuant to
section 110 of the 2018 Act. By way of background in this regard, under Part 6 of the 2018 Act,
the DPC has the power to commence an inquiry on foot of a complaint, or of its own volition.
5. Section 110(1) of the 2018 Act provides that the DPC may, for the purpose of section 109(5)(e)
or section 113(2) of the 2018 Act, or of its own volition, cause such inquiry as it thinks fit to be
conducted, in order to ascertain whether an infringement has occurred or is occurring of the
GDPR or a provision of the 2018 Act, or regulation under the Act that gives further effect to the
GDPR. Section 110(2) of the 2018 Act provides that the DPC may, for the purposes of section
110(1), where it considers it appropriate to do so, cause any of its powers under Chapter 4 of
Part 6 of the 2018 Act (excluding section 135 of the 2018 Act) to be exercised and / or cause an
investigation under Chapter 5 of Part 6 of the 2018 Act to be carried out.
ii) Data Controller
6. The Archbishop of Dublin administers to and is responsible for the Archdiocese of Dublin. The
current Archbishop of Dublin is the Most Reverend Dr. Dermot Farrell D.D., appointed on 29
December 2020, who succeeded the Most Reverend Dr. Diarmuid Martin D.D., the Archbishop
of Dublin at the time of the commencement of this Inquiry. The Archbishop of Dublin also serves
as pastor of StMary's Pro-Cathedral. The DPC acknowledges that theMost Reverend Dr. Dermot
Farrell D.D.’s predecessor, the Most Reverend Dr. Diarmuid Martin D.D., made a number of
submissions in the context of this Inquiry. All references to the Archbishop throughout this
Decision refer to the role or office of the Archbishop rather than specifically to the Most
Reverend Dr. Dermot Farrell D.D.’s or the Most Reverend Dr. Diarmuid Martin D.D..
7. The Archdiocese comprises of 197 parishes and spans county Dublin, parts of countiesWicklow,
Kildare, Carlow, Laois and Wexford and is governed by the Archbishop. The Diocesan Curia,
comprising of officials appointed by the Archbishop including the Moderator of the Curia and
the Chancellor, assists the Archbishop in the governance of the Archdiocese1.
8. In commencing the Inquiry, the DPC expressed the preliminary view that the Archbishop may
be the controller, within the meaning of Article 4(7) of the GDPR, in respect of personal data
within church records contained in Church Registers, pursuant to Article 4(6) of the GDPR.
iii) Legal Basis for the Decision
9. The decision-making process for the Inquiry which applies to this case is provided for under
section 111 of the 2018 Act, and requires that the DPCmust consider the information obtained
during the Inquiry to decide whether an infringement is occurring or has occurred and, if so, to
decide on the corrective powers, if any, to be exercised. As the sole member of the DPC as
defined in section 15 of the 2018 Act, I perform this function in my role as the decision-maker
in the DPC. In so doing, I am required to assess all of the materials and submissions gathered
during the Inquiry and any other materials that I consider to be relevant, in the course of the
decision-making process.
10. A full schedule of all documentation considered by me for the purpose of the preparation of
this Decision is appended hereto.
11. Having considered the information obtained in the Inquiry, I am satisfied that the Inquiry has
been correctly conducted and that fair procedures have been followed throughout. I will have
regard to any submissions that the Archbishop may decide to make in respect of this Decision
before proceeding to make a final Decision under section 111 of the 2018 Act.
1 Canon 469-470.
C. Factual Background
12. The DPC received a number of complaints, from data subjects who wished to exercise the right
to obtain erasure in relation to their personal data processed in church registers (including
baptism, confirmation and marriage registers) held within the Archdiocese Church registers. All
data subjects had written to either their parish or the Archdiocese asking for the erasure of their
personal data pursuant to Article 17 GDPR. The Archdiocese refused the requests on the basis
that the personal data were still necessary for the purpose for which they were collected and/or
the Church Registers were a record of historical fact and not membership of the Church; and in
any event, such records fell outside the scope of the GDPR.
13. Prior to the commencement of the Inquiry, the DPC put the Archbishop on notice of the
complaints received relating to the retention of personal data by the Catholic Church by way of
certain records relating to individuals contained in Church Registers. The complainants’ ability
to exercise their data protection rights in respect of church records relating to them, such as
the right to access the personal data and the right to obtain erasure of the personal data was
outlined in this correspondence. Further, the DPC raised the issue of identifying the controller
of these church records. The DPC confirmed its intention to commence an own volition inquiry
under section 110 of the 2018 Act, noting that this inquiry would not be focused specifically on
any individual complaint but would seek to address, in a collective manner, the general issues
arising from all complaints received on this particular issue.
14. By correspondence to the DPC dated 18 June 2019, Monsignor Callan, for and on behalf of the
Archdiocese of Dublin, expressed inter alia the opinion that baptism registers did not come
within the material scope of the GDPR, as set out in Article 2(1) of the GDPR. Monsignor Callan
stated that baptism registers are maintained in hard copy, are not organised in alphabetical
order, are not processed by automated means and he submitted that they do not consist of a
filing system within themeaning of Article 4(6) of the GDPR.Monsignor Callan further provided
a reasoned opinion as to why the parish priest and not the Archbishop was the controller of all
personal data held in the Church Registers.
15. The DPC issued an Inquiry Commencement Letter (‘the Commencement Letter’) to the
Archbishop on 20 December 2019 notifying that the DPC had commenced an Inquiry under and
in accordance with section 110(1) of the 2018 Act.
16. The decision to commence the Inquiry was taken as the DPC had formed the preliminary view
that the Church Registers were within the material scope of the GDPR and that the Archbishop
was a controller and/or joint controller of the personal data contained in these Church
Registers.
17. The Inquiry is an own volition inquiry conducted by the DPC relating to the refusal by the
Archdiocese of Dublin (‘the Archdiocese’) of certain data subjects’ requests to obtain the
erasure of their personal data. The Archdiocese refused the requests on the basis that the
personal data were still necessary for the purpose for which they were collected and/or the
Church Registers were a record of historical fact and not membership of the Church; and in any
event, such records fell outside the scope of the GDPR. Having considered the issues arising, the
DPC decided to commence an own volition inquiry pursuant to Section 110 of the 2018 Act for
the purpose of assessing the extent to which the Archbishop of Dublin complied with its legal
obligations pursuant to data protection law.
18. The Commencement Letter set out that the Inquiry would formally document the facts as they
relate to the subject of the Inquiry. The relevant facts ascertained prior to the commencement
were set out in the Commencement Letter. The facts, as established during the course of the
Inquiry, are set out below in this Decision.
19. Having received the Archbishop’s submissions, the DPC prepared an Inquiry Issues Paper to
document the relevant facts established and the issues that fell for consideration by me as
Decision-Maker for the purpose making a decision under section 111 of the 2018 Act in respect
of this Inquiry. The DPC furnished the Archbishop with the Inquiry Issues Paper on 9 February
2022 and invited the Archbishop’s submissions on any inaccuracies and/or incompleteness in
the facts.
20. The Archbishop provided comments on the Inquiry Issues Paper on 31 March 2022. The
comments provided additional information relating to the facts as set out in the Inquiry Issues
Paper. The comments on the Inquiry Issues Paper were analysed and I considered them as part
of the Draft Decision.
21. On 4 November 2022, I provided the Draft Decision to the Archbishop. The Archbishop was
afforded the opportunity to make submissions on the proposed infringement that was
identified in the Draft Decision and the corrective power that I proposed to exercise. On 1
February 2023, the Archbishop made submissions on the Draft Decision. I have had full regard
to those submissions and I have reached conclusions that an infringement of data protection
legislation has occurred and that it is necessary to exercise certain corrective powers. This
infringement and corrective powers are set out in this Decision.
D. Scope of the Inquiry and the Application of the GDPR
22. The scope of the Inquiry, which was set out in the Commencement Letter, was to examine the
following aspects of GDPR and the 2018 Act, in connection with the processing of personal data
of data subjectswho no longer wish to have their personal data recorded in all Church Registers:
i. Article 5(1)(e) – the principle of storage limitation;
ii. Article 6 – lawful basis for processing personal data;
iii. Article 9 – lawful basis for processing special category personal data;
iv. Article 16 – the right of a data subject to the rectification of inaccurate
personal data concerning him or her;
v. Article 17 – the right of a data subject to obtain erasure of personal data
concerning him or her;
vi. Article 89 – safeguards and derogations relating to processing of personal
data for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes; and
vii. the relevant provisions in the 2018 Act - which gives further effect to those
provisions, specifically sections 36, 42, 54, and 61;
23. The Commencement Letter stated that the Inquiry might also take into account the
Archbishop’s compliance with Article 5(2) of the GDPR (the principle of accountability), in
addition to his compliance with Article 31 of the GDPR, (co-operation with the supervisory
authority).
24. Following a consideration of the Archbishop’s submissions, the DPC narrowed the focus of the
Inquiry from all Church Registers, to all Baptism Registers held in the Archdiocese only,
including the ‘Parish Registers’ and those held in the Chancellery i.e. the register of baptisms of
persons who are adopted (the ‘Adopted Persons Baptism Register’) and the register of
baptisms for baptisms that took place in Holy Cross College, Clonliffe (the ‘Clonliffe College
Registers’).
E. Issues for Determination
25. Having reviewed the Inquiry Issues Paper and the other relevant materials, I consider that the
following issues arose for determination:
Material Scope - The DPC expressed a preliminary view in the Commencement Letter
that the personal data and special category personal data contained in the church records (now
in respect of all Baptism Registers in the Archdiocese only) form part of a filing system within
the meaning of Article 4(6) of the GDPR. It is acknowledged, that the Archbishop disagrees with
this view and has made a number of submissions asserting that the Baptism Registers are
outside of thematerial scope of the GDPR. As such, the following issues arise for determination
with respect to whether the personal data contained in the Baptism Registers fall within the
material scope of the GDPR:
i. whether the processing of the personal data contained in the Baptism Registers is
undertaken wholly or partly by automated means;
ii. in circumstanceswhere the processing is other than by automatedmeans,whether
the Baptism Registers form part of a filing system or are intended to form part of a
filing system, having regard to the definition of filing system under Article 4(6) of
the GDPR; and
iii. whether any of the exemptions to the scope of the GDPR as set out in Article 2(2)
apply to the processing of the Baptism Resisters.
Controllership - The DPC expressed a preliminary view in the Commencement Letter
that the Archbishop was the (sole) controller in respect of the personal data contained in Church
Registers (now in respect of the Baptism Registers only). Subsequently, the DPC confirmed to
the Archbishop that it was also considering the proposition that both the Archbishop and the
parish priest, having recourse inter-alia to Canon Law, may determine to different extents the
purposes and means of processing in relation to the Baptism Registers, leading to a position of
joint controllership. The Archbishop disagrees with this position and has made a number of
submissions in the course of the Inquiry refuting sole or joint controllership of the Baptism
Registers emphasising both the role of the parish priests and the Chancellor in this regard. As
such, the following issue arises for determination based on a consideration of the submissions
of the Archbishop to date:
i. the extent to which the Archbishop alone and / or jointly with the parish priest or
others determines the purpose and means of the processing of the personal data
and special category personal data contained in the Baptism Register which are
now the subject of this Inquiry;
Legal Bases for processing - In circumstances where I form a preliminary view that (i)
the personal data contained in the Baptism Registers falls within the material scope of the
GDPR; and (ii) the Archbishop is the relevant controller or joint controller of the personal data
contained in Baptism Registers, I must then, based on the submissions received from the
Archbishop to date, form a view as to the Archbishop’s compliance with Articles 6 and 9 of the
GDPR, in particular on the following issues:
i. In relation to the processing of personal data and special category personal data of
data subjects who no longer wish to have their personal data recorded in any
Baptism Registers:
a) whether the Archbishopmay rely on legitimate interests for the processing
of Baptism Registers, in accordance with on Article 6(1)(f) of the GDPR, in
circumstances where the processing is necessary for the purposes of the
legitimate interests pursued by the Archbishop;
b) whether, and to what extent the Archbishop’s interests (or those of a third
party) in retaining the personal data and special category personal data are
overridden by the interest or fundamental rights and freedoms of the data
subjects and accordingly whether the Archbishop is entitled to rely on
Article 6(1)(f) for the processing of the personal data and special category
personal data;
c) whether the Archbishop is entitled to rely on Article 9(2)(d) of the GDPR
for the processing of the special category personal data contained in the
Baptism Registers, which permits processing carried out in the course of
the Archbishop’s legitimate activities as a foundation, association or non-
profit body with a religious aim where the processing relates solely to
members or former members of the body or to persons who have regular
contact with it in connection with its purposes and where the special
category personal data are not disclosed outside the body without the
consent of the data subjects; if so, whether the Archbishop put in place the
required appropriate safeguards for such processing under Article 9(2)(d);
and
d) in assessing the legal bases relied on by the Archbishop, whether the
Archbishop is compliant with the principle of purpose limitation under
Article 5(1)(b) of the GDPR and the principle of lawfulness fairness and
transparency under Article 5(1)(a) of the GDPR.
ii. In relation to any further processing (processing beyond the original purpose of
collection) of personal data and special category personal data of data subjects
who no longer wish to have their personal data recorded in the Baptism Registers:
a) whether the Archbishop may rely on legitimate interests for the
processing, in accordance with on Article 6(1)(f) of the GDPR, in
circumstances where the processing is necessary for the purposes of the
legitimate interests pursued by the Archbishop;
b) whether, and to what extent the Archbishop’s interests (or those of a third
party) in further processing the personal data and special category
personal data are overridden by the interest or fundamental rights and
freedoms of the data subjects and accordingly whether the Archbishop is
entitled to rely on Article 6(1)(f) for the further processing of personal data
and special category personal data;
c) whether the Archbishop is entitled to rely on Article 9(2)(j) of the GDPR for
the further processing of special category personal data contained in the
Baptism Registers, which permits processing which is necessary for
archiving purposes in the public interest, scientific or historical research
purposes in accordance with Article 89(1) of the GDPR; if so, whether the
Archbishop put in place the required appropriate safeguards for such
processing in accordance with Article 89(1) of the GDPR, which ensure that
technical and organisational measures are in place in particular in order
ensure respect for the principle of data minimisation;
d) whether the processing of special category personal data is necessary and
proportionate for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes in accordance with
Section 54 of the 2018 Act;
e) whether, in circumstances where processing is established to be necessary
for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes, (i) suitable and specific measures have
been taken by the Archbishop to safeguard the fundamental rights and
freedoms of data subjects; (ii) the processing respects the principle of data
minimisation (Article 5(1)(c) of the GDPR); and (iii) where the purposes can
be fulfilled by processing which does not permit or no longer permits
identification the processing is fulfilled in that manner, in accordance with
Section 42 of the 2018 Act;
f) whether, in circumstances where processing is established to be necessary
for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes, data subject rights have lawfully been
restricted in accordance with Section 61(1) and 61(2) of the 2018 Act to
the extent that the exercise of any of those rights would be likely to render
impossible, or seriously impair, the achievement of those purposes, and
such restriction is necessary for the fulfilment of those purposes; and
g) in assessing the legal bases relied on by the Archbishop, whether the
Archbishop is compliant with the principle of purpose limitation under
Article 5(1)(b) of the GDPR and the principle of lawfulness fairness and
transparency under Article 5(1)(a) of the GDPR.
The right to obtain rectification – Article 16 - In circumstances where I form a view
that (i) the personal data and special category personal data contained in the Baptism Registers
falls within the material scope of the GDPR; and (ii) the Archbishop is the relevant controller or
joint controller of the personal data contained in the Baptism Registers, I must then, based on
the submissions received from the Archbishop to date, form a preliminary view as to the
Archbishop’s compliance with Article 16 of the GDPR, in particular on the following issues:
i. whether a data subject has the right to obtain from the Archbishop the rectification
of inaccurate personal data concerning him or her;
ii. whether the recording of a data subject’s sacrament of baptism in the Baptism
Registers, in circumstances where the data subject no longer consider themselves
to be a member of the Catholic Church, constitutes inaccurate or incomplete
personal data within the meaning of Article 16 of the GDPR, with reference to the
Archbishop’s compliance with the principle of accuracy under Article 5(1)(d) of the
GDPR in this regard;
iii. whether data subjects who no longer consider themselves to be members of the
Catholic Church have the right to obtain rectification of their sacramental status or
their status as members of the Catholic Church in the church records contained in
the Baptism Registers or where the personal data is found to be incomplete, have
the right to have this personal data completed, including by means of providing a
supplementary statement; and
iv. whether, in circumstances where a right to rectification exists, the data subjects’
rights may be restricted by the Archbishop pursuant to Section 61(2) of the 2018
Act, where the processing is for historical research purposes and the exercise of
the right would be likely to render impossible or seriously impair, the achievement
of these purposes and the restriction is necessary for the fulfilment of those
purposes.
The right to obtain erasure – Article 17 - In circumstances where I form a preliminary
view that (i) the personal data and special category personal data contained in the Baptism
Registers falls within the material scope of the GDPR; and (ii) the Archbishop is the relevant
controller or joint controller of the personal data contained in the Baptism Registers, I must
then, based on the submissions received from the Archbishop, form a view as to the
Archbishop’s compliance with Article 17 of the GDPR, in particular on the following issues:
i. whether a data subject has the right to obtain from the Archbishop the erasure of
personal data concerning him or her, in circumstances where one of the grounds
listed under Article 17(1)(a)-(f) of the GDPR applies;
ii. whether data subjects who no longer consider themselves to be members of the
Catholic Church have the right to obtain erasure of their personal data in the
Baptism Registers under the grounds set out at Article 17(1)(a)-(f) of the GDPR; and
iii. whether, a data subject’s right to erasure may be lawfully dis-applied by the
Archbishop to the extent that processing is necessary:
a) for exercising the right to freedom of expression and information, pursuant
to Article 17(3)(a) of the GDPR;
b) for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes in accordance with Article 89(1), pursuant
to Article 17(3)(d) of the GDPR; or
c) for exercising the right to freedom of religion.
Storage Limitation - In circumstances where I form a view that (i) the personal data
and special category personal data contained in the Baptism Registers falls within the material
scope of the GDPR; and (ii) the Archbishop is the relevant controller or joint controller of the
personal data contained in the Baptism Registers, I must then, based on the submissions
received from the Archbishop, form a view as to the Archbishop’s compliance with the principle
of storage limitation contained in Article 5(1)(e) of the GDPR, in particular on the following
issues:
i. whether the personal data and special category personal data contained in the
Baptism Registers are kept in a form which permits identification for no longer than
is necessary;
ii. whether the personal data and special category personal data contained in the
Baptism Registers are processed solely for archiving purposes in the public interest,
scientific or historical research purposes or statistical purposes in accordance with
Article 89(1) of the GDPR, and are subject to the implementation of the appropriate
technical and organisational measures in order to safeguard the rights and
freedoms of the data subject; and
iii. whether, in circumstances where the personal data and special category personal
data is processed solely for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes, it may be stored for longer
periods.
F. Analysis of the Issues for Determination
a) MATERIAL SCOPE
Issue 1 for determination: whether processing of personal data contained in the Baptism
Registers is undertaken wholly or partly by automated means
Relevant Provisions
26. Article 2(1) of the GDPR states that the GDPR applies
“to the processing of personal data wholly or partly by automated means and to the
processing other than by automated means of personal data which form part of a filing
system or are intended to form part of a filing system”.
27. Article 4(1) of the GDPR defines “personal data” as
“any information relating to an identified or identifiable natural person (‘data subject’);
an identifiable natural person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an identification number, location
data, an online identifier or to one or more factors specific to the physical, physiological,
genetic, mental, economic, cultural or social identity of that natural person”.
28. Article 4(2) of the GDPR defines “processing” as
“any operation or set of operations which is performed on personal data or on sets of
personal data, whether or not by automated means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available, alignment or
combination, restriction, erasure or destruction”.
29. Article 4(6) of the GDPR defines a “filing system” as
“any structured set of personal data which are accessible according to specific criteria,
whether centralised, decentralised or dispersed on a functional or geographical basis”.
30. Recital 15 of the GDPR is also of assistance in interpreting the meaning of a filing system:
“in order to prevent creating a serious risk of circumvention, the protection of natural
persons should be technologically neutral and should not depend on the techniques used.
The protection of natural persons should apply to the processing of personal data by
automated means, as well as to manual processing, if the personal data are contained or
are intended to be contained in a filing system. Files or sets of files, as well as their cover
pages, which are not structured according to specific criteria should not fall within the
scope of this Regulation”
31. The DPC expressed a preliminary view in the Commencement Letter that the personal data
contained in church records (now in respect of the Baptism Registers only) forms part of a filing
system within the meaning of Article 4(6) of the GDPR.
Relevant Background
32. The focus of this Decision is on the Baptism Registers held within the Archdiocese of Dublin only,
and not on any other church registers or church records held in this Archdiocese, whether in
parishes or otherwise. This is on the basis that the sacrament of baptism is considered the
gateway to the other sacraments (in accordance with canon 849).
33. The Catholic Church is governed by its own internal body of law, the Code of Canon Law (‘Canon
Law’). The most recent version of the Code of Canon Law was codified and promulgated in
1983.2 While the position in Canon Law is not determinative of the position under Irish or EU
law, it is a relevant consideration to which I will have regard in considering all issues, which arise
for determination within this Decision. The relevance of Canon Law to the inquiry is set out at
paragraphs 254 and 255.
34. I note that canon 535 §1 requires that each parish keep certain parochial registers for “baptisms,
marriages, deaths, and others as prescribed by the conference of bishops or the diocesan bishop.
The pastor is to ensure that these registers are accurately inscribed and carefully preserved”.3
Certain other church registers are held by the Archdiocese in the Chancellery office of the
Diocesan Office, including the Adopted Persons Baptism Registers and the Clonliffe College
Baptism Registers.
2 The DPC has referred throughout this Decision to Canon Law as set out by the Vatican, https://www.vatican.va/archive/cod-
iuris-canonici/cic_index_en.html:
https://wipolex.wipo.int/en/legislation/details/9033.
3 Further to Canon 895 and Decree No. 6 of the Irish Episcopal Conference as promulgated in Intercom December
1987/January 1988.
35. The Church Registers held in the parishes and in the Chancellery office indicate the sacramental
status of a person in the Roman Catholic Church. Baptism is the first and most basic sacrament
of Christian initiation and as confirmed by the Archbishop, it can only be received once.4 A
person must be baptised before they can receive any other sacrament, such as the sacraments
of confirmation, marriage or Holy Orders. As such, the Roman Catholic Church maintains a
record of all those persons who have been baptised so that in the event an individual wishes to
receive another sacrament, their baptismal status can be ascertained in advance. Therefore,
the Baptism Register is the reference point from which any other parish can ascertain whether
a person has been baptised. When an individual subsequently receives another sacrament, the
Baptism Registermust be noted accordingly as those other sacraments can also only be received
once also. The maintenance and retention of such records is essential to the administration of
the Roman Catholic Church.5
36. Any changes regarding the sacramental status of a person must be annotated in the Baptism
Register wherein their baptism is recorded, in accordance with canon 535 §2 (even where also
recorded in a separate register, e.g. confirmation register or marriage register).6
37. Baptism Registers are maintained in hard copy. According to the Archbishop, referring to
parochial registers, “the hard copy, bound volume is the only authentic, authoritative register”.7
Individual baptism registers may contain entries spanning a number of years. The Baptism
Register is replaced only when it is full. A full Baptism Register is stored in the Parish. Baptism
Registers are only transferred from a Parish into the Diocesan archive when a Parish is
suppressed.
38. The entries in a Baptism Register are made when individuals are presented for baptism, in
chronological order, based on the date of presentation. There is no prescribed form for baptism
registers, though they will include the following fields:
• Christian name of person for baptism
• Surname
• Born/Day/Month/
• Name of Parent(s)/guardian(s)
• Residing at Domicile
• Duly Baptised – Day/Month
• Celebrant of Baptism
• Name(s) of Godparent(s).
4 Submissions dated 15 October 2020, page 24.
5 Submissions dated 15 October 2020, page 24.
6 This is set out in canon 535 §2, which states that: “In the baptismal register are also to be noted confirmation and those
things which pertain to the canonical status of the Christian faithful by reason of marriage, without prejudice to the
prescript of _can. 1133, of adoption, of the reception of sacred orders, of perpetual profession made in a religious
institute, and of change of rite. These notations are always to be noted on a baptismal certificate“.
7 Submissions dated 16 March 2020, page 31.
39. The sample Baptism Register pages provided by the Archbishop to the DPC also typically include
a field at the top of each page to fill in the year in which those baptisms took place.8 Pro-forma
register books for baptism, confirmation, marriage or death are commercially available from
religious goods shops with these specific fields designated.
40. Baptism Registers are annotated with any further matters pertaining to the canonical status of
a person, for example if a person receives further sacraments, such as confirmation, marriage
or the reception of holy orders. Annulments of marriages will also be annotated in the baptism
register. In order to annotate a baptism register entry following a confirmation, a confirmation
card is completed, which allows the parish in which the confirmation took place record the
confirmation in its confirmation register. The information on the card is then used to annotate
the baptism register (if this occurred in a different parish, the confirmation card is sent to that
parish), after which the confirmation card is destroyed. Similarly, where a marriage occurs, a
pre-defined form used by all parishes is completed. This form is forwarded to the parish inwhich
the baptism of the individuals took place. That parish then annotates the baptism register to
reflect the fact of marriage.
41. Generally, a manual search of the baptism register will be carried out by the various parishes
when required to do so for the purposes of retrieving or annotating these records.Where there
is no index for the register, a search through hard copy records is required.9
42. In 2018, the Archdiocese entered 13,234 baptisms into baptism registers, 16,929 confirmations
into confirmation registers and 1,334 marriages into marriage registers. I note that each
marriage and confirmation registered was annotated into the relevant baptism registers
(though not necessarily baptism registers located within the Archdiocese).10
43. The Baptism Register is consulted by the parish priest when a request for a baptism certificate
is made by an individual (or their parents/guardian if under 16 years of age). Requests for
certificates normally arise when a person is preparing to receive another sacrament, such as
confirmation ormarriage. If a person contacts a parish looking for baptism records, they receive
a form, which enables them to apply for a copy of their baptism certificate.
44. In specific circumstances, alteration may also be made to a baptism register entry, for example
where a person changed their name by deed poll. The Directives and Guidelines for Sacramental
and Pastoral Practice (2011) (the “Guidelines”) state that any alteration to the baptism register
must be authorised through the Chancellery,11 in particular that “the express permission of the
Chancellery is required before any alteration or emendationmay bemade in an entry in any such
parochial register”.12 Documentary evidence is generally required to ground such a request for
an alteration.
8 Submissions dated 15 October 2020, Schedule of Documents, (pages 212-213 of the PDF submission).
9 Submissions dated 15 October 2020, page 5.
10 Submissions dated 16 March 2020, page 7.
11 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, Appendix 3, (page 27 of PDF submission).
12 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, section 4.5 (page 23 of the PDF submission).
45. Although deletions of entries contained within the baptism registers are not permitted, there is
no canonical prohibition on the recording of additional details in a baptism register. The
prohibition on the alteration of the Baptism Registers is not expressly set out in Canon Law.
46. In these cases, the parish priest either will apply to the Chancellery for authorisation to make
that change, or will direct the applicant to contact the Chancellery themselves. In certain limited
circumstances, the parish priest may then make a change. The Archbishop provided the DPC
with examples of letters from the Chancellery to a parish priest requesting that certain
amendments bemade to an entry in a baptism register. These letters indicated that information
which is to be altered is not deleted or erased, but, in the case of an error in a date of birth or a
change of name, a line is drawn through the out of date information, the new information is
inserted and a note is made of the corrected information. A direction is placed in the baptism
register, e.g. “Future certificates to reflect changes made”.13
47. The Archbishop informed the DPC that he is aware of “informal” methods of indexing these
registers though he is unaware of the extent of this practice within the parishes of the
Archdiocese. In respect of the Archbishop’s own parish, St Mary’s Pro-Cathedral, a hardcopy
indexing system is in place. Based on the extract provided by the Archbishop, this index appears
to consist of an alphabetical list of individuals who have been baptised, within a particular time
frame (in this case, between 1915 and 1918). Also, each entry in the index is accompanied by a
number indicating the location of the entry in the baptism registers.14
48. The Archbishop is also aware of practices such as scanning copies of the baptism registers and
the use of electronic database systems or “pastoral management systems” to record such
information.15 Microfilmed copies of baptism registers have been created and shared with the
National Library of Ireland. In the instance of the Adopted Persons Baptism Register held in the
Chancellery, an electronic version of this is maintained, “for easy searching”.16
49. With respect to storage of the Baptism Registers held in parishes, each parish is required to
have an archive, in which parochial books are to be kept, together with any and other
documents which itmay be necessary or useful to preserve. In general, parish baptism registers
are kept in safe rooms which are fireproofed and which are only accessible by the parish priest
and certain other authorised personnel.17
50. With respect to storage of the registers, Baptism Registers held in the Chancellery Office were
previously stored at Clonliffe College. Following the sale of the Clonliffe College buildings, the
Chancellery Office is now located in the Archbishop’s House, Drumcondra Road, Dublin 9 and
the Diocesan Offices have appropriate security measures in place, with entry to the Chancellery
being only permitted by the staff members.
13 Submissions dated 15 October 2020, Schedule of Documents, page 193.
14 Submissions dated 15 October 2020, Schedule of Documents, page 234.
15 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, Appendix 3, (page 27 of PDF submission); Appendix 3 of the Guidelines provide
guidance on the “Requirements for the Secure Maintaining of Duplicate Electronic Sacramental Records in Parishes”
which appears to envisage parishes employing electronic records of Church Registers.
16 Submissions dated 15 October 2020, page 1.
17 Submissions dated 16 March 2020, page 29. See also storage requirements set out at Canon 535 §4.
51. With respect to retention periods, the Baptism Registers are retained in perpetuity.18
52. The Baptism Registers are private records and are not generally accessible by the public. The
“Archbishop dictates policy with regard to access” to the Baptism Registers.19
Relevant Case Law
53. In the judgment of the Court of Justice of the European Union (“CJEU”) in C-25/17 Jehovan
Todistajat the CJEU considered the meaning of a filing system.When considering the definition
of “filing system” contained in Article 2(c) of Directive 95/46/EC the CJEU stated that:
“a ‘filing system’, referred to by that provision, covers a set of personal data collected in
the course of door-to-door preaching, consisting of the names and addresses and other
information concerning the persons contacted, if those data are structured according to
specific criteria which, in practice, enable them to be easily retrieved for subsequent use.
In order for such a set of data to fall within that concept, it is not necessary that they
include data sheets, specific lists or other search methods”.20
54. The CJEU also stated that in relation to the specific criteria used,
“the specific criterion and the specific form in which the set of personal data collected by
each of the members who engage in preaching is actually structured is irrelevant, so long
as that set of data makes it possible for the data relating to a specific person who has
been contacted to be easily retrieved”.21
55. Also considered is the recent judgment of the Court of Appeal of England and Wales, Dawson-
Damer v Taylor Wessing,22 in which the Court set out four criteria for determining whether a
relevant filing system,within themeaning of the UK Data Protection Act 1998 (which gave direct
effect to Directive 95/46/EC), was in place:
“First, are the files a “structured set of personal data”? Secondly, are the data accessible
according to specific criteria? Thirdly, are those criteria “related to individuals”? Fourthly,
do the specific criteria enable the data to be easily (or “readily” as the 1998 Act puts it)
retrieved?”23
56. Although these cases were decided before the GDPR came into force (and bearing in mind that
Damer v Wessing is only of persuasive authority), the consideration in these cases of the
meaning of a filing system remains somewhat relevant, in circumstances where the definition
of filing system remains the same under Article 2(c) of Directive 95/46/EC and Article 4(6) of the
GDPR.
18 Submissions dated 16 March 2020, page 31.
19 Submissions dated 15 October 2020, Schedule of Documents, Administrative Regulations and Guidelines for Parishes
(October 2017), (page 32 of the Guidelines document and/or page 167 of the PDF submissions).
20 Case C-25/17, Jehovan Todistajat, EU:C:2018:551, paragraph 62.
21 Case C-25/17, Jehovan todistajat, EU:C:2018:551, paragraph 61.
22 Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352.
23 Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352, paragraph 90.
57. Although Recitals 15 and 27 of Directive 95/46/EC note that a filing system is to be “structured
according to specific criteria relating to individuals, so as to permit easy access to the personal
data in question”, the current and updated position under Recital 15 of the GDPR does not
contain any reference to a requirement for a filing system to be structured so as to permit “easy
access”.
Archbishop’s Submissions
58. The Archbishop accepts that the information recorded in the Baptism Registers constitutes
personal data in accordance with Article 4(1) of the GDPR; however, he disagrees with the view
of the DPC that Baptism Registers fall under the material scope of the GDPR. The Archbishop
has made numerous submissions on this point.
59. The Archbishop submitted that the Baptism Registers are not subject to the GDPR, as the entries
in the Baptism Registers that contain personal data and special category personal data are not
processed by automated means and do not form part of a filing system within the meaning of
the GDPR.24
60. The Archbishop submitted that the hardcopy baptism registers, which contain personal data,
do not form part of a filing system, as they do not provide “easy access” as “it is not possible to
search same using specific criteria”.25 The Archbishop referred to the CJEU judgment of C-25/17
Jehovan Todistajat in this regard, and the finding of the CJEU that a filing system must be
“structured in order to allow easy access to personal data”. In particular, the Archbishop noted
three elements that were set out in that judgment as the requirements of a filing system:
“(i) The data must be structured by reference to specific criteria;
(ii) The criteria must be “related to individuals”;
(iii) The specific criteria must enable the data to be easily retrieved.
It is submitted that the baptism registers do not fulfil either (i) or (iii) of these criteria”.
24 Submissions dated 16 March 2020, pages 12-13.
25 Submissions dated 16 March 2020, page 13.
61. The Archbishop also submitted that the date of baptism is “entirely random” and “does not
correspond to age or date of birth”26 and as such does not qualify as a “specific criteria” within
the meaning of the GDPR or the elements set out by the CJEU in C-25/17 Jehovan Todistajat. In
C-25/17 Jehovan Todistajat, the CJEU stated that it was clear from Recitals 15 and 27 of Directive
95/46/EC the content of a filing system must be structured in order to allow easy access to
personal data and that it was clear from these recitals that the specific criteria “must be
‘relat[ed] to individuals”.27 The Archbishop asserted that the DPC has not demonstrated how
the criteria in question with respect to the Baptism Registers relate to individuals and in that
regard, the Archbishop referred to the following passage in C-25/17 Jehovan Todistajat also:
“Thus, it appears that the personal data collected in the course of the door-to-door
preaching at issue in the main proceedings are structured according to criteria chosen in
accordance with the objective pursued by that collection, which is to prepare for
subsequent visits and to keep lists of persons who no longer wish to be contacted. Thus,
as it is apparent from the order for reference, those criteria, among which are the name
and address of persons contacted, their beliefs or their wish not to receive further visits,
are chosen so that they enable data relating to specific persons to be easily retrieved”
(emphasis added by Archbishop).28
62. Further, the Archbishop submitted that the personal data contained in the Baptism Registers
are not easily retrieved as:
“information about a person’s baptism can only be retrieved from a baptism register
through a manual, line-by-line, page-by-page, search of likely dates as to when the
baptism occurred. This can be complicated by the fact that, in some cases, a person will
not know the Parish of his or her baptism… There is no central database which allows
identification of the place of a person’s baptism and it would be for the person concerned
to provide information as to the likely place of baptism, so that the registers in that Parish
can be searched”.29
63. The Archbishop also noted the following points:
“a person’s current address may not be sufficient in determining a Parish of baptism. A
person may now reside in Glasnevin Parish, but at the time of baptism resided in Iona
Road Parish;
date of birth does not give any indication of date of baptism. In the past, children were
generally baptised within a few days of birth. However, more recently, there can be a
period of six months or more between the date of birth and date of baptism, making the
identification of the date of baptism much more difficult.
a search of baptism registers for a particular entry requires a trawl through large books
of handwritten records, sometimes resulting in the unsuccessful search of books of the
baptism registers in several parishes. In some cases, information in the baptism register
is irretrievable as it simply cannot be found”.
26 Submissions dated 16 March 2020, page 14.
27 C-25/17 Jehovan todistajat, paragraph 57.
28 C-25/17 Jehovan todistajat, paragraph 60; Submissions dated 16 March 2020, page 15.
29 Submissions dated 16 March 2020, page 15.
64. It is on this basis that the Archbishop contends that the Baptism Registers do not meet the
requirements to be a filing system as set out in C-25/17 Jehovan todisajat, with these not being
structured according to a specific criteria and not being easily retrievable as a manual page-by-
page search is required to locate the entries containing a data subject’s personal data in the
Baptism Registers.
65. The Archbishop also referred to the Advocate General’s Opinion for case C-73/07
Tietosuojavaltuutettu v SatakunnanMarkkinaporssi Oy30 of the CJEU, in which the issue of filing
systems was considered in the context of the publication of alphabetical lists in regional
newspapers of data obtained from Finnish tax authorities. These comprised of the names of
data subjects and their income bracket organised by municipality, and a text messaging service
provided relating to that publication.31 In that Opinion, the Advocate General’s view was that
the publication of the tax data in question in this case constituted a filing system. The
Archbishop distinguished the Baptism Registers from the alphabetical lists of tax data, arguing
that unlike the lists in this case, the Baptism Registers are “not structured so as to be accessible
according to particular criteria, but rather contains entries in chronological order only. The dates
themselves do not correspond to any identifiable date relating to the person baptised, ie entries
are not listed by date of birth”32.
66. The Archbishop also referred to a judgment of the Supreme Court of Spain, case STS
4646/2008,33 which related to whether baptism registers (referred to as ‘Baptism Books’ in the
translation) constituted a filing system. The Court stated that:
“…it cannot be accepted that such personal data referred to by the Instance Court is
contained in the Baptism Books as an organised collection as required by Art. 3(b) of OL
15/99, but rather a pure accumulation of information that would be difficult to search,
access and identify as they are not ordered alphabetically, nor by date of birth, but only
by baptism dates, with the Parish having to know where it took place, and with it not
being accessible to third parties other than the baptised individual […] we must conclude
that the Baptism Books are not files in the clear and specific terms as they are considered
as per OL 15/99 (Art. 3(b), as well as in the definition thereof in Art. 2 of EC Directive
95/46” (emphasis added by Archbishop).
67. The Archbishop contends that the view of the Spanish Court in that case, whereby “a mere
chronological ordering – there by a baptism date – is insufficient to give rise to the presence of
a relevant filing system, resonates with the approach which has been taken in other Member
States in other contexts”.34
30 ECLI:EU:C:2008:727.
31 Submissions dated 16 March 2020, page 16.
32 Submissions dated 16 March 2020, page 16-17.
33 Translation provided by the Archbishop with submissions dated 16 March 2020. No official translation available.
34 Submissions dated 16 March 2020, page 17.
68. The Archbishop also noted that the judgment in case STS 4646/2008 has been re-applied more
recently in a lower court in Spain in SAN4404/2018.35 In that judgment, the court described
baptism registers as follows:
“…a pure accumulation of information that would be difficult to search, access and
identify as they are not ordered alphabetically, nor by date of birth, but only by the
baptism dates, with the Parish having to know where it took place, and with it not being
accessible to third parties other than the baptized individual, as baptism certificates for
other parties cannot be requested.”
69. The Archbishop also pointed to guidance of the UK Information Commissioner’s Office (“ICO”)
from 2011 regarding filing systems:
“Although the information in your files is held purely in chronological order, is your filing
system sufficiently well structured to allow you ready access to specific information about
a particular individual without extensive manual searching through the set of records?
Yes – you have a relevant filing system. Where information is held in a set of manual
records which is sufficiently well structured to allow ready access to specific information
about particular individuals the set will form a relevant filing system for the purposes of
the DPA.
No– you do not have a relevant filing system. Given that you cannot readily [access]
specific information about particular individuals you should consider whether the set is
sufficiently well structured for your business purposes or whether it simply constitutes an
unstructured manual record archive. Consider whether it is sensible/useful to retain these
records in this form” (Emphasis added by Archbishop).36
70. The Archbishop also noted separate ICO guidance which stated that “[w]here a set of
information contains only a single category of information held in chronological order the set
will not usually comprise a relevant filing system unless the set is structured by reference to
individuals or criteria relating to individuals” (Emphasis added by the Archbishop)37.
71. Further, the Archbishop pointed to the case of Shatter v Data Protection Commissioner38
indicating that this case “underscore[s] an apparent requirement for “evidence” if a
determination is to be made that a relevant filing system exists”.39
72. The Archbishop also referred to the case of Dawson-Damer v TaylorWessing40, stating that this
judgment “supports and confirms the position that mere chronological order – or, as with the
baptism registers, the fact that entries aremade sequentially, namely in the next space following
– is insufficient for a ‘filing system’ to arise”.41
35 Translation provided by the Archbishop with submissions dated 16 March 2020 Submission.
36 Frequently asked questions and answers about relevant filing systems, https://ico.org.uk/media/for-
organisations/documents/1592/relevant_filing_systems_faqs.pdf
37 Determining what information is ‘data’ for the purposes of the DPA, https://ico.org.uk/media/for-
organisations/documents/1609/what_is_data_for_the_purposes_of_the_dpa.pdf; Submissions dated 16 March 2020, page 18.
38 Shatter v Data Protection Commissioner [2017] IEHC 670.
39 Submissions dated 16 March 2020, page 19.
40 Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352.
41 Submissions dated 16 March 2020, page 20.
73. In reference to electronic filing systems and indexes which may be in place in certain parishes
for the Baptism Registers, the Archbishop stated in his submissions that “he does not know the
indicative number of such Parishes using any such system”.42 However, the Archbishop
submitted “[f]rom a canon law perspective, there is no difficulty with the permanent erasure of
any electronically-held records of baptism or other sacraments, as any electronically held version
is not authoritative”.43
Legal Analysis
Issue 1 for Determination:
Whether processing of personal data contained in the Baptism Registers is undertaken wholly or partly
by automated means
Personal Data and Special Category Data
74. As a preliminary point, I wish to acknowledge that the Archbishop has not contested, during the
course of the Inquiry, that the information recorded and then retained in the Baptism Registers
is personal data and special category personal datawithin themeaning of Article 4(1) and Article
9(1) of the GDPR.
75. The Archbishop stated that the following categories of data are typically recorded and retained
in the Baptism Registers:
• Christian name of person for baptism
• Surname
• Born/Day/Month
• Name of Parent(s)/guardian(s)
• Residing at Domicile
• Duly Baptised – Day/Month
• Celebrant of Baptism
• Name(s) of Godparent(s).
76. In addition, Baptism Registers are annotated with certain further matters pertaining to the
canonical status of a person, such as whether they received the sacraments of confirmation,
marriage or holy orders.
77. I am satisfied that the above categories of data constitute personal data within the meaning of
Article 4(1) of the GDPR, being “information relating to an identified or identifiable natural
person”. Further, I am satisfied that the data listed above, which reveals “religious or
philosophical beliefs” of a natural person, constitutes special category personal data within the
meaning of Article 9 of the GDPR.
42 Submissions dated 15 October 2020, page 9.
43 Submissions dated 16 March 2020, page 32.
Processing of personal data undertaken wholly or partly by automated means
78. Article 2(1) of the GDPR states:
“This Regulation applies to the processing of personal data wholly or partly by automated
means and to the processing other than by automatedmeans of personal datawhich form
part of a filing system or are intended to form part of a filing system”.
79. The Archbishop submitted that he is aware of practices such as scanning copies of the baptism
registers and the use of electronic database systems or “pastoral management systems” to
record such information.44 Further, microfilmed copies of baptism registers were created and
shared with the National Library of Ireland.
80. The Archbishop submitted that the extent to which all separate parishes hold information in
electronic form is not known to him. In respect of the Adopted Persons Baptism Register held
by the Archbishop, this register, which is held in hard copy, is ordered by date of receipt of
notifications from the Adoption Board and “consists of the original pages sent to the
Archdiocese by the Adoption Board upon an Adoption Order being granted”.45 The Chancellery
filed the entries in the Adopted Persons Baptism Register in the order the notifications were
received. There is an electronic version of the Adopted Persons Baptism Register in the
Chancellery and information from each notification received was entered to make the search
easier when requested to issue a baptismal certificate.
81. Appendix 3 of the Guidelines, as previously stated, also sets out for parish priests the
“Requirements for the Secure Maintaining of Duplicate Electronic Sacramental Records in
Parishes”. As such, it is clearly envisaged that certain electronic or automated processing of the
personal data collected in the Baptism Registers may take place. Appendix 3 sets out that:
• The handwritten registers are considered the only authentic copy of sacramental
records. The manual register must always be consulted when issuing a certificate;
• The handwritten registers must be maintained and the registers themselves are never
to be destroyed or discarded;
• Sacramental records nonetheless may be duplicated on secure computers with no
public access;
• These electronic files should be made secure through the use of password protection
and encryption to ensure that only those who should have access can do so, ie the
Parish Priest and those whom he has authorised to assist him in the work of
maintaining and updating sacramental records such as, Parish secretary or sacristan;
• The inputtingof data into the computer should only be carried out by those authorised
by the Parish Priest;46
44 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, Appendix 3, (page 27 of PDF submission) which provide guidance on the
“Requirements for the Secure Maintaining of Duplicate Electronic Sacramental Records in Parishes”; this appears to
envisage parishes employing electronic records of Church Registers.
45 Submissions dated the 15 October 2020, page 1.
46 This was intended to read “inputting” not “imputing” in the Guidelines per submissions dated 16 March 2020, page 32.
• Amendments and alterations to the electronic files should simply reflect alterations
which have already been made in the handwritten registers. Any amendment to a
register needs the prior written permission and authorisation from the Chancellery;
• No copying of electronic files should be made beyond the back-up copy which should
always be kept in a very secure place;
• The same confidentiality applies to both the handwritten registers and to the
electronic records.
82. The Archbishop has also submitted that the “the hard copy, bound volume is the only authentic,
authoritative register” 47 and with respect to any electronically-held records that “there is no
difficulty with the permanent erasure of any electronically held records of baptism or other
sacraments, as any electronically held version is not authoritative”.48 The Archbishop also stated
that, when “[i]nformation about a person’s baptism can only be retrieved from a baptism
register through a manual, line-by-line, page-by-page, search of likely dates as to when the
baptism occurred”.49
83. It is my view that, while separate electronic duplicate records of the personal data and special
category personal data contained in the Baptism Registers may be processed wholly or partly
by automated means, I accept that the hard copy Baptism Registers themselves are not
processed by automated means. The hard copy Baptism Registers require manual processing in
order to insert new entries and locate previous entries (even where electronic records may
assist in locating certain records) when checking sacramental status or issuing a certificate. I
also accept that the hardcopy Baptism Registers are the authoritative, official version of the
records and as such, must in practice be consulted (processed) manually, in order to issue a
baptismal certificate, check the sacramental status of a person prior to them receiving another
sacrament, such as confirmation, and to annotate an individual’s entry in the Baptism Register
with any such further sacraments received.
84. Although the hard copy Baptism Registers are the authoritative, official version of the records,
it is my view that any electronic duplicate records of the Baptism Registers and any personal
data and special category personal data contained in the electronic pastoral management
systems constitutes processing by automated means and as such also falls within the material
scope of the GDPR. This has also been accepted by the Archbishop in his submissions.50
47 Submissions dated 16 March 2020, page 31.
48 Submissions dated 16 March 2020, page 32.
49 Submissions dated 16 March 2020, page 15.
50 Submissions dated 16 March 2020, page 12.
Issue 2 for Determination: In circumstances where the processing is other than by automated
means, whether the Baptism Registers form part of a filing system or are intended to form
part of a filing system, having regard to the definition of filing system under Article 4(6) of the
GDPR.
85. I must now consider whether, in circumstances where the hardcopy Baptism Registers are
processed other than by automated means, the Baptism Registers form part of a filing system
or are intended to form part of a filing system, having regard to the definition of a filing system
under Article 4(6) of the GDPR.
86. The relevant provisions, which have been set out above, are Article 2(1), 4(1), 4(6) and Recital
15 of the GDPR.
87. The component elements of a filing system as set out under Article 4(6) of the GDPR are as
follows:
• any structured set of personal data;
• which are accessible according to specific criteria;
• whether centralised, decentralised or dispersed on a functional or geographic basis.
88. The definition of a filing system for the purposes of data protection law has been considered in
case law, although these interpretations are primarily in relation to the now repealed Directive
95/46 as opposed to the GDPR. In case C-25/17 Jehovan todistajat, the CJEU indicated that:
“as is made clear from recitals 15 and 27 of Directive 95/46, the content of a filing system
must be structured in order to allow easy access to the personal data. Furthermore,
although Article 2(c) of that directive does not set out the criteria according to which that
filing system must be structured, it is clear from those recitals that those criteria must be
‘relat[ed] to individuals’. Therefore, it appears that the requirement that the set of
personal data must be ‘structured according to specific criteria’ is simply intended to
enable personal data to be easily retrieved”51 (emphasis added)
89. As such, Jehovan todistajat indicates that a filing system must be structured to allow “easy
access” to the personal data contained within it. Further, the criteria according to which a filing
system is structured must be related to the individual data subjects in question. The CJEU went
on to state that, in respect of the specific criterion and the specific form in which a filing system
is structured, it is “irrelevant” so long as the set of data makes it possible for the data relating
to a specific person to be easily retrieved.52
90. In Dawson-Damer v TaylorWessing53, the English Court of Appeal also considered the meaning
of a filing system under UK Data Protection Act 1998, which transposed Directive 95/46 into UK
law. This case is only of persuasive authority. The Court set out four criteria for determining
whether a relevant filing system, within the meaning of the UK Data Protection Act 1998, was
in place:
51 C-25/17 Jehovan todistajat, paragraph 57.
52 C-25/17 Jehovan todistajat, paragraph 61.
53 Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352
“First, are the files a “structured set of personal data”? Secondly, are the data accessible
according to specific criteria? Thirdly, are those criteria “related to individuals”? Fourthly,
do the specific criteria enable the data to be easily (or “readily” as the 1998 Act puts it)
retrieved?”54
91. The Court of Appeal stated that the CJEU in Jehovan todistajat “did not consider the Directive to
be prescriptive as to the form of a relevant filing system. Instead the test is the functional one of
whether specific criteria enable the data to be easily retrieved”.55
92. Of note however, is Recital 15 of Directive 95/46/EC which provides that a filing system is to be
“structured according to specific criteria relating to individuals, so as to permit easy access to
the personal data in question” and Recital 27 of Directive 95/46/EC which states that a filing
system “must be structured according to specific criteria relating to individuals allowing easy
access to the personal data” are not repeated under the GDPR.
93. The wording of Recital 15 GDPR, set out above at paragraph 30, clearly differs from Recitals 15
and 27 of Directive 95/46 in that it does not refer to “easy access” or indeed to access at all, nor
does it specify that the specific criteria must be “relating to individuals”. Instead, the first
sentence of Recital 15 of the GDPR commences with preventing a risk of circumvention of the
application of the Regulation by data controllers: “in order to prevent creating a serious risk of
circumvention, the protection of natural persons should be technologically neutral and should
not depend on the techniques used”. It further states that: [t]he protection of natural persons
should apply to the processing of personal data by automated means, as well as to manual
processing, if the personal data are contained or are intended to be contained in a filing system”.
94. Therefore, it is my view that the definition of a filing system under the GDPR is intended to be
interpreted in a wider manner than the definition of a filing system under Directive 95/46
(guided by Recitals 15 and 27), in that the definition of a filing system is now by reference to a
“any structured set of personal data” which is “accessible” according to specific criteria.
95. That said, I note the UK Court of Appeal’s comment in paragraph 91 of Dawson-Damer v Taylor
Wessing wherein it stated the following:
“Mr White challenged the Judge’s conclusion (relevant to the third question) that the
specific criteria needed to be “related to individuals”. We consider, however, that that
requirement is implicit in Article 2(c). It is difficult to see how personal data could be
accessible according to specific criteria unless those criteria are in some way related to
individuals.”
54 Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352, paragraph 90.
55 Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352, paragraph 83.
96. The Court of Appeal further stated:
“A criterion may be closely related to an individual (for example it might be his or her
name or National Insurance number), or it may be remotely related to an individual (for
example the street in which he lives). The degree of specificity of the criterion does not
preclude a finding that the criterion relates to an individual. One needs to bear in mind,
nevertheless, that a very general criterionmay be less likely to enable easy or ready access
to the data. The Directive and the Act are clear in requiring a causative link between the
criterion and ease of access of the data”56 (emphasis added).
97. In Jehovan todistajat the CJEU stated that:
“the specific criterion and the specific form in which the set of personal data collected by
each of the members who engage in preaching is actually structured is irrelevant, so long
as that set of data makes it possible for the data relating to a specific person who has
been contacted to be easily retrieved”57
98. It is my view that the tests set out under Jehovan todistajat and Dawson-Damer v Taylor
Wessing (only of persuasive authority), such as the specific criteria “relating to individuals”
which structures the filing system must enable “easy access” to the personal data or allow it to
be “easily retrieved” are not the determinative factors in the interpretation of the definition of
a filing system under the GDPR.
99. Notwithstanding this, I continue to have regard to the case law as set out above. This case law
considers the definition of a filing system with reference to Directive 95/46, and the extent to
which the personal data in a filing system is easily retrievable or readily available based on the
specific criteria relating to individuals which structures the filing system. Although it is certainly
less decisive in this present context as these principles have no legislative basis under the GDPR.
That said, I am of the view that the specific criteria must have some link to accessing the
personal data but does not need to be closely related to that individual.
In addition, it is my view that the personal data and special category personal data in the
Baptism Registers need not necessarily be easily accessible or easily retrieved by way of a
specific criteria which relates to individuals, in order for the Baptism Registers to fall under
the definition of a filing system within the meaning of Article 4(6) of the GDPR.
100. I will now consider whether the Baptism Registers fall within the definition of a filing system as
specifically set out under Article 4(6) of GDPR with reference to whether they are:
• any structured set of personal data;
• accessible according to specific criteria; and
• centralised, decentralised or dispersed on a functional or geographic basis.
56 Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352, paragraph 96.
57 C-25/17 Jehovan todistajat, paragraph 61.
Structured Set of Personal Data
101. First, to be included as part of a filing system, the personal data must be a “structured set of
personal data”.
102. As part of his submissions, the Archbishop provided sample pages of a Baptism Register. These
pages identify the personal data and special category personal datawhich is recorded in respect
of an individual when they are baptised; the pages also set out clear fields for the input of this
information in relation to that individual, including:
• christian name;
• surname;
• date of birth;
• name of parents;
• address;
• date of baptism;
• name of parish priest/curate or minister;
• name of god-parents; and
• canonical circumstances to be indicated (e.g. adult, convert, conditional or Private
baptism, foundling etc).58
103. The Baptism Register samples also indicate fields for the recording of details relating to other
sacraments received by an individual. These fields include the following:
• confirmed (by whom, church where, day, month, year);
• contracted marriage, (with whom, diocesan church, where; day, month, year; and
• indicate reception of diaconate or solemn religious profession.
104. There is also a column to indicate whether a baptism certificate was issued. The sample Baptism
Register pages provided by the Archbishop to the DPC also typically include a field at the top of
each page to fill in the year in which the baptisms on that page took place.59
105. While the Archbishop has indicated (and I accept) that the sample Baptism Register is not
indicative of every template of Baptism Register used by every parish in the Archdiocese, I note
that canon 877 §1 is also explicit as to the information which is to be recorded when a baptism
is registered.60
106. With respect to whether the Baptism Registers are structured according to a specific criteria,
the Archbishop submitted that they are not.
58 Submissions dated 15 October 2020, Schedule of Documents, page 212, 213
59 Submissions dated 15 October 2020, Schedule of Documents, page 212, 213.
60 Canon 877 §1 states that “The pastor of the place where the baptism is celebrated must carefully and without any delay
record in the baptismal register the names of the baptized, with mention made of the minister, parents, sponsors,
witnesses, if any, the place and date of the conferral of the baptism, and the date and place of birth”.
107. The entries for each individual, which must include the personal data as described above, are
entered chronologically into the Baptism Register, in order of when the baptism occurs. Once a
Baptism Register is full, a new Baptism Register is commenced. In respect of the Adopted
Persons Baptism Register, the entries were inputted chronologically by date of receipt of
notifications from the Adoption Board.
108. Each parish is required to maintain its own parochial registers, including a baptism register. As
such, the Baptism Registers are structured according to the parish in which they are recorded.
The Adopted Persons Baptism Register is recorded by the Chancellery on behalf of the
Archbishop and is not structured on the basis of the parish in which the baptism took place, but
chronologically according to the date of notification by the Adoption Board to the Chancellery
only.
109. In my view, the Baptism Registers can be considered a “structured set of personal data”, which
is structured according to (a) the parish in which the baptism took place (save for the Adopted
Persons Baptism Register); and (b) the date on which each baptism took place, or in the case of
the Adopted Persons Baptism Register, the date upon which notifications were received from
the Adoption Board.
Accessible According to Specific Criteria
110. I will now consider whether the Baptism Registers, as a structured set of personal data and
special category personal data, are accessible according to specific criteria. Baptism Registers
are kept in each parish of the Archdiocese and are structured by entries which include certain
fields of personal data. These entries are therefore ordered by place of baptism and in turn
included in that parish Baptism Register chronologically by the date upon which the baptism
took place (or the date a notification was received from the Adoption Board in the case of the
Adopted Persons Baptism Register).
Specific Criteria: place and date of baptism
111. The Archbishop has submitted that it is not possible to search the Baptism Registers using
specific criteria.61 In particular, the Archbishop has submitted that the criteria by which the
Baptism Registers are structured - date of baptism/date of receipt of notification “is entirely
random. It does not correspond to age or date of birth, and people can be, and are, baptised as
all manner of ages”.62
112. The Archbishop also submitted that the Baptism Registers are “not structured so as to be
accessible according to particular criteria, but rather contains entries in chronological order only.
The dates themselves do not correspond to any identifiable date relating to the person baptised,
i.e. entries are not listed by date of birth”.63
113. The Archbishop also submitted that the Baptism Registers do not conform with the
requirements as set out in C-25/17 Jehovan todistajat to be a filing system, not being structured
according to a specific criteria and not being easily retrievable.
61 Submissions dated 16 March 2020, page 13.
62 Submissions dated 16 March 2020, page 14.
63 Submissions dated 16 March 2020, page 16-17.
114. With respect to Jehovan todistajat, the Archbishop also submitted that the DPC had not
demonstrated how the criteria in question with respect to the Baptism Registers relates to
individuals and referred to the following passage from Jehovan todistajat:
“Thus, it appears that the personal data collected in the course of the door-to-door
preaching at issue in the main proceedings are structured according to criteria chosen in
accordance with the objective pursued by that collection which is to prepare for
subsequent visits and to keep lists of persons who no longer wish to be contacted. Thus,
as it is apparent from the order for reference, those criteria, among which are the name
and address of persons contacted, their beliefs or their wish not to receive further visits,
are chosen so that they enable data relating to specific persons to be easily retrieved”64.
115. The judgment in Jehovan todistajat set out that the specific criteria must be “related to
individuals“.65 Having regard to the facts in that case as to whether the notes taken by door-to-
door Jehovah’s Witness preachers constituted a filing system within the meaning of Directive
95/46/EC, the CJEU stated that:
“the specific criterion and the specific form in which the set of personal data collected by
each of the members who engage in preaching is actually structured is irrelevant, so long
as that set of data makes it possible for the data relating to a specific person who has
been contacted to be easily retrieved”.66
116. The CJEU in Jehovan todistajat concluded that data collected by individual members of the
Jehovah’sWitnesses Community, in the course of door-to-door preaching as a memory aid and
on the basis of geographical area to facilitate the organisation of subsequent visits, including
the name and address,were structured in such away that data relating to specific persons could
be easily retrieved and thus formed part of a filing system for the purposes of Directive
95/46/EC.
117. The Archbishop also referred to a judgment of the Supreme Court of Spain, Case STS
4646/2008,67 which related to whether baptism registers (referred to as ‘Baptism Books’ in the
translation) constituted a filing system. The Spanish Court stated that baptism registers in that
context were “a pure accumulation of information that would be difficult to search, access and
identify as they are not ordered alphabetically, nor by date of birth, but only by baptism dates,
with the Parish having to know where it took place, and with it not being accessible to third
parties other than the baptised individual […]”.68 The Archbishop also noted that the judgment
in Case STS 4646/2008 has been re-applied more recently in a lower court in Spain in
SAN4404/2018.69
64 C-25/17 Jehovan Todistajat, paragraph 60.
65 C-25/17 Jehovan Todistajat, paragraph 57.
66 C-25/17 Jehovan Todistajat, paragraph 61.
67 Translation provided by the Archbishop with 16 March 2020 Submission. No official translation available.
68 Translation provided by the Archbishop with 16 March 2020 Submission, page 17; No official translation available.
69 Translation provided by the Archbishop with 16 March 2020 Submission. No official translation available.
118. The Archbishop argued that the view of the Spanish Court in that case, that “a mere
chronological ordering – there by a baptism date – is insufficient to give rise to the presence of
a relevant filing system, resonates with the approach which has been taken in other Member
States in other contexts”.70
119. Firstly, I note that Baptism Registers are compiled and thus structured by two specific criteria,
namely, location of parish/place of baptism and date of baptism. Therefore, in circumstances
where the Baptism Registers form a dispersed set of data, and each parish maintains its own
Baptism Register, once an individual knows their place and date of baptism, they would be able
to locate their relevant personal data contained within the Baptism Register.
120. I disagree with the Archbishop on the point that a baptism date (a chronological ordering) is not
a sufficient criteria upon which a filing system may be structured. Indeed, the CJEU in Jehovan
todistajat stressed that “the specific criterion and the specific form in which the set of personal
data […] is actually structured is irrelevant, so long as that set of data makes it possible for the
data relating to a specific person who has been contacted to be easily retrieved”71 (emphasis
added). This would indicate that a criteria which structures a set of data in a chronological
fashion is as valid as any other structure.
121. Further, with respect to the Spanish cases of Case STS 4646/2008 and SAN4404/2018, I note
that these decisions are of persuasive value only and are not binding on the DPC. I respectfully
disagree with the Spanish Court’s finding that the data collected in the Baptism Books was a
“pure accumulation” of information. In my view, the personal data is collected with the clear
intention of future access and disclosure. The collection of the data serves a purpose other than
recording for recording’s sake, and it has a direct relationship to the data subjects referenced.
122. The Baptism Registers serve a particular purpose, mainly to ensure the proper administration
of sacraments by recording the sacrament of baptism and annotating further sacraments.
Therefore, the Baptism Register is more than merely an accumulation of data; the Baptism
Register is an essential record for the Church in the administration of sacraments, which is
accessed regularly by this specific criteria of location and date of baptism by the parishes
themselves for the purposes of the performance of its administrative function regarding the
sacraments. I am of the view that, even in circumstances where the Baptism Registers were only
ordered chronologically by baptism date, this provides a clear criteria by which they were
ordered and by which they can be searched.
123. I note also that the Archbishop has pointed in his submissions to ICO guidance from 2011
entitled “Frequently asked questions and answers about relevant filing systems”, in particular:
“Although the information in your files is held purely in chronological order, is your filing
system sufficiently well structured to allow you ready access to specific information about
a particular individual without extensive manual searching through the set of records?
70 Submissions dated 16 March 2020, page 17.
71 C-25/17 Jehovan todistajat, paragraph 61.
Yes – you have a relevant filing system. Where information is held in a set of manual
records which is sufficiently well structured to allow ready access to specific information
about particular individuals the set will form a relevant filing system for the purposes of
the DPA.
No – you do not have a relevant filing system. Given that you cannot readily [access]
specific information about particular individuals you should consider whether the set is
sufficiently well structured for your business purposes or whether it simply constitutes an
unstructured manual record archive. Consider whether it is sensible/useful to retain these
records in this form”.72
124. I note that this is guidance only and relies on the determinative factor of whether there is ready
access to the personal data, based on the position under the now repealed Directive 95/46. As
I have previously indicated, the GDPR is to be interpreted to take a wider view of filing systems,
not specifying that “easy access” is required, nor that the specific criteria must be “relating to
individuals”, as with the now repealed Directive 95/46.
125. In addition, and in consideration of the passages of the above ICO guidance referred to by the
Archbishop, it must be noted that Baptism Registers, are recorded and maintained in order to
fulfil a central role in the administration of certain sacraments in the Church. Indeed, by the
logic of the ICO, it seems that the Baptism Registers are “sufficiently well structured” for the
analogous “business purposes” of the Church, as they are used frequently for the administration
of the Church. They serve a clear purpose and use within the Church, which stems directly from
the ability of the parishes to be able to search, locate, annotate and alter personal data relating
to specific individuals, based on the parish of baptism and the date of baptism alone (and in the
case of the Adopted Persons Baptism Registers the date of notification alone).
126. The Archbishop has also indicated that he is aware of “informal” methods of indexing these
registers though he is unaware of the extent of this practice within the parishes of the
Archdiocese. In respect of the Archbishop’s own parish, St Mary’s Pro-Cathedral, a hardcopy
indexing system has been put in place. Based on the extract provided by the Archbishop, this
index appears to consist of an alphabetical list of individuals who have been baptised, within a
particular time frame (in this case, between 1915 and 1918). Each entry in the index is also
accompanied by a number indicating the location of the entry in the baptism registers. 73
127. There is no doubt that where specific criteria is used to structure a set of personal data through
an indexing system for ease of access to the personal data contained within the Baptism
Registers no argument can arise as to whether such specific criteria relates to an individual,
being indexed by the name of the individuals themselves.
72 Frequently asked questions and answers about relevant filing systems, https://ico.org.uk/media/for-
organisations/documents/1592/relevant_filing_systems_faqs.pdf
73 Submissions dated 15 October 2020, Schedule of Documents, page 233-235.
128. The Archbishop also referred to case C-73/07 Tietosuojavaltuutettu v Satakunnan
Markkinaporssi Oy74 before the CJEU. In particular, the Archbishop referred to Advocate
General Kokott’s Opinion75 and the reference in that Opinion to the fact that the published tax
data in this case, which related to the publication of tax data in certain newspapers in Finland,
constituted a filing system, being structured in alphabetical order. The Archbishop argued that
this stands in contrast to the Baptism Registers, which are not “not structured so as to be
accessible according to particular criteria, but rather contains entries in chronological order
only”.76 As I have previously stated, chronological ordermay be a sufficiently specific criteria by
which to structure a filing system, in particular where the criteria is the date and location of
baptism. Again, a filing systemwhichwas hypothetically ordered chronologically by date of birth
would clearly be considered to be structured by a specific criteria related to an individual. I am
of the view that the same logic applies to a set of data structured chronologically by date and
location of baptism.
129. In his submissions, the Archbishop also referred to the High Court case of Shatter v Data
Protection Commission77 stating that this case highlights an “apparent requirement for
“evidence” if a determination is to be made that a relevant filing system exists”. The DPC
respectfully notes that this case is fact specific which concerned an email “internal to An Garda
Síochána” shown, but not provided to Mr. Shatter. From my perspective, an assessment as to
whether a filing system within the meaning of the GDPR is in place consists of a factual
assessment as to whether the elements of a filing system as set out in Article 4(6) are present.
Such an assessment must be done on a case-by-case basis.
130. The Archbishop also referred to Dawson-Damer v Taylor Wessing, which applied Jehovan. The
Archbishop stated that the Dawson-Damer case “concerned only ‘35 paper files’… which stands
in contradistinction to the considerably greater number of records at issue here”.78 The
Archbishop also noted that the Court of Appeal stated that “the 35 files were completely
unstructured beyond their chronological compilation under the description ‘Yuills Trusts’ ". The
Archbishop indicated in his submissions that the above passages supports his view that “mere
chronological order – or, as with the baptism registers, the fact that entries are made
sequentially, namely in the next space following – is insufficient for a ‘filing system’ to arise”.79
131. I do not accept the view submitted by the Archbishop and consider that the structure of Baptism
Registers cannot be compared to the factual scenario set out in Dawson-Damer v Taylor
Wessing. A significant difference in fact pattern is that the 35 paper files in TaylorWessing were
arranged by reference to the “corporate client, the trustee”,80 not by reference to individuals
and contained all relevant material relating to the legal matters ongoing for the trustee.
74 Tietosuojavaltuutettu v Satakunnan Markkinaporssi Oy ECLI:EU:C:2008:727.
75 Opinion AG Kokott Case C-73/07 Tietosuojavaltuutettu v Satakunnan Markkinaporssi Oy ECLI:EU:C:2008:266.
76 Submissions dated 16 March 2020, page 16.
77 Shatter v Data Protection Commissioner [2017] IEHC 670.
78 Submissions dated 16 March 2020, page 19.
79 Submissions dated 16 March 2020, page 20.
80 Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352, paragraph 95.
132. By contrast, the Baptism Registers are firstly organised on a geographical basis, by parish. The
Baptism Register is divided into separate ledgers that contain all baptisms for a specific time
period for that parish. Each page of entries in the Baptism Register of a parish contains the year
of baptism for entries on that page. Each entry then is entered chronologically by date of
baptism and contains personal data for each individual, that individual’s Lawfully Married
Parents and the minister.
133. This is to be distinguished from the situation in Dawson-Damer v TaylorWessing, wherein it was
necessary to examine every page of every file to ascertain whether it contained personal data
of the relevant data subjects. The files were not structured by any criteria to the extent that
knowing any details relating to the data subjects would assist in locating the relevant personal
data, as the files were not structured by reference to the data subjects in any way. The Court of
Appeal noted that “[t]he only way that data could be retrieved was by physically examining the
files page by page. The criterion “Yuills Trusts” was so unspecific as to be of little or no assistance
in the retrieval of personal data relating to the individual beneficiaries”.81 The structure of the
filing system in that case did not enable access except with the use of manual search of the
entire set of data.
134. In the instance of the Baptism Registers, knowing the parish of baptism of the data subject and
the date of baptism of the data subject allows the personal data to be accessible, by narrowing
a search to the specific registers held in a particular parish, and to the one Baptism Register
book concerned with the relevant time frame. The search will be narrowed even further when
with a quick preliminary view of the Baptism Register, the pages dealing with the correct year
are located.
135. Pursuant to Article 4(6) GDPR, the criteria is “any” structured set of personal data, that being
“centralised, decentralised or dispersed on a functional or geographical basis.” Furthermore,
this criteria does not need to be “particularly sophisticated”,82 and the “specific criterion and
the specific form” of the data as to how it is structured is “irrelevant”83. I also note Advocate
GeneralMengozzi’s Opinion in Jehovan todistajat, where a broad approach was taken as to the
criteria that can be used to determine how a filing system is structured. Advocate General
Mengozzi found that members of the Jehovah Witness Community can, to an extent, also
become a “criterion”. He stated:
“To a certain extent, the member himself becomes a criterion structuring the data set in
so far as the religious community allocates areas geographically. The community knows,
therefore, that data relating to a particular person living in a specific neighbourhood may
have been collected by a particular member. Even if the religious community does not
indicate to itsmembers the nature of the data collected, the latter can be inferred de facto
from the objective pursued, that is to say, preparation for subsequent visits”.84
81 Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352, paragraph 97.
82 Opinion AG Mengozzi, Case C-25/17 Jehovan todistajat, ECLI:EU:C:2018:57, paragraph 57.
83 C-25/17, Jehovan todistajat, paragraph 61.
84 Opinion AG Mengozzi, Case C-25/17 Jehovan todistajat, paragraph 57.
136. I have already given my view that the specific criteria by which data may be structured into a
filing system is not required under the GDPR to closely relate to an individual. Furthermore, I
have difficulty accepting how, in this instance, the date of a person’s baptism, and/or the parish
of their baptism does not relate to the individual, even if those criteria do not provide a one to
one match.
137. The Archbishop stressed that the Baptism Registers “are not searchable by commonly available
information, such as a name, address, date of birth or such similar information that would
generally allow a data controller to retrieve personal data”.85 He submitted that the date of
baptism does not relate to the date of birth of the person or their address and are “entirely
random”. I do not see how the date of a person’s baptism, or the parish of their baptism is any
different functionally , than say the date of a person’s birth or the place of a person’s birth.
While most people will know the date and place of their birth, if they were unaware of this, it
would not discount it as a criteria relating to them for the purposes for any filing system inwhich
such criteria is used.
138. Similarly, the Archbishop contends that many people do not know the date of their baptism or
the place in which they are baptised.86 Again, I fail to see how this lack of knowledge on an
individual’s part would prohibit such criteria from being firstly related to them as an individual;
and secondly used to structure a set of data and make the personal data contained within that
set accessible. It stands to reason of course that if a particular individual does not have the
relevant information as to their own date of baptism or parish of baptism this would hinder the
search within a filing system, but would not discount an entire set of structured data from being
a filing system in itself.
Specific Criteria: Accessible
139. The Archbishop submitted that “the data in the baptism registers is not easily retrieved.
Information about a person’s baptism can only be retrieved from a baptism register through a
manual, line-by-line, page-by-page, search of likely dates as to when the baptism occurred. This
can be complicated by the fact that, in some cases, a person will not know the Parish of his or
her baptism”.87 Elsewhere he stated that in order to find an entry in the formal defection
register “ideally some idea of when the date of petition was submitted would be required, to
narrow the scope of the manual search”.88
140. The Archbishop submitted that there is no “central database” which details a person’s place of
baptism and it would be up to the person themselves to provide information on their place of
baptism. The Archbishop has also submitted that certain parishes have indexing systems in
place in addition to digital copies of the Baptism Registers and pastoral management systems
in place.
141. The Archbishop also noted that:
• “A person’s current address may not be sufficient in determining a Parish of baptism”;
85 Submissions dated 16 March 2020, pages 15, 16.
86 Submissions dated 16 March 2020, page 15.
87 Submissions dated 16 March 2020, page 15.
88 Submissions dated 15 October 2020, page 2.
• “date of birth does not give any indication of date of baptism. In the past, children
were generally baptised within a few days of birth. However, more recently, there can
be a period of six months or more between the date of birth and date of baptism,
making the identification of the date of baptism much more difficult”;
• “a search of baptism registers for a particular entry requires a trawl through large
books of handwritten records, sometimes resulting in the unsuccessful search of books
of the baptism registers in several parishes. In some cases, information in the baptism
register is irretrievable as it simply cannot be found”.89
142. The Archbishop submitted that, as a result, the Baptism Registers cannot meet the criteria of
being “easily retrieved”. He noted that the records are held in hard copy bound volumes and
“are not structured sets but simply list baptisms in the chronological order that they take place
in the Parish”. As such, they are not searchable by commonly available information, such as a
name or address, in contrast to the data referred to in Jehovan todistajat.90
143. The Archbishop also drew the attention of the DPC to Dawson-Damer v TaylorWessing in which
it was stated, in respect of the criteria of what constitutes a filing system:
“One needs to bear in mind, nevertheless, that a very general criterion may be less likely
to enable easy or ready access to the data. The Directive and the Act are clear in requiring
a causative link between the criterion and ease of access of the data”91.
144. I note the two Spanish Supreme Court judgments highlighted by the Archbishop which found
that the baptism registers would be difficult to search, access and identify as they are not
structured alphabetically or by date of birth but by baptism date, with the parish having to know
the church where the baptism took place, and not being accessible to third parties other than
the baptised individual.92
145. In addition, I note in Dawson-Damer v Taylor Wessing that the Court of Appeal stated the files
in question were “completely unstructured beyond their chronological compilation”.93 The
Archbishop finds this statement “supports and confirms the position that mere chronological
order” is insufficient for a filing system to arise.94 I note also that the Court of Appeal in Taylor
Wessing found that:
“the “ready access” required under the Directive and the Act must be enabled by the
criteria, that is to say by the structure of the files. If access to the relevant data requires
the use of trainees and skilled lawyers, turning the pages of the files and reviewing the
material identified, that is a clear indication that the structure itself does not enable ready
access to the data”.95
89 Submissions dated 16 March 2020, page 15.
90 Submissions dated 16 March 2020, pages 15, 16.
91 Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352, paragraph 96.
92 SAN4404/2018.
93 Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352, paragraph 99.
94 Submissions dated 16 March 2020, page 20.
95 Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352, paragraph 99.
146. As previously set out, the Baptism Registers are structured according to the place and date of
baptism. I have already distinguished Taylor Wessing from the facts of this Inquiry in that a
complete manual search of the files was required in that case as they were not structured by
any criteria relating to individuals. I do not accept that a limited amount of manual searching
means that personal data in a filing system is not accessible for the purposes of the GDPR. This
is especially so where it has been demonstrated that the filing system in question in this Inquiry,
the Baptism Registers, are relied upon to provide relevant information for the purposes of
issuing baptismal certificates or to annotate a further sacrament. On this basis, it must be the
case that the personal data contained within the Baptism Registers is accessible. Given the
frequency with which the parishes administer sacraments such as confirmation and marriage,
itmust also be the case that the personal data contained within the Baptism Register are readily
accessible.
147. The ICO guidance on filing systems formulates a rule of thumb “temp test” in order to assist
organisations in determining whether a relevant filing system is in place, focussing on the
accessibility or otherwise of files. The test was also mentioned in Taylor Wessing96 and was
noted by the Archbishop in his submissions. This temp test is set out by the ICO as follows:
“If you employed a temporary administrative assistant (a ‘temp’), would they be able to
extract specific information about an individual from your manual records without any
particular knowledge of your type of work or the documents you hold?
The ‘temp test’ assumes that the temp in question is reasonably competent, requiring only
a short induction, explanation and/or operating manual on the particular filing system in
question for them to be able to use it.”
148. It is noteworthy that this test is based on the legislative regime under the now repealed
Directive 95/46. In circumstances where a temporary administrative assistant was required to
locate a particular entry within the Baptism Register of a particular parish, would they be able
to do so? The answer to that question is yes. Based on the samples provided by the Archbishop,
Baptism Register tends to be marked with a range of years and the year of baptism is set out at
the top of each page. As such, the correct section of the Register would be located with relative
ease by a personwho has no experience with the type of documents the Church holds. Although
some limited manual searching would be required, it would not preclude the administrative
assistant from locating the correct entry. Searching the register would bemore straightforward
if an indexing or pastoral management system exists within the parish.
149. Of crucial importance of course, is the fact that itwas intended that the Baptism Registers would
enable the searching and consultation of particular entries. As the Archbishop submits, the
purpose for which the personal data in the baptism registers is processed, is that it is essential
for the administration of the Church.97
96 Taylor Wessing [2020] EWCA Civ 352, paragraph 79.
97 Submissions dated 15 October 2020, page 23.
150. The Archbishop has submitted that the personal data and special category personal data
contained in the Baptism Registers undergo a number of processing activities:
i. Collection and recording of data for the purposes of recording the baptism;
ii. Storage of the Baptism Register;
iii. Alteration of the Baptism Register on request of the baptised person or his/her parents
(where the baptised person is a minor), or annotation with details of a person’s
confirmation, marriage/annulment and ordination/laicisation (or adoption);
iv. Retrieval, consultation and use of the register, at the request of the baptised person
(or his/her parents) for the administration of other Sacraments, namely confirmation,
marriage and holy orders. The Baptism Register may also be consulted in the context
of annulments of marriages or laicisation of priests; and
v. Disclosure of extracts (baptismal certificates) from the register by transmission upon
request to individual, identified baptised persons, or authorised persons acting on their
behalf, or upon inspection by [the Archbishop] on the occasion of a Parish Visitation.98
151. Of particular relevance to a consideration of the accessibility of Baptism Registers as part of a
filing system or intended to form part of a filing system is point (iv) and (v) of this list as set out
above. Initially certificates can be issued to the person baptised or to the parents of the person
baptised, detailing the date and parish of baptism. Furthermore, there is a requirement to
subsequently annotate the baptism register if a person receives another sacrament
(confirmation, marriage or holy orders). According to the Archbishop, “very often, these
sacraments will be administered in other parishes”99 and must then be annotated in the parish
in which the baptism took place, necessitating a search for the correct entry in that parish
Baptism Register. As this is a regular administrative action carried out by the Church in the
furtherance of the administration of the sacraments, this demonstrates the accessibility of the
baptism registers as a filing system.
152. The Archbishop also gave a clear indication in his submissions of the scale upon which the
Baptism Registers are searched on a yearly basis. In 2018, the Archdiocese entered 13,234
baptisms into baptism registers, 16,929 confirmations into confirmation registers and 1,334
marriages into marriage registers. I note that each marriage and confirmation registered will
have been annotated into the relevant baptism registers also (though not necessarily baptism
registers located within the Archdiocese). In the instance of each confirmation and marriage as
listed above, the Baptism Register would have to have been accessed, searched with the
information retrieved and subsequently annotated to reflect this.
153. In effect, the Baptism Registers may require a limited level of manual searching, once the
correct parish is identified. A certain amount ofmanual searching cannot exempt personal data
from the scope of the GDPR, simply because the manual searching tends to make retrieval of
the personal data slower or more cumbersome.
98 Submissions dated 6 September 2021, pages 2-3.
99 Submissions dated 16 March 2020, page 27.
154. Even if a page-by-page search were required, this would be limited to the years of the baptisms
in question, which are clearly marked at the top of each page in the Baptism Register.100 The
year in question is identified with relative ease and, depending on the number of baptisms
which have taken place in a given parish, it is likely that no more than 10 to 20 pages at a
maximum on average would need to be manually searched before the correct entry is
identified.
155. It is clear that the Baptism Registers were intended to operate to facilitate the searching of
entries manually in this manner. It is also clear that the Baptism Registers are sufficiently
structured according to the criteria of the parish in question and the date of baptism to allow
the Archdiocese function at a sufficient level to uphold a “key tenet” of the Catholic Church101
and to allow the proper recording of the sacramental status of an individual and the checking
of that status where necessary. Indeed, the Archbishop submitted in this regard that the
Baptism Register is “essential for the administration of the affairs of the Catholic Church”.102
156. I also have regard to the fact that the GDPR allows for a wider interpretation of a filing system
than was previously the case with the equivalent definition under Directive 95/46. This more
expansive interpretation serves to protect the fundamental rights and freedoms of natural
persons.
157. On that basis, I do not support the Archbishop’s argument that the personal data in the Baptism
Registers is not easily accessible. I find that the specific criteria of date and parish of baptism
(along with the name of the individual) would provide ready access to the personal data in
question, in circumstances where this filing system, (and in some instances with the assistance
of electronic searching), is used on a regular basis by all the parishes in the Archdiocese.
158. While I acknowledge that the Archbishop has submitted that manual searching must take place
to locate entries after a certain point, I am firmly of the view that ready access to personal data
is possible, particularly when regular reliance is placed on this system including accessing this
personal data by the parishes of the Archdiocese when the need arises.
Centralised, Decentralised or Dispersed on a Functional or Geographic basis.
159. Baptism Registers in the Archdiocese are structured, for the most part, on a geographical basis,
being decentralised and dispersed among the parishes of the Archdiocese. Each parish records
in its respective registers the baptisms that took place there, in accordance with the date of
baptism. There are two exceptions to this.
100 Submissions dated 15 October 2020, Schedule of Documents, pages 212.
101 Submissions dated 16 March 2020, page 44.
102 Submissions dated 16 March 2020, page 50.
160. The first exception is that the Chancellery holds the Clonliffe College Registers which should, as
outlined by the Archbishop, in fact ”be held in the parish of North William Street Parish, which
is the proper place of preservation”. The Archbishop submitted that Clonliffe College was in the
territory of NorthWilliam Street Parish and Clonliffe College itself as a seminary had no right to
confer sacraments of initiation (baptism and confirmation) or to maintain registers to record
those sacraments. The Archbishop submitted that the Clonliffe College Registerswere recorded
“for the sake of ensuring that, in the event that NorthWilliam Street Parish omitted to record a
notification of a conferral of the sacrament which had occurred in Clonliffe College, a record
would remain in the place where the sacrament was conferred.” The Archbishop also submitted
that this “is not an unusual practice in parishes where chaplaincies are located away from the
parish church”.103
161. While not held in the parish church or offices, I am of the view that the Clonliffe College
Registers are held within the bounds of the North William Street Parish itself and as such are
part of the filing system of Baptism Registers in the Archdiocese which is decentralised and
dispersed through the parishes of the Archdiocese.
162. The second exception is the Adopted Persons Baptism Register. This register is held in the
Chancellery on a centralised basis104 and consists of entries relating to baptisms which took
place in various parishes in the Archdiocese between 1982 and 2011. The Adopted Persons
Baptism Registers is ordered by when the Chancellery was notified by the Adoption Board of
the details of an adopted child and the details of their baptism. The original entry in the parish
of baptism then ceased (meaning the original baptismal entry is annotated and that no baptism
certificate may issue from the parish of baptism).
163. In my view the Adopted Persons Baptism Registers also forms part of the filing system of the
Baptism Registers within the Archdiocese. In circumstances where a person’s baptism entry
needs to be annotated or a baptismal certificate needs to be issued, the criteria of parish of
baptism and date of baptism still apply (unless an individual is already aware that they must
contact the Chancellery). As stated in the “Adopted Persons’ Baptismal Register Cessation of
Parish Entry” form provided by the Archbishop with the 16 March 2020 Submission, the parish
is required to annotate the following beside the relevant baptism entry ”Refer all requests for
certificates/notifications to the Chancellery”.
Issue 3 for Determination: Whether any of the exemptions to the scope of the GDPR as set
out in Article 2(2) applies to the processing of the Baptism Registers
164. I must now consider whether, in circumstances where it is my view that that the personal data
and the special category personal data contained in the Baptism Registers, not being processed
by automated means, and forming part of a filing system, are exempt from the GDPR under
Article 2(2) of the GDPR.
165. Article 2(2) of the GDPR outlines certain types of processing of personal data to which the GDPR
does not apply, in particular processing:
a) in the course of an activity which falls outside the scope of Union law;
103 Submissions dated 23 July 2021, page 3.
104 Submissions dated 15 October 2020, page 3.
b) by the Member States when carrying out activities which fall within the scope of
Chapter 2 of Title V of the TEU;
c) by a natural person in the course of a purely personal or household activity;
d) by competent authorities for the purposes of the prevention, investigation, detection
or prosecution of criminal offences or the execution of criminal penalties, including
the safeguarding against and the prevention of threats to public security.
166. I will now address each of these categories in turn.
167. The exemption contained in Article 2(2)(a) applies in circumstances where the processing in
question relates to activities which fall outside the scope of Union law. Although activitieswhich
fall outside the scope of Union law are not defined in the GDPR and are not set out in an
exhaustive form in Union law, Articles 2 to 6 of the TFEU set out the exclusive and shared
competences of the European Union with respect to Member States.
168. While churches and religious associations are not specifically stated as being part of the
exclusive or shared competencies of the Union in Articles 2 to 6 of the TFEU, Article 17(1) of the
TFEU states that “The Union respects and does not prejudice the status under national law of
churches and religious associations or communities in the Member States”. Article 17(2) of the
TFEU also states that “Recognising their identity and their specific contribution, the Union shall
maintain an open, transparent and regular dialogue with these churches and organisations”.
169. As such, it is clearly envisaged under Union law that churches and religious organisations would
interact with Union law in some capacity. Further, the Charter of Fundamental Rights (the
‘Charter’) does encompass the Union’s protection of fundamental rights of European Union
citizens relating to religion, in particular under Article 10 (freedom of thought, conscience and
religion) and Article 12 of the Charter.
170. I note that in the case C-25/17 Jehovan todistajat,105 the ECJ accepted that “the door-to-door
preaching practised by members of a religious community, such as the Jehovah’s Witnesses
Community, is not one of the activities excluded from the scope of Directive 95/46, by virtue of
the first indent of Article 3(2) thereof.”106 The exclusions set out in Article 2 of the GDPR mirror
those originally set out in the previous data protection directive.
171. Therefore, I am of the view that the exemption under Article 2(2)(a) of the GDPR does not apply
to the processing of personal data and special category personal data held in the Baptism
Registers of the Archdiocese, not being processing relating to an activity which falls outside the
scope of Union law.
105 C-25/17 Jehovan todistajat ECLI:EU:C:2018:551.
106 Ibid, at paragraph 19
172. The exemption contained in Article 2(2)(b) applies in circumstances where the processing in
question relates to activities which fall within the scope of Chapter 2 of Title V of the TEU.
Chapter 2 of Title V of the TEU sets out the EU’s Common Foreign and Security Policy. It is clear
that the processing in the context of this Inquiry, being the processing of personal data and
special category personal data held in the Baptism Registers of the Archdioceses, does not relate
to the EU’s Common Foreign and Security Policy. As such, the exemption under Article 2(2)(b)
of the GDPR does not apply to this processing.
173. The exemption contained in Article 2(2)(c) of the GDPR applies in circumstances where the
processing in question is by a natural person in the course of a purely personal or household
activity.
174. The processing of personal data and special category personal data contained in Baptism
Registers is processed in certain circumstances by the Church as an organisation and in an
official capacity, for the purposes of its administration by keeping records of sacraments
undertaken.
175. Therefore, I am satisfied that the exemption contained in Article 2(2)(c) of the GDPR does not
apply in circumstances where the processing of the personal data and special category personal
data contained in the Baptism Registers is not undertaken by a natural person in the course of
a purely personal or household activity.
176. The exemption contained in Article 2(2)(d) of the GDPR applies to processing by competent
authorities for the purposes of the prevention, investigation, detection or prosecution of
criminal offences or the execution of criminal penalties, including the safeguarding against and
the prevention of threats to public security. Processing of personal data and special category
personal data contained within the Baptism Registers of the Archdiocese is not undertaken by
a competent authority for any processing activities for the purposes of the prevention,
investigation, detection or prosecution of criminal offences or the execution of criminal
penalties, including the safeguarding against and the prevention of threats to public security.
As such, the exemption contained in Article 2(2)(d) of the GDPR does not apply to this
processing.
Findings
177. I find that:
a) The personal data and special category personal data recorded in Baptism Registers
and which is subsequently processed by way of digital indexes, is processing wholly or
partly by automated means for the purposes of the GDPR. However, the hardcopy
Baptism Register is the sole official record of importance for the purposes for which
the personal data and special category personal data is processed in the first instance.
I find that the personal data and special category personal data which is contained in
the hardcopy Baptism Register is not processedwholly or partly by automatedmeans;
b) The hardcopy Baptism Registers form part of a filing system or are intended to form
part of a filing system, having regard to the definition of filing system under Article
4(6) of the GDPR;
c) No exemptions as set out in Article 2(2) of the GDPR apply to the processing of the
personal data and the special category personal data contained in the Baptism
Registers.
178. As such, the GDPR applies to the personal data and special category personal data contained in
the Baptism Registers.
b) CONTROLLERSHIP
Issue for determination: whether the Archbishop or the parish priest alone and / or jointly
with others determines the purposes and means of the processing of the personal data and
special category personal data contained in the Baptism Registers, which are now the subject
of this Inquiry
Introduction
179. The DPC expressed a preliminary view at the commencement of this Inquiry that, in
circumstanceswhere the personal data contained in the church records falls within thematerial
scope of the GDPR, the Archbishop was the (sole) controller in respect of the personal data
contained in these records (now the scope focusses on the Baptism Registers only).
Subsequently, the DPC confirmed to the Archbishop that it was considering the proposition that
both the Archbishop and the parish priest, having recourse to inter-alia Canon Law, may
determine to different extents the purposes and means of processing in relation to the Church
Registers (now the Baptism Registers only), leading to a position of joint controllership.
180. It is acknowledged that the Archbishop disagrees with this position, and has made a number of
submissions during the course of the Inquiry refuting sole or joint controllership of the Baptism
Registers and emphasising both the role of the parish priests and the Chancellor in this regard.
181. To contextualise the question of controllership vis-à-vis processing, this Inquiry is concerned
only with Baptism Registers held within the Archdiocese of Dublin to include those held in the
parishes and the Chancellery, the Adopted Persons Baptism Register and the Clonliffe College
Registers. The overall processing activities each of these Registers concern the recording,
storage, retention, alteration and special annotation of the personal data contained within
these Baptism Registers.107 However, this Inquiry is only concerned with data processing as it
relates to the rectification and erasure of personal data contained within these Registers.
182. As set out above, the issue for determination is whether the Archbishop or the parish priest
alone and/or jointly with others determines the purposes and means of processing personal
data. There are 197 parishes within the Archdiocese of Dublin entrusted to the pastoral care of
the Archbishop.108 It is impracticable for the DPC to make separate inquiries of all parish priests
of all 197 parishes within the Dublin Diocese; this is particularly so in circumstances where the
Archbishop of Dublin administers to and is responsible for his own Archdiocese. Therefore, the
DPC engaged solely with the Archbishop of Dublin. The analysis contained in this Inquiry on the
question of sole or joint controllership of personal data is therefore based on the DPC’s
engagement with the Archbishop of Dublin.
183. As the engagement by the DPC was solely with the Archbishop of Dublin, the DPC has exercised
its discretion to inquire primarily into the role of the Archbishop of Dublin and to determine
whether the Archbishop of Dublin either solely or jointly determines the purposes and means
of processing the personal data and special category contained within the Baptism Registers
which are the subject of this Inquiry.
107 Submissions dated 6 September 2021, page 2.
108 Submissions dated 1 February 2023, [1], citing Canon 381 §1 and Canon 515 §1.
184. As the subsequent analysis will demonstrate, my view is that the Archbishop of Dublin, jointly
with the parish priest, determines the purposes and means of processing activities for the
purposes of collection and recording of the personal data contained within the Parish Baptism
Registers held within the Archdiocese of Dublin.
185. I am of the view that the Archbishop of Dublin solely determines the purposes and means of all
other processing activities on personal data contained within the Parish Baptism Registers
within the Archdiocese of Dublin that are the subject of this Inquiry.
186. In submissions dated 1 February 2023, the Archbishop disputed the findings in the two
paragraphs above109 and made a global submission that “the draft Decision’s conclusions and
findings in respect of controllership are legally in error, with the exception of the proposed
findings in relation to the controllership of the Adopted Persons Baptism Register. In regard to
the other proposed findings, the Archbishop respectfully points to the submissions as made
above, and the submissions made on his behalf during the currency of the investigation to
date.”110
187. In preparing this final Decision, I have carefully considered the Archbishop’s submissions,
including the global submission about the issue of controllership. I have included edits to the
text of the Draft Decision to address specific points raised in paragraphs 1 to 19 of the
submissions of 1 February 2023. However, the submissions of 1 February 2023, in combination
with the other submissions received in the course of the investigation do not convince me to
change the conclusions reached in the Draft Decision regarding controllership. I have therefore
retained those findings in this Decision, but have addressed the submissions on the specific
points raised by the Archbishop on 1 February 2023 in the relevant sections of this Decision.
188. I am also of the view that the Archbishop of Dublin is the sole controller of the personal data
contained within the Clonliffe College Registers and the Adopted Persons Baptism Register for
all processing activities.
Canon Law
189. The Roman Catholic Church in Ireland is divided into dioceses and parishes, but from a civil law
perspective, civil legal obligations attach to the office holders in each diocese and parish, being
the diocesan bishop and parish priest respectively. In respect of the Archdiocese, the
Archbishop is the relevant office holder111 and is the diocesan bishop of the Archdiocese.
190. In accordancewith canon 515 §1 a diocesan bishop is conferredwith authority over the parishes
in the diocese. Canon 515 §2 further states that it is for the diocesan bishop only to erect,
suppress or alter parishes. Under Canon Law, the diocesan bishop is conferred with the
authority to appoint parish priests, in accordance with canon 519 and canon 523. The diocesan
bishop also has the power to determine the suitability of individuals for the office of pastor
(parish priest) in accordance with canon 521 §3.
109 See paragraphs 2 and 3
110 Submissions of 1 February 2023, page 6.
111 Submissions dated 16 March 2020, page 3.
191. Canon Law confers powers on a diocesan bishop within his diocese consistent with the
fulfilment of his office.112 Some relevant provisions are set out hereunder:
• Canon 381 §1: “A diocesan bishop in the diocese entrusted to him has all ordinary,
proper, and immediate power which is required for the exercise of his pastoral function
except for cases which the law or a decree of the Supreme Pontiff reserves to the
supreme authority or to another ecclesiastical authority”;
• Canon 391 §1: “It is for the diocesan bishop to govern the particular church entrusted
to him with legislative, executive, and judicial power according to the norm of law”;
• Canon 391 §2: “The bishop exercises legislative power himself. He exercises executive
power either personally or through vicars general or episcopal vicars according to the
norm of law. He exercises judicial power either personally or through the judicial vicar
and judges according to the norm of law”;
• Canon 392 §1: “Since he must protect the unity of the universal Church, a bishop is
bound to promote the common discipline of the whole Church and therefore to urge
the observance of all ecclesiastical laws”;
• Canon 392 §2: “He is to exercise vigilance so that abuses do not creep into
ecclesiastical discipline, especially regarding the ministry of the word, the celebration
of the sacraments and sacramentals, the worship of God and the veneration of the
saints, and the administration of goods“;
• Canon 393: “The diocesan bishop represents his diocese in all its juridic affairs”;
• Canon 473 §1: “A diocesan bishop must take care that all the affairs which belong to
the administration of thewhole diocese are duly coordinated and are ordered to attain
more suitably the good of the portion of the people of God entrusted to him”;
• Canon 491 §1: “A diocesan bishop is to take care that the acts and documents of the
archives of cathedral, collegiate, parochial, and other churches in his territory are also
diligently preserved and that inventories or catalogs are made in duplicate, one of
which is to be preserved in the archive of the church and the other in the diocesan
archive”;
• Canon 491 §2: “A diocesan bishop is also to take care that there is an historical archive
in the diocese and that documents having historical value are diligently protected and
systematically ordered in it”;
• Canon 491 §3 “In order to inspect or remove the acts and documentsmentioned in §§1
and 2, the norms established by the diocesan bishop are to be observed”.
192. Local normsmay be prescribed by the Archbishop and the Irish Episcopal Conference of Bishops.
112 Submissions of 1 February 2023, [4].
193. In addition, the diocesan bishop enjoys a power of inspection of baptism registers pursuant to
canon 535 §4. This permits the Archbishop to inspect the Baptism Registers held in parishes
during the course of a “visitation” to the parishes of the Archdiocese. The purpose of this
inspection is to ensure that the registers are maintained by the parish priest as he is obligated
to do in his parish, in accordance with Canon Law. In practice, the Archbishop states that this
would involve looking at the last entry in the registers and checking the register was up to
date113. Upon completion of a parish visitation, the Archbishop will complete a report that is
given to the parish priest. This may offer recommendations for certain improvements within
the parish if required.114
194. Canon 1276 §1 also places a responsibility on the Archbishop to “exercise careful vigilance over
the administration of all goods which belong to the public juridic persons subject to him, without
prejudice to legitimate titles which attribute more significant rights to him”. Canon 1287 §1 also
requires that clerical and lay administrators of any ecclesiastical goods whatever (which have
not been legitimately exempted from the power of governance of the diocesan bishop) are
“bound by their office to present an annual report to the local ordinary”.
195. The Archbishop also provides support services to parish priests in the Archdiocese via his
diocesan offices, “including, but not limited to, areas such as education, finance and
communications, property, chancellery, human resources, investment portfolio management
and advice, pastoral relationship management, accounting services and regulatory compliance
and reporting services.” To facilitate this sharing of resources, each Pastor has signed a Data
Processing Agreement in 2016 and an updated Agreement in 2019. These agreements state that
the Archbishop acts as a processor for the parish priest acting as controller.115 These are
considered further at a later point in this Decision.
196. The Archbishop is assisted in his functions by the diocesan curia, as set out in canon 469, which
states that the diocesan curia consists of those institutions and persons which “assist the bishop
in the governance of the whole diocese, especially in guiding pastoral action, in caring for the
administration of the diocese, and in exercising judicial power”. The curia consists of the chief
officials of the Archdiocese. Canon Law allows the Archbishop, as the diocesan bishop of the
Archdiocese, to appoint those who will exercise the offices in the diocesan curia, further to
canon 470.
113 Submissions dated 16 March 2020, page 7.
114 Submissions dated 15 October 2020, page 12.
115 Submissions dated 16 March 2020, page 5.
197. Within every diocesan curia, a diocesan bishop must appoint a chancellor.116 Canon 471 §1
requires that all those admitted to the offices of the curia, which includes the chancellor, must
“promise to fulfil their function faithfully according to the manner determined by the law or by
the bishop”. The diocesan bishopmay also “freely remove” the chancellor from office according
to canon 485117. The principal task of a chancellor as defined in canon 482 §1 is “to see to it that
the acts of the curia are gathered, arranged and safeguarded in the archive of the curia”. The
Chancellery, the office of the Chancellor, also offers advice on certain matters, including Canon
Law, to the Archbishop, the priests of the Archdiocese and the Diocesan Agencies, in order to
ensure good canonical practice.
198. The Chancellery also issues guidance on Canon Law matters for parish priests of the
Archdiocese, which is contained in the ‘Directives and Guidelines for Sacramental and Pastoral
Practice’ (the Guidelines). The Guidelines contain general advice concerning, among other
things, the management of baptism records in accordance with Canon Law. The Guidelines
provide detailed instructions on a number of topics including applying to be baptised, on how
to record baptism details in specific situations, issuing baptismal certificates, access to
baptismal registers, and alterations to the baptism register. In respect of alterations to a
baptism register, the Guidelines state that “[t]he express permission of the Chancellery is
required before any alteration or emendation may be made in any entry in any such parochial
register”.118 The Guidelines also set out that “the primary purpose of registration is to record
the fact of Baptism and to establish the identity of the one who received the sacrament”.119
199. The moderator and financial administrator, other members of the Diocesan Offices, also
provide guidance to parish priests of the Archdiocese via the Administrative Regulations and
Guidelines for Parishes (October 2017) (the “Administrative Regulations”) relating to, among
other things, parish property, finances, data protection, archiving, parish registers and record
management. For instance, with regard to parish registers the Administrative Regulations
provide that “Catholic Parish church records are private records and the public do not have an
automatic right of access to them. The Parish Priest is custodian of the registers but the
Archbishop dictates policy with regard to access”.120
116 Canon 482§1: “In every curia a chancellor is to be appointed whose principal function, unless particular law establishes
otherwise, is to take care that acts of the curia are gathered, arranged, and safeguarded in the archive of the curia. See
also canon 470: “The appointment of those who exercise offices in the diocesan curia pertains to the diocesan bishop”.
117 Canon 485: “The chancellor and other notaries can be freely removed from office by the diocesan bishop, but not by a
diocesan administrator except with the consent of the college of consultors”.
118 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, section 4.5 (page 23 of the PDF submission). See section 1.12 which states that
“[a]ny alteration to the Baptismal Register must be authorised though the Chancellery” (page 12 of the PDF submission).
119 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, section 1.5 (page 10 of the PDF submission).
120 Submissions dated 15 October 2020, Schedule of Documents, Administrative Regulations, October 2017, section E1
(page 32 of the Regulations and/or page 167 of the PDF submission).
200. In respect of property, the Administrative Regulations states that “[a]ll property of parishes and
agencies of the diocese must be vested in the St. Laurence O’Toole Diocesan Trust”. The St
Laurence O’Toole Diocesan Trust is a company limited by guarantee which acts as a trustee “for
property and instruments of every kind owned by or used in connection with the Roman Catholic
Church in the Diocese of Dublin or held or to be held in trust for any charitable purpose
whatsoever…”.121
201. The Guidelines and the Administrative Regulations are not formally published or promulgated
by the Archbishop as norms, and as such do not have the force of Canon Law. Where a parish
priest deviates from the Guidelines or Administrative Regulations, further action will be taken
only where the deviation relates to a particular canon in Canon Law or to a particular provision
of civil law. In circumstances where the deviation is amatter of civil law, the finance secretariat
or human resources department of the Diocesan Officesmay intervene. In circumstances where
the deviation relates to sacramental or canonical practice, the Chancellery may intervene.122
The Role and Position of the Parish Priest vis-à-vis the Archbishop under Canon Law
202. Each diocese is made up of parishes, and each parish “has a relationship with the Diocese in
canon law”.123 A parish is described under canon 515 §1, as “a certain community of Christian
faithful stably constituted in a particular church, whose pastoral care is entrusted to a pastor
(parochus) as its proper pastor (pastor) under the authority of the diocesan bishop”.124
203. The diocesan bishop is conferredwith the power to bring a parish into being, according to canon
515 §2.125 Once he has heard the advice of the Presbyteral Council, the Bishop can proceed to
establish a parish.126 In the establishing of a parish, it automatically gains juridic personality,
which means that it is, under Canon Law, a legal person subject to rights and obligations.127
204. In accordancewith canon 519 the pastoral care of the parish is entrusted to the pastor, or parish
priest, by the diocesan bishop. Canon 519 states that “The pastor (parochus) is the proper pastor
(pastor) of the parish entrusted to him, exercising the pastoral care of the community committed
to him under the authority of the diocesan bishop in whose ministry of Christ he has been called
to share, so that for that same community he carries out the functions of teaching, sanctifying,
and governing, also with the cooperation of other presbyters or deacons and with the assistance
of lay members of the Christian faithful, according to the norm of law”128.
121 Memorandum of Association of St. Laurence O’ Toole Diocesan Trust, page 1.
122 Submissions dated 15 October 2020, pages 15-16.
123 Submissions dated 16 March 2020, page 3.
124 This version of the Code of Canon Law is as stated on https://www.vatican.va/archive/cod-iuris-
canonici/eng/documents/cic_lib2-cann460-572_en.html#Art._1 (accessed 20 February 2023). The Submissions of 1
February 2023 appear to use a different source with a variation in the text, which matches that on
http://www.intratext.com/IXT/ENG0017/_P1T.HTM (accessed 20 February 2023).
125 Canon 515 §2 states: “It is only for the diocesan bishop alone to erect, suppress or alter Parishes. He is neither to erect,
suppress nor alter notably parishes, unless he has heard the presbyteral council.”
126 Canon 127.
127 Canon 515 §3.
128 See also canon 521 §3, 522 and 523.
205. The parish priest has all the ordinary power which comes from his office as exercised under the
authority of the Archbishop pursuant to canon 131 §1 and canon 515 §1.129 In the Guidelines at
section 4.3 it is stated that “Parish Priests and Moderators are the legal representatives of the
parish”, however, they do “need the Archbishop’s permission if they wish to initiate or contest
legal proceedings on behalf of the parish”130 and they are answerable to their ecclesiastical
superior. In the submissions of 1 February 2023, the Archbishop clarified that: “… the property
of the Parish belongs to the Parish. The powers of the Parish Priest are not gained by virtue of
or through the person who made the Parish Priest’s appointment.”131
206. Canon 273 provides that “[c]lerics are bound by a special obligation to show reverence and
obedience to the Supreme Pontiff and to their own ordinary”. A bishop cannot command
anything from a parish priest forbidden by law; nor can he prohibit what the Code of Canon Law
clearly permits.
207. Among the duties attached to the office of pastor (parish priest), canon 535 §1 prescribes the
duty to maintain parochial registers. Canon 535 §1 provides that “[e]ach Parish is to have
parochial registers, that is, those of baptisms, marriages, deaths, and others as prescribed by
the conference of bishops or the diocesan bishop. The pastor is to see to it that these registers
are accurately inscribed and carefully preserved”.
208. The Archbishop stated in his submissions that:
“ The Parish Priest is responsible for all applications and activities concerning the baptismal
register, such as:
• the creation of the original, handwritten, record of baptism;
• the responsible disposal of the baptismal application form, completed by the
parent(s)/guardian(s), once the baptism has taken place and has been written up in
the register;
• the issuing of baptismal certificates;
• the annotation of the baptismal record with details of a person’s confirmation,
marriage/annulment and ordination/laicisation;
• the maintenance of security and confidentiality of baptismal registers;
• the making of decisions as to who may access the baptismal register”.132
209. Further, the parish priest is tasked with ensuring that baptism registers do not fall into
unauthorised hands and that they, along with other parochial registers, are stored or archived
correctly within the parish.133
129 This sentence reflects the text suggested in the submission of 1 February 2023.
130 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, section 4.3 (page 23 of the PDF submission).
131 Submissions of 1 February 2023 at page 2.
132 Submissions dated 16 March 2020, page 5.
133 Canon 535 §4.
210. On issuing a baptismal certificate, the parish priest must make sure that all documents
emanating from the registers are sealed with the parish seal and bear his signature, or the
signature of his delegate.134
211. When an individual requests the alteration of a baptism record (for instance where the
individual has changed their name), the parish priest must either request authorisation from
the Chancellery to make the change or the parish priest directs the individual to contact the
Chancellery directly. The parish priest cannot make any changes to an entry in the baptism
register without contacting the Chancellery (aside from making notations of other sacraments
received). This is evident from the Guidelines, drafted by the Chancellery, which states that
“[t]he express permission of the Chancellery is required before any alteration or emendation
may be made in any entry in any such parochial register”.135
212. Once the request for authorisation is raised by a parish priest, an investigation is carried out by
the Chancellery. The Chancellor will relay the findings of the investigation in written form to the
parish priest who then makes an annotation of the change in the baptism register. The original
data (even where it is an error) remains in place in the baptism register.136
The Chancellery
213. The involvement of the Chancellery in the processing activities of annotation and alteration is
relevant. The Chancellor deals with Canon Law matters in the Archdiocese.137
214. The Chancellery is an office of the Archdiocese which assists the Chancellor in the discharge of
his functions within the diocesan curia of the Archdiocese. The Archbishop may freely appoint
the heads of the various curial offices and may introduce any improvements that may be
necessary in the curia, and to correct anything that does not conform to canonical discipline.138
The Chancellor’s role in Canon Law is set out in canon 482 §1 ”to take care that acts of the curia
are gathered, arranged and safeguarded in the archive of the curia”. In the Archdiocese, the
Chancellor, along with his office, the Chancellery, is tasked by the Archbishop with dealing with
issues of Canon Law and archiving which arise in the Archdiocese on behalf of the Archbishop.
134 Canon 535 §3; see also submissions dated 16 March 2020, page 31.
135 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, section 4.5 (page 23 of the PDF submission).
136 Submissions dated 16 March 2020, page 6.
137 See also https://dublindiocese.ie/archdiocese-overview/diocesan-offices/.
138See passage number 176 of the Directory for the Pastoral Ministry of Bishops (2004)
https://www.vatican.va/roman_curia/congregations/cbishops/documents/rc_con_cbishops_doc_20040222_apostolorum-
successores_en.html
215. While the Archbishop in his submissions has maintained that the Chancellery acts
independently as an advice-giving body, it is clear from Canon Law that the Chancellor is
appointed directly by the Archbishop as part of the diocesan curia.139 The Chancellor may also
be removed at any time by the Archbishop.140 The clear primacy of the Archbishop here is
further emphasised by canon 469, which states that the diocesan curia consists of those
institutions and persons, which “assist the bishop in the governance of the whole diocese,
especially in guiding pastoral action, in caring for the administration of the diocese, and in
exercising judicial power”. Canon 471 §1 requires that all those admitted to the offices of the
curia must “promise to fulfil their function faithfully according to the manner determined by the
law or by the bishop”.
216. I note that the Chancellery, a Diocesan office, which forms part of the diocesan curia, to “assist
the bishop in the governance of the whole diocese”141 issues guidance on Canon lawmatters for
parish priests, which is contained in the Guidelines. According to the Archbishop, these
Guidelines contain general advice concerning the management of baptism records in
accordance with Canon Law only and that the “Archbishop does not impose these requirements
on the Parish”142. In my view, the guidance provides detailed instructions on a number of topics
including on retention of Baptism Registers, on issuing baptismal certificates, on access to
Baptism Registers, and on alterations to Baptism Registers. It also sets out that “the primary
purpose of registration is to record the fact of Baptism and to establish the identity of the one
who received the sacrament”.143
217. It is evident that the role of the Chancellery under Canon law is that of assistance to the
Archbishop in his governance of the Archdiocese, in particular with respect to Canon law
matters. Further, the principal duty of the Chancellor is stated [in the Report] as “his principal
duty is to attend to canon law matter on behalf of the Archdiocese”.144
218. The Archbishop states in his submissions that the Chancellery is an office which provides only
advice to the parish priest, the Archbishop and diocesan agencies, and has no power to impose
the Canon Law on those parties.145 The Archbishop has asserted that in offering canonical advice
to a parish priest “the Chancellery is acting on behalf of the Parish Priest, and not as mentioned
above, for and on behalf of the Archbishop when and if giving any guidance or direction on data
protection issues to Parish Priests within the Archdiocese of Dublin”.146
139 Canon 482.
140 Canon 485.
141 Canon 469.
142 Submissions dated 16 March 2020, page 11.
143 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, section 1.5 (page 10 of the PDF submission).
144 Report by Commission of Investigation into Catholic Archdiocese of Dublin commissioned by the Minister for Justice and
Equality (published 29 November 2009), Appendix 3, page 24; https://www.justice.ie/en/JELR/Pages/PB09000504
https://www.justice.ie/en/JELR/DACOI%20Appendices.pdf/Files/DACOI%20Appendices.pdf
145 Submissions dated 16 March 2020, page 6; Submissions dated 15 October 2020, pages 15-16.
146 Submissions dated 15 October 2020, page 14.
219. However, I respectfully reject the notion that the Chancellery acts only on behalf of the party
asking advice (such as the parish priest) at any given time, only providing advice and not
imposing the Archbishop’s interpretation of the Canon Law (or indeed the civil law).
220. On the contrary, the Chancellor is appointed by the Archbishop to assist in the governance of
the Archdiocese. The Chancellormust “promise to fulfil their function faithfully according to the
manner determined by the law or by the bishop”.147 The Chancellormay be “freely” removed by
the Archbishop.148 The Archbishop has confirmed that should a disagreement arise between the
Chancellor and the Archbishop, it would be resolved as follows:
“If the wish of the Archbishop were unlawful, the Chancellery would brief him accordingly.
If the Archbishop refused in the light of this advice to alter his position, the Chancellery,
at that point, would not act against his wishes. Rather, it would inform the Archbishop
that in light of the issue in question, that he or the Chancellery should refer the matter for
decision to a higher authority, namely the Holy See”.149
221. Further, the Archbishop has noted in his submissions that he disseminates guidance to the
Archdiocese “through the Chancellery”150 to assist with the interpretation of Canon Law. I do
not accept that in this instance the Chancellery is providing advice only, but I take the view that
the Chancellery is disseminating the decisions taken by the Archbishop.
222. As such, the Archbishop has not demonstrated to my satisfaction the way in which the
Chancellor acts independently and how he is not under the authority of the Archbishop, who
governs the Archdiocese unequivocally with respect to the Canon Law by legislative, executive
and judicial power, according to the norm of law.151 Therefore, for the purposes of this Decision,
I have taken the view that, on balance, the Chancellery acts for and on behalf of the Archbishop
as part of the diocesan curia, in all its interactions with parish priests of the Archdiocese. The
Chancellery’s guidance and advice to parish priests is an extension of the function of the
Archbishop himself.
Relevant Provisions
223. Article 4(7) of the GDPR defines a ‘controller’ as:
“the natural or legal person, public authority, agency or other body which, alone or jointly
with others, determines the purposes and means of the processing of personal data;
where the purposes and means of such processing are determined by Union or Member
State law, the controller or the specific criteria for its nomination may be provided for by
Union or Member State law”.
147 Canon 471 §1.
148 Canon 485.
149 Submissions dated 23 July 2021, page 2.
150 Submissions dated 16 March 2020, page 11
151 Canon 391 §1.
224. Article 26(1) of the GDPR provides that:
“[w]here two ormore controllers jointly determine the purposes andmeans of processing,
they shall be joint controllers. They shall in a transparent manner determine their
respective responsibilities for compliance with the obligations under this Regulation, in
particular as regards the exercising of the rights of the data subject and their respective
duties to provide the information referred to in Articles 13 and 14, by means of an
arrangement between them unless, and in so far as, the respective responsibilities of the
controllers are determined by Union or Member State law to which the controllers are
subject”.
225. Article 5(2) of the GDPR requires that controllers “be responsible for, and be able to
demonstrate compliance” with the principles of relating to the processing of personal data as
set out in Article 5(1) of the GDPR.
Relevant Case Law and Guidance
226. Inmaking his submissions regarding controllership, the Archbishop referred to three judgments
of the CJEU, case C-210/16Wirtschaftsakademie,152 case C-25/17 Jehovan todistajat153 and case
C-40/17 Fashion ID,154 which have previously provided guidance on the meaning of a controller,
and joint controllership. All three cases concerned the notion of a controller and joint controller
under Directive 95/46/EC, however, the judgments still offer useful guidance as to the
interpretation of a controller and joint controller under the GDPR. This case law has interpreted
the concept of a controller broadly, with reference to case C-131/12 Google Spain and
Google.155
227. In C-25/17 Jehovan todistajat, the CJEU stated that “a natural or legal person who exerts
influence over the processing of personal data, for his own purposes, and who participates, as a
result, in the determination of the purposes and means of that processing, may be regarded as
a controller within the meaning of Article 2(d) of Directive 95/46”156. Further, the CJEU also
stated that “neither the wording of Article 2(d) of Directive 95/46 nor any other provision of that
directive supports a finding that the determination of the purpose andmeans of processingmust
be carried out by the use of written guidelines or instructions from the controller”.157
228. In C-210/16 Wirtschaftsakademie, the CJEU found that in respect of joint controllers, the
“existence of joint responsibility does not necessarily imply equal responsibility of the various
operators involved in the processing of personal data. On the contrary, those operators may be
involved at different stages of that processing of personal data and to different degrees, so that
the level of responsibility of each of them must be assessed with regard to all the relevant
circumstances of the particular case”.158
152 C-210/16 Wirtschaftsakademie Schleswig-Holstein EU:C:2018:388.
153 C-25/17 Jehovan todistajat ECLI:EU:C:2018:551.
154 C-40/17 Fashion ID ECLI:EU:C:2019:629.
155 C-131/12 Google Spain and Google, EU:C:2014:317, paragraph 34.
156 C-25/17 Jehovan todistajat, paragraph 68.
157 C-25/17 Jehovan todistajat, paragraph 67.
158 C-210/16 Wirtschaftsakademie, paragraph 43.
229. In C-25/17 Jehovan todistajat, the CJEU stated that the concept of a controller may “concern
several actors taking part” in processing of personal data who “may be involved at different
stages of that processing of personal data and to different degrees”.159 In all three judgments,
the CJEU stated that joint responsibility does not require the parties to have access to the
personal data concerned under Directive 95/46/EC.160
230. In C-40/17 Fashion ID, the CJEU stated that a party would be a controller “jointly with others
only in respect of operations involving the processing of personal data for which it determines
jointly the purposes and means”.161
231. The DPC also had regard, when conducting the Inquiry, to the EDPB’s Guidelines 07/2020 on the
concepts of controller and processor in the GDPR (‘the EDPB Guidelines 07/2020’)162, which are
referenced throughout this analysis.
Archbishop’s Submissions
232. In his submissions as to the Archbishop’s role as a controller of the Baptism Registers, the
Archbishop stated his position is that “the data controller in respect of baptism registers is the
Parish Priest”. The Archbishop emphasised that he “is not entitled to remove the registers from
the Parish, he is not entitled to alter entries in the registers and he has no power to compel a
Parish Priest to alter a register”.163
233. The Archbishop submitted that a parish, though created by a Bishop, takes on a wholly separate
juridic statuswhen created. The parish priest as appointed by the bishop and then acts on behalf
of the parish:
“The Pastor governs with the ordinary power granted to him by virtue of his office (canon
131§1). As such, the Parish Priest makes his own decisions, but such decisions are made
in a spirit of the Bishop’s concerns and policies. As the one who governs the juridic person
of the Parish (canon 1279§1), the pastor (Parish Priest) alone represents the Parish in all
juridical matters (canon 532)”.164
234. Any obligations placed on the parish priest to keep records of sacraments administered are
“imposed on Parishes and Parish Priests as a matter of canon law. They are not imposed on the
Parish Priest by ArchbishopMartin”.165 Further, the Archbishop submitted “[l]egal ownership of
the property rights in these registers belongs to the Parish. It is not available to the Archbishop,
either in civil law or in Church law, to enter a Parish and remove a register, or to enter a Parish
and alter or erase a record even if he were minded to do so”.166
159 C-25/17 Jehovan Todistajat, paragraph 66.
160 C-210/16 Wirtschaftsakademie, paragraph 38; C-25/17 Jehovan Todistajat, paragraph 69;and C-40/17 Fashion ID,
paragraph 69.
161 C-40/17 Fashion ID, paragraph 74.
162 EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 2.0, Adopted on 07 July 2021.
163 Submissions dated 16 March 2020, page 2.
164 Submissions dated 16 March 2020, page 4.
165 Submissions dated 16 March 2020, page 4.
166 Submissions dated 16 March 2020, page 4.
235. The Archbishop has stated that insofar as baptism records are concerned, the Archbishop “plays
only a very limited role”. For example, “if a request for a baptism certificate is received by the
Archbishop, it will be sent, by the Chancellery, to the relevant Parish Priest, so that the request
can be directly fulfilled by him. Archbishop Martin does not play any other role in responding to
the request”.167
236. The Archbishop submitted that the Chancellery is a Diocesan Office, which deals mainly with
Canon Law matters. The Archbishop submitted that the Chancellery “serves as a resource to
give advice on canonical issues to the Archbishop, his staff, Parish Priests and Diocesan agencies.
Where the Chancellery advises on a matter of canon law, it is not defining canon law and
imposing it on the Parish Priest, but rather providing assistance to the Parish Priest in the
interpretation of canon law, and guidance on its operation”.168
237. With regard to data protection requests, the Archbishop stated that the Chancellery “evaluates
queries, in accordance with canon law, and with the advice of civil lawyers, on how to
proceed”.169 This advice is then relayed to the recipient (which may be by the Archbishop, a
parish priest, or a diocesan agency). The Archbishop stated that the actions thereafter fall under
the jurisdiction of the recipient on how they will proceed.
238. The Archbishop stressed that the Chancellery “only offers advice”. It in no way compels the
recipient to follow the advice, much akin to a person seeking legal advice from a solicitor”.170 In
response to queries regarding the Chancellery and the use of the word “authorise” with respect
to requests for alterations to the Baptism Registers171, the Archbishop stated that the
Chancellery “does not “authorise” an amendment in the sense of the giving official permission
by someone in a position of authority. A better termmight perhaps be “advise””. The Archbishop
also emphasised that “in confirming that the request is a legitimate one, the Chancellery is
confirming whether the individual has a right to have their baptismal record amended. It is then
a matter for the relevant Parish Priest to give effect to this right and lawful amendment, where
it arises”.172
239. The Archbishop stated that “most, if not all, of the queries received by the Chancellery originate
in the Parish” and as such it is the parish priest who makes contact with the Chancellery, and
the advice is relayed to him for further action. The Archbishop stated that, in offering canonical
advice to parish priests on any issue, “the Chancellery is acting on behalf of the Parish Priest,
and not, as mentioned above, for and on behalf of the Archbishop when and if giving any
guidance or direction on data protection issues to Parish Priests within the Archdiocese of
Dublin”.173
167 Submissions dated 16 March 2020, page 6.
168 Submissions dated 16 March 2020, page 6.
169 Submissions dated 15 October 2020, page 14.
170 Submissions dated 15 October 2020, page 14.
171 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, section 1.12 states “Any alteration to the Baptismal register must be authorised
through the Chancellery” (page 12 of the PDF submission).
172 Submissions dated 23 July 2021, page 1.
173 Submissions dated 15 October 2020, page 14.
240. The Archbishop stated that where a parish priest raises such a matter with the Chancellery, an
investigation of thematter is carried out by canon lawyers, and the staff of the Chancellery. The
Archbishop also stated that “this investigation is carried out by the Chancellery on behalf of the
Parish Priest, because he is the custodian of the records”.174 The Chancellor will then relay the
findings of the investigation “in written form to the Parish Priest, and as data controller, he
makes an annotation of the change in the appropriate column of the register”.175
241. As previously outlined in this Decision the Archbishop submitted that, should a disagreement
arise between the Archbishop and the Chancellery, “[i]f the wish of the Archbishop were
unlawful, the Chancellery would brief him accordingly. If the Archbishop refused in the light of
this advice to alter his position, the Chancellery, at that point, would not act against his wishes.
Rather, it would inform the Archbishop that in light of the issue in question, that he or the
Chancellery should refer the matter for decision to a higher authority, namely the Holy See”.176
242. The Archbishop points out that he did not create the requirement to maintain the Baptism
Registers, this is imposed directly on the parish priest by virtue of Canon Law.177 However, the
Archbishop submitted that he does enjoy a power of inspection of the Baptism Registers when
he makes a visitation to a parish, pursuant to canon 535 §4, to “ensure that the registers are
being maintained by the Parish Priest as he is obligated to do in his Parish in accordance with
canon law”178. The Archbishop submitted that this inspection is “superficial” and “[i]n practice,
thismeant that the Archbishop would look at the last entry in the registers and check the register
was up to date, in a very general sense”. The Archbishop further submitted that “in the context
of the functional analysis that governs the concept of the data controller, the inspection power
cannot be regarded as significant”.179
243. With respect to the relationship between the Archbishop and the parish priest, the Archbishop
submitted that:
“while a priest’s ministry is dependent upon that of his bishop, and every priest promises
respect and obedience to his bishop at ordination, it is a common mistake to think of a
Parish Priest as a kind of “branch manager” or “tenant farmer” of a bishop… A bishop is
free to establish policies for all Parishes in his diocese provided that they do not conflict
with universal canon law or divine law. However, within the boundaries established by
canon law, divine law and civil law, it is the Parish Priest’s job to lead the parish and to
determine how best to govern the community with which he has been entrusted”.180
174 Submissions dated 16 March 2020, page 6.
175 Submissions dated 16 March 2020, page 6.
176 Submissions dated 23 July 2021, page 2.
177 Submissions dated 16 March 2020, page 11.
178 Submissions dated 16 March 2020, page 7.
179 Submissions dated 16 March 2020, page 7.
180 Submissions dated 15 October 2020, page 16.
244. In this regard, the Archbishop also noted that a bishop does have “the authority to oblige any
priest or member of the faithful to do, or not do, a particular thing he may determine to be
detrimental to the wider community. He can do this through a “precept”, a kind of canonical
injunction directed at a specific person or situation”.181 The Archbishop further submitted that
pursuant to canon 49:
Precepts are decrees “by which an obligation is directly and lawfully imposed on a specific
person or persons to do or to omit something, especially in order to urge the observance
of a law”. They are rarely used.”182
245. Further, the Archbishop noted that although bishops have the authority to appoint parish
priests within their diocese,
“[a] bishop is not free, however, to remove or transfer a Parish Priest from his office
without following a detailed and non-negotiable process defined by canon law […] In
short,while no priest has a right to an assignment or toministry, once a priest is appointed
a Parish Priest, he cannot be removed from his office or from his ministry, without serious
cause and without observation of the canon law’s procedural requirements”.183
246. The Archbishop also submitted that upon completion of a visitation the Archbishop is to prepare
a report that is to be given to a parish priest. With respect to this report, the Archbishop
submitted that:
“It is in this report that any shortcomings of the Parish Priest in his duty to maintain and
preserve the parish registers would be highlighted by the Bishop, and recommendations
offered on how he can better fulfil this duty. Any recommendations made are likely to be
taken seriously by the Parish Priest and brought to Parish Council/Parish Finance
Committee for discussion, but there is no power on the part of the Archbishop to compel
compliance with specific recommendations”.184
247. The Archbishop further submitted that, with respect to the two executed agreements relating
to the microfilming project of church registers in the Archdiocese in the 1980s and 1990s:
“[i]t is apparent in these agreements that co-ownership in relation to the records
concerned was asserted by the Archbishop. A careful review of correspondence relating
to these agreements indicates that no analysis was undertaken at the time of their
execution as to the assertion of ownership on the part of the Archbishop in common with
the Parish Priest concerned. Questions relating to ownership and control of records have
necessarily been considered in depth for the purpose of this inquiry and in the context of
the requests made by the DPC. We are satisfied that these agreements were mistaken in
asserting co-ownership on the part of the Archbishop”.185
181 Submissions dated 15 October 2020, page 19.
182 Submissions dated 1 February 2023, page 3.
183 Submissions dated 15 October 2020, page 17.
184 Submissions dated 15 October 2020, page 12.
185 Submissions dated 15 October 2020, page 21.
248. Further, the Archbishop submitted that in applying the law to the facts that “[t]he position of
the Archbishop is that the Parish Priest is the data controller in respect of baptism records” and
that:
“[t]he Parish Priest is the one responsible for the collection of the data in the first instance,
it he who arranges the sacrament of baptism and he who manages the making of the
record in the register. The data in the baptism register exists because the Parish Priest has
permitted the baptism to take place in his Parish.Where a baptism certificate is issued, it
is the Parish Priest that consults the register and issues the certificate. The Parish Priest
has ongoing access to the registers and it is he that bears the responsibility of ensuring
their security and confidentiality. It is the Parish Priest who controls access to the register
for individuals, and he who decides whether someone has a valid reason for seeking
access to the register, in compliance with the principles of canon law. Legal ownership of
the property rights in these registers belongs to the Parish”.186
249. With respect to the above cases, the Archbishop submitted that:
“the most succinct statement of the law may be found in Fashion ID, which defined the
controller as a person “who exerts influence over the processing of personal data, for his
own purposes, and who participates, as a result, in the determination of the purposes and
means of that processing.” There can be no doubt that the Parish Priest exerts influence
in the processing of personal data. An analogy can be drawn with the website operators
in Wirtschaftsakademie and Fashion ID. In those cases the operators merely facilitated
the collection of personal data by Facebook. Here, the Parish Priest not only collects the
data, but remains responsible for the processing stage. He furthermore remains in
possession of the data on a continuous and indefinite basis, and controls access to that
data by all outside parties, including the person to whom the record relates. There can be
no doubt that the Parish Priest, therefore, is a data controller”.187
186 Submissions dated 16 March 2020, page 10.
187 Submissions dated 16 March 2020, page 11.
250. In respect of questions relating to joint controllership, the Archbishop submitted that the
situation of the Archbishop could be distinguished from the above mentioned cases as follows:
“The Archbishop does not create the requirement to maintain baptism registers, nor did
he initiate it. The processing arises as a requirement of canon law, imposed directly on the
Parish Priest. Similarly, the fact of a power of investigation on the part of the Archbishop
does not mean that he initiated or caused the processing to happen. Second, insofar as
the vast majority of entries on the baptism register are concerned, the Archbishop will
never have any control or interaction with them at any point. While the Archbishop
(through the Chancellery) disseminates guidance, this is to assist in the interpretation of
canon law. The Archbishop does not impose these requirements on the Parish. The only
point at which the Chancellery has any influence over a particular entry on the register is
where an amendment is sought to be made, in the circumstances set out above. In such a
case, the Chancellery will advise the Parish Priest as to the results of its investigation as
to the application of canon law to the particular amendment sought. The investigation is
carried out on behalf of the Parish Priest. The Archbishop submits that this minimal role
does not constitute “decisive influence” in the sense contemplated by the CJEU”.188
251. The Archbishop further stated that:
“the role of Archbishop Martin can be distinguished from that of the website
administrators in Wirtschaftsakademie and Fashion ID insofar as the Chancellery only
ever interacts directly with a tiny number of entries on the register, whereas the website
operators caused all data collected via the cookies in question to be gathered.
Furthermore, the role of ArchbishopMartin can be distinguished from the situation of the
religious community in Jehovan todistajat, because there, the data was collected by the
members and then sent (at least in part) to the central church community, organised and
stored by it. This never occurs in the case of the Chancellery, which accesses data only in
the limited circumstances set out above. Similarly, the theoretical power of inspection
does not involve the Archbishop gathering in the data, storing or organising it”.189
Legal Analysis
252. Havingmade the determination in this Decision that Baptism Registers comewithin thematerial
scope of the GDPR, the DPC now considers the following issue:
whether the Archbishop or the parish priest alone and / or jointly with others determines
the purposes and means of the processing of the personal data and special category
personal data contained in the Baptism Registers which are now the subject of this
Inquiry.
188 Submissions dated 16 March 2020, page 11.
189 Submissions dated 16 March 2020, pages 11-12.
Legal Analysis: Canon Law
253. As a preliminary point, it is noted that Canon Law is the internal law of the Roman Catholic
Church and is the principal framework by which the Roman Catholic Church is governed. Canon
Law was revised in 1983 and is the current applicable Code. 190 In addition, provisions relating
to Baptism Registers are contained within Canon Law, which also identifies the respective roles
of the Archbishop and the parish priest regarding these registers.
254. Canon Law is not determinative of the position of controllership under data protection law.
However, Canon Law is clearly a relevant consideration; it assists in understanding, within the
Archdiocese itself, the role and influence the parties have on the governance of parish affairs
and on the decision-making power regarding Baptism Registers.
255. At the outset, I accept the position that Canon Law, from a civil law perspective,must be viewed
as a species of foreign law in accordance with O’Callaghan v O’Sullivan – “[t]he Canon law of
the Roman Catholic Church is foreign law, which must be proved as a fact and by the testimony
of expert witnesses according to the well-settled rules as to proof of foreign law”.191 It ismy view
that, pursuant to the decision in O’Callaghan v O’Sullivan, Canon Law in Ireland is a foreign law
that does not exempt people resident in the State from compliance with the obligations
imposed by the Constitution of Ireland, European Union law and the laws enacted
thereunder.192
256. The Archbishop is considered the representative at law for the Archdiocese of Dublin, which is
not a distinct legal person in its own right, though both dioceses and parishes have distinct
juridical personality under Canon Law.193 The Archbishop is autonomous in the Archdiocese and
is accountable directly to the Holy See.194 The Archbishop has control over the day-to-day
management of the Archdiocese, as long as he remains compliant with Canon Law.195 The
Archbishop governs the Archdiocese of Dublin with the ordinary power which comes from his
office as exercised under the authority of the Pope pursuant to canon 381.196 In accordance with
canon 391 §1, it is for the Archbishop to govern the Archdiocese with “legislative, executive,
and judicial power according to the norm of law”.
257. The EDPB Guidelines 07/2020 state there is “no limitation as to the type of entity which may
assume the role of controller. It might be an organisation, but it might also be an individual or a
group of individuals”.197 As such, the DPC has turned to the Archbishop rather than the
Archdiocese to assess his role as controller (either joint or sole) in the context of this Inquiry.
190 The version of the Code of Canon Law referred to by the DPC is the Canon Law Society of America’s translation, available
on the Vatican website at https://www.vatican.va/archive/cod‐iuris‐canonici/cic_index_en.html
191 O’Callaghan v O’Sullivan [1925] 1 IR 90 at 113.
192 This sentence is based on the submission of 1 February 2023 at paragraph 8.
193 Canons 373, 515 §3.
194 Report by Commission of Investigation into Catholic Archdiocese of Dublin (29 November 2009) at paragraph 3.16
195 Ibid at 3.17.
196 As submitted by the Archbishop in the Submissions of 1 February 2023, at paragraph 9.
197 EDPB Guidelines 07/2020, paragraph 17.
258. I accept that the Archbishop does not solely, or with the conference of bishops, impose the
requirements to record the Baptism Registers on the parish priests of the Archdiocese, or
impose the requirement to record certain personal data in the Baptism Registers as set out in
canon 877 §1. These are requirements, which are imposed by Canon Law. However, Canon Law
does impose a duty on diocesan bishops to govern their dioceses and to represent their diocese
in all juridic affairs. A diocesan bishop is empowered under Canon Law to use his legislative and
executive power to govern his diocese.198 As such, the Archbishop may direct the manner in
which Canon Law is applied by the parishes of the diocese via the issuing of local laws or
directions, whichmay take a number of forms.199 Canon 391 §2 notes that “the bishop exercises
judicial power either personally or through the judicial vicar and judges according to the norm
of [Canon] law.”
259. The Diocesan Curia, via the Chancellery, assists the diocesan bishop in governing by
implementing the directions and norms set down by the Archbishop. For instance, the
Chancellery is the office that authorises or gives permission to parish priests tomake alterations
to Parish Baptism Registers in some instances.
260. As such, Canon Law does not direct the exact purposes for, and means by which, many of its
requirements are to be fulfilled. This is instead determined by the diocesan bishop, at his
discretion, as this discretion is conferred on him under Canon Law.
Legal Analysis: Identifying a Controller: Preliminary Points
261. As a preliminary point, the key test for identifying whether a person, natural or legal, is a
controller is set out in Article 4(7) of the GDPR. A person shall be a controller if they alone or
jointly with others “determines the purposes and means of the processing of personal data”.
Article 26(1) of the GDPR similarly states that in the instance where “two or more controllers
jointly determine the purposes and means of processing, they shall be joint controllers”.
262. I have had regard to the EDPB Guidelines 07/2020 in consideration of this issue. In particular, I
note that the EDPB Guidelines clarify that an assessment of controllership, or indeed joint
controllership, is a factual assessment.200 This is because the concept of a controller is a
functional concept, which aims to “allocate responsibilities according to the actual roles of the
parties”.201
263. I note the view of the EDPB where it states “the concepts of controller and processor are also
autonomous concepts in the sense that, although external legal sources can help identifyingwho
is a controller, it should be interpreted mainly according to EU data protection law”.202
198 Canon 375 defines bishops as, inter alia, “ministers of governance”
199 Canons 391 §1, 391 §2, 392 §1, 392 §2, 393, 369, 375 §1.
200 Opinion of Advocate General Mengozzi, paragraph 68 in Case C-25/17 Jehovan todistajat, ECLI:EU:C:2018:57 –
“excessive formalism would make it easy to circumvent the provisions of Directive 95/46 and that, consequently it is
necessary to rely upon a more factual than formal analysis in order to assess whether the religious community plays an
effective role in determining the objectives and practical means of processing”
201 EDPB Guidelines 07/2020, paragraph 12.
202 EDPB Guidelines 07/2020, paragraph 13.
264. The EDPB Guidelines 07/2020 state that in order to identify the controller in respect of certain
personal data:
“One should look at the specific processing operations in question and understand who
determines them by first considering the following questions: "why is this processing
taking place?” and “who decided that the processing should take place for a particular
purpose?”203
265. This involves analysis of the person or persons who ultimately determines the purposes of
processing.
266. The EDPB Guidelines 07/2020 also note that with respect to the means of processing, a
controllermust determine the essential rather than the non-essentialmeans of processing. The
EDPB notes that essential means are:
“closely linked to the purpose and the scope of the processing, “Essential means” are
means that are closely linked to the purpose and the scope of the processing, such as the
type of personal data which are processed (“which data shall be processed?”), the
duration of the processing (“for how long shall they be processed?”), the categories of
recipients (“who shall have access to them?”) and the categories of data subjects (“whose
personal data are being processed?”)”.204
267. The EDPB Guidelines 07/2020 also confirm that a controller must decide on both the purposes
and the means of processing.205
Legal Analysis: Joint Controller: Preliminary Points
268. The DPC has also considered whether a joint controllership exists over the personal data
contained within the relevant Baptism Registers. Joint controllers are defined under Article
26(1) of the GDPR as two or more controllers, which “jointly determine the purposes and the
means of processing”. To identify a joint controller relationship, the DPC considers the EDPB
Guidelines 07/2020 and the case law of CJEU.
269. The EDPB Guidelines state “[j]oint controllership exists when entities involved in the same
processing carry out the processing for jointly defined purposes. This will be the case if the
entities involved process the data for the same, or common, purposes”.206
203 EDPB Guidelines 07/2020, paragraph 20.
204 EDPB Guidelines 07/2020, paragraph 40.
205 EDPB Guidelines 07/2020, paragraphs 35, 36.
206 EDPB Guidelines 07/2020, paragraph 59.
270. The EDPB Guidelines further state:
“Joint participation in the determination of purposes and means implies that more than
one entity have a decisive influence over whether and how the processing takes place. In
practice, joint participation can take several different forms. For example, joint
participation can take the form of a common decision taken by two or more entities or
result from converging decisions by two or more entities regarding the purposes and
essential means”.207
271. The EDPB sets out that a common decision in this context means “deciding together and
involves a common intention in accordance with the most common understanding of the term
“jointly” referred to in Article 26 of the GDPR”.208
272. Converging decisions are defined by the EDPB as follows:
“Decisions can be considered as converging on purposes and means if they complement
each other and are necessary for the processing to take place in such manner that they
have a tangible impact on the determination of the purposes and means of the
processing”.209
273. The EDPB also notes that an important criterion in identifying a converging decision between
joint controllers is “whether the processing would not be possible without both parties’
participation in the purposes and means in the sense that the processing by each party is
inseparable, i.e. inextricably linked”.210
274. Recent CJEU case law has interpreted the concept of a joint controller broadly. As confirmed by
the CJEU in C-210/16 Wirtschaftsakademie, joint responsibility does not require the parties to
have access to the personal data concerned.211 In Wirtschaftsakademie, it was also noted by
the CJEU that:
“existence of joint responsibility does not necessarily imply equal responsibility of the
various operators involved in the processing of personal data. On the contrary, those
operators may be involved at different stages of that processing of personal data and to
different degrees, so that the level of responsibility of each of them must be assessed with
regard to all the relevant circumstances of the particular case”.212
275. This was also affirmed by the CJEU in C-25/17 Jehovan todistajat.213
207 EDPB Guidelines 07/2020, paragraph 54.
208 EDPB Guidelines 07/2020, paragraph 55.
209 EDPB Guidelines 07/2020, paragraph 55.
210 EDPB Guidelines 07/2020, paragraph 55.
211 C-210/16 Wirtschaftsakademie, paragraph 38.
212 C-210/16 Wirtschaftsakademie, paragraph 43.
213 C-25/17 Jehovan Todistajat, paragraph 66.
276. The CJEU also noted in its judgment for case C-40/17 Fashion ID that “it appears that a natural
or legal person may be a controller, within the meaning of Article 2(d) of Directive 95/46 jointly
with others only in respect of operations involving the processing of personal data for which it
determines jointly the purposes and means”.214
Legal Analysis: Data Processing Agreements
277. As a further preliminary matter, I have considered the two template data processing
agreements which the Archbishop provided during the course of the Inquiry, the 2016 data
processing agreement (‘the 2016 DPA’) and the 2019 data processing agreement (‘the 2019
DPA’) (together the ‘DPAs’). These DPAs were agreed between the parish priest for each parish
and the Archbishop.
278. In respect of the DPAs, I have had regard to the EDPB Guidelines 07/2020, which states in
particular that:
“the legal status of an actor as either a “controller” or a “processor” must in principle be
determined by its actual activities in a specific situation, rather than upon the formal
designation of an actor as being either a “controller” or “processor” (e.g. in a contract).
This means that the allocation of the roles usually should stem from an analysis of the
factual elements or circumstances of the case and as such is not negotiable”.215
279. I have reviewed the DPAs and am of the view that the DPAs are not determinative in indicating
the roles that the Archbishop and the parish priests play in respect of the processing of the
personal data and special category personal data contained in the Baptism Registers for the
purposes of data protection law.
280. First, the 2016 DPA designates the Archbishop as the processor and the parish priests, as listed
in the Schedule, as controller. This is similarly set out in the 2019 DPA. I note that the 2016 DPA
refers to the duties of inspection and oversight (canons 535 and 1276) placed on the Archbishop
in recitals A and B. Recital B notes that “In ease of enabling the Archbishop of Dublin to comply
with the requirements of the Code of Canon Law, in particular but not limited to Can. 535 and
Can. 1276, the Parties desire to enter into this Agreement.”
281. In general, recitals of an agreement tend not to contain operative provisions, but assist in the
interpretation of the operative provisions. Typically, recitals do not override the operative
provisions of an agreement. The 2016 DPA makes clear that the recitals form part of the
agreement within the definition of “Agreement”.
214 C-40/17 Fashion ID, paragraph 74.
215 EDPB Guidelines 07/20, paragraph 12.
282. Recital D of the 2016 DPA states:
“The Archbishop of Dublin, acting as Data Processor, provides a range of management
and support services to each Data Controller, including but not limited to, shared services
support in areas such as education, finance and communications, property, chancellery,
human resources, investment portfolio management and advice, pastoral relationship
management, accounting services and regulatory compliance and reporting services (the
“Purpose”).”
283. Clause 3 of the 2016 DPA sets out the obligations of the Data Processor (the Archbishop) under
the agreement. Clause 3.2.1 requires that the Data Processor will “only deal with and process
the Relevant Personal Data for the Purpose of, and subject to, the instructions received from the
Data Controller and in compliance with this Agreement”.
284. The “Relevant Personal Data” is defined in Clause 1.1 of the 2016 DPA as “Personal Data
controlled by the Parish Priest in relation to a Parish including, but not limited to Personal Data
relating to, the parishioners of a Parish”.
285. It is not clear to the DPC what involvement the Archbishop’s duties of oversight and inspection
have regarding his purported role as a processor under this agreement. Neither of these duties
are encompassed under the defined “Purpose” of the 2016 DPA and are referred to only in the
recitals as opposed to the operative provisions. In any event, I am not convinced that a duty of
oversight and inspection conferred on the Archbishop independently by Canon Law could, in
practice, be executed by the Archbishop acting as a processor, on the instruction of the parish
priest. 216 In such circumstances, the Archbishop could not properly fulfil such oversight without
using his own discretion.
286. On that basis, it is my view that the 2016 DPA does not adequately demonstrate that, with
respect to the processing of personal data and special category personal data in the Baptism
Registers, the Archbishop acts as a processor regarding his duties of inspection and governance.
Indeed, the “Purpose” in the 2016 DPA is confined to matters, which do not touch on these
functions. The 2016 DPA limits the Archbishop’s role as a processor to the “Purpose” and limits
the Archbishop’s obligation under this agreement to take instruction from the parish priest as
a controller in respect of the “Purpose” only.
287. Second, the 2019 DPA is also an agreement between the parish priest and the Archbishop
purportedly in the roles of controller and processor respectively. The 2019 DPA seeks to comply
with changes introduced by the GDPR. The Archbishop’s roles of oversight, governance and
inspection are referred to in the recitals only, similarly to the 2016 DPA, and are not brought
into the operative provisions of the agreement.
216 In paragraph 11 of the 1 February 2023 Submissions, the Archbishop clarified in relation to this paragraph that the
Parish Priest is also bound by obligations and duties under Canon Law.
288. Recital D of the 2019 DPA refers to the “Services” as being:
“A range of management and support services to each Controller, including but not
limited to, shared services support in areas such as education, finance and
communications, property, chancellery, human resources, investment portfolio
management and advice, pastoral relationship management, accounting services and
regulatory compliance and reporting services (the “Services”)”
289. Recital E of the 2019 DPA states:
“The Data Controller may provide the Processor (and the Processor Personnel) with
Relevant Personal Data and the Processor (and the Processor Personnel) may process
Relevant Personal Data on behalf of the Controller for the purpose of providing the
Services.”
290. Clause 3 of the 2019 DPA sets out the details of the processing activities:
“[t]he subject-matter and duration of the processing carried out by the Processor on
behalf of the Controller together with the nature and purpose of the processing, the type
of personal data and categories of data subjects are described in Schedule 2, which forms
an integral part of this Agreement”.
291. Clause 4 of the 2019 DPA specifies, as required by Article 28(3)(a) of the GDPR, that “the
Processor shall only Process the Relevant Personal Data on the written instructions of the
Controller”, unless required by law to do otherwise. Relevant Personal Data is defined in Clause
1.1 of the 2019 DPA as “Personal Data controlled by the Parish Priest in relation to a Parish
including, but not limited to Personal Data relating to, the parishioners of a Parish, as set out in
Schedule 2”.
292. Clause 2 of the 2019 DPA sets out that the “[t]he Processor may process Data to the extent
necessary to provide the Services to the Controller” only. Schedule 2 of the 2019 DPA also sets
out that the data processed by the processor concerns a number of categories of data subjects,
including “individuals participating in ceremonies or rites conducted by the Controller
(marriages, baptisms, confirmations etc)”.
293. Similar to the 2016 DPA, the activities for which the Archbishop acts as a processor under the
2019 DPA does not encompass his roles of oversight and inspection, though these are
mentioned in the 2019 DPA at Recital A. The 2019 DPA clearly states that the Archbishop may
process the personal data only for providing “the Services to the Controller”, and this must be
on the written instructions of the parish priest. On consideration of the above, the DPC finds it
difficult to see how the Archbishop’s inspection and oversight roles could be encompassed by
the Services of the 2019 DPA, as processing activities delegated to a processor.
294. The Archbishop does not in practice take instruction from the parish priest on the manner in
which he conducts his inspections, or his obligations under canon 1276, and it seems to the DPC
that taking any such instructions would be contrary to the duty of oversight and inspection
placed on him by Canon Law in any event. While the 2019 DPA seeks to demonstrate that this
is the case, it limits itself to the provision of the Services only, even in circumstances where the
categories of data subjects included seeks to cover those who have participated in ceremonies
or rights. The actual role of the Archbishop, in my view would not entail taking instruction from
the parish priest with respect to functions under canon 535 and canon 1276, and even if it did,
the 2019 DPA does not adequately capture such processing activities.
295. Therefore, the DPC does not accept the 2016 DPA or the 2019 DPA as evidence, which reflects
the actual role the Archbishop plays in relation to the processing of the personal data and the
special category personal data contained in any of the Baptism Registers. The DPAs may on
paper designate the role of processor to the Archbishop, however, considering the concept of
a ‘controller’ and ‘processor’ as functional concepts,217 functionally the DPAs do not encompass
the actual role the Archbishop plays when it comes to the processing of the personal data and
special category personal data in the Baptism Registers.
296. In coming to this conclusion, I have regard in particular to the EDPB Guidelines 07/20 which
state that:
“It may also be that the contract contains an explicit statement as to the identity of the
controller. If there is no reason to doubt that this accurately reflects the reality, there is
nothing against following the terms of the contract. However, the terms of a contract are
not decisive in all circumstances, as this would simply allow parties to allocate
responsibility as they see fit. It is not possible either to become a controller or to escape
controller obligations simply by shaping the contract in a certain way where the factual
circumstances say something else. If one party in fact decides why and how personal data
are processed that party will be a controller even if a contract says that it is a
processor”.218
297. Therefore, I have formed the view that the DPA Agreements do not establish, for the purposes
of data protection law, that the Archbishop is a data processor or that the parish priest is a
controller, but that the Archbishop has a role to play as a data controller regarding the
processing of personal data contained within the Baptism Registers. As to whether the
Archbishop is sole controller or joint controller with the parish priest depends on the processing
activities involved with the Baptism Registers.
Identification of the relevant Baptism Registers
298. In order to examine whether the Archbishop, alone or jointly with others (such as the parish
priest), determines the purposes and means of processing of the personal data and special
category personal data contained in the Baptism Registers, it is necessary for the DPC to look at
the various Baptism Registers separately.
217 EDPB Guidelines 07/2020, paragraph 12.
218 EDPB Guideline 07/2020, paragraphs 28, 29.
299. The Baptism Registers will be considered separately within the context of the relevant
processing activities. The three registers that form the Baptism Registers are the Parish Baptism
Registers, Clonliffe College Register and the Adopted Persons Register.
Parish Baptism Registers
300. The Parish Baptism Registers consist of the Baptism Registers which are held within each parish
of the Archdiocese, according to canon 535 §1. The content of the Parish Baptism Registers is
set out in various provisions of the Code of Canon law, such as canon 535 §2 and canon 877 §1.
Clonliffe College Register
301. The Clonliffe College Register consists of the register of baptisms for baptisms that took place
in Holy Cross College, Clonliffe, dating between 1913 and 1999. This register is held in the
Chancellery Office, though the Archbishop submits that it should be properly held in the parish
of NorthWilliam Street in which the former seminary Clonliffe College was located. The content
of the Clonliffe College Registers is set out in various provisions of the Code of Canon Law, such
as canon 535 §2 and canon 877 §1.
Adopted Persons Baptism Register
302. The Adopted Persons Baptism Register is a central baptism register for all adopted children
(adopted after baptism). Between 1982 and 2011, it recorded the details of an adopted child
and of their baptism, as sent by the Adoption Board to the Archdiocese. The Adopted Persons
Baptism Register is ordered by the date of receipt of notifications from the Adoption Board, not
by order of date of baptism, as are the Parish Baptism Registers and the Clonliffe College
Registers. This register was recorded by the Chancellery and is held in the Chancellery Office on
behalf of the Archbishop.
Identification of the Relevant Processing Activities for the purposes of this Inquiry
303. In addition to retention, the Archbishop has indicated that the following processing activities
take place regarding the Baptism Registers:
Collection and recording of data for the purposes of recording the baptism;
Storage of the Baptism Register
Alteration of the Baptism Register on request of the baptised person or his/her
parents (where the baptised person is a minor), or annotation with details of a
person’s confirmation, marriage/annulment and ordination/laicisation (or adoption);
Retrieval, consultation and use of the Baptism Register, at the request of the baptised
person for the administration of other Sacraments, namely Confirmation, Marriage
and Holy Orders. The Baptism Register may also be consulted in the context of
annulments of marriages or laicisation of priests; and
Disclosure of extracts (baptismal certificates) from the Baptism Register by
transmission upon request to individual, identified baptised persons, or authorised
persons acting on their behalf, or upon inspection by the Archbishop on the occasion
of a Parish Visitation.219
304. In case C-40/17 Fashion ID, the CJEU stated, “the processing of personal datamay consist in one
or a number of operations, each of which relates to one of the different stages that the
processing of personal data may involve”.220 As such, I consider that the relevant processing
activities as they relate to this Inquiry are the retention (retention and storage), erasure
(deletion) and rectification (annotation/special annotation) of personal data contained within
the various Baptism Registers.
305. Further, as the subject of this Inquiry relates primarily to rectification and erasure, I have
considered the processing activity of collection and recording of personal data in the Baptism
Registers because all other data processing activities flow from that point. I am of the opinion
that it is not necessary to examine all possible processing activities as they are not relevant for
the purposes of this Inquiry. I also consider it necessary to identify whether the Archbishop is a
controller or joint controller of the personal data for such processing activities as identified and
which are relevant for the purposes of this Inquiry.
219 Submissions dated 6 September 2021, pages 2-3.
220 C-40/17 Fashion ID ECLI:EU:C:2019:629, paragraph 72.
306. The Archbishop also noted that in circumstances where “a person no longer wishes to be
identified as a member of the Catholic Church, the only processing activity likely to continue is
the storage of the baptism register”.221 However, the Archbishop also submitted that
“[e]xceptionally, the entry in respect of that person may be retrieved, consulted and disclosed in
rare circumstances where the person concerned or his/her spouse has requested an annulment
(ie within the Church and not an annulment under civil law), or the even rarer circumstances
where the person concerned is a priest and wishes to be laicised”. I am not convinced that these
statements cover all possible processing activity of the personal data belonging to the data
subject.Whether or not a person no longer wishes to be identified as a member of the Catholic
Church, the personal data and special category personal data stored on the Baptismal Register
in relation to that person remains accessible for disclosure to the parish priest who retains it,
and is readily available when accessing any other records on that page of that volume.
Collection and Recording
The Archbishop
307. The Archbishop is considered the representative at law for the Archdiocese of Dublin, which is
not a distinct legal person in its own right, though both dioceses and parishes have distinct
juridical personality under Canon Law. The Archbishop is autonomous in the Archdiocese and is
accountable directly to the Holy See.222 The Archbishop has control over the day-to-day
management of the Archdiocese, as long as he remains compliant with Canon law.223 In
accordance with canon 391 §1, it is for the Archbishop to govern the Archdiocese with
“legislative, executive, and judicial power according to the norm of law”.
308. In general, the Archbishop is under an obligation placed on him by canon 473 §1 “to take care
that all the affairs which belong to the administration of the whole diocese are duly coordinated
and are ordered to attain more suitably the good of the portion of the people of God entrusted
to him”.
309. The administration of the diocese “to attain more suitably the good of the portion of the people
of God entrusted” to the Archbishop includes the recordings and proper keeping of registers, in
my view. This is particularly in light of the Archbishop’s submissions that “[i]t is essential for the
administration of the affairs of the Catholic Church tomaintain a register of all people who have
been baptised in the Church”224. I am of the view that if the proper recording of relevant
sacraments is a core aspect of the administration of the Catholic Church, then it must also be
central to the administration of the affairs of the diocese.
221 Submissions dated 6 September 2021, page 2.
222 Paragraph 3.16, Report by Commission of Investigation into Catholic Archdiocese of Dublin (29 November 2009).
223 Ibid.
224 Submissions dated 16 March 2020, page 50.
310. Canon 515 §1 and canon 519 also provide thatwhile a parish is entrusted to a pastor, it is “under
the authority of the diocesan bishop”. Passage number 221 of the Directory for the Pastoral
Ministry of Bishops (2004) states that the “weight of responsibility to govern the diocese falls
squarely on the shoulders of the Bishop”.225
311. Canon 396 §1 places an obligation on the Archbishop to make a visitation to the parishes of the
Archdiocese. During his visitation, the Archbishop has stated that he is to:
“examine the administration and maintenance of the parish, including places of worship,
liturgical vessels and appointments, parish registers and other goods. Nevertheless, some
aspects of this task may be left to the Vicars forane or other suitable clerics (683) just
before or after the visit, so that the Bishop can concentrate on personal meetings during
the visit itself, as befits a true Shepherd (684)”.226
312. Though the Archbishop stated in his submissions that the emphasis is on the pastoral nature of
the visitation, the original text of the above passage from number 221 of the Directory for the
Pastoral Ministry of Bishops (2004), places an italicised emphasis on the words “administration
and maintenance”, not evident in the excerpt included in the Archbishop’s submission.227
313. The Archbishop had also submitted that a power of inspection exists under canon 535 §4,
allowing him to inspect Baptism Registers during the course of a visitation. In practice, this
entails the Archbishop looking at the last entry of the register and checking that the register is
up-to-date.228
314. Following a visitation, the Archbishop is to prepare a report of the visit, which can include
“offering recommendations for certain improvements in the life of the parish, with special
reference to the state of divine worship, pastoral work and any other important initiatives”.229
315. Further, canon 1276 §1, places a responsibility on the Archbishop to “exercise careful vigilance”
over the administration of all goodswhich belong to public juridic persons subject to him (which
would include the parishes of the Archdiocese).
225See
https://www.vatican.va/roman_curia/congregations/cbishops/documents/rc_con_cbishops_doc_20040222_apostoloru
m-successores_en.html.
226 Page 12, 15 October 2020 Submission, with reference to the Directory for the Pastoral Ministry of Bishops (2004) no.
221.
227See
https://www.vatican.va/roman_curia/congregations/cbishops/documents/rc_con_cbishops_doc_20040222_apostoloru
m-successores_en.html.
228 Page 7, 16 March 2020 Submission.
229 Directory for the Pastoral Ministry of Bishops (2004) no. 224: This was also submitted by the Archbishop in the 15
October 2020 Submission.
316. The Guidelines (The Directives and Guidelines for Sacramental and Pastoral Practice) also set
out specific guidance on the collection and recording of personal datawhen recording a baptism
in particular or unusual circumstances, for example, in section 1.6, “The Child of a CivillyMarried
Couple”230. With respect to the Guidelines, the Archbishop submitted that:
“[i]n cases where the Directives or Guidelines are not followed, further action can be taken
against the priest who deviates from them, but only where the deviation relates directly
to a particular canon in the Code of Canon Law, or a particular element of civil law”.231
317. In determining the controllership status of an entity or individual, consideration must be given
as to whether the Archbishop determines the purpose and means of processing.
318. The obligation to collect and record personal data at the time of baptism emanates from Canon
Law. Some sacraments are only administered once, and only if one is baptised. As such, it is
essential, according to the Archbishop, tomaintain a record of all those persons who have been
baptised232 as this keeps a record of “the administration of certain sacraments in the Church”233
which is “essential for the administration of the Church”.234
319. The Archbishop is obliged under canon 473 §1 “to take care that all the affairs which belong to
the administration of the whole diocese are duly coordinated and are ordered to attain more
suitably the good of the portion of the people of God entrusted to him”. The parishes of the
Archdiocese are under the authority of the Archbishop further to canons 515 §1 and 519. As
such, I am satisfied that the Archbishop has a practical duty of oversight regarding the
administration of the Archdiocese and exercises authority over the parishes of the Archdiocese.
This, in my view, includes matters “essential for the administration of the Church” such as the
recording of baptisms.
320. The Archbishop submitted that any obligations placed on the parish priest to keep records of
sacraments administered are “imposed on Parishes and Parish Priests as amatter of canon law.
They are not imposed on the Parish Priest by ArchbishopMartin”235. I accept that the Archbishop
does not set the obligation in Canon Law for the parish priest to collect and record data relating
to baptisms. However, in my view, the Archbishop still plays a central role in overseeing the
execution of these duties, in addition to enforcing those interpretations of Canon Law among
the parishes that he oversees. The Archbishop submitted, “the Archbishop (through the
Chancellery) disseminates guidance, this is to assist in the interpretation of canon law”.236
Further, the Archbishop is in a position to promulgate norms, which take on the force of Canon
Law, and as such is in a position to steer and augment Canon Law obligations placed on the
parish priest, which form the basis of the purposes of processing for this processing activity.
321. The Archbishop plays a significant role in determining the purpose of processing for the
collection and recording of the data for the Baptism Registers by virtue of his administrative
function and his oversight of the duties and obligations placed on the parish priest.
230 Page 10, Schedule accompanying the 15 October 2020 Submission.
231 Page 15, 15 October 2020 Submission.
232 Page 34, 16 March 2020 Submission.
233 Page 34, 16 March 2020 Submission.
234 Page 23, 15 October 2020 Submission.
235 Page 4, 16 March 2020 Submission.
236 Page 11, 16 March 2020 Submission.
322. In the case of the Adopted Persons Baptism Register and the Clonliffe College Register, I am of
the same view, that the Archbishop plays a central role in determining the purposes of
processing with respect to collection and recording of data relating to a baptism. Although the
personal data and special category personal data contained in the Adopted Persons Baptism
Register is also contained in a separate Parish Baptism Register, this does not alter the position
that the Archbishop (occasionally also via the Irish Episcopal Bishop’s Conference) steers the
purpose of the collection and recording as he sees fit and exerts influence on the purposes of
the processing. The Clonliffe College Register, may, for the purposes of the above discussion,
be assessed in the same manner as a Parish Baptism Register; I accept that the Archbishop
exerts influence over the Clonliffe College Register in the same manner as that of a Parish
Baptism Register for the processing activities of collection and recording. This is because the
former seminary of Clonliffe College, which collected and recorded the personal data, had
juridic personality in its own right within the Archdiocese, much like a parish does. 237
323. The Archbishop, by enforcing Canon Law and providing guidance, norms, recommendations and
issuing precepts to individuals in the parishes in his Archdiocese,238 as well fulfilling his duties of
governance and oversight, defines the parameters through which the personal data and special
category personal data of those who are baptised is collected and recorded.
324. Canon 391 states that “It is for the diocesan bishop to govern the particular church entrusted to
him with legislative, executive, and judicial power according to the norm of law... He exercises
legislative power himself. He exercises executive power either personally or through vicars
general or episcopal vicars according to the norm of law. He exercises judicial power either
personally or through the judicial vicar and judges according to the norm of law.” My view is
that the Archbishop may decide certain key elements about the purposes of personal data
processing in his diocese through his exercise of those functions of the Canon Law.
325. The Archbishop’s power of inspection has been set out above. The Archbishop also submitted
that the “purpose of this superficial inspection is not to ascertain the information contained in
the registers, rather it is to ensure that the registers are being maintained by the Parish Priest
as he is obligated to do in his Parish according to canon law”.239
326. I note that it is within the competence of the Archbishop to determine the extent and depth of
the inspection, whether superficial or otherwise, however, this does not negate the power of
inspection the Archbishop holds, regardless as to how he wishes to implement that power.
327. Following a visitation and inspection, the Archbishop writes a report to the parish priest
containing recommendations for improving practices if necessary. The Archbishop has stated
that, though these recommendations are “likely to be taken seriously by the Parish Priest”, there
is “no power on the part of the Archbishop to compel compliance with specific
recommendations”.
237 Canon 238 §1.
238 As per submissions of 1 February 2023, paragraph 13.
239 Ibid.
328. The Archbishop may not have an express power under Canon Law that compels compliance
with the recommendations of his report following visitation and inspection; however, in
practice the Archbishop exerts significant factual influence240 over the parish priest. In addition,
the Archbishop has a number of other powers conferred by Canon Law, which allow him to
exert decisive influence241 on the parish priest. In this way, the Archbishop operates an effective
decision-making power242 over the means of processing.
329. The Archbishop did concede that “a priest’s ministry is dependent upon that of his bishop, and
every priest promises respect and obedience to his bishop at ordination”. However, the
Archbishop asserted: “it is a common mistake to think of a parish priest as a kind of ‘branch
manager’ or ‘tenant farmer’ of a bishop”. The Archbishop also acknowledged that a bishop is
“free to establish policies for all Parishes in his diocese provided that they do not conflict with
universal canon law or divine law”.243
330. I note in particular the priests’ duty of obedience to their bishop, based on canon 273, which
states: “[c]lerics are bound by a special obligation to show reverence and obedience to the
Supreme Pontiff and to their own ordinary”. At ordination, a priest is required to take an oath
of obedience as they are asked by their bishop “Do you promise respect and obedience to me
and my successors?”244 to which the priest responds, “I do”.245 I also note246 that norms
published and promulgated by the Archbishop take on the force of Canon Law, and must be
obeyed by the parish priests of the Archdiocese.247
240 See paragraph 25, EDPB Guidelines 07/2020.
241 Paragraph 78, C-40/2017 Fashion ID.
242 See paragraph 20, EDPB Guidelines 07/2020.
243 Page 16, 15 October 2020 Submission.
244 Paragraph 3.28 Murphy Report.
245 Page 1, Obedience to the bishop by the diocesan priest in the 1983 Code of Canon Law by Francis James Schneider
J.C.D., dissertation, 1990, Catholic University of America.
246 A statement in the Draft Decision (that canonical obedience was restricted to matters prescribed in Canon Law) was
removed on foot of Submission of 1 February 2023 paragraph 6.
247 See for example canon 491 §3 “In order to inspect or remove the acts and documents mentioned in §§1 and 2, the norms
established by the diocesan bishop are to be observed”.
331. Any recommendations in a report following a visitation and inspection, which may seek to
change the means by which the parish priest is collecting and recording data to record a
baptism, are framed by the Archbishop as recommendations only. However, it is clear that the
oath of obedience placed on a parish priest to his diocesan bishop will create an expectation in
practice that the parish priest will obey any such recommendations. The submissions of
1 February 2023 dispute this view, on the basis that any such guidelines have “no compelling
force”, as they “have not been promulgated by the Archbishop according to Canon Law.” The
absence of compelling force in a bishop’s instructions do not convinceme to altermy conclusion
that in practice, the oath of obedience will create an expectation that parish priests obey
recommendations of their diocesan bishops.
332. I remain of the view that any policy put in place by the Archbishop for the parishes of the
Archdiocese are likely to be complied with by parish priests, based on each parish priest’s duty
of obedience. Although the Archbishop has argued: “[w]hile the Archbishop (through the
Chancellery) disseminates guidance, this is to assist in the interpretation of canon law. The
Archbishop does not impose these requirements on the Parish”,248 the DPC respectfully rejects
the implication that the Archbishop is not aware, when disseminating such guidance, of the
decisive influence his policies will have over the actions of parish priests in the Archdiocese.
333. Furthermore, the Archbishop, possessing executive power, can issue instructions to the parish
priest to clarify Canon Law and to set out the manner in which it should be observed.249 This
would allow the Archbishop to clarify the obligations of the parish priest to collect and record
the data relating to a baptism under canon 535 and under canon 877. In this regard, I note that
canon 138 states: “ordinary executive power as well as power delegated for all cases must be
interpreted broadly”.
334. The Archbishop also has the power to issue precepts under canon 35 and canon 49.250 A precept
may be issued in respect of a particular priest. The issuing of a precept enables the Archbishop
to make a ruling of sorts on what that priest is permitted to do, even in circumstances where
the priest may in the ordinary course make decisions as to the running of the parish. The
Archbishop has confirmed that this is the case, stating that he does have the “authority to oblige
any priest or member of the faithful to do, or not to do, a particular thing he may determine to
be detrimental to the wider community. He can do this through a “precept”, a kind of canonical
injunction directed at a specific person or situation”251. It is my view that such a power allows
the Archbishop to effectively override any decisions or actions of the parish priest in respect of
processing personal data in the Baptism Registers, if he so wishes.
248 Page 11, 16 March 2020 Submission.
249 Canon 34 and canon 1276 §2.
250 Canon 35 states that “A singular administrative act, whether it is a decree, a precept, or a rescript, can be issued by one
who possesses executive power within the limits of that person’s competence, without prejudice to the prescript of can.
76, §1”and canon 49 states that “A singular precept is a decree which directly and legitimately enjoins a specific person
or persons to do or omit something, especially in order to urge the observance of law”.
251 Page 17, 15 October 2020 Submission.
335. It is also necessary to consider whether the Archbishop is in a position to determine the
essential rather than the non-essential means of processing with respect to the collection and
recording of data for the purposes of recording a baptism. As stated by the EDPB, the essential
means of processing are closely linked to the purpose and the scope of processing, such as “the
type of personal data which are processed (‘which data shall be processed?’), the duration of
the processing (‘for how long shall they be processed?’), the categories of recipients (‘who shall
have access to them?’) and the categories of data subjects (‘whose personal data are being
processed?’)”.252
336. For the purposes of collecting and recording, the Archbishop has oversight over the affairs of
the parishes in his Archdiocese, which includes what data shall be processed by collection and
recording a baptism entry.253 The Archbishop’s power of inspection, derived from canon 535 §4,
allows him to provide recommendations to the parish priest with respect to the Parish Baptism
Registers and how they have been recorded.While the Archbishop has asserted that he has no
power to compel compliance from the parish priest with such recommendation, they are “likely
to be taken seriously by the Parish Priest”.254 I am satisfied that it is reasonable to assume that
in practice the relationship between the Archbishop and the parish priest is such that the
recommendations are more likely than not to be followed by the parish priest, which is largely
due to the oath of obedience to his bishop taken by the parish priest on ordination.
337. With respect to the Clonliffe College Register, though the Archbishop does not in practice
exercise his power of inspection over this register as it is housed in the Chancellery Office rather
than a parish, he can still exercise his power to do so. The Archbishop is in a position to exert
material influence on the means of processing with respect to the Clonliffe College Register
notwithstanding that it is not held within a parish but in the Archbishop’s House itself.
338. With respect to the Adopted Persons Baptism Register, I am of the view that the Archbishop
directly and solely influenced the collection and recording of this register held in the Chancellery
Office also on behalf of the Archbishop. The Archbishop solely determined the means of
processing with respect to the collection and recording for this register, in particular, the type
of personal data recorded (the personal data which was provided on the notifications from the
Adoption Board), and the categories of data subjects whose personal data was included in the
Adopted Persons Baptism Register.
252 Paragraph 40, EDPB Guidelines 07/2020.
253 Canon 473 §1, canon 1276 §1.
254 Page 12, 15 October 2020 Submission.
339. As such, while the source of the Archbishop’s authority to exercise control may be Canon Law,
it ismy view that the Archbishop, in practice, determines the purposes andmeans of processing
of the personal data and special category personal data in the Baptism Registers. The
submissions of 1 February 2023 contest this view, stating that “the purpose of processing of the
personal data and special category personal data contained in the Baptism Registers is
determined by Canon Law, which the Archbishop plays no role in initiating. Further, the
Archbishop does not prescribe the means of recording or collecting personal data or special
category personal data in the Baptism Registers.” I note that although canon 535 §1 states that
“the pastor is to see to it that these registers are accurately inscribed…”, the earlier sentence in
that same canon states that “Each parish is to have parochial registers… as prescribed by the
conference of bishops or the diocesan bishop.” On the basis of this Canon and the reasoning set
out earlier in this section of the Decision, I remain of the view that the Archbishop exerts a de
facto influence over the activity of collecting and processing the personal data and so is a
controller.
340. Although the Archbishop has argued that his ““power of investigation” “does not mean that he
initiated or caused the processing to happen”, 255 it is my view that given the right to visitation
and inspection conferred on the Archbishop,256 and his responsibility for governance and
oversight of the parishes of the Archdiocese, that the Archbishop has a central role in
determining the manner, purpose and means of the collection and recording of the personal
data contained within the Baptism Registers, to such a degree as to be identified as a data
controller.
Controllership: Collection and Recording:
The Parish Priest
341. The parish priest is under an obligation, further to canon 535 and canon 877, to collect and
record certain personal data when recording a baptism and other sacraments257. Canon 535 §1
states “the pastor is to see to it that these registers are accurately inscribed and carefully
preserved”. Canon 877 §1 prescribes the personal data which must be recorded by the parish
priest “without delay”.
342. Canon 515 §1 states that a parish is entrusted to a parish priest “as its proper pastor (pastor)
under the authority of the diocesan bishop”. In general, the parish priest has also been conferred
a governance role over his parish via his office, further to canon 131 §1. In accordance with
canon 519, the parish priest is entrusted with, “exercising the pastoral care of the community”
and carrying out the “functions of teaching, sanctifying, and governing”.
343. Certain functions are also “especially entrusted” to the parish priest in accordance with canon
530. One of these functions is “the administration of baptism”. In accordance with canon 532,
the parish priest represents his parish in all juridic affairs and is to “take care that goods of the
parish are administered according to the norm of _ cann. 1281-1288”.
255 Page 11, 16 March 2020 Submission.
256 Submissions dated 15 October 2020, page 12.
257 See further canon 535 §2.
344. The Archbishop has submitted that the parish priest is “responsible for all applications and
activities concerning the baptismal register” including “the creation of the original, handwritten,
record of baptism”258. Further, the Archbishop submitted that:
“[t]he Parish Priest is the one responsible for the collection of the data in the first instance,
it he who arranges the sacrament of baptism and he who manages the making of the
record in the register. The data in the baptism register exists because the Parish Priest has
permitted the baptism to take place in his Parish”259.
345. I accept that the parish priest is obliged under Canon Law, in particular canon 535 and canon
877, to collect and record certain details relating to baptisms (and certain other sacraments) in
registers. The DPC also accepts that “the parish priest governs the parish with the ordinary
power which comes from his office as exercised under the authority of the Archbishop pursuant
to canon 131 §1 and canon 515 §1.”260 Therefore, the DPC also accepts that the parish priest
has a degree of autonomy as to the governance and administration of his parish, including the
manner in which he executes the duties and obligations placed on him by Canon Law.
346. As previously stated in this Decision, the purpose for which the personal data of data subjects
is collected and recorded is because it is central to the administration of the Church. As the
sacrament of baptism can only be administered once, it is necessary to collect and record
certain details relating to the baptised person in the Baptism Registers.
347. It is the view of the DPC that the parish priest has the ability to determine the purpose for which
personal data are collected and recorded in the Baptism Registers. The parish priest may
undertake his obligations under Canon Law in such a way as to collect and record, for example,
more personal data and special category personal data than is strictly necessary under Canon
Law.
348. I am of the view that the parish priest has discretion as to the means he uses to collect and
record the personal data and special category personal data in the Parish Baptism Register.
Neither Canon Law nor the Archbishop have prescribed all the means by which the personal
data is collected, though certain requirements are in place surrounding the type of personal
data which are processed and the categories of data subjects.
258 Page 5, 16 March 2020 Submission.
259 Page 10, 16 March 2020 Submission.
260 Submission of 1 February 2023 at paragraph 17.
349. Canon Law requires the recording of certain information as per canon 877; however, this does
not preclude the parish priest from recording additional information or choosing his preferred
format for recording the hardcopy Parish Baptism Register. I note that the submission of
1 February 2023 includes the statement that “the Parish Priest essentially has very little choice
in what may be recorded here. Cannon Law requires the Parish Priest of the place of baptism to
record the information specified in canon 877 §1 in the Baptismal Register.” 261 This submission
does not convince me to alter the views set out in the first sentence of this paragraph. While
Canon 877 §1 specifies certain minimum information, the submissions do not dispute that the
parish priest can add additional information to the register. Further, the parish priest may also
determine the essential means of processing of the personal data, via collection and recording,
by the use electronic forms of indexing and recording the entries. The parish priest may choose
the types of personal data processed in this way, the duration of such processing and the
categories of data subjects whose personal data is processed. The option to use electronic
means is envisaged in Appendix 3 to the Guidelines, as published by the Chancellery, which sets
out requirements for “the Secure Maintaining of Duplicate Electronic Sacramental Records in
Parishes”, “Software Requirements for Electronic Sacramental Records” and “Scanning of Parish
Registers”. I am of the view that the use of these means, while envisaged as a possibility by the
Archbishop, is not prescribed and it is for the parish priest himself to determine whether to
process the personal data and special category personal data by electronic means.
350. As such, I am satisfied that the parish priest, in the case of the Parish Baptism Registers,
determines the means of processing to such an extent as to include essential means of
processing. Consequently, I am of the view that the parish priest exerts a decisive influence over
the processing activities contained in the Parish Baptism Register by reference to the collection
and recording of personal data in those Registers.
Conclusion: Controller of Collection and Recording
Parish Baptism Register
351. I am satisfied that both the Archbishop and the parish priests engage in controllership decisions
relating to the collection and recording of personal data in the Parish Baptism Registers and are
therefore joint controllers.
352. I am satisfied that the processing would not be possible without both parties’ participation in
deciding, albeit to different extents, the purposes and means of processing and that the
processing by each party is inextricably linked. The DPC reiterates the content of paragraph 38
of the C-210/16Wirtschaftsakademie judgment, and the fact that one of the parties not having
access to the personal data processed is not a sufficient reason to exclude the concept of joint
controllership. This is relevant within the context of the Parish Baptism Registers whereby the
Archbishop does not have day-to-day access to them.
261 Submissions of 1 February 2023, [19]
353. Both the parish priests and the Archbishop have obligations under Canon Law, as detailed in
sections 191 and 347, which are inextricably linked. Both the decisions of the parish priest and
the Archbishop as to how they comply with their obligations determine the purpose of
processing which is the recording of the sacrament of baptism to ensure it is only administered
once. As previously set out, this is an important tenet in the administration of the Catholic
Church.
354. While it is for the parish priest to determine how the personal data and special category
personal data is collected and recorded, he must comply with his obligations under canon
535 §1, canon 877 §1 and the guidance of the Archbishop. It is also within the competence of
the parish priest to collect additional personal data or record it in an electronic format as well
as recording it electronically to create an index. The Archbishop has oversight of the process to
ensure that themanner inwhich the personal data is collected and recorded by the parish priest
complies with Canon Law, such as whether it is accurately inscribed and diligently preserved.262
The Archbishop is empowered to alter the means of processing used by the parish priest via
recommendations in the report sent to the parish following a visitation, via guidance in the
Guidelines, or by publishing a norm. The Archbishop can also issue directions via precepts to
the parish priests and the parish priests operate under an oath of allegiance to the Archbishop
under Canon Law. Therefore, both the decisions of the parish priest and the Archbishop
complement each other in determining the means of processing and have a tangible impact on
the determination of the means of processing.
355. As such, I am of the view that within the framework of Canon Law, it falls to both the diocesan
bishop (the Archbishop in this instance) and the parish priest to determine the purposes and
means of processing of personal data in the Parish Baptism Registers in respect of the personal
data and special category contained therein. With regard to the personal data collected and
recorded in the Parish Baptism Registers, the Archbishop and the parish priests are joint
controllers in circumstances where both jointly determine the purposes and means of
processing.
262 Canon 535 §1, Canon 545 §4, canon 473, canon 491 §2 and canon 396 §1.
Conclusion: Controller of Collection and Recording
Clonliffe Parish Register
356. Although the Archbishop has submitted that the Clonliffe College Registers are in fact rightfully
Parish Baptism Registers of North William Street Parish, I am of the view that these registers
have never been under the practical influence of the parish priest of North William Street.
Recorded to “ensure that, in the event that North William Street Parish omitted to record a
notification of a conferral of the sacrament which had occurred in Clonliffe College, a record
would remain in the place where the sacrament was conferred”263, the parish priest of North
William street has not in reality ever had influence over the purpose andmeans of the collection
and recording of the personal datawhich is held in the Clonliffe College Registers. In that regard,
the Archbishop, being the person who holds the Clonliffe College Registers following the
dissolution of the Clonliffe College seminary, and who played and continues to play a role of
oversight and governance in the administration of his Archdiocese, is the controller of the
personal data contained within it for the processing activity of collecting and recording.
Conclusion: Controller of Collection and Recording
Adopted Persons’ Baptism Register
357. In respect of the Adopted Persons’ Baptism Register, I am of the view that the Archbishop is the
sole controller of the personal data and special category personal data contained within it for
all processing activities.
358. The personal data and special category personal data was collected and recorded in the
Adopted Persons Baptism Register between 1982 and 2011, by the Chancellery on behalf of the
Archbishop. The information contained in this register was provided to the Archbishop by way
of notifications received from the Adoption Board. The parishes in which the data subjects were
originally baptised did not provide the personal data directly to the Archbishop.
359. Further to Decree 10 of the Irish Episcopal Bishop’s Conference (at which the Archbishop’s
predecessor would have had an opportunity to provide his views and input), a centralised
baptism register for adopted children was to be kept in each diocese. As such, the obligation to
keep this centralised register and all the processing activities flowing from this fell on the
Archbishop himself, being the leader of his diocese.264
263 Page 3, 23 July 2021 Submission.
264 Promulgated in Intercom December 1987/January 1988. Decree No. 10 states that “It was decided that a central
baptismal register for all adopted children be kept in each diocese. This is to be kept either at the diocesan Curia or in a
parish or centre specially designated by the diocesan Bishop for this purpose. It has been agreed that the (civil) Adoption
Board would, on the adoption of a child, send to this office all relevant information necessary for the issuing of baptismal
certificates”.
360. In order to adhere to this obligation, which he himself would have had influence over at the
Irish Episcopal Bishop’s Conference, the Archbishop determines the purposes of processing the
personal data contained in the Adopted Persons Baptism Register. As previously stated, the
Archbishop is in a position to provide guidance on the interpretation of Canon Law, and issue
decrees and norms on behalf of his Archdiocese, and to implement these in whatever manner
he sees fit (as long as this adheres to Canon law, divine law and civil law).265
361. The Chancellery has put in place an electronic version of the register also, which indicates the
determination of the essential means of processing. The Archbishop also determines, based on
the notifications received from the Adoption Board, which types of personal data contained in
the notification would be collected and recorded and which categories of data subjects
(adopted children) would be entered into the Adopted Persons’ Baptism Register, what
duration the processing would take and the possible recipients of the personal data contained
in the Adopted Persons Baptism Register.
362. As such, I am of the view that the Archbishop solely influences the collection and recording of
this register, which is held in the Chancellery Office also on behalf of the Archbishop. The
Archbishop solely determines the means of processing with respect to collection and recording
for this register, in particular, the type of personal data recorded (the personal data which was
provided on the notifications from the Adoption Board), and the categories of data subjects
whose personal data was included in the Adopted Persons Baptism Register.
Storage and Retention
The Archbishop
363. Baptism Registers are stored and retained for the purposes of maintaining a record of those
who have received the sacrament of baptism. These records are essential to the administration
of the Catholic Church.
364. Under canon 491 §1, a diocesan bishop is required to “take care that the acts and documents
of the archives of cathedral, collegiate, parochial, and other churches in his territory are also
diligently preserved and that inventories or catalogs are made in duplicate, one of which is to be
preserved in the archive of the church and the other in the diocesan archive.” The requirement
of the Archbishop to ensure documents are “diligently preserved”, whether in the various
parishes within the diocese or in the Archbishop’s house, mandates that the Archbishop must
ensure a particular standard is met according to his own judgment.
365. I am of the view that this demonstrates an element of controllership by the Archbishop, as he
is the person with sole competence and discretion in terms of setting the relevant standard. Of
note also in canon 491 §1 is the requirement that “catalogs” or “inventories” of archives “of the
church” are made and the provision places the responsibility on the Archbishop to ensure this
is done.
265 See canon 381§1 and 391§1.
366. Further, canon 491 §3 provides that the Archbishop’s norms must be observed “in order to
inspect or remove acts and documents mentioned in §§1 and 2”, being the acts and documents
of an archive in the parish or in the Archdiocese. I am of the view that this provision also points
to the important role the Archbishop’s norms play in exerting influence on both the purposes
and the means of processing the personal data contained in the Baptism Registers, both those
held in the Chancellery and the parishes.
367. Canon 1276 §1 also requires the Archbishop to exercise “careful vigilance over the
administration of all goods which belong to public juridic persons subject to him without
prejudice to legitimate titles which attribute more significant rights to him”. This provision
requires the Archbishop to exercise vigilance over the goods of the parishes in his Archdiocese.
This would include the storage of the Parish Baptism Registers held in these parishes, the
Clonliffe College Registers and the Adopted Persons Baptism Registers in the Chancellery
(situated in the Archbishop’s House). As this provision does not define “careful vigilance”, I am
satisfied that Canon Law affords the Archbishop discretion as he sees fit in the implementation
of this obligation.
368. Further, canon 1276 §2 requires that “ordinaries are to take care of the ordering of the entire
matter of the administration of ecclesiastical goods by issuing special instructions within the
limits of universal and particular law”. This provision, in the view of the DPC, envisages that the
Archbishop will use his discretion in exercising his vigilance and oversight over the Baptism
Registers (among other things) to issue special instructions to the juridic personalities in his
diocese to order the administration of such goods.
369. As previously set out, I am of the view that any recommendations, instructions, directions and
guidance provided by the Archbishop to the parish priests of the Archdiocese, will be likely to
be interpreted as a requirement by the parish priest, in light of the oath of obedience to
ecclesiastical superiors undertaken by each priest on ordination. The Archbishop has confirmed,
“part of the Parish Visitation could include the Bishop, or his delegate, not only inspecting that
the registers are kept up to date, but also that they are carefully stored and preserved in the
parish”.266
370. As previously set out, under canon 35 and canon 49, the Archbishop has the power to issue
singular precepts to priests in this Archdiocese requiring them to store and retain the Baptism
Registers in a certain way, or to refrain from doing so. The Archbishop is not limited in the
subjectmatter of a precept, though itmust not conflict with divine law, other Canon Law or civil
law.
371. In respect of guidance and instruction to the parish priests, the Archbishop issued, via the
Chancellery, the Administrative Regulations, most recently in October 2017 and previously in
November 2008 (the ‘November 2008 Administrative Regulations’) and August 2002 (the
‘August 2002 Administrative Regulations’).
266 Submissions dated 15 October 2020, page 12.
372. Section E of the Administrative Regulations set out guidance for the parish priest regarding
“Preservation and Storage”, “Fire Prevention” and “Security”.267 Under “RecordsManagement”,
the Administrative Regulations set out the “suggested length of time records are kept”. With
respect to Baptism Registers, the length of time for storage and retention is “permanent”.
373. The previous iterations of the Administrative Regulations are more definitive as to the role the
Archbishop plays with regard to the Baptism Registers. The November 2008 Administrative
Regulations contains similar guidance on the Baptism Registers with regard to “Preservation
and Storage”, “Fire Prevention” and “Security”268. However, the November 2008 Administrative
Regulations also states that:
“Catholic parish church records are private records and the public do not have an
automatic right of access to them. They are the property of the church, coming under
the jurisdiction of the local bishop as is the case with all aspects of parochial
administration” (emphasis added).269
374. Both the November 2008 Administrative Regulations and the August 2002 Administrative
Regulations state on their cover pages that “Unless indicated otherwise, the following
regulations and guidelines apply to each parish and agency in the diocese”.270
375. The Archbishop submitted that the DPC should not read anything into the change of language
between the different versions of the Administrative Regulations, stating:
“Nothing should be read into the fact that there was a change in the language between
the two documents. The documents are intended for the guidance of parishes, for the
most part run by a Parish Priest, secretary (usually employed on a part-time basis) and
volunteers. Therefore, the guidelines need to be drafted in such a way that they are
accessible to that audience. As such, nothing turns on the fact that a sentence appeared
in one version and not the other. It is simply a matter of drafting” 271
376. With regard to this submission, I am of the view that the Administrative Regulations (each draft)
are the intended directions of the Archbishop, which are delivered via the diocesan curia, to the
parish priests of the diocese.
267 Submissions dated 15 October 2020, Schedule of Documents, Administrative Regulations and Guidelines for Parishes
(2017), Schedule E (page 167 of PDF submission).
268 Submissions dated 15 October 2020, Schedule of Documents, Administrative Regulations and Guidelines (2008), section
L1-L4 (Preservation, Storage, Fire Prevention, Security) (pages 107-109 of the PDF submission).
269 Submissions dated 15 October 2020, Schedule of Documents, Administrative Regulations and Guidelines (2008), section
L (Archives/Parish Registers) (page 107 of the PDF submission).
270 Submissions dated 15 October 2020, Schedule of Documents, Administrative Regulations and Guidelines (2008) (page 73
of the PDF submission); Administrative Regulations and Guidelines (2002) (page 41 of the PDF submission).
271 Submissions dated 23 July 2021, page 2.
377. In his submissions, the Archbishop also noted that Baptism Registers are stored and retained in
perpetuity.272 There is no express provision in Canon Law requiring Baptism Registers be
retained and stored in perpetuity, only that they are carefully or diligently preserved.273 Further,
the Archbishop submitted that “[a] central requirement of canon law in this regard is that
entries are never deleted from baptismal records”;274 this is with reference to canon 535 §1
which requires Baptism Registers (and other sacramental registers) be preserved. Though the
duty set out under canon 535 §1 is a duty placed on the relevant parish priest, it is clear from
the Archbishop’s submission that he has a role to play in interpreting and disseminating the
appropriate approach, in his view, to Canon Law, among the parishes of the Archdiocese.
378. Notwithstanding the fact that there is no express requirement under Canon Law to store
Baptism Registers in perpetuity, or any express prohibition against deleting/destroying entities
(this is not expressly contained in canon 535 §1), the Archbishop has clearly stated that “records
are retained in perpetuity” and that “entries are never deleted from baptismal records” in any
circumstances. In the Draft Decision, I noted that this indicates the Archbishop’s defining role
in determining the purposes and essential means of processing when it comes to storage and
retention. In the submissions of 1 February 2023, the Archbishop clarified that:
“the Archbishop does not require the Baptism Registers to be retained in perpetuity. This
is a long-standing tradition of the Catholic Church, dating back centuries. For example, in
France, parish registers have been in use since the Middle Ages. The oldest surviving
registers there date from 1303.”
379. I accept this clarification. However, it does not lead me to change the conclusions around the
Archbishop’s influence over storage and retention, for the reasons set out below and elsewhere
in this Decision. In particular, Appendix 3 of the Guidelines published by the Chancellery in 2011,
for the benefit of the parish priests, states “[t]he handwritten registers must be maintained and
the registers themselves are never to be destroyed or discarded”.275
380. I am satisfied that with respect to storage of the Parish Baptism Registers, the Archbishop has
sufficient control of the purposes of processing and disseminates his views to the parish priests
in the form of guidance and instruction, in particular, via Guidelines and the Administrative
Regulations, which explicitly set out that the Baptism Register entries are not to be deleted and
should be stored and retained permanently.
272 Submissions dated 16 March 2020, page 31.
273 Canons 535 §1, 491
274 Submissions dated 16 March 2020, pages 4-5.
275 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, Appendix 3 (page 27 of the PDF submission).
381. With respect to the Clonliffe College Register and the Adopted Persons Baptism Register, the
Archbishop holds these registers in the Chancellery. As far as storage and retention is
concerned, including duration or length of processing, organisation and preservation of the
registers while in storage and security measures in place in the Chancellery, it appears to the
DPC that the Archbishop is the only person who enforces and makes these decisions.While the
Clonliffe College Register is, according to the Archbishop, a Parish Baptism Register, I have been
provided with no evidence that the parish priest of NorthWilliam Street has any input as to the
storage environment of the Clonliffe College Register, or that on balance he exerts any tangible
influence over the duration of the storage and retention.
382. The Archbishop has submitted that both the Clonliffe College registers and the Adopted
Persons’ Baptism Registers are kept securely. The Chancellery Offices, located at the
Archbishop’s house is under the jurisdiction of the Archbishop. He is responsible for the
administration and good ordering of the goods in his diocese and I am satisfied that ultimately
he is in charge of the security arrangements, which are in place in the Archbishop’s House, even
where such tasks may be delegated to others in the diocesan curia in certain instances. The
Archbishop is obligated under Canon Law to ensure that there is an historical archive in the
Archdiocese and that “documents having historical value are diligently protected and
systematically order in it”.276 I am satisfied that, given the necessity (according to the
Archbishop) of retaining the Baptism Registers even after the death of the individuals whose
baptisms are recorded in them, the Clonliffe College Register and the Adopted Person Baptism
Register are ‘documents’which have an historical value and which, being in the Dublin Diocesan
Archives, are to be diligently protected and systematically ordered by the Archbishop.
383. Based on the above analysis, I am of the view that the Archbishop does exert a decisive influence
over the processing of the personal data and special category personal data contained in all
Baptism Registers for the purposes of storage and retention. The DPC next considers whether
this is sole or joint controllership.
Controllership: Storage and Retention
The Parish Priest
384. The parish priest is under an obligation further to canon 535 §1 to ensure that the Parish
Baptism Registers are “carefully preserved”. Further, the parish priest is also tasked with
ensuring that the Parish Baptism Registers are stored correctly and do not fall into unauthorised
hands, in accordance with canon 535 §4. Canon 535 §4 requires that each parish has a storage
area or archived “in which the parochial registers are protected”.
276 Canon 491§2.
385. The Archbishop submitted that the parish priest is responsible for the “the maintenance of
security and confidentiality of baptismal registers”277 and has also submitted that each Parish is
required to have an archive in which Parish Baptism Registers are kept, and that these are
normally kept in safe rooms, which are fireproofed and are accessible only by authorised
personnel.278
386. The Archbishop has asserted that the parish priest “has ongoing access to the registers and it is
he that bears the responsibility of ensuring their security and confidentiality”.279 According to
the Archbishop, the parish priest not only collects the personal data but also “remains in
possession of the data on a continuous and indefinite basis, and controls access to that data by
all outside parties, including the person to whom the record relates. There can be no doubt that
the Parish Priest, therefore, is a data controller”.280
387. My initial view is that, while the parish priest does remain in possession of the personal data in
the Parish Baptism Registers on a ”continuous and indefinite basis”, this duration of processing
has been pre-determined by the Archbishop and is specified to the parish priest through the
Archbishop’s instructions and guidance. Such instructions and guidance are based on the
Archbishop’s interpretation of Canon Law.281
388. Further, I am of the view that while the parish priest is responsible for day-to-day storage and
retention of the Parish Baptism Registers, the Archbishop does provide clear guidance on the
minimum standards expected with regard to retention, security, preservation and fire safety for
the Parish Baptism Registers.282 Indeed, the Dublin Diocesan Archives Guidance provided by the
Archbishop notes explicitly that with respect to Parish Records, “No items are to be disposed of
through sale, donation, or other means before they have been assessed by the archivist and
without the explicit permission of the Archbishop”.283
389. I have had regard to the “non-essential means” of processing as set out in the EDPB Guidelines
07/20. It states: ”Non-essentialmeans” concernmore practical aspects of implementation, such
as the choice for a particular type of hard-or software or the detailed security measures which
may be left to the processor to decide on.
390. I am of the view that the parish priest has a discretion as to the means he uses to store the
personal data contained with the Parish Baptism Registers. Neither Canon Law nor the
Archbishop’s guidance have prescribed all themeans by which the personal data is to be stored,
though certain guidance is in place as to how the parish priest may best preserve his archive
and ensure that it is secure against unauthorised third parties.
277 Submissions dated 16 March 2020, page 5.
278 Submissions dated 16 March 2020, page 29.
279 Submissions dated 16 March 2020, page 10.
280 Submissions dated 16 March 2020, page 11.
281 Submissions dated 16 March 2020, page 11.
282 Submissions dated 15 October 2020, Schedule of Documents, Dublin Diocesan Archives (IE/DDA), section 3.6.1 (page
256 of the PDF submission) and Administrative Regulations, November 2008, section L (pages 107-109 of the PDF
submission).
283 Submissions dated 15 October 2020, Schedule of Documents, Dublin Diocesan Archives (IE/DDA), section 3.6.1 (page
256 of the PDF submission).
391. I am of the view that for the purposes of storage of personal data contained within the Parish
Baptism Registers that the parish priest is engaged with the “non-essential means” of such
processing and is therefore not a data controller for this purpose. This is because the storage of
the parish Baptism Registers by the parish priest is concerned with the practical implementation
of the Archbishop’s instruction and, based upon the EDPB guidance, it is within the discretion
of the parish priest to decide upon certain storage measures once they conform overall to and
are within the overall parameters of the instructions of the Archbishop as data controller.
392. I do not accept either that the parish priest, short of disobeying the instructions of the
Archbishop and by extension the Archbishop’s interpretation of Canon Law, determines the
duration of the processing, which must be perpetual and which has been clearly set out by the
Archbishop.
393. Based on the above, I am of the view that the parish priest does not exert influence over the
processing of the personal data and special category personal data contained in the Parish
Baptism Registers for the purposes of storage.
Conclusion: Controllership: Storage
394. I am of the view that the Archbishop solely engages in decisions relating to the storage of the
personal data in the Parish Baptism Registers.
395. With respect to the purposes of processing, both the Archbishop and the parish priest have
obligations under Canon Law that are inextricably linked. The parish priest is under an obligation
to carefully preserve the Parish Baptism Registers and to ensure that they are protected in an
adequate storage area, further to canon 535 §1 and canon 535 §4 respectively. The Archbishop
is under an obligation to ensure the affairs that relate to the administration of the Archdiocese
are duly coordinated and ordered. However, it is the Archbishop who has issued clear guidance
as to how the Parish Baptism Registers should be stored and it is the parish priest who must
ensure that this guidance is followed, even though hemay have some discretion as to the “non-
essential means” of processing.
396. With respect to the means of processing, the parish priest must comply with his obligations
under canon 535 §1 and canon 535 §4, in addition to the guidance provided by the Archbishop.
The parish priestmay have some discretion, but this is in relation to the non-essential means of
processing. The Archbishop however determines the means of processing, having a role of
oversight to ensure that the manner in which the personal data is stored by the parish priest
complies with Canon Law, such as whether they have been diligently preserved284, and in
compliance with the guidance he has put in place via the Administrative Regulations. The
Archbishop is empowered to alter the means of processing used by the parish priest via
recommendations in the report sent to the parish following a visitation further to canon 535 §4
or via a precept.
397. As such, I am satisfied, based on the evidence presented to it, that the Archbishop is the sole
controller for the purposes of the storage of the Parish Baptism Registers.
284 Canons 535 §1, 545 §4, 491 §2, 396 §1.
Conclusion: Controllership: Retention
398. On careful consideration of the evidence before me, I am of the view that the Archbishop is the
sole controller for the purposes of the retention of the personal data and special category
personal data contained in the Parish Baptism Registers.
399. I have considered the judgment of C-40/17 Fashion ID, in this regard, in particular the CJEU’s
statement at paragraph 40 that a personmay be a controller jointly with others “only in respect
of the operations involving the processing of personal data for which it determines jointly the
purposes and means”. On consideration of this processing activity, the DPC does not regard the
parish priest to act in the role of a joint controller in respect of retention, not being involved in
jointly determining the purposes andmeans for the retention of the personal data in the Parish
Baptism Registers.
400. From the evidence provided, it is the view of the DPC that the Archbishop solely determines the
purposes and means of the retention of the personal data in the Parish Baptism Registers. It is
the Archbishop who has determined that the personal data in these registers must be retained
indefinitely and never deleted in order that the purposes of processing are fulfilled. As such, the
parish priest has no control over the essential means of processing of the Parish Baptism
Registers when it comes to retention, in particular the duration of the processing.285
401. The essential means of processing for retention of the personal data in perpetuity are not
agreed jointly between the Archbishop and the parish priest and there has been no evidence
presented to the DPC that there is any joint participation in determining the purposes and
means in this regard. The DPC rejects that there is any evidence that the parish priest solely
determines the means and purposes of processing with respect to retention. The Guidelines
from the Archbishop as set out above clearly state that the Parish Baptism Register entries are
never to be deleted or destroyed. According to the Dublin Diocesan Archives guidance, the
Parish Baptism Registers are not to be disposed of by anymeans, without the explicit permission
of the Archbishop.286
402. As such, in respect of the processing activity of retention, I am of the view that the Archbishop
solely controls the purposes and means of processing and therefore is the sole controller of the
personal data for this processing activity.
Conclusion: Controllership
Clonliffe College Registers
285 EDPB Guidelines 07/20, paragraph 40.
286Submissions dated 15 October 2020, Schedule of Documents, Dublin Diocesan Archives (IE/DDA), section 3.6.1 (page
256 of the PDF submission) and Directives and Guidelines for Sacramental and Pastoral Practice, Draft, The Chancellery,
2011, Appendix 3 (page 27 of the PDF submission).
403. Although, as previously set out, the Archbishop submits that the Clonliffe College Register is
rightfully a Parish Baptism Register, it has never been in the possession of the North William
Street parish (or at least this was the case up until July 2021 as far as I am aware). The Clonliffe
College Register is stored in the Chancellery Office/Diocesan Archives at the Archbishop’s House
and the Archbishop is the only person (having regard to the delegation of the task to others in
the diocesan curia) who determines the purposes and means of processing for the storage of
this register, including security, fire prevention, preservation etc. The DPC rejects any
implication that the parish priest of North William Street has any practical or realistic input as
to the purposes and means of storage for this register.
404. Insofar as retention is concerned, further to my views as set out above, the Archbishop is also
the sole controller of the Clonliffe College Register in respect of this processing activity.
Conclusion on Controllership: Storage and Retention
Adopted Persons Baptism Register
405. I am of the view that the Archbishop is the sole controller of the personal data and special
category personal data in the Adopted Persons Baptism Register for all processing activities,
and refers to my views previously set out herein in this regard.
Alteration of Baptismal records
Preliminary Points
406. As a preliminary point, I note that in the context of this Inquiry, the meaning of annotation of
the Baptism Registers and alteration of the Baptism Registers must be distinguished.
407. When an individual undertakes certain sacraments, such as confirmation or marriage, a note of
this is made in the Baptism Register entry for that person. (‘Standard Annotation’). Further,
when a person’s marriage is annulled by the Church, or when a person formally defects from
the Church, this would also be annotated into the Baptism Register. In the case of when a
baptised person prior to 2011 was adopted, their original baptism entry in the Parish Baptism
Register ‘ceased’ by way of a notation only. This notation was placed beside the entry, referring
all requests to the Chancellery (a ‘Special Annotation’).
408. This is to be distinguished from an alteration (‘Alteration’) to the Baptism Register,which is also
of a form of annotation. When an entry to the Baptism Register requires alteration, which may
occur for a number of reasons, for example a change of name or an error in the recording of a
date of birth, the entry is not deleted. The Archbishop has submitted that entries in the Baptism
Register are never deleted. Rather, when an alteration or emendation is required, the incorrect
or out of date information will be struck through and a note of the correct information will be
made on the Baptism Register, above or below the struck through entry.287
287 Submissions dated 16 March 2020, page 6.
409. However, for the purposes of this Decision, a Standard Annotation will refer to routine
annotations of the Baptism Register, which take place when information on further sacraments
received is recorded on the Baptism Register. A Special Annotation will refer to an instance
where the parish priest it notified by the Chancellery of the addition of a specific note to an
entry in a Baptism Register (often also changing the sacramental status of a person). An
Alteration will refer to the less common instances where a Baptism Register entry is annotated
with a view to altering or changing the information which is already present in that entry, due
to an error or inaccuracy.
Standard Annotation, Special Annotation and Alteration
410. The Archbishop has submitted that, with respect to alteration and annotation of the Baptism
Registers, “he is not entitled to alter entries in the registers and he has no power to compel a
Parish Priest to alter a register”288. I have previously set out herein, the obligations of the
Archbishop regarding governance and oversight within the Archdiocese, in addition to his
powers to compel a parish priest to take certain actions by way of a precept. As such, the DPC
finds it difficult to accept the Archbishop’s assertion that he has no power to compel the parish
priest to alter a Parish Baptism Register.
411. I previously stated my view that the Archbishop’s power of inspection, coupled with the parish
priest’s oath of obedience effectively means that the Archbishop exerts influence over the
Annotations which the parish priest makes in the Parish Baptism Registers, being subject to
scrutiny and possible recommendations from the Archbishop.
412. In the submissions to the DPC by the Archbishop, I note that there are suggestions therein, that
the Archbishop, via the Chancellery, exerts influence over themanner in which the Annotations
and Alterations may occur with reference to the personal data contained in the Baptism
Registers.
413. The Archbishop also asserted that the Chancellery “only offers advice. It in no way compels the
recipient to follow the advice, much akin to a person seeking legal advice from a solicitor”289.
However, I note the following:
• section 1.12 of the Guidelines state that “[a]ny alteration to the Baptismal Register
must be authorised through the Chancellery”;
• section 4.5 of the Guidelines state that “[t]he express permission of the Chancellery is
required before any alteration or emendation may be made in any entry in any such
parochial register”; and
• Appendix 3 of the Guidelines, explicitly states, “[a]ny amendment to a register needs
to the prior written permission and authorisation from the Chancellery”.290
288 Submissions dated 16 March 2020, page 2.
289 Submissions dated 15 October 2020, page 14.
290 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, (pages 12, 23, 27 of the PDF submission).
414. The Archbishop has argued that the Chancellery does not in fact ““authorise” an amendment in
the sense of the giving official permission by someone in a position of authority. A better term
might perhaps be “advise””291. While the Archbishop states that in respect of the term
“authorise” “[i]ts usual meaning is where official permission or approval is given for something
to happen. It is important to note that it is not used in that sense where the Chancellery is
concerned”, the DPC respectfully rejects this assertion by the Archbishop.
415. Taking the ordinary meaning of phrases such as “must be authorised”, “express permission”, or
“written permission” it is untenable to suggest that such phrases in fact mean that the
Chancellery will advise only, and that they would be universally understood to be read that way
by parish priests and others in receipt of the Guidelines. Further, the Archbishop has not
demonstrated why these words do not retain their ordinary meaning “where the Chancellery is
concerned” or why this might be. On balance, I am satisfied that if “advise” was the meaning
intended by the Archbishop and the Chancellery in the Guidelines, it would have in fact been
used instead of the language of authorisation and permission.
416. It is not solely the Guidelines, which reflect the language of authorisation in the Archbishop’s
and Chancellery’s communications with parish priests. In a letter dated 24 September 2018,292
a parish priest is requested by the Chancellery to amend an entry in the Parish Baptism Register.
The parish priest is requested to write “Chancellery Auth. 24th September 2018” beside the
change in the Observation Column293 and that the alteration to the date of birth of the data
subject be executed as follows:
“i) In the Date of Birth Column place an asterisk, draw a line through the “9th” and,
above or below insert the “10th”.
ii) In the Observation Column place an asterisk and the following: “Future certificates
to reflect changes made: pub.doc: Chancellery Auth. 24th September 2018”.294
417. The same type of notation is present in a letter of 22 October 2018 requesting an alteration,
“Chancellery Auth. 22nd October 2018”295. In the letter dated 22 October 2018, the Chancellery
instructed the parish priest to rectify the surname of a data subject, which was recorded in the
Parish Baptism Register. The Chancellery instructed the parish priest of St Luke the Evangelist
parish alter the entry as follows:
“i) In the Surname column place an asterisk, before the name […] and, insert the
name […]
ii) In the Observation Column place an asterisk and the following: “Future certificates
to be issued in the name […] pub.doc: Chancellery Auth. 22nd October 2018”
291 Submissions dated 23 July 2021, page 1.
292 Submissions dated 15 October 2020, Schedule of Documents, (page 194 of the PDF submission).
293 Submissions dated 15 October 2020, Schedule of Documents, (page 194 of the PDF submission).
294 Submissions dated 15 October 2020, Schedule of Documents, (page 194 of the PDF submission).
295 Submissions dated 15 October 2020, Schedule of Documents, (page 207 of the PDF submission).
418. I am satisfied that these references indicate that the parish priestmust record whenmaking the
Alteration that the Chancellery’s authorisation has been obtained and the Alteration is
legitimatelymade. In addition to this, in an email to the data subject in respect of the 22 October
2018 request, the Chancellery writes “[w]e have authorised the parish of St Luke the Evangelist
to amend […] Baptismal Certificate”.296 This further strengthens my view that the ordinary
meaning of the word “authorise” is intended with respect to the Chancellery’s involvement in
Annotations and Alterations. This arises in circumstances where it is used with laypeople who
may not be privy to any purported special status surrounding the Chancellery.
419. The Archbishop states that:
“the Chancellery acts as a form of legal advisor to a Parish Priest in that it carries out
an investigation of the particular circumstances surrounding the requested
amendment and confirms to the Parish Priest whether it is legally possible, according
to canon law, to effect the amendment. In this regard, the Chancellery confirms
whether the request is a legitimate one […]
As such, in confirming that the request is a legitimate one, the Chancellery is
confirming whether the individual has a right to have their baptismal record
amended. It is then a matter for the relevant Parish Priest to give effect to this right
and lawful amendment, where it arises”.297
420. Similarly, the Archbishop also stated that:
“This advice is then relayed to the recipient (which in any particular case could be the
Archbishop, a Parish Priest, or a Diocesan Agency). The action(s) thereafter fall under
the jurisdiction of the recipient on how they will proceed”.298
421. I am of the view that the only recipient of “advice” from the Chancellery with any element of
discretion in terms of how to proceed is the Archbishop. I am not satisfied that it is possible for
a parish priest or indeed a diocesan agency, to go against the directions of the Chancellery, even
where the parish priest has operational control within his parish. This is in circumstances where
I am satisfied that in respect of Special Annotations and Alterations, the communications issued
from the Chancellery are not in fact advice, but instructions from the Archbishop to be complied
with by the parish priest.
296 Submissions dated 15 October 2020, Schedule of Documents, (page 203 of the PDF submission).
297 Submissions dated 23 July 2021, page 1.
298 Submissions dated 15 October 2020, page 14.
422. As previously stated, in C-131/12 Google Spain, the concept of a controller (in that case with
reference to the definition under Article 2(d) of Directive 95/46) is defined broadly to ensure
the effective and complete protection of data subjects299. It would be remiss to ignore the
practical influence the Chancellery has in guiding, assisting and advising the Archbishop as part
of the diocesan curia) over the actions of the parish priest, when it comes to amending and
annotating the personal data in the Baptism Registers. In order to protect data subject rights
properly, it is necessary to define a controller broadly and to ensure that the influence of
controllers, even when emanating from another body or office, which purportedly has no
power, is properly recognised for what it is.
423. With respect to the Adopted Persons Baptism Register, the Archbishop provided a template
letter with his 16 March 2020 Submission, which is issued to a parish when an individual is
entered on that register centrally. The letter states that:
“The record of Baptism of the person named below is now contained within the
Adopted Persons’ Baptismal Register held in the Chancellery, Archbishop’s House. As
a result, the entry contained in the Baptismal Register of your Parish ceases.
No Baptismal certificate may be issued from your parish for this entry”
424. The letter also states that “to effect this, I would ask you to make the following notation in the
comments column of the above entry …”.300 In the view of the DPC, the language in this letter is
a clear statement that the entry in the Parish Baptism Registers has ceased and the parish priest
is now prohibited from issuing a baptismal certificate, by direct instruction from the
Chancellery. This is not advice but a strict direction, though the Chancellery has attempted to
frame the latter part of the letter as a request.
425. The Archbishop stated in respect of this that “[u]ltimately it was a decision of the Parish Priest
concerned to make the relevant annotations in the baptismal register held in the Parish”.301
I have considered this submission by the Archbishop and having had regard to all evidence
presented to the Inquiry, respectfully reject this assertion. The above statement is similar to
prior submissions made by the Archbishop whereby “[i]t is then a matter for the relevant Parish
Priest to give effect to this right and lawful amendment, where it arises” and “[t]he action(s)
thereafter fall under the jurisdiction of the recipient on how they will proceed” respectively.
While technically a parish priest may choose not to make the relevant Special Annotation or
Alteration, just as a parish priest may choose not even to record a legitimate baptism in a
register in the first place, this would be in direct contravention of his duties under Canon Law
and his oath of obedience to the Archbishop, as previously set out.
299 C-131/12 Google Spain, paragraph 34.
300 D-201015 Adopted Persons – cessation of entry in baptismal register letter.
301 Submissions dated 23 July 2021, pages 8-9.
426. The Archbishop has certain authority over a parish priest and can even remove a parish priest
from his office in some instances,302 in addition to a power of oversight of the Baptism Register
at his visitation, after which hemay send a report to the parish detailing improvements that are
required. The fact that a parish priest does not undertake the instructions given to him by the
Chancellery does not indicate he is prima facie a controller in his own right, in circumstances
where the alternative to following the instruction is to be in contravention of the duties and
obligations of his office and possibly incur some degree of sanction.
427. The failure to make a Special Annotation or Alteration requested by the Chancellery would not
be the action of a controller legitimately determining the purposes and means of processing
personal data, but rather, the actions of a processor who has failed to follow the instructions of
a controller. In that circumstance the parish priest would then become a controller, further to
Article 28(10) of the GDPR.303
428. In addition to the foregoing and coupled with the Archbishop’s duties of oversight and
governance, including his power of inspection and the right tomake recommendations, or issue
a precept, extends to the oversight of these annotations in the Baptism Registers also. The
interpretation of Canon Law and its anticipated outcome may be provided by the Archbishop
and disseminated to the parish priests, either as guidance or by recommendations to a
particular parish following an inspection and visitation and this determines the purposes of
processing of the personal data.
429. With respect to other Special Annotations directed by the Chancellery, the Archbishop is
empowered to determine not only that a Special Annotation bemade, but also exactly, how the
annotation is to be phrased. In this regard, I note that the Archbishop, via the Chancellery,
directed that when a person formally defected from the Catholic Church, this would be
annotated on their Parish Baptism Register entry. The template letter which was sent to the
parish priest indicates the exactmanner inwhich the Parish Baptism Register is to be annotated:
“I would be grateful if you would make the following insertion in the observation
column of the Baptismal Register in respect of the Petitioner:
“Cessation of Church membership by formal act of defection recognised: Doc. Apud
Curiam, prot. No FD/XX/09.
All future requested Baptism Certificates should include this observation” .304
430. In circumstances where a baptised person was adopted prior to 2011, the Chancellery also
notified the parish priest of the exact means by which the Parish Baptism Register was to be
annotated, as set out previously. In this instance, the Chancellery would set out the following
entry which was to be made in the comments column of the Parish Baptism Register entry:
302 Submissions dated 15 October 2020, page 19
303 EDPB Guidelines 07/20, page 4 states: “A processor infringes the GDPR, however, if it goes beyond the controller’s
instructions and starts to determine its own purposes and means of the processing. The processor will then be considered
a controller in respect of that processing and may be subject to sanctions for going beyond the controller’s instructions”.
304 Submissions dated 23 July 2021, Booklet of Documents Accompanying Responses to DPC Queries, template letter dated
31 August 2009 on the cessation of church membership sent from the Chancellery (page 21 of the PDF submission).
“Adoption Order granted (DATE), Serial No:
In the name
Refer all requests for certificates/notifications to the Chancellery”.305
431. Further, I note that the Archbishop has in fact offered in his submissions to recommend that a
further annotation be made by the parish priests in circumstances where a person has sought
de facto defection. The Archbishop stated that the “register could be annotated as follows: “No
longer wishes to be identified as a Roman Catholic”.306 This, in my view, indicates that the
Archbishop has the power to determine further annotations, whichmay be placed on the entry
of a data subject in the Baptism Registers, including the Clonliffe College Registers and Adopted
Persons Baptism Registers.
432. As such, the Archbishop determines the essential means of processing when it comes to Special
Annotations, which are specifically directed by the Chancellery, in particular the type of the
personal data processed, the duration of the processing, the data subjects whose personal data
is processed and the form in which the processing must take.
433. Similarly, with regard to Alterations to the Baptism Registers, the Archbishop, via the
Chancellery, specifies exactly the means by which an alteration to an entry is executed. This is
evident from the sample letters dated 24 September 2018 and letter of 22 October 2018
provided by the Archbishop in his submissions, which instruct a parish priest to perform an
Alteration to the Parish Baptism Register.
434. Both of the aforementioned Alterations are set out precisely in their terms, and the parish priest
does not determine any aspect of the essential means of processing for the above alterations.
He must execute these as instructed, transcribing the exact language used by the Chancellery.
It is evident to the DPC that that these Alterations, are to be undertaken in the exact manner in
which the Chancellery has directed that they be done.
435. For Standard Annotations which indicate a change in a person’s sacramental status, further to
canon 535 §2, the Archbishop is empowered to determine the interpretation and
implementation of Canon Law in his Archdiocese. As such, he is empowered to direct themeans
of processing for such annotations if he wishes, in particular, the type of personal data
processed by determining the amount of detailwhich should be provided in such an annotation;
the duration of the processing for an annotation (in perpetuity); and the categories of data
subjects. With respect to the categories of data subjects, the Archbishop is empowered to
determine whether further annotations can be made in the Baptism Register.
436. The parish priest has no power to effect an Alteration without the express permission and
instruction of the Chancellery. Hemay not even formulate thewording of the Alteration himself,
nor can he decide to include more or less personal data, further to his own discretion under
canon 535 §2.
305 Submissions dated 16 March 2020, per template letter provided therein, D-201015 Adopted Persons – cessation of entry
in baptismal register letter.
306 Submissions dated 16 March 2020, page 44.
Controllership: Standard Annotation, Special Annotation and Alteration
Parish Priest
437. The parish priest is obliged under canon 535 §2 to make Standard Annotations on the Parish
Baptism Register. Canon 535 §2 provides that:
“In the baptismal register are also to be noted confirmation and those things which
pertain to the canonical status of the Christian faithful by reason of marriage, without
prejudice to the prescript of _ can. 1133, of adoption, of the reception of sacred orders, of
perpetual profession made in a religious institute, and of change of rite. These notations
are always to be noted on a baptismal certificate”.
438. I accept that the parish priest, for the most part, fulfils this obligation on a day-to-day basis
without reference to the Archbishop and am of the view that he has an element of discretion
as to how this is achieved. Canon 895 states that “[t]he pastor must inform the pastor of the
place of baptism about the conferral of confirmation so that a notation ismade in the baptismal
register according to the norm of _ can. 535, §2”. Canon Law does not specify the personal data
which is to be included in such a notation, just that it must be done to fulfil the requirements of
Canon Law. The parish priest is obliged under Canon Law to make standard annotations in the
parish baptism registers for the purposes of recording the sacramental or canonical status of an
individual, the recording of which is central to the administration of the Church.
439. My view is that any element of discretion that the parish priest may have in terms of the
recording of the standard annotation is part of the non-essential means of processing. It simply
concerns a practical aspect of the implementation of obligations that are set out under Canon
Law, notwithstanding the significance of its administrative function and purpose.
440. The Archbishop has also submitted that the parish priest is responsible for the “annotation of
the baptismal record with details of a person’s confirmation, marriage/annulment and
ordination/laicisation”.307 I note the distinction between these Standard Annotations and
Special Annotations, which require direction or instruction from the Archbishop (via the
Chancellery). Such Special Annotations may include the recording in a Baptism Register of the
annulment of a marriage, the laicisation of a previously ordained individual, the formal
defection of an individual from the Church (which is no longer possible), or annotating the
cessation of an entry in a Parish Baptism Register on the adoption of a baptised individual (this
practice has also ceased).
307 Submissions dated 16 March 2020, page 5.
441. With respect to these Special Annotations, the evidence provided to the DPC by the Archbishop
indicates that, in these instances, such an annotation is only performed by a parish priest when
a specific instruction has been received by the Chancellery to do so. These specific instructions
appear to set out the exactwording and form which the Special Annotation is to take and leaves
no discretion to the parish priest as to how the personal data in question is to be processed.
The wording of such an annotation in the case of a formal defection from the Church has been
previously set out herein together with the wording in the case of the cessation of a baptismal
entry following the adoption of a baptised person.
442. When a parish priest is approached by an individual who wishes an Alteration to be made to
the Baptism Register, the Archbishop has submitted that this will only occur in limited
circumstances. The Archbishop submits that an Alteration can consist of changing the name of
the individual following a change of name by deed poll.308 Amending a factual error in the name
or date recorded are also possible alterations that may be made.309
443. To make an Alteration to a Baptism Register entry, the parish priest must apply to the
Chancellery for “authorisation” if he has been contacted directly by an individual.310 The
Chancellery then undertakes an investigation as to whether the alteration may be carried out.
The Archbishop submitted that the investigation is “carried out on behalf of the Parish Priest as
he is the custodian of the records”.311 The Chancellery then relays the findings to the parish
priest and the parish priest then undertakes the Alteration based on the Chancellery’s findings.
As stated above, I note the clear language used in a number of the documents submitted by the
Archbishop accompanying the submissions, which indicates that the Chancellery must in fact
expressly authorise or give permission for an Alteration to be performed by the parish priest.
The parish priest does not have any discretion in this regard.
444. The DPC respectfully disagrees with the viewpoint presented by the Archbishop that the
Chancellery is working on behalf of the parish priest, providing advice only as to whether an
Alteration should be performed. As previously set out, I am of the view that the parish priest
cannot alter the baptism records unless and until he is permitted to do so by the instructions
from the Archbishop, delivered through the Chancellery.
Conclusion on Controllership:
Standard Annotation, Special Annotation, Alteration
Parish Baptism Registers
445. I am of the view that the Archbishop, in respect of Standard Annotations of entries in the Parish
Baptism Registers, is the sole controller who determines the purposes and means of the
processing of personal data.
308 Submissions dated 16 March 2020, page 6.
309 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, section 1.13 (page 12 of the PDF submission).
310 Submissions dated 16 March 2020, page 6.
311 Submissions dated 16 March 2020, page 6.
446. It is the view of the DPC that the Archbishop, in respect of the processing activity of Special
Annotation of entries in the Parish Baptism Registers, is the sole controller who directs the
purposes and means of processing. The Archbishop via the Chancellery instructs the parish
priest as to the exact manner in which a Special Annotation is to be effected. The parish priest
does not determine the purposes or the means of such processing and therefore cannot be
identified as a controller in these circumstances.
447. I am of the view that in respect of the processing activity of Alteration of entries in the Parish
Baptism Registers, the Archbishop is the sole controller who directs the purposes and means of
processing. The Archbishop via the Chancellery instructs the parish priest as to the exactmanner
in which an Alteration is to be effected. The parish priest is required to obtain the express
permission or authorisation for the purposes of an Alteration. The parish priest does not
determine the purposes or the means of such processing and therefore cannot be identified as
a controller in these circumstances.
Clonliffe College Registers
448. I am of the view that the Archbishop is the sole controller of the personal data and special
category personal data in the Clonliffe College Register for the processing activities of Standard
Annotation, Special Annotation and Alteration. Although the Archbishop submits that the
Clonliffe College Register is rightfully a Parish Baptism Register, it was not in the possession of
the NorthWilliam Street parish at the time of the Archishop’s submission.
449. The Clonliffe College Register is stored in the Chancellery Office/Diocesan Archives at the
Archbishop’s House and the Archbishop is the only person (having regard to the delegation of
the task to others in the diocesan curia) who determines the purposes andmeans of processing
for the standard and special annotation and alteration of this register. The DPC rejects any
implication that the parish priest of North William Street has any practical or realistic input on
the purposes and means of Standard Annotation for this Clonliffe College Register.
Adopted Persons Baptism Register
450. I am of the view that the Archbishop is the sole controller of the personal data and special
category personal data in the Adopted Persons Baptism Register this Decision.
Findings
451. While having regard to the findings of joint controllership with the parish priest, I reiterate the
position previously set out which is that the DPC engaged solely with the Archbishop of Dublin
in relation to this Inquiry and my findings are based on the submissions of the Archbishop.
However, it is important to note that this Inquiry relates to the rectification and erasure of
personal data contained within the Baptism Registers (which includes retention and storage)
under Articles 16 and 17 of the GDPR respectively. Earlier sections of this Decision included an
analysis of the collection and recording of personal data because the issue of rectification or
erasure flows therefrom.
452. It is clear to me from the foregoing analysis, that the Archbishop retains sole controllership for
the processing activities of rectification and erasure of personal data contained within the
Baptism Registers. In simple terms, this is so because any such amendment cannot be made by
the parish priest without having first obtained hierarchal approval. While the Archbishop
submits that the Chancellery is the Canon Law office of the Diocesan Curia with no decision-
making power and fulfils only an advisory role, the DPC does not accept for the purposes of data
protection law that this organisational make-up relieves or removes the Archbishop from
consideration as a data controller. The Archbishop decides certain key elements312 about the
purposes of the data processing by his governance of the interpretation of the obligations under
Canon Law and instructing those to the parish priest. The Archbishop issues instructions on how
to comply with certain obligations, via the Chancellery.
453. Therefore, I find that:
a. The Archbishop and the parish priest are joint controllers of the personal data and
special category data contained in the Parish Baptism Registers with respect to the
processing activities of:
i. Collecting and recording.
b. The Archbishop is the sole controller of the personal data and special category data
contained in the Parish Baptism Registers with respect to the processing activities of:
i. Storage and Retention;
ii. Standard and Special Annotation;
iii. Alteration;
c. The Archbishop is the sole controller of the personal data and special category
personal data contained in the Clonliffe College Registers with respect to all
processing activities.
d. The Archbishop is the sole controller of the personal data and special category
personal data contained in the Adopted Persons Baptism Register with respect to all
processing activities.
312 EDPB Guidelines 07/20, paragraph 20.
c) LEGAL BASIS
Issue for determination
Introduction
454. I have made the determinations herein that firstly the Baptism Registers come within the
material scope of the GDPR; and secondly that the Archbishop acts in the capacity as sole
controller for the processing activities, the subject of this Inquiry. As such, the following issues
arise for determination by the DPC in relation to the Archbishop’s compliance with Articles 6
and 9 of the GDPR They are set out as follows:
a. In relation to the processing of personal data and special category personal data of
data subjects who no longer wish to have their personal data recorded in any
Baptism Registers:
i. whether the Archbishopmay rely on legitimate interests for the processing of
Baptism Registers, in accordance with on Article 6(1)(f) of the GDPR, in
circumstances where the processing is necessary for the purposes of the
legitimate interests pursued by the Archbishop;
ii. whether, and to what extent the Archbishop’s interests (or those of a third
party) in retaining the personal data and special category personal data are
overridden by the interest or fundamental rights and freedoms of the data
subjects and accordingly whether the Archbishop is entitled to rely on Article
6(1)(f) for the processing of the personal data and special category personal
data;
iii. whether the Archbishop is entitled to rely on Article 9(2)(d) of the GDPR for
the processing of the special category personal data contained in the Baptism
Registers, which permits processing carried out in the course of the
Archbishop’s legitimate activities as a foundation, association or non-profit
body with a religious aim where the processing relates solely to members or
former members of the body or to persons who have regular contact with it
in connection with its purposes and where the special category personal data
are not disclosed outside the body without the consent of the data subjects;
iv. whether the Archbishop, in processing the special category personal data in
accordance with Article 9(2)(d) of the GDPR, put in place the required
appropriate safeguards for such processing under Article 9(2)(d); and
v. in assessing the legal bases relied on by the Archbishop, whether the
Archbishop is compliant with the principle of purpose limitation under Article
5(1)(b) of the GDPR and the principle of lawfulness fairness and transparency
under Article 5(1)(a) of the GDPR.
b. In relation to any further processing of personal data and special category personal data
of data subjectswho no longer wish to have their personal data recorded in the Baptism
Registers:
vi. whether the Archbishop may rely on legitimate interests for the processing,
in accordance with Article 6(1)(f) of the GDPR, in circumstances where the
processing is necessary for the purposes of the legitimate interests pursued
by the Archbishop;
vii. whether, and to what extent the Archbishop’s interests (or those of a third
party) in further processing the personal data and special category personal
data are overridden by the interest or fundamental rights and freedoms of
the data subjects and accordingly whether the Archbishop is entitled to rely
on Article 6(1)(f) for the further processing of personal data and special
category personal data;
viii. whether the Archbishop is entitled to rely on Article 9(2)(j) of the GDPR for
the further processing of special category personal data contained in the
Baptism Registers, which permits processing which is necessary for archiving
purposes in the public interest, scientific or historical research purposes in
accordance with Article 89(1) of the GDPR;
ix. whether the Archbishop, in further processing the special category personal
data in accordance with Article 9(2)(j) of the GDPR, put in place the required
appropriate safeguards for such processing in accordance with Article 89(1)
of the GDPR, which ensure that technical and organisational measures are in
place in particular in order ensure respect for the principle of data
minimisation;
x. whether the processing of special category personal data is necessary and
proportionate for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes in accordance with
Section 54 of the 2018 Act;
xi. whether, in circumstances where processing is established to be necessary
for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes, (i) suitable and specific measures have been
taken by the Archbishop to safeguard the fundamental rights and freedoms
of data subjects; (ii) the processing respects the principle of dataminimisation
(Article 5(1)(c) of the GDPR); and (iii) where the purposes can be fulfilled by
processing which does not permit or no longer permits identification the
processing is fulfilled in that manner, in accordance with Section 42 of the
2018 Act;
xii. whether, in circumstances where processing is established to be necessary
for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes, data subject rights have lawfully been
restricted in accordance with Section 61(1) and 61(2) of the 2018 Act to the
extent that the exercise of any of those rights would be likely to render
impossible, or seriously impair, the achievement of those purposes, and such
restriction is necessary for the fulfilment of those purposes; and
xiii. in assessing the legal bases relied on by the Archbishop, whether the
Archbishop is compliant with the principle of purpose limitation under Article
5(1)(b) of the GDPR and the principle of lawfulness fairness and transparency
under Article 5(1)(a) of the GDPR.
Relevant Provisions
455. Article 5(1) (a) of the GDPR requires that personal data shall be “processed lawfully, fairly and
in a transparent manner in relation to the data subject”. This is known as the principle of
lawfulness, fairness and transparency.
456. Article 5(1)(b) of the GDPR requires that the personal data be
“collected for specified, explicit and legitimate purposes and not further processed in a
manner that is incompatible with those purposes; further processing for archiving
purposes in the public interest, scientific or historical research purposes or statistical
purposes shall, in accordancewith Article 89(1), not be considered to be incompatiblewith
the initial purposes (‘purpose limitation’).
457. Article 6 of the GDPR states that processing shall be lawful only if and to the extent that one of
the conditions under Article 6(1) applies. Under Article 6(1)(f), processing shall be lawful in
circumstances where:
“processing is necessary for the purposes of the legitimate interests pursued by the
controller or by a third party, except where such interests are overridden by the interests
or fundamental rights and freedoms of the data subject which require protection of
personal data, in particular where the data subject is a child”.
458. Under Article 9 of the GDPR, the processing of special categories of personal data (which
includes personal data revealing religious or philosophical beliefs) is prohibited unless one of
the conditions under Article 9(2) applies. This includes: Article 9(2)(d) permits processing which
is:
“carried out in the course of its legitimate activities with appropriate safeguards by a
foundation, association or any other not-for-profit body with a political, philosophical,
religious or trade union aim and on condition that the processing relates solely to the
members or to former members of the body or to persons who have regular contact with
it in connection with its purposes and that the personal data are not disclosed outside that
body without the consent of the data subjects”; and
459. Article 9(2)(j) permits processing which is:
“necessary for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes in accordance with Article 89(1) based on Union or
Member State law which shall be proportionate to the aim pursued, respect the essence
of the right to data protection and provide for suitable and specificmeasures to safeguard
the fundamental rights and the interests of the data subject.”
460. Article 89(1) of the GDPR states that:
“Processing for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance
with this Regulation, for the rights and freedoms of the data subject. Those safeguards
shall ensure that technical and organisational measures are in place in particular in order
to ensure respect for the principle of data minimisation. Those measures may include
pseudonymisation provided that those purposes can be fulfilled in that manner. Where
those purposes can be fulfilled by further processing which does not permit or no longer
permits the identification of data subjects, those purposes shall be fulfilled in that
manner”.
461. Recital 156 of the GDPR provides guidance on further processing under the legal basis of Article
9(2)(j), stating that the:
“further processing of personal data for archiving purposes in the public interest, scientific
or historical research purposes or statistical purposes is to be carried out when the
controller has assessed the feasibility to fulfil those purposes by processing data which do
not permit or no longer permit the identification of data subjects, provided that
appropriate safeguards exist (such as, for instance, pseudonymisation of the data).”
462. Recital 158 of the GDPR provides further guidance on the legal basis under Article 9(2)(j), stating
that:
“Where personal data are processed for archiving purposes, this Regulation should also
apply to that processing, bearing in mind that this Regulation should not apply to
deceased persons. Public authorities or public or private bodies that hold records of public
interest should be services which, pursuant to Union or Member State law, have a legal
obligation to acquire, preserve, appraise, arrange, describe, communicate, promote,
disseminate and provide access to records of enduring value for general public interest...”
463. Article 9(2)(j) has also been given further effect in Irish law by section 54 of the 2018 Act,313
which provides that:
“Subject to compliance with section 42, the processing of special categories of personal data
is lawful where such processing is necessary and proportionate for—
(a) archiving purposes in the public interest,
(b) scientific or historical research purposes, or
(c) statistical purposes”.
464. Section 42 of the 2018 Act states that:
“(1) Subject to suitable and specificmeasures being taken to safeguard the fundamental rights
and freedoms of data subjects, personal data may be processed, in accordance with
Article 89, for—
(a) archiving purposes in the public interest,
(b) scientific or historical research purposes, or
(c) statistical purposes.
(2) Processing of personal data for the purposes referred to in subsection (1) shall respect the
principle of data minimisation.
(3) Where the purposes referred to in paragraph (a), (b) or (c) of subsection (1) can be fulfilled
by processing which does not permit, or no longer permits, identification of data subjects,
the processing of information for such purposes shall be fulfilled in that manner.”
Relevant Case Law
465. The CJEU in Rigas Satiksme314 set out ‘three cumulative conditions’ to satisfy the lawfulness of
processing under Article 7(f) of Directive 94/46 in the following terms:
“first, the pursuit of a legitimate interest by the data controller or by the third party or
parties to whom the data is disclosed; second, the need to process personal data for the
purposes of the legitimate interests pursued; and third, that the fundamental rights and
freedoms of the person concerned by the data protection do not take precedence”.315
Although Article 7(f) refers to the now repealed Data Protection Directive, its provisions are
comparable to Article 6(1)(f) of the GDPR and therefore the case law remains relevant for the
purposes of interpreting Article 6(1)(f).
313 Article 89 of the GDPR refers to safeguards and derogations relating to processing for archiving purposes in the public
interest, scientific or historical research purposes or statistical purposes
314 C-13/16 Rigas Satiksme 4 May 2017
315 C-13/16 Rigas Satiksme 4 May 2017, paragraph 28.
466. As affirmed in the DPC’s Guidance Note on Legal Bases for Processing Personal Data:
“Controllers who are assessing whether to process data under the legitimate interest legal
basis should consider the three elements needed for this legal basis:
a) Identifying a legitimate interest which they or a third party pursue;
b) Demonstrating that the intended processing of the data subject’s personal data is
necessary to achieve the legitimate interest; and
c) Balancing the legitimate interest against the data subject’s interests, rights and
freedoms”.316
467. In C-524/06 Heinz Huber,317 the CJEU held that the ‘concept of necessity’ must ‘fully reflect the
objective of’ the directive.318
468. In Rigas,319 the CJEU held:
“As regards the condition relating to the necessity of processing personal data, it should
be borne inmind that derogations and limitations in relation to the protection of personal
data must apply only in so far as it strictly necessary…’320
469. The DPC in its Guidance on Legal Bases for Processing Personal Data clarifies the ‘Necessity and
Legitimate Interests’ further in the following terms:
“Once a legitimate interest has been identified, a controller must be able to show that the
processing of personal data is actually necessary for the purpose of that interest. The
necessity test requires controllers to demonstrate that the processing is a reasonable and
proportionate way of achieving their purpose. If a controller can reasonably pursue these
interests in another, less intrusive way, legitimate interests will not provide a legal basis
for processing.
Therefore, when assessing whether processing is necessary for the purpose of pursuing a
legitimate interest, controllers should consider whether the processing actually helps to
further the identified interest, whether it is a reasonable and proportionate way to do so,
and whether there are any less intrusive ways to achieve the same result.
In line with the principle of data minimisation, even where processing may seem
necessary, controllers should ensure that the amount of data processed and extent of that
processing is the minimum amount needed to achieve the stated purpose. As is the case
of other legal bases which involve the concept of necessity, the extent of what precisely is
‘necessary’ for the purposes of any legitimate interest will ultimately depend on the
circumstances of each case, and will also be relevant to the consideration of the balancing
of interests…”.321
316 DPC Guidance Note: Legal Bases for Processing Personal Data, December 2019, page 21.
317 C-524/06 Heinz Huber v Bundesrepublik Deutschland, 18 December 2008.
318 C-524/06 Heinz Huber v Bundesrepublik Deutschland, 18 December 2008, paragraph 52.
319 C-13/16 Rigas Satiksme 4 May 2017
320 C-13/16 Rigas Satiksme 4 May 2017, para 30.
321 DPC Guidance Note: Legal Bases for Processing Personal Data, December 2019, page 23.
470. In relation to the balancing exercise between the legitimate interests of the data controller and
the fundamental rights and freedoms of the data subjects, Advocate General Bobek in his
Opinion in Rigas stated:
“[s]uch an act of balancing must be carried out on a case-by-case basis”…….“[b]alancing
is the key to the correct application of Article 7(f). It is that operation that makes Article
7(f) wholly distinctive compared to the other provisions of Article 7”.322
471. The DPC’s Guidance Note provides direction regarding the balancing test that is required:
“A balancing test is needed as a controller’s interests will not always align with the
interests of the data subject(s). However, where there is a conflict or tension between
these interests it is not the case that processing can never take place, but rather the
controller can only process the personal data where their interests provide a clear and
proportionate justification for the impact on the individual”.323
472. Finally, the DPC Guidance Note sets out that in relation to the principle of accountability under
Article 5 of the GDPR:
“In line with the principle of accountability, found in Article 5 GDPR, controllers should
keep a record of the assessment they undertook to determine whether the legitimate
interests were overridden by the interests, rights, or freedoms of the data subject. There
is no set way in which controllers have to do this, but it is important that they record their
reasoning in some way, to show that an appropriate decision-making process was utilised
to justify processing, and that data subject rights and freedoms were sufficiently taken
into account. The results of this assessment should also be reviewed if there is a significant
change in the nature or context of the processing operation”.324
Background
473. The DPC acknowledges that the Archbishop is of the view that he is not a controller or a joint
controller of the personal data and special category personal data contained in the parish
Baptism Registers and that the parish priest is the controller of the parish Baptism Registers. As
such, the submissions made by the Archbishop with respect to the lawful bases for processing,
relate to what the Archbishop states are the legal bases relied upon by the parish priests for
such processing of the parish Baptism Registers and the Archbishop’s legal basis for processing
the Baptism Registers held in the Chancellery325 (save for the Clonliffe College Registers, which
the Archbishop has submitted are held in the Chancellery but not on behalf of the Archbishop,
according to his submissions).326
322 C-13/16, Opinion of Advocate General Bobek delivered on 26 January 2017, Valsts policijas Rīgas reģiona pārvaldes
Kārtības policijas at paras 67 & 68 respectively.
323 DPC Guidance Note: Legal Bases for Processing Personal Data, December 2019, page 24.
324 DPC Guidance Note: Legal Bases for Processing Personal Data, December 2019, page 24.
325 See section 1.4 of the letter from Mason Hayes Curran on behalf of the Archbishop, accompanying the
16 March 2020 Submission.
326 Submissions dated 23 July 2021, page 3.
For Determination: Processing Issues: In relation to the processing of personal data and special
category personal data of data subjects who no longer wish to have their personal data recorded in
any Baptism Register.
474. In his submissions to the DPC, the Archbishop stated that he and the parish priests rely on the
following legal bases for the processing by way of retention of the personal data and special
category data contained in the Baptism Registers:
• Articles 6(1)(f) of the GDPR, which provides that processing will be lawful where it is
necessary for the purposes of the legitimate interests pursued by the controller or by
a third party, except where such interests are overridden by the interests or
fundamental rights and freedoms of the data subject; and
• Article 9(2)(d) of the GDPR, which provides that processing of special categories of
personal data is permitted where the processing is carried out in the course of its
legitimate activities with appropriate safeguards by a foundation, association or any
other not-for-profit body with a religious aim and on condition that the processing
relates solely to members or to former members of the body of persons who have
regular contact with it in connection with its purpose and that the personal data are
not disclosed outside that body without the consent of the consent of the data
subjects.
Archbishop’s Submissions
Article 6(1)(f)
475. The Archbishop submitted that the lawful basis of legitimate interests under Article 6(1)(f) of
the GDPR is often analysed using a three-stage approach, with reference to the CJEU’s judgment
in case C-13/16 Rigas Satiksme,327 namely:
a) identifying a legitimate interest which a controller or a third party pursues;
b) demonstrating that the intended processing of the data subject’s personal data is
necessary to achieve the legitimate interest; and
c) balancing the legitimate interest against the data subject’s interests, rights, and
freedoms.
The Archbishop submitted that the processing in question with respect to this legal basis is the
“maintenance of the name of the data subject on a register of baptised persons”.328
Identifying a legitimate interest
476. With respect to the first of these criteria, the Archbishop identified the legitimate interests
pursued in the processing of the personal data contained in the Baptism Registers. The
Archbishop noted at the outset that with respect to an appropriate legitimate interest “a wide
range of interests may be covered, including commercial interests, individual interests and
broader societal benefits”.329
327 C-13/16 Rigas Satiksme ECLI:EU:C:2017:336, paragraphs 28-31.
328 Submissions dated 16 March 2020, page 44.
329 Submissions dated 16 March 2020, pages 33-34.
477. The Archbishop firstly submitted that the parish priests of the Archdiocese of Dublin “have a
legitimate interest in preserving the information contained in Parish registers, because such
registers (baptism, confirmation and marriage in particular) consist of a record of the
administration of certain sacraments in the Church. The Archbishop also has a legitimate
interest in preserving the information contained in the records held in the Chancellery Office”.330
478. The Archbishop also submitted, “The Roman Catholic Church sees baptism as the first and basic
sacrament of Christian initiation. It is important to note that baptism can only be received once.
As such, it is essential that the Roman Catholic Church maintain a record of all those persons
who have been baptised”.331
479. Similarly, the Archbishop noted that the sacrament of confirmation may only be received once,
and that a marriage between baptised people, validly entered into, cannot be dissolved. As
such, “a careful record is made of the administration of the sacraments of baptism,
confirmation, matrimony and Holy Orders, as, from the perspective of Church teaching, these
sacraments can only be administered once. Insofar as these sacraments are concerned, the
Roman Catholic Church has a particular interest in maintaining an accurate record on a
permanent basis”332. Certain other sacraments may be administered a number of times, such
as the Eucharist, and as such there is no necessity to keep a register.
480. Secondly, the Archbishop submitted that:
“[...] the baptism register is of particular importance as it is considered to be the
“gateway” to all of the records of a person’s life within the Catholic Church. The baptism
register includes a space for notations of future sacraments, namely confirmation, and/or
marriage/Holy Orders.
In order to receive the sacraments of confirmation and marriage/Holy Orders, reference
is alwaysmade to the entries made in the baptism register to establish (1) that the person
has been baptised and (2) there is no impediment to receiving the proposed sacrament,
eg it would not be possible for a man who had received the sacrament of marriage then
to receive the sacrament of Holy Orders.
It is also important to note that the registers are not considered to be a list of members
of the Catholic Church. It is entirely possible and, indeed, perhaps common, that a person
who has received the sacrament of baptism is no longer a practising Catholic or no longer
considers themselves to be a member of the Catholic Church. […] However, the baptism
register at all times remains the reference point from which any other Parish throughout
the world can ascertain whether a person has received any of the other sacraments. This
information is critical in terms of certain key beliefs in the Catholic faith, i.e. that a person
can only receive the sacraments of baptism, confirmation, marriage or Holy Orders
once”.333
330 Submissions dated 16 March 2020, page 34.
331 Submissions dated 16 March 2020, page 34.
332 Submissions dated 16 March 2020, pages 34-35.
333 Submissions dated 16 March 2020, page 35.
481. The Archbishop also noted the case study included in the Data Protection Commissioner’s
Annual Report 2003. In the case study, the Commissioner had concluded that a parish priest
was entitled to refuse a request by a data subject to have their name removed from a parish
Baptism Register, stating “it is my understanding that the data could not be deleted from the
Register as it is essential for the administration of Church affairs to maintain a register of all the
people who have been baptised. Indeed it is of course a factual record of an event that
happened”.334
482. The Archbishop noted that the legitimate interests he had outlined
(i) that it is necessary for the administration of the Church to keep a record of the
sacraments received by individuals; and
(ii) to ensure that certain sacraments are not administered more than once
are underpinned by fundamental rights and protections under the Irish Constitution and the
Charter which among other things, protect the right of religious denominations tomanage their
own affairs.335
483. The Archbishop also noted that Recital 4 of the GDPR “respects the principles enshrined in the
Charter, particularly relating to the protection of conscience and religion”336 and referred to
Recital 165 of the GDPR which states that “[t]his Regulation respects and does not prejudice the
status under existing constitutional law of churches and religious associations or communities
in theMember States, as recognised in Article 17 TFEU”. As such, the Archbishop also submitted,
“data protection law should be interpreted, insofar as possible to respect the fundamental
freedoms of religious organisations”.337
Processing is necessary to achieve the legitimate interest(s)
484. The Archbishop submitted that the processing is necessary, as “complete and accurate records
of all persons who have been baptised must be maintained because it must be possible to
operate a rule that baptism may only be administered once. In the absence of such a record, it
would be impossible to operate this rule, and thus a core aspect of the freedom of religious
practice would be interfered with”.338 The Archbishop also submitted that:
“[t]he only way to maintain such a record is to retain the names of all persons who have
been baptised. There is no other way that the data controller could reasonably pursue this
end. The legitimate interests in maintaining baptismal records cannot be achieved by any
other means and thus the means – the maintaining of the original record – are the least
intrusive method possible, and are necessary for the purposes of the legitimate
interests”.339
334 DPC Annual Report 2003, Case Study 8, page 37.
335 Bunreacht na hÉireann, Articles 44.2.1, 44.2.5; Charter of Fundamental Rights, Article 22.
336 Submissions dated 16 March 2020, page 36.
337 Submissions dated 16 March 2020, page 38.
338 Submissions dated 16 March 2020, page 42.
339 Submissions dated 16 March 2020, page 42.
485. The Archbishop also referred to the CJEU judgment in C-13/16 Rigas Satiksme,which considered
the concept of necessity in this context and theminimum personal data thatwould be necessary
to process in order to give effect to the legitimate interest. The Archbishop stated that in respect
of the Baptism Registers, “the processing in question involves the minimum amount of personal
data necessary to achieve the end, ie, the name of the data subject and the date of baptism”.340
486. When questioned by the DPC as to how the parish or the Archdiocese verifies the sacramental
status of a person (in particular the baptismal status) in circumstances where Baptism Registers
have been irreparably damaged, the Archbishop responded that:
“ The Chancellery on behalf of the Parish, would first obtain objective evidence from the
Bishop of the Diocese where the fire/flood occurred, that this in fact happened.
Following that, the Chancellery would obtain statements from the godparents, being the
official witnesses, regarding the fact of baptism and the approximate date of the event.
Failing that, it would obtain a sworn statement from the parents/siblings/other relations
present on the day, regarding similar details. The person may also be in possession of
photographic evidence of the day.
It may happen that the parents had an old certificate received at the time of the baptism,
which in the circumstances, would also suffice”.341
487. The Archbishop also responded that in circumstances where a person wishes to undertake a
sacrament but the parish or the Archdiocese is unable to verify the sacramental status of that
person:
“ the individual is invited to search the neighbouring parishes in the vicinity of the place of
residence of his parents upon his/her birth. Inmany cases, the Chancellery undertakes this
task on behalf of the individual.
When the Archdiocese, after an extensive enquiry, fails to determine in any way that
baptism has occurred, the person in that event will be conditionally baptised in
accordance with Canon 869 of the Code of Canon Law”.342
Balancing the legitimate interest(s)
488. The final criteria for establishing whether a controller may rely on Article 6(1)(f) of the GDPR as
a lawful basis for processing is a balancing exercise between the legitimate interests being
pursued on the one hand and the interests or fundamental rights and freedoms of the data
subject on the other.
340 Submission dated 16 March 2020, page 43.
341 Submission dated 23 July 2021, page 5.
342 Submission dated 23 July 2021, page 5.
489. In this regard, the Archbishop referred to the Article 29 Working Party Opinion 06/2014, in
particular its statement that “important and compelling legitimate interests may in some cases
and subject to safeguards and measures justify even significant intrusion into privacy or other
significant impact on the interests or rights of the data subjects”.343 The Archbishop also noted
the emphasis the Working Party gave to the role of safeguards in conducting a legitimate
interests balancing exercise.
490. The Archbishop submitted that the legitimate interests pursued with respect to the Baptism
Registers are “undoubtedly serious ones”. The Archbishop submitted that “[w]ithout a complete
baptism register the Catholic Church would be unable to operate a key tenet of its faith, the rule
that a person may only be baptised once”.344 However, the Archbishop asserted:
“the content of the entry on the register does not signify that the data subject is a current
member of the Roman Catholic Church but rather signifies the fact that the person was,
at one point in the past, baptised as a Catholic. As such, the Archbishop submits that, if
this is an infringement of the data subject’s rights and freedoms, it is a very minimal one.
If it does constitute such an infringement, important safeguards are in place to protect
the fundamental rights of the data subject and to ensure that this processing is a
proportionate limitation of the data subject’s rights and freedoms”.345
491. The Archbishop set out the safeguards that have been put in place, which are as follows:
• The Baptism Register is “private and secure” and subject to “strict rules of
confidentiality”; and
• A de facto defection register is maintained in the Archdiocese to “address any concern
that the data subject might have that the register would be regarded as a record of
current membership”. This “mitigates against any concern that a data subject may
have in respect of the register being assumed to provide a record of their present-day
religious status and beliefs”. The Archbishop also noted that while “this register is
maintained by a different data controller (the Archbishop rather than the Parish Priest)
it is a relevant factual safeguard which vindicates the data subject’s rights”.346
492. As a further safeguard the Archbishop noted that, although this is not the current practice of
the parishes in the Archdiocese, the Archbishop “could recommend to Parish Priests that it
would be permissible to adopt a practice whereby the register could be annotated as follows:
“No longer wishes to be identified as a Roman Catholic”.347
493. On that basis, the Archbishop argued that when the “minor interest of the data subject is
balanced against the significant countervailing interests at play and the important safeguards
in place, it is clear that the legitimate interests test is satisfied”.348
343 Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, page
30.
344 Submissions dated 16 March 2020, page 44.
345 Submissions dated 16 March 2020, page 44.
346 Submissions dated 16 March 2020, page 44.
347 Submissions dated 16 March 2020, page 44.
348 Submissions dated 16 March 2020, page 44.
494. Further, the Archbishop referred to Recital 47 of the GDPR, which states, “[t]he interests and
fundamental rights of the data subject could in particular override the interest of the data
controller where personal data are processed in circumstances where data subjects do not
reasonably expect further processing”. In considering whether it would be the reasonable
expectation of a data subject that their personal data be processed in this manner, the
Archbishop stated that:
“Persons who have been baptised Catholic are usually aware of the fact, and likely too to
be aware of the fact that a permanent record is made of the baptism. [The Archbishop]
submits that it is widely known that details of baptisms are recorded in Parish registers.
Baptismal records are often, for example, sought by those carrying out genealogical
research. There is no factor that would lead a baptised person to believe that no
permanent record existed. If a person is concerned about the permanent nature of the
record, they may seek to be listed on the de facto defection register”.349
495. The Archbishop also submitted, “to the extent that the processing entails the processing of the
personal data of children, it is important to note that baptism of a child is usually only permitted
with the consent of both parents”.350
496. Finally, the Archbishop noted that, “it should be observed that the balancing analysis depends
on the particular circumstances of the case at hand. The unique purpose and context of baptism
registers should, for this reason, be given special attention”.351
349 Submissions dated 16 March 2020, page 45.
350 Submissions dated 16 March 2020, page 45.
351 Submissions dated 16 March 2020, page 45.
Article 9(2)(d) – activities of a foundation, association or any other not-for-profit body with a
religious aim
497. The Archbishop submitted that, in his view, the following processing activities in respect of the
Baptism Registers would rely on Article 9(2)(d) as their legal basis:
i. Collection and recording of data for the purposes of recording the baptism;
ii. Storage of the Baptism Register;
iii. Alteration of the Baptism Register on request of the baptised person or his/her parents
(where the baptised person is a minor), or annotation with details of a person’s
confirmation, marriage/annulment and ordination/laicisation (or adoption);352
iv. Retrieval, consultation and use of the register, at the request of the baptised person (or
his/her parents) for the administration of other Sacraments, namely Confirmation,
Marriage and Holy Orders. The Baptism Register may also be consulted in the context
of annulments of marriages or laicisation of priests; and
v. Disclosure of extracts (baptismal certificates) from the register by transmission upon
request to individual, identified baptised persons, or authorised persons acting on their
behalf, or upon inspection by [the Archbishop] on the occasion of a Parish Visitation.353
498. The Archbishop noted that he could not “provide definitive information regarding any
processing activities which may or may not be undertaken by Parish Priests (who are the data
controllers)”. The Archbishop further noted, “where a person no longer wishes to be identified
as a member of the Catholic Church, the only processing activity likely to continue is the storage
of the baptism register”. Further, “the entry in respect of that personmay be retrieved, consulted
and disclosed in rare circumstances where the person concerned or his/her spouse has requested
an annulment” or where the person concerned is a priest and wishes to be laicised.354
499. The Archbishop submitted that the conditions of Article 9(2)(d) of the GDPR are fulfilled by the
processing in question, “in that the personal data contained in the baptism registers are
processed in accordance with the legitimate activities of the Catholic Church, the data relates
solely to members or former members of the Catholic Church, or to persons who have regular
contact with it, and those personal data are not disclosed outside that body without the consent
of the data subjects”.355
500. The Archbishop also stated that in respect of membership of the Catholic Church, “[w]hile the
Roman Catholic Church does notmaintain a register ofmembers – as discussed elsewhere in this
submission – it is correct to say that at the point of baptism, the baptised person is properly
considered a member of the Catholic Church. As such, all baptism records relate to either
members or formermembers”.356 The Archbishop also noted that Article 9(2)(d) includes former
members of the body.
352 Up to 2011.
353 Submission dated 6 September 2021, page 2.
354 Submission dated 6 September 2021, pages 2-3.
355 Submissions dated 16 March 2020, page 38.
356 Submissions dated 16 March 2020, page 38.
501. When requested to outline the appropriate safeguards put in place for these processing
activities as specified by Article 9(2)(d), the Archbishop stated that the Adopted Persons
Baptism Register and the Clonliffe College Registers are securely stored in the Chancellery
Offices, and that the parish Baptism Registers, are normally securely kept and “accessible only
by the pastor and authorised Parish personnel”.357 The Archbishop submitted, “The Parish Priest
is to take care that the baptism registers do not fall into unauthorised hands. The Diocesan
Bishop or his delegate is to inspect the archive at the time of the visitation. Older parochial
registers are also to be carefully safeguarded, in accordance with the provisions of particular
law”.358
502. The Archbishop referred to section 2.11 of the Administrative Regulations, which provides that
“Catholic Parish church records are private records and the public do not have an automatic
right of access to them. The Parish Priest is custodian of the registers but the Archbishop dictates
policy with regard to access”.359 The Archbishop also noted in section 2.11 that “[f]or entries
over 100 years old, third parties may request access to specific information contained in the
register”.360
For Determination - Further processing: In relation to any further processing of personal data and
special category personal data of data subjects who no longer wish to have their personal data
recorded in the Baptism Registers
Article 9(2)(j) – Archiving purposes in the public interest, scientific or historical research purposes:
503. The Archbishop submitted that Article 6(1)(f) of the GDPR, is the legal basis upon which the
parish priests and the Archbishop rely for processing personal data contained in the Baptism
Registers, including further processing.
504. The Archbishop submitted that in respect of any further processing of the special category
personal data contained in the Baptism Registers, he also relied on Article 9(2)(j) of the GDPR,
which provides that processing of special categories of personal data is permitted where the
processing is necessary for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes in accordance with Article 89(1) of the GDPR based on
Union or Member State law which shall be proportionate to the aim pursued, respect the
essence of the right to data protection and provide for suitable and specific measures to
safeguard the fundamental rights and the interests of the data subject.
505. According to the Diocesan Archives’ Guidelines to Family History Research, “[d]irect access to
parish registers is not permitted” and “[i]nformation from Parish Registers is only accessible up
to and including 1920”.361
357 Submissions dated 16 March 2020, page 29.
358 Submissions dated 16 March 2020, page 29.
359 Submissions dated 16 March 2020, page 30. Submissions dated 15 October 2020, Schedule of Documents,
Administrative Regulations, October 2017, section E1 (page 167 of the PDF submission).
360 Submissions dated 16 March 2020, page 31.
361 See https://dublindiocese.ie/wp-content/uploads/2021/10/Family-History-1.docx
506. The Archbishop submitted that, in his view, the following processing activities in respect of the
Baptism Registers would rely on Article 9(2)(j) as their legal basis:
I. Collection and recording of data for the purposes of recording the baptism;
II. Alteration of the Baptism Registers on request of the baptised person or his/her
parents (where the baptised person is aminor), or annotationwith details of a person’s
confirmation, marriage/annulment and ordination/laicisation; and
III. Storage of the Baptism Registers.362
507. The Archbishop submitted: “The baptism register is an important historical record, providing an
invaluable record for social historians, sociologists, anthropologists, various academic
researchers and genealogists. In this regard, the baptismal register states a historical fact at a
point in time”.363
508. The Archbishop submitted that the GDPR allows for a number of exemptions in favour of
archiving in the public interest or for historical research purposes and that the Archbishop
“relies on these provisions as a legal basis for the maintenance of the baptism registers, further
or in addition to the grounds set out above. The baptism registers form an important part of the
Church’s wider role in maintaining records and archives”.364
509. For instance, the Diocesan Archives hold a register from St Michan’s Church, Halston Street,
Dublin dating from 1726.365 Themajority of the registers in the Diocesan archives date from the
nineteenth century. Certain of these registers from the 1850s are pro-forma registers,
customised with detailed columns and headings unlike earlier versions. Individual Baptism
Registers will generally contain entries going back a number of years.
510. The Archbishop also referred to Pontifical Commission for the Cultural Patrimony of the Church
circular letter dated 2 February 1997 in which it considered the pastoral function of Church
Archives. The Archbishop also noted the following passage from the article “Protection of
Personal Data and Apostasy: Comparative Law Considerations”:
“Baptismal registers are thus reliable records of the historic event of having been baptized
and not a file, recording members who join and leave the Church”.366
362 Submissions dated 6 September 2021, page 3.
363 Letter from Mason Hayes Curran on behalf of the Archbishop to the DPC dated 16 March 2020 enclosing 16 March 2020
Submission, page 4.
364 Submissions dated 16 March 2020, page 39.
365 Submissions dated 16 March 2020, page 40.
366 ‘Protection of Personal Data and Apostasy: Comparative Law Considerations’ Montserrat Gas-Aixandri, (2015) 57 Oxford
Journal of Church and State, pp. 72-89, page 4.
511. The Archbishop submitted that the purposes for processing the Baptism Registers is necessary
for historical research purposes and for archiving purposes in the public interest. Regarding the
latter, the Archbishop stated that he considers “that the registers maintained are a form of
archiving, and that such can be considered as being in the public interest (notwithstanding the
protections and limitations for the purposes of confidentiality etc which apply)”.367
512. The Archbishop referred to Recital 158 and stated, “we note that Recital 158 refers to ‘services’
which have a ‘legal obligation’ in respect of preservation etc. However, it is not apparent that
this Recital was intended to limit the ambit of Article 17(3)(d). Indeed, a ‘legal obligation’ is
expressly referenced in Article 17(3)(b) but not in Article 17(3)(d). Moreover, a legal obligation
in this respect need not be limited to a statutory obligation, as Recital 41 makes clear”.368
513. The Archbishop further submitted: “there is no distinction to be made in respect of respect of
[sic] processing necessary for archiving purposes in the public interest and processing necessary
for historical purposes”.369 The Archbishop also provided the DPC with two reports outlining the
value of the Baptism Registers for historical research and for archiving purposes in the public
interest.370
514. The Archbishop relied on these reports to demonstrate the “public interest” element required
for “archiving purposes in the public interest” and referred to in Recital 158. In respect of the
“legal obligation” element referred to in Recital 158, the Archbishop submitted that this need
not be limited to a statutory obligation, stating, “the canon law obligations on parish priests to
preserve baptismal and other registers are set out in the Code of Canon Law”.371
515. The Archbishop also referred again to Article 44.2.5° of the Irish Constitution which provides
that every religious denomination shall have the right to manage its own affairs, own, acquire
and administer property, movable and immovable, and maintain institutions for religious or
charitable purposes, in addition to the Charter rights, such as Article 10 which enshrines the
freedom of religion, and Recital 4 of the GDPR.372
516. In respect of the principle of data minimisation, the Archbishop submitted that in relation to
the register of baptism for persons who are adopted, “only the minimal information is retained
for the purpose for which it is collected”. In respect of the parish Baptism Registers, the
Archbishop submitted, “Parish Priests, as a matter of canon law, have no discretion regarding
the informationwhich is required to be required [sic] in baptismal registers,which is in any event,
minimal”.373
367 Submissions dated 16 March 2020, page 45.
368 Submissions dated 16 March, pages 45-46.
369 Submissions dated 15 October 2020, page 30.
370 ‘Value of Church Registers for Archiving Purposes in the Public Interest’ dated 14 October 2020 by John McDonough and
‘Baptismal Registers and Historical Research’ dated 14 October 2020 by Professor John McCafferty.
371 Submissions dated 15 October 2020, page 31.
372 Submissions dated 15 October 2020, page 31.
373 Submissions dated 15 October 2020, page 32.
517. The Archbishop also stated that retention of the Baptism Registers is necessary for historical
research purposes and archiving purposes as, “absent such retention, there can be no guarantee
that such records, and the information therein, will be available in the future.” The Archbishop
referred to the letter dated 17 April 2019 from the Chairman of the National Library to the then
Chancellor stating that “[t]he National Library of Ireland acknowledges and endorses the
importance of the long-term preservation of records, such as church records, which are likely to
be of historical research value. As you noted, the National Library has made digital copies of
historical Catholic Parish records, specifically those over 100 years old, publicly available online.
This has received a very positive response both from Irish citizens and the Diaspora as they are
an important source for Irish family history research”.374
518. The Archbishop also noted that baptism certificates are “often used for persons seeking to
establish Irish citizenship through antecedents (usually grandparents), in the absence of State
records due to the fire in the Customs House in 1921, or prior to the creation of State records”.375
519. In respect of the application of the transparency principle (Article 5(1)(a) of the GDPR) to
processing undertaken for the purpose of archiving in the public interest and historical research
purposes, the Archbishop submitted that information regarding records held in the Diocesan
Archives is available publically online376 and that it “is amatter for individual Parishes to address
the transparency principle in respect of the registers held by them and which are subject to the
GDPR”. In respect to the Adopted Persons Baptism Register, “the Parish of baptism will direct
adopted persons applying for baptismal certificates to the Chancellery”.377
520. When requested to outline the suitable and specific measures put in place for these processing
activities as specified by Article 9(2)(j) and Article 89(1), the Archbishop again referred to his
previous submissions, which are as set out above. The Archbishop also noted that section
36(1)(d) of the 2018 Act states that suitable and specific measures may include “specific
targeted training for those involved in processing operations”. In this regard, the Archbishop
noted that he “organises data protection training days for Parish Priests and members of the
parish administrative teams. It is also open to Parish Priests to organise their own training in
respect of data protection matters”.378
Legal Analysis of the processing of the processing of personal data and special category personal
data.
First Issue for Determination whether the Archbishop may rely on legitimate interests for the
processing of the Baptism Registers, in accordance with Article 6(1)(f) of the GDPR, in circumstances
where the processing is necessary for the purposes of the legitimate interests pursued by the
Archbishop.
374 As provided to the DPC with the 16 March 2020 submission.
375 Submissions dated 16 March 2020, page 46.
376See https://www.dublindiocese.ie/archives/ and https://www.dublindiocese.ie/guidelines-for-family-history-research/.
377 Submissions dated 15 October 2020, page 33.
378 Submissions dated 23 July 2021, page 7.
521. The first issue for determination is in relation to the processing of personal data and special
category personal data of data subjects who no longer wish to have their personal data
recorded in any Baptism Registers.
522. The Archbishop has submitted that the personal data of individuals who no longer wish to have
their personal data recorded in Baptism Registers is processed lawfully on the basis of Article
6(1)(f) of the GDPR, which states that “[p]rocessing shall be lawful only if […] processing is
necessary for the purposes of the legitimate interests pursued by the controller or by a third
party, except where such interests are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of personal data, in particular where the
data subject is a child”.
523. I have also considered, when assessing whether this legal basis may lawfully be relied upon by
the Archbishop, recital 47 which states the following:
“The legitimate interests of a controller, including those of a controller to which the personal
data may be disclosed, or of a third party, may provide a legal basis for processing, provided
that the interests or the fundamental rights and freedoms of the data subject are not overriding,
taking into consideration the reasonable expectations of data subjects based on their
relationship with the controller. Such legitimate interest could exist for example where there is
a relevant and appropriate relationship between the data subject and the controller in situations
such as where the data subject is a client or in the service of the controller. At any rate the
existence of a legitimate interest would need careful assessment including whether a data
subject can reasonably expect at the time and in the context of the collection of the personal
data that processing for that purpose may take place. The interests and fundamental rights of
the data subject could in particular override the interest of the data controller where personal
data are processed in circumstances where data subjects do not reasonably expect further
processing. Given that it is for the legislator to provide by law for the legal basis for public
authorities to process personal data, that legal basis should not apply to the processing by public
authorities in the performance of their tasks. The processing of personal data strictly necessary
for the purposes of preventing fraud also constitutes a legitimate interest of the data controller
concerned. The processing of personal data for direct marketing purposes may be regarded as
carried out for a legitimate interest” (emphasis added).
524. I accept that the lawful reliance on the legal basis of legitimate interest is to be assessed based
on three essential conditions, based on Article 6(1)(f) of the GDPR and those set out by the CJEU
in case C-13/16 Rigas Satiksme:379
• identifying a legitimate interest which the controller or a third party pursues;
• demonstrating that the intended processing of the data subject’s personal data is
necessary to achieve the legitimate interest identified; and
• on balancing the legitimate interest against the data subject’s interests, rights, and
freedoms, the legitimate interest is not outweighed by the data subject’s interests, rights,
and freedoms.
379 C-13/16 Rigas Satiksme, paragraph 28.
525. This was further considered by the DPC in its Guidance Note on Legal Bases for Processing
Personal data as previously identified.
526. I will now consider each of these conditions in turn, in order to determine, whether the
Archbishop may lawfully process data subjects’ personal data contained in the Baptism
Registers, in circumstances where the data subjects no longer wish their personal data to be
recorded in the Baptism Registers, based on the legal basis of Article 6(1)(f) of the GDPR.
Identifying a Legitimate Interest
527. In order to rely on the legal basis under Article 6(1)(f) of the GDPR, a controller is required to
identify a legitimate interest that is being pursued, pertaining either to itself or to a third party.
Generally, a legitimate interest can be cover a wide range of situations, however it must be
sufficiently articulated to allow a balancing test to be carried out against the interest and
fundamental rights of the data subject.380 A legitimate interest may arise, according to recital
47, where there is a “relevant and appropriate relationship” between the data subject and the
controller.
528. In his submissions, the Archbishop identified the legitimate interests for processing the personal
data contained in the Baptism Registers. Firstly, he submitted:
“ First, the Parish Priests of the Archdiocese of Dublin have a legitimate interest in
preserving the information contained in Parish registers, because such registers (baptism,
confirmation and marriage in particular) consist of a record of the administration of
certain sacraments in the Church. The Archbishop also has a legitimate interest in
preserving the information contained in the records held in the Chancellery Office”.381
529. The Archbishop also stated that the Roman Catholic Church “sees baptism as the first and basic
sacrament of Christian initiation” which “can only be received once”. As such, “it is essential that
the Roman Catholic Church maintain a record of all those persons who have been baptised”382.
Therefore “a careful record is made of the administration of the sacraments of baptism,
confirmation, matrimony and Holy Orders, as, from the perspective of Church teaching, these
sacraments can only be administered once”. The Archbishop submitted that the Roman Catholic
Church has “a particular interest in maintaining an accurate record on a permanent basis”.383
530. Secondly, the Archbishop submitted that the Baptism Register entries are used to check the
sacramental status of a person prior to receiving another sacrament:
“ In order to receive the sacraments of confirmation and marriage/Holy Orders, reference
is alwaysmade to the entries made in the baptism register to establish (1) that the person
has been baptised and (2) there is no impediment to receiving the proposed sacrament,
eg it would not be possible for a man who had received the sacrament of marriage then
to receive the sacrament of Holy Orders.”
380 Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller, section III.3.1.
381 Submissions dated 16 March 2020, page 34.
382 Submissions dated 16 March 2020, page 34.
383 Submissions dated 16 March 2020, pages 34-35.
531. Although the Baptism Register is not a list of members of the Catholic Church, the Archbishop
submitted that it did act as a “reference point for which any other parish throughout the world
can ascertain whether a person has received any of the other sacraments”. The Archbishop
noted that “[t]his information is critical in terms of certain key beliefs in the Catholic faith, ie
that a person can only receive the sacraments of baptism, confirmation,marriage or Holy Orders
once” and that the Baptism Register acted as “a ‘gateway’ to all the records of a person’s life
within the Catholic Church”.384
532. The Archbishop has also submitted that the DPC in its Annual Report of 2003 recognised the
importance of the Baptism Register in case study 8, stating that it was “essential for the
administration of Church affairs to maintain a registers of all the people who have been
baptised”.
533. Further, the Archbishop noted that the legitimate interests outlined; (i) that it is necessary for
the administration of the Church to keep a record of the sacraments, in particular baptism,
received by individuals; and (ii) to ensure that certain sacraments are not administered more
than once are underpinned by fundamental rights and protections under the Irish Constitution
and the Charter, which among other things, protect the right of religious denominations to
manage their own affairs.385
534. I accept that the interests pursued by the Archbishop in this regard are central to the proper
functioning of key aspects of the Roman Catholic faith in Ireland.
535. However, I must also consider, when assessing whether a legitimate interest arises, the
guidance provided by recital 47 of the GDPR. Recital 47 firstly states, “[s]uch legitimate interest
could exist for example where there is a relevant and appropriate relationship between the data
subject and the controller”. In the context of personal data of a data subject being recorded in
Baptism Registers, I accept that such a relevant relationship arises between a data subject who
has undergone certain sacraments in the Catholic Church (whether they consider themselves
to be a member of the Catholic Church or not) and the Archbishop as a representative of that
Church in his Archdiocese with responsibility for the proper governance of that Archdiocese.
536. Recital 47 secondly notes, “the existence of a legitimate interest would need careful assessment
including whether a data subject can reasonably expect at the time and in the context of the
collection of the personal data that the processing for that purpose may take place”. In the
context of the recording and retention of the details of a baptism in the Baptism Registers, I am
of the view that a data subject could reasonably expect the personal data to be processed for
the purposes of ensuring that the data subject has been baptised and to ensure that there is no
impediment to that data subject receiving a further sacrament, such as confirmation or
marriage.
384 Submissions dated 16 March 2020, page 35.
385 Bunreacht na hÉireann, Articles 44.2.1, 44.2.5; Charter of Fundamental Rights Articles 22.
537. I am of the view, that it would be reasonably known among persons who have been baptised in
Irish society, whether such a person actively continues to practice the Catholic faith or not, that
certain sacraments may only be received once in the Catholic Church and that a record is kept
of certain sacraments by the Catholic Church.
538. Further, I note the CJEU in case C-708/18 Asociaţia de Proprietari blocM5A-ScaraA386 held that
a legitimate interest (in that case under Article 7(f) of Directive 95/46) pursued by a controller
or by a third partymust be “present and effective as at the date of the data processing andmust
not be hypothetical at that date”.387
539. In consideration of this requirement laid down by the CJEU, I am of the view that the legitimate
interests pursued by the Archbishop are not hypothetical in nature, and the Archbishop has
provided evidence of the process which is undertaken to verify the sacramental status of a data
subject, often prior to that data subject receiving another sacrament such as that of marriage.
The DPC considers that the legitimate interests asserted by the Archbishop are “present and
effective” in nature during the lifetime of the data subjects whose personal data are recorded
in the Baptism Registers for that reason.
540. Therefore, I am of the view that the interests submitted by the Archbishop to be legitimate
interests within themeaning of Article 6(1)(f) of the GDPR are legitimate and I accept that these
legitimate interests allow for the proper administration of certain sacraments of the Catholic
Church and are central to the Roman Catholic faith, are sufficiently articulated and are real and
present.
Necessity of processing to achieve the legitimate interests
541. I must now turn to consider the second condition required in order to rely on Article 6(1)(f) to
establish lawfulness of processing: that the processing of the personal data is necessary in order
to achieve the legitimate interests pursued.
542. Under EU law, necessity has its own independent meaning and must be interpreted to fully
reflect the objectives of data protection law, as set out in case C-524/06 Heinz Huber v
Bundesrepublik Deutschland (‘Heinz Huber’),388 being the protection of the fundamental rights
and freedoms of natural persons and their right to privacy with respect to the processing of
personal data.389
543. I note that, in accordance with the CJEU’s judgment in C-13/16, Rigas Satiksme, a controller is
required to demonstrate that the data processing does not go beyond what is “strictly
necessary” for the purposes of processing.390 This requires that the Archbishop demonstrates
that the processing is a reasonable and proportionate way of achieving the legitimate interests.
386 C-708/18 Asociaţia de Proprietari bloc M5A-ScaraA ECLI:EU:C:2019:1064.
387 C-708/18 Asociaţia de Proprietari bloc M5A-ScaraA, paragraph 44.
388 C-524/06 Heinz Huber, paragraph 52.
389 C-524/06 Heinz Huber refers to Article 1(1) of Directive 95/46 in paragraph 52. The equivalent provision under the GDPR
is Article 1(2).
390 C-13/16, Rigas Satiksme, paragraph 30.
544. Should there be a less intrusive way to achieve the same interests, then in general, it cannot be
said that the processing is necessary to achieve those interests. In cases C-92/09 and C-93/09
Scheke, Eifert and Hessen, the CJEU held that, where it was possible to “envisage measures
which affect less adversely that fundamental right of natural persons and which still contribute
effectively to the objectives” in question, such measures will not comply with the principle of
proportionality.391 Finally, I note that in order to be considered necessary processing, no equally
effective alternatives to the processing may be available.
545. I note the Archbishop has submitted that the processing of the data is necessary as:
“complete and accurate records of all persons who have been baptised must be
maintained because it must be possible to operate a rule that baptism may only be
administered once. In the absence of such a record, it would be impossible to operate this
rule, and thus a core aspect of the freedom of religious practice would be interfered
with”.392
546. The Archbishop also submitted that:
“[t]he only way to maintain such a record is to retain the names of all persons who have
been baptised. There is no other way that the data controller could reasonably pursue this
end. The legitimate interests in maintaining baptismal records cannot be achieved by any
other means and thus the means – the maintaining of the original record – are the least
intrusive method possible, and are necessary for the purposes of the legitimate
interests”.393
547. I am in agreement with the Archbishop that the personal data processed in the Baptism Register
is generally limited to what is strictly necessary in order to achieve its legitimate interests. I also
accept, in accordance with the requirement of data minimisation, that the data in question is
the minimum amount required to achieve the legitimate interests.
548. Further, the Archbishop has confirmed that, in instances where a baptismal record does not
exist for an individual, the Archbishop may require the individual to provide sworn statements
from their godparents or parents confirming that the baptism took place. In other
circumstances, where the sacramental status of an individual may not be verified, after an
extensive enquiry the individual may be conditionally baptised further to canon 869. 394
391 C-92/09 and C-93/09 Scheke, Eifert and Hessen, ECLI:EU:C:2010:662, paragraph 86.
392 Submissions dated 16 March 2020, page 42.
393 Submissions dated 16 March 2020, page 42.
394 Submissions dated 23 July 2021, page 5.
549. Although these are alternative measures to achieving the legitimate interests set out by the
Archbishop, I consider that these could not be equally effective alternatives to the processing
undertaken by recording and retaining personal data in the Baptism Registers. Given the
importance of the principle in the Catholic Church that certain sacraments may only be
administered once, the reliance on statements of godparents and other witnesses instead of
the official record of the Church (or indeed conditionally baptising a person without any
verification as to whether they have been previously baptised), does not provide the certainty
and effectiveness of the recording of Baptism Registers and is clearly only suited to exceptional
occasions.
550. As such, I am satisfied that the Archbishop has demonstrated that the processing of the data
subject’s personal data is necessary to achieve the legitimate interests outlined.
Balancing the legitimate interests against the interests or fundamental rights and freedoms of the
data subject
551. Finally, I must consider whether the legitimate interests pursued by the Archbishop are not
overridden by the interests, rights or fundamental freedoms of the data subjects. When
undertaking this assessment a number of considerations need to be taken into account.
Moreover, those interestsmust be present and effective at the date of the data processing and
must not be hypothetical in nature.395
Impact of the processing
552. I note that an important consideration to take into account is the consequences for the
individual by the processing of their personal data in Baptism Registers.396 The purpose is not
to prevent any negative impact on the data subject, but to prevent a disproportionate impact.397
Such impact encompasses the different ways in which an individual may be affected - positively
or negatively - by the processing, and should address any possible (potential or actual) positive
and negative consequences of such processing.398
553. Although the Baptism Register does not act as a list of member of the Catholic Church, the
Archbishop has submitted that at the point of baptism, “the baptised person is properly
considered a member of the Catholic Church”.399 For various reasons, data subjects may no
longer wish to be considered members of the Catholic Church. Further, I note that since 2010,
a change was made to Canon law, which resulted in a data subject being unable to defect
formally from the Catholic Church.400
The nature of the personal data
395 C-708/18, Asociaţia de Proprietari bloc M5A-ScaraA 11 December 2019, paragraph 44
396 See WP Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive
95/46/EC, assessing the impact of processing, page 37.
397 WP29 Opinion 06/2014 on the notion of legitimate interests, page 41
398 WP29 Opinion 06/2014 on the notion of legitimate interests, page 37
399 Submissions dated 16 March 2020, page 38.
400 Submissions dated 16 March 2020, page 21.
554. The CJEU has clarified that “account must be taken, inter alia, of the nature of the personal data
at issue, in particular of the potentially sensitive nature of those data, and of the nature and
specific methods of processing the data at issue, in particular of the number of persons having
access to those data and the methods of accessing them”.401
555. I note that, pursuant to Article 9(1) of the GDPR, the personal data recorded in the Baptism
Registers is also considered to be special category personal data as it reveals a religious belief.
Special category data is considered more sensitive than other types of personal data and
warrants special protection and consideration. In addition, the personal data recorded in the
Baptism Records also concerns the personal data and special category data of children, who,
under Recital 38 of the GDPR ‘merit specific protection’, this being within the backdrop of
parental consent being obtained at the time of the baptismal event.
556. Further, I note that the processing of the personal data in the Baptism Registers is not intensive
(though it is long in duration); the personal data collected and recorded is not extensive and
consists of no more than is strictly necessary than what is required to pursue the legitimate
interest. In addition, as outlined prior, there are strict rules on who can access this data and it
is limited to select individuals.402
Reasonable expectations of the data subject
557. When balancing the interests, rights and fundamental freedoms of the data subject against the
legitimate interests pursued by a controller or a third party, consideration for the reasonable
expectations of the data subject is required, as set out in recital 47 of the GDPR. The DPC’s views
on the reasonable expectations of the data subject were previously set out in this section.
558. The Archbishop in his submissions states that these “legitimate interests” for the purposes of
data protection law are underpinned by fundamental rights protections pursuant to Article
44.2.1° and Article 44.2.5° of the Irish Constitution and Articles 10 and 22 the Charter of
Fundamental Rights (the ‘Charter’). In particular, the Archbishop notes the right of freedom of
religion with the right to self-determination and the right to manage their own affairs being an
integral part of that right.403
559. In this regard, the rights of data subjects under data protection law should be read in
conjunction with Article 10 of the Charter, which provides for the right to “freedom of thought,
conscience and religion”. This includes “the freedom to change religion or belief and freedom,
either alone or in community with others and in public or in private, tomanifest religion or belief,
in worship, teaching, practice and observance”. This Article reflects also Article 9 of the
European Convention of Human Rights (the “ECHR”). The right to freedom of religion includes
the corollary of that right, the right not to belong to a religion or to practice it. The right to
freedom of religion also protects the right not to manifest or reveal one’s religious beliefs.
401 C-708/18 Asociaţia de Proprietari bloc M5A-ScaraA, paragraph 57.
402 Submissions dated 16 March 2020, page 44.
403 Submissions dated 16 March 2020, pages 36 -38.
560. Article 1(2) of the GDPR provides that the “Regulation protects the fundamental rights and
freedoms of natural persons and in particular their right to the protection of personal data.” The
data subjects in the present context have the right to freedom of thought conscience and
religion, which ought to be weighed against the Archbishop’s legitimate interests in this
instance. In that regard, I note that on the other hand the State also has an obligation to ensure
that it does not impede the normal functioning of religious organisations. The Constitution
protects the functioning of religious organisations, under Article 44.5 - “[e]very religious
denomination shall have the right to manage its own affairs, own, acquire and administer
property, movable and immovable, and maintain institutions for religious or charitable
purposes”. The DPC must seek to balance the rights of the Catholic Church and the Archbishop
against the rights of the data subjects who do not wish to belong to a religious organisation, nor
wish to have their data processed by that religious organisation, nor wish to be seen to be
manifesting their religious beliefs in a way that allows such a belief to be inferred by the
recording and processing of their personal data.
561. Further, Article 12 of the Charter provides for the right to “freedom of association at all levels,
in particular in political, trade union and civic matters, which implies the right of everyone to
form and to join trade unions for the protection of his or her interests”. This right encompasses
the freedom to associate with religious associations. This Article reflects Article 11 of the ECHR.
The freedom of association encompasses a freedom of choice as to how an individual may wish
to exercise their freedom of association. This includes the right not to join an association and
the right to withdraw from an association, which is the corollary to the freedom of association
and is essential for the proper exercise of the rights.404 The rights of data subjects whose
personal data is recorded in the Baptism Registersmust also be weighed by the DPC against the
legitimate interests of the Archbishop in this case.
562. Even in instances where the infringement of the data subject’s interests and/ or rights and
fundamental freedoms occur, this does not necessarily mean that the balance falls in favour of
the legitimate interests being overridden. In circumstances where there is a clear and
proportionate justification for the impact on the data subject’s rights, the processing may still
lawfully occur based on the legitimate interests.
563. In case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos
(AEPD), Mario Costeja Gonzalez (‘Google Spain’)405 the CJEU considered the rights of a data
subject who wished to have links to his personal data removed from a search engine against the
legitimate interests of the search engine in this case. In this case the held that the application
of Article 7(f) (legitimate interests under Directive 95/46) “necessitates a balancing of the
opposing rights and interests concerned, in the context of which account must be taken of the
significance of the data subject’s rights arising from Articles 7 and 8 of the Charter”.406
404 [See following ECHR cases (Sørensen and Rasmussen v. Denmark [GC], 2006, § 54). (Sigurður A. Sigurjónsson v. Iceland,
1993, § 35; Vörður Ólafsson v. Iceland, 2021, § 45)]]
405 ECLI:EU:C:2014:317.
406 C-131/12 Google Spain, paragraph 74.
564. The CJEU sought to balance the rights of the data subject in that case, even where such rights
may be interfered with, against the legitimate interests of third party internet users and
considered that such balancing would have to be done on a case-by-case basis and would
depend on the nature of the personal data among other things. This was also echoed by the
CJEU in C-13/16 Rigas Satiksme, wherein the CJEU stated, “as regards the condition of balancing
the opposing rights and interests at issue, it depends in principle on the specific circumstances
of the particular case”.407
565. The DPC finds that the Archbishop has an overriding justification for the impact on the data
subject’s rights. The Archbishop’s legitimate interests represent the pursuance of central beliefs
in the Catholic Church. The DPC recognises that the right to freedom of thought, conscience and
religion of the Church must also be taken into account when balancing the rights of the data
subjects. As the achievement of the legitimate interests, in this instance, are fundamental to
the proper administration of certain sacraments, in particular baptism, in the Catholic Church,
the failure of which would impact on the rights of a number of members of the Church, I am of
the view that the Archbishop’s legitimate interests are not overridden by the interests, rights
and fundamental freedoms of the data subjects, including those who consider themselves no
longer members of the Church. The Archbishop has legitimate reasons for the impact on the
data subjects’ rights, which stem from the aim of ensuring the proper administration of
sacraments as a whole.
Safeguards
566. The Article 29 Working Party stated in its opinion on legitimate interests, as submitted by the
Archbishop, that “important and compelling legitimate interests may in some cases and subject
to safeguards and measures justify even significant intrusion into privacy or other significant
impact on the interests or rights of the data subjects”.408 It is accepted that adequate and
sufficient safeguards can significantly reduce the impact on data subjects. I note that the
Archbishop has pointed to a number of safeguards that are in place, such as the fact that the
Baptism Registers are kept private and secure and subject to strict rules of confidentiality, only
accessible by a very small number of authorised individuals. Further, the Archbishop has
submitted that a de facto defection register is kept in order to allow those who no longer wish
to have an association with the Church to have this view recorded. The Archbishop has also
offered to direct the parish priests to include an annotation on the Baptism Register stated that
an individual “No longer wishes to be identified as Roman Catholic”, though this is not the
current practice of the Archdiocese.409
567. I am of the view that these safeguards reduce the impact on the data subject’s rights. I am of
the view that an annotation on the Baptism Register itself, clearly indicating the wishes of the
data subject on the baptism entry would be an appropriate method of safeguarding the data
subject’s rights.
407 C-13/16 Rigas Satiksme, paragraph 31.
408 Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of
Directive 95/46/EC, page 30.
409 Submissions dated 16 March 2020, page 44.
568. It is my view that in pursuing his legitimate interests, the Archbishop is infringing the rights and
freedoms of data subjects. In such instances, a fair balance must be struck between these
competing rights and interests. The DPC considers that the processing of personal data of
individuals who no longer wish to have their personal data processed may impact on the data
subjects’ rights such as their right to freedom of religion and freedom of association and the
corollary rights. However, I am of the view that the legitimate interests of the Catholic Church
in the proper administration of the sacraments and the Church as a whole, with appropriate
safeguards in place to protect the personal data, overall outweighs the rights and freedoms of
data subjects. The Archbishop’s legitimate interests are justified even with such an impact on
the data subject as they represent central aims and beliefs in the Catholic Church.
569. It is the view of the DPC that the Archbishop may lawfully rely on legitimate interests under
Article 6(1)(f) of the GDPR as a legal basis for processing the personal data of data subjects
which is recorded in the Baptism Register, even in instances where a data subjectmay no longer
wish to be associated with the Catholic Church. The Archbishop has:
• established clear legitimate interests which are being pursued;
• demonstrated the necessity of the processing to achieve these legitimate interests;
and
• subject to certain safeguards, the legitimate interests are not outweighed by the
interests, rights and fundamental freedoms of the data subjects.
Second Issue for Determination
570. The second issue for determination is whether, and to what extent the Archbishop’s interests
(or those of a third party) in retaining the personal data and special category personal data are
overridden by the interest or fundamental rights and freedoms of the data subjects and
accordingly whether the Archbishop is entitled to rely on Article 6(1)(f) for the processing of the
personal data and special category personal data.
571. As stated in the previous section, subject to safeguards, the Archbishop’s interests in retaining
the personal data contained in the Baptism Registers are not overridden by the interest or
fundamental rights and freedoms of the data subjects. The Archbishop is entitled to rely on
Article 6(1)(f) for the processing of the personal data and special category personal data.
Third Issue for Determination
572. The third issue for determination is whether the Archbishop is entitled to rely on Article 9(2)(d)
of the GDPR for the processing of the special category personal data contained in the Baptism
Registers, which permits processing carried out in the course of the Archbishop’s legitimate
activities as a foundation, association or non-profit body with a religious aim where the
processing relates solely to members or former members of the body or to persons who have
regular contact with it in connection with its purposes and where the special category personal
data are not disclosed outside the body without the consent of the data subjects.
573. Article 9(2)(d) of the GDPR permits processing of special category personal data which is:
“carried out in the course of its legitimate activities with appropriate safeguards by a
foundation, association or any other not-for-profit body with a political, philosophical,
religious or trade union aim and on condition that the processing relates solely to the
members or to former members of the body or to persons who have regular contact with
it in connection with its purposes and that the personal data are not disclosed outside that
body without the consent of the data subjects”.
574. Recital 51 also notes that:
“[d]erogations from the general prohibition for processing such special categories of
personal data should be explicitly provided, inter alia, where the data subject gives his or
her explicit consent or in respect of specific needs in particular where the processing is
carried out in the course of legitimate activities by certain associations or foundations the
purpose of which is to permit the exercise of fundamental freedoms”.
575. The Archbishop has submitted that the processing of the special category personal data
contained in the Baptism Registers, in particular the retention of such data in circumstances
where the data subject no longer wishes to be recognised as a member of the Catholic Church,
is in accordance with Article 9(2)(d) of the GDPR.
576. In order to assess whether the Archbishop is entitled to rely on the legal basis under Article
9(2)(d) of the GDPR, I must assess if the required criteria under Article 9(2)(d) are met:
a. the personal data is processed in the course of its legitimate activities;
b. by a foundation, association or any other not-for-profit body with a political,
philosophical, religious or trade union aim;
c. on the condition that the processing relates solely to the members or to former
members of the body or to persons who have regular contact with it in connection
with its purposes; and
d. the personal data are not disclosed outside that bodywithout the consent of the data
subjects.
Criteria a: The personal data are processed in the course of its legitimate activities
577. I have previously established herein that the activities of the Catholic Church for which the
Archbishop processes the personal data and special category personal data, which is contained
in the Baptism Registers, are the legitimate interests of the Archbishop.
578. Further, I also note the guidance of the ICO with respect to the legitimate activities of a not-for-
profit body under Article 9(2)(d). The ICO states that legitimate activities “is fairly broad, and
covers most of what you do, as long as it does not stray outside the purposes and powers set out
in your constitution or governing documents, and is not unlawful or unethical in any way”.410
410 ICO, Special Category data What are the conditions of processing, https://ico.org.uk/for-organisations/guide-to-data-
protection/guide-to-the-general-data-protection-regulation-gdpr/special-category-data/what-are-the-conditions-for-
processing/#conditions
579. I accept that these activities, relating to the recording and administering of certain sacraments
in Baptism Registers are legitimate activities of the Catholic Church, being central to the key
beliefs of the Church and being provided for in Canon Law which constitutes the internal rules
of the Catholic Church and sets out the purposes of the Church and the powers provided to
instruments of the Church to achieve this.
Criteria b: By a foundation, association or any other not-for-profit body with a political,
philosophical, religious or trade union aim
580. The Archbishop has submitted:
“that the conditions required by Article 9(2)(d) in this instance are fulfilled, in that the
personal data contained in the baptism registers are processed in accordance with the
legitimate activities of the Catholic Church, the data relates solely to members or former
members of the Catholic Church, or to persons who have regular contact with it, and those
personal data are not disclosed outside that body without the consent of the data
subjects”.411
581. I also note the guidance of the ICO in this regard. With respect to the bodies that may rely on
Article 9(2)(d) as a legal basis for processing special category personal data, the ICO states that
“[y]ou can only rely on this condition if you […] are a not-for-profit body, for example charities,
clubs, political parties, churches, trade unions and other associations if they have a political,
philosophical, or religious aim”412 (emphasis added). Indeed, the ICO goes on to set out the
following example:
“A church processes personal data of its members and supporters in order to run church
activities and provide pastoral care. The church can rely on the not-for-profit condition to
process the data which reveals their religious belief.”413
582. Further, in a 2016 talk given by Cardinal Stefan Wyszyński, at a Conference organised by the
Polish Inspector for Personal Data Protection and published online by the EDPS (European Data
Protection Supervisor), entitled “Personal Data Protection in churches and religious
organisation” the Cardinal noted the following with respect to Article 9(2)(d) (which was still in
draft form):
“The new Regulation will maintain the existing exemption which allows churches and
other bodies with a 'religious... aim' to process sensitive data:
• 'in the course of its legitimate activities...';
• '...with appropriate safeguards';
411 Submissions dated 16 March 2020, page 38.
412 ICO, Special Category data What are the conditions of processing, https://ico.org.uk/for-organisations/guide-to-data-
protection/guide-to-the-general-data-protection-regulation-gdpr/special-category-data/what-are-the-conditions-for-
processing/#conditions.
413 Ibid.
• '...on condition that the processing relates solely to the members or to former
members of the body or to persons who have regular contact with it in connection
with its purposes'; and
• on condition that 'the data are not disclosed outside that body without the consent
of the data subject'”.414
583. In consideration of the above, I am satisfied that Article 9(2)(d) is intended to cover religious
organisations that constitute not-for-profit bodies. I accept that the Archbishop is a member of
a not-for-profit body, with a religious aim, that being the Archdiocese of Dublin.
414https://edps.europa.eu/sites/edp/files/publication/16-02-25_personal_data_protection_church_warsaw_en.pdf.
Criteria c: On the condition that the processing relates solely to themembers or to former members
of the body or to persons who have regular contact with it in connection with its purposes
584. The processing in question with respect to the Baptism Registers relates to persons who have
undertaken what is considered the “gateway” sacrament within the Catholic Church415. While
the Archbishop submits that the Baptism Registers do not constitute a list of members of the
Church and nor is a register of members maintained for that intention, the Archbishop has
noted that a “baptised person is properly considered a member of the Catholic Church”. As such
“all baptism records relate either to members or former members”.416
585. I accept that in principle, any individual who has undergone baptism in the Catholic Church
becomes a member of the Catholic Church. If subsequently, that individual no longer wishes to
be amember of the Church; regardless of defection, that individual would be a formermember
of the Church.
586. Therefore, I am satisfied that the processing of the special category personal data in the Baptism
Registers relates only to persons who may properly be considered to be members or former
members of the Church.
Criteria d: The personal data are not disclosed outside that body without the consent of the data
subjects:
587. Article 9(2)(d) also requires that personal data processed by the not-for-profit body not be
disclosed outside that body without the consent of the data subjects. I note that the Baptism
Registers are generally subject to strict confidentiality even within the Church itself and are only
disclosed outside the Church after 100 years have passed.417 The personal data in the Baptism
Registers may on limited occasions be disclosed within the organisation, either by the
Archbishop seeking to instruct the parish priest to make a Special Annotation for example, or
by a parish priest seeking advice from the Archbishop, via the Chancellery. I also note that, on
occasion, a parent or guardian may request a baptismal certificate on behalf of an individual
who had been baptised. This would be in situations where that individual is unable to consent
on their own behalf, due to their age. I have not been provided with any evidence suggesting
that the personal data contained in the Baptism Registers is disclosed outside of the Church
without the consent of those data subjects.
588. Based on the above considerations, I am satisfied that the Archbishop may rely on the legal
basis under Article 9(2)(d) of the GDPR for the processing of data subjects’ special category
personal data during the course of their lifetime, being members or former members of a not-
for-profit body with a religious aim.
415 Submissions dated 16 March 2020, page 26.
416 Submissions dated 16 March 2020, page 38.
417 Submissions dated 15 October 2020, Schedule of Documents, Dublin Diocesan Archives (IE/DDA), section 2.5 (page 243
of the PDF submission).
Fourth Issue for Determination
589. The fourth issue for determination is whether the Archbishop, in processing the special category
personal data in accordance with Article 9(2)(d) of the GDPR, put in place the required
appropriate safeguards for such processing under Article 9(2)(d)
590. I have previously noted that the Archbishop has referred to a number of safeguards that are in
place for the processing of the Baptism Registers. This includes the fact that the Baptism
Registers are kept securely in the parishes, or in the Archbishop’s House and are confidential,
only accessible by a very small number of authorised individuals. Further, the Archbishop has
submitted that a de facto defection register is kept in order to allow those who no longer wish
to have an association with the Church to have this view recorded. The Archbishop has also
offered to direct the parish priests to include an annotation on the Baptism Register stated that
an individual “No longer wishes to be identified as Roman Catholic”, though this is not the
current practice of the Archdiocese.418
591. As previously stated, I am not of the view that the De Facto Defection Register is an appropriate
safeguard. However, I am satisfied that the other safeguards put in place by the Archbishop are
appropriate to safeguard the rights and fundamental freedoms of data subjects.
592. Based on the above considerations, I am satisfied that the Archbishop , in processing the special
category personal data in accordance with Article 9(2)(d) of the GDPR, has in place the required
appropriate safeguards for such processing under Article 9(2)(d).
Fifth issue for Determination
593. The fifth issue for determination is in assessing the legal basis relied on by the Archbishop,
whether the Archbishop is compliant with the principle of purpose limitation under Article
5(1)(b) of the GDPR and the principle of lawfulness, fairness and transparency under Article
5(1)(a) of the GDPR.
594. Regarding processing (as opposed to further processing) and the principle of ‘purpose
limitation’, Article 5(1)(b) of the GDPR provides that the personal data shall be ‘collected for
specified, explicit and legitimate purposes.’ Therefore, for compliance with the principle of
‘purpose limitation’ a data controller must only process data for specified, explicit and
legitimate purposes.
595. With regard to the Baptism Registers as set out previously, the Archbishop has submitted it is
essential for the administration of the affairs of the Catholic Church to maintain a register of all
people who have been baptised in the Church. In addition, baptism is a sacrament, which can
only be administered once and is the gateway to all other sacraments. At baptism, the personal
data collected contains set information as set out at paragraph 38 of this Decision which is
personal data required for the purposes of recording the fact that the individual was baptised.
418 Submissions dated 16 March, page 44.
596. It is the view of the DPC that the data which is processed (as opposed to further processed), in
the baptism registers is for a specified, explicit and legitimate purpose in line with Article
5(1)(b).
597. Regarding processing (as opposed to further processing) and the requirements under Article
5(1)(a) of the GDPR, that personal data must be processed lawfully, fairly and transparently, it
appears to the DPC that the personal data contained in the Baptism Registers, is processed
lawfully under Article 6(1)(f) of the GDPR and this analysis is set out above which includes
appropriate safeguards being in place.
598. Regarding the ‘fair’ component of Article 5(1)(a) of the GDPR, I am of the view that the data is
processed fairly insofar as the data being processed is not processed by deception or in the
absence of the data subject’s knowledge (or legal guardian’s knowledge) and is relevant to an
event that factually occurred.
599. Regarding the ‘transparency’ component of Article 5(1)(a) of the GDPR, Recital 39 of the GDPR
states ‘[i]t should be transparent to natural persons that personal data concerning them are
collected, used, consulted or otherwise processed and to what extent the personal data are or
will be processed.’ The principle of transparency requires that any information and
communication relating to the processing of those personal data be easily accessible and easy
to understand, and that clear and plain language be used.’
600. In relation to the transparency principle in respect of processing undertaken for the purposes
of archiving in the public interest and for historical research purposes, the Archbishop stated:
“It is a matter for individual Parishes to address the transparency principle on respect of
the registers held by them and which are subject to the GDPR. However, in relation to the
register of baptisms of persons who are adopted, the parish of baptism will direct adopted
persons applying for baptismal certificated to the Chancellery”.419
601. On the basis of the foregoing, I am of the view that the Archbishop has infringed the
transparency principle under Article 5(1)(a) of the GDPR, in circumstances where (1) the
Archbishop is of the view that he is not a data controller in the first instance and on that basis
it is a matter more appropriate for the Parish Priest as data controller and (2) the Archbishop
has not provided the DPCwith any evidence as to how he is in compliance with the transparency
principle.
419 Submissions dated 15 October 2020, page 33.
Legal Analysis: Further Processing
602. Regarding further processing of personal data and special category data of data subjects who
no longer wish to have their personal data recorded in the Baptism Registers, the eight separate
issues for determination are set out above in this Decision. Further processing is processing for
a purpose other than that for which the personal data have been collected. Article 5(1)(b) states
that “further processing for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes shall, in accordance with Article 89(1), not be
considered to be incompatible with the initial purposes.” Reliance is placed on Article 6(1)(f) and
Article 9(2)(j) of the GDPR for such further processing by the Archbishop within the context of
‘[A]rchiving purposes in the public interest and historical research purposes’.
603. Article 9(2)(j) states:
“processing is necessary for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes in accordance with Article 89(1) based
on Union orMember State law which shall be proportionate to the aim pursued, respect
the essence of the right to data protection and provide for suitable and specific measures
to safeguard the fundamental rights and the interests of the data subject.” (Emphasis
added).
Article 89(1) provides that such processing for archiving purposes in the public interest or
historical research “shall be subject to appropriate safeguards”. This is explained further in
Recital 156 of the GDPR.
604. In the first instance, personal data is being collected and processed by the Church primarily to
document and record the administration of the sacrament of baptism, which is an initiation into
the Catholic faith; as set out previously, this is the basis upon which other sacraments can be
administered and without which other sacraments cannot be administered. Such
administration is “critical in terms of certain key beliefs in the Catholic faith”420 and is a key tenet
in the administration of the Catholic Church.
605. The Baptism Records as a matter of course are essentially required for the lifetime of an
individual as there is no time frame within which an individual receives sacraments, and I have
set out that it is of the view that the Archbishop has a lawful basis for such processing under
Article 9(2)(d) of the GDPR which essentially extends for the lifetime of a data subject.
420 Submissions dated 16 March 2020, page 35
606. The Archbishop, in addition, now relies on Article 9(2)(j) for the further processing of the same
personal data-set for archiving in the public interest and for historical research purposes as he
submits that the “baptism registers form an important part of the Church’s wider role in
maintaining records and archives” and that the “Baptism Registers record the historical fact of
baptisms having taken place. Over time, these registers assume a different importance
becoming a unique archival and/or historic record of enduring value. Baptismal records are
often, for example, sought by those carrying out genealogical research.”421 This appears to be
ancillary to the original purpose of the processing. The archiving processing only arises by virtue
of the initial existence of the Baptism Registers.
607. The Archbishop submits that the “registers maintained are a form of archiving”’422 and that he
is aware “that baptism certificates are often used for persons seeking to establish Irish
citizenship through antecedents (usually grandparents), in the absence of State records due to
the fire in the Customs House in 1921, or prior to the creation of State records”’.423 The historic
Catholic parish records shared with the National Library during the 1940s/1950s had a “cut-off
date of 1880” for reasons of confidentiality.424
608. In addition, the Archbishop provides a comprehensive summary regarding the historic archiving
of church records and states that the “Diocesan Archives hold a register from St. Michan’s
Church, Halston Street, Dublin, dating from 1726. However, the vast majority of the registers in
the Diocesan archives date from the 19th century. Those from the mid-1850s are pro-forma
registers, customised with detailed columns and headings unlike earlier versions”. 425
609. The Dublin Diocesan Archive426 states that the “vast bulk of its holdings are confined to the
nineteenth and twentieth centuries, with the Archives processing only a small amount of
material covering the reigns of twelve Archbishops from 1600-1770”. It further states that it
holds “the papers of eleven successive archbishops of Dublin covering the period 1770 to 2004”
“eight of which are available to researchers’. The reign of the eight Archbishops referred to date
from 1770 to 1972. For Family History Research purposes, it states “information from Parish
Registers is only accessible up to and including 1920”.
610. Recital 158 of the GDPR provides that “public authorities or public or private bodies that hold
records of public interest should be services which, pursuant to Union orMember State law, have
a legal obligation to acquire…..” (Emphasis added). It appears therefore that in order for a data
controller to rely on archiving in the public interests, the legal obligation to process such data
must be set out in law.
611. As set out previously, the Archbishop submitted that the “legal obligation” referred to in Recital
158 need not be limited to a statutory obligation stating “the canon law obligations on parish
priests to preserve baptismal and other registers are set out under the Code of Canon Law”.
421 Submissions dated 16 March 2020, page 52.
422 Submissions dated 16 March 2020, page 45.
423 Submissions dated 16 March 2020, page 46.
424 Submissions dated 15 October 2020, page 19.
425 Submissions dated 16 March 2020, page 40.
426 Archives | Archdiocese of Dublin (dublindiocese.ie); https://dublindiocese.ie/archives/
612. Recital 41 states:
“Where this Regulation refers to a legal basis or a legislative measure, this does not
necessarily require a legislative act adopted by a parliament, without prejudice to
requirements pursuant to the constitutional order of the Member State concerned.
However, such a legal basis or legislative measure should be clear and precise and its
application should be foreseeable to persons subject to it, in accordance with the case-
law of the Court of Justice of the European Union (the ‘Court of Justice’) and the European
Court of Human Rights’”. (Emphasis added)
613. As set out at previously, the position under Canon Law is not determinative of the position
under Irish or EU law. Canon Law is an internal body of law, which governs the internal
operations of the Catholic Church. Recital 41 clarifies that some form of a legal basis is required
which must be clear, concise and foreseeable to individuals and in line with the case law of the
CJEU and the ECtHR. For the purposes of archiving in the public interest, there must be a legal
obligation for the Archbishop to engage in such archiving.
614. Article 91 of the GDPR states:
“(1) Where a Member State, churches and religious associations or communities apply, at
the time of entry into force of this Regulation, comprehensive rules relating to the
protection of natural persons with regard to processing, such rules may continue to apply,
provided that they are brought into line with this Regulation.
(2) Churches and religions associations which apply comprehensive rules in accordance with
paragraph 1 of this Article shall be subject to the supervision of an independent supervisory
authority, which may be specific, provided that it fulfils the conditions laid down in Chapter
VI of this Regulation”.
615. I am not aware of any set of comprehensive data protection rules as referred to in Article 91 at
domestic level in this jurisdiction which relates to the protection of natural persons with regard
to such processing to permit any form of a derogation. Further, there were no submissions
made by the Archbishop on this point. In any event, Article 91(1) clearly sets out that such rules
could only continue to apply on condition they complied with the GDPR.
616. I note the Archbishop’s reference to Article 44.2.5 of Bunreacht na hÉireann and the right of
religious denominations to manage their own affairs. In Jehovan Todistajat (Case C-25/17) at
paragraph 74, the CJEU held that:
“The obligation for every person to comply with the rules of EU law on the protection of
personal data cannot be regarded as an interference in the organisational autonomy of
those communities (see, to that effect, judgment of 17 April 2018, Egenberger, C‐414/16,
EU:C:2018:257, paragraph 58).”427
427 C-25/17 Jehovan Todistajat, EU:C:2018:551, paragraph 74.
617. Based on the foregoing, the GDPR does not interfere with nor can it be construed as interfering
with the autonomy of any religious denomination, including the Catholic Church, from
managing its own affairs. Article 91 of the GDPR indicates that churches, religious associations
or communities must operate within the parameters of data protection law.
618. While I accept for present purposes that the legal obligation for archiving in the public interest
need not necessarily be limited to a statutory obligation (for example, the legal obligation could
be set out in common law), Article 9(2)(j) is underpinned by a legal obligation being placed on
the data controller in the first instance, which it is not presently. It is not sufficient for the
purposes of data protection law for a data controller to rely on its own internal set of rules for
the purposes of Article 9(2)(j) of the GDPR.
619. I note that the Diocesan Archives holds various historic registers dating from 1726. In relation
to further processing for the purposes of historical research, I am of the view, that insofar as
the data subjects named in those historic registers are deceased,428 the GDPR does not apply.
Insofar as there may be some data subjects named in those registers who are still alive, I am of
the view that their personal data is lawfully processed in the first instance under Articles 6(1)(f)
and 9(2)(d) of the GDPR for their lifetime which is the primary purpose of the processing of that
data and not for an ancillary or further processing function.
620. Based on the foregoing, it is the view of the DPC that it is not necessary to consider or analyse
further the other elements contained within the provisions of Article 9(2)(j) of the GDPR that
were set out in the Issues Paper. Namely, whether the processing is necessary, the public
interest element, the proportionality of the processing, the right to data protection or the
safeguards that ought to be in place and on that basis, within the context of this Inquiry, the
remaining issues for determination as set out in the Issues paper, are now moot.
428 Article 4(1) of the GDPR states that the Regulation applies to the personal data of ‘natural persons’. Recital 27 further
clarifies that the GDPR ‘does not apply to the personal data of deceased persons. Member States may provide for rules
regarding the processing of personal data of deceased persons’.
Findings
621. Therefore, I find that:
a. The Archbishop may lawfully rely on legitimate interests under Article 6(1)(f) of the
GDPR as a legal basis for the processing of personal data of data subjects which is
recorded in the Baptism Register, even in such instances where a data subject may no
longer wish to be associated with the Catholic Church;
b. Subject to safeguards, the Archbishop’s interests in retaining the personal data
contained in the Baptism Registers are not overridden by the interest or fundamental
rights and freedoms of the data subjects;
c. The Archbishop may rely on the legal basis under Article 9(2)(d) of the GDPR for the
processing of data subjects’ special category personal data during the course of their
lifetime, being members or former members of a not-for-profit with a religious aim;
d. The Archbishop, in processing the special category personal data in accordance with
Article 9(2)(d) of the GDPR, has in place the required appropriate safeguards for such
processing under Article 9(2)(d)
e. The Archbishop cannot lawfully rely upon Article 9(2)(j) of the GDPR for the purposes
of further processing the personal data and special category data of those named in
the Baptism Registers, the subject of this Inquiry.
622. As it has now been determined that the Archbishop is the data controller for the processing
activities the subject of this Inquiry. He must now ensure compliance with Article 5(1) of the
GDPR. In particular, as part of his compliance under Article 5(1)(a) of the GDPR vis-à-vis
transparency of processing (and having regard to the provisions of Articles 12 to 14 of the
GDPR), the Archbishop should now make clear that all personal data collected and recorded
and otherwise processed for the purposes of the administration of sacraments, is retained for
the lifetime of that individual.
d) RIGHT OF RECTIFICATION
Issues for determination
623. In relation to the Archbishop’s compliance with the data subject right under Article 16 of the
GDPR, the following issues arise for determination, as set out in the Issues Paper:
a. whether a data subject has the right to obtain from the Archbishop the rectification
of inaccurate personal data concerning him or her;
b. whether the recording of a data subject’s sacrament of baptism in the Baptism
Registers, in circumstances where the data subject no longer consider themselves to
be a member of the Catholic Church, constitutes inaccurate or incomplete personal
data within themeaning of Article 16 of the GDPR, with reference to the Archbishop’s
compliance with the principle of accuracy under Article 5(1)(d) of the GDPR in this
regard;
c. whether data subjects who no longer consider themselves to be members of the
Catholic Church have the right to obtain rectification of their sacramental status or
their status as members of the Catholic Church in the church records contained in the
Baptism Registers or where the personal data is found to be incomplete, have the
right to have this personal data completed, including by means of providing a
supplementary statement; and;
d. whether, in circumstances where a right to rectification exists, the data subjects’
rights may be restricted by the Archbishop, pursuant to Section 61(1) of the 2018 Act,
where the processing is for archiving purposes in the public interest, or by section
61(2) of the 2018 Act, where the processing is for historical research purposes and the
exercise of the right would be likely to render impossible or seriously impair, the
achievement of these purposes and the restriction is necessary for the fulfilment of
those purposes.
624. The Baptism Registers contain a record of individuals who have undergone the sacrament of
baptism within the Catholic Church in the Archdiocese, which is central to the administration of
the church. Under canon 535 §1, the Baptism Registers (along with all parochial registers) are
to be “accurately inscribed and carefully preserved” by the parish priest. The parish priest in
certain circumstances may amend parish Baptism Registers. As previously set out, the
Guidelines state at section 1.12 that “[f]acts cannot be changed. Errors can be corrected when
proof is provided. Some emendations however are possible. For example, sometimes people
adopt a new name for themselves or more especially for their children […] any alteration to the
Baptismal Register must be authorised through the Chancellery”429.
429 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, section 1.12 (page 12 of the PDF submission).
625. As stated, such amendments require input from the Chancellery, as set out in the Guidelines at
section 4.5: “the express permission of the Chancellery is required before any alteration or
emendation may be made in an entry in any such parochial register”430.
626. Though this Inquiry is an own-volition Inquiry, certain of the complaints received by the DPC
from data subjects prior to the commencement of the Inquiry stated that they no longer
consider themselves members of the Catholic Church. It now falls to me to determine whether
a church record, which continues to list these data subjects and their sacramental status in the
Catholic Church, is inaccurate or incomplete in that context, and whether a right to obtain
rectification may arise in favour of these data subjects should they so wish to request
rectification.
Relevant Provisions
627. Article 16 of the GDPR states that data subjects “shall have the right to obtain from the
controller without undue delay the rectification of inaccurate personal data concerning him or
her. Taking into account the purposes of the processing, the data subject shall have the right to
have incomplete personal data completed, including by means of providing a supplementary
statement”.
628. Article 19 of the GDPR also requires that the “controller shall communicate any rectification or
erasure of personal data or restriction of processing, carried out in accordance with Article 16,
Article 17(1) and Article 18 to each recipient to whom the personal data may have been
disclosed, unless this proves impossible or involves disproportionate effort”.
629. Article 5(1)(d) of the GDPR requires that personal data be “accurate and, where necessary, kept
up to date; every reasonable step must be taken to ensure that personal data that are
inaccurate, having regard to the purposes for which they are processed, are erased or rectified
without delay” (otherwise known as the principle of accuracy).
630. Recital 39 of the GDPR also states, “[e]very reasonable step should be taken to ensure that
personal data which are inaccurate are rectified or deleted”.
631. Recital 65 of the GDPR also states that “[a] data subject should have the right to have personal
data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such
data infringes this Regulation or Union or Member State law to which the controller is subject.”
632. Section 61 the 2018 Act restricts the exercise of certain data subject rights, including rights
under Article 16, in certain instances. Section 61(1) restricts data subject rights where
processing of data is for archiving purposes in the public interest and section 61(2) of the 2018
Act restricts data subject rights where processing of data is for scientific or historical research
purposes or statistical purposes to the extent that:
(a) the exercise of any of those rights would be likely to render impossible, or seriously
impair, the achievement of those purposes, and
(b) such restriction is necessary for the fulfilment of those purposes.
430 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, section 1.5 (page 23 of the PDF submission).
Relevant Case Law
633. In the judgment of the CJEU in C-434/16 Nowak v Data Protection Commissioner,431 the CJEU
considered the right of rectification within the context of Directive 95/46/EC. The CJEU stated,
in consideration of whether an exam script constituted personal data, and if so whether the
exam answers and the comments by the examiners could be the subject of the right of access
and the right of rectification, that:
“It is apparent from Article 6(1)(d) of Directive 95/46 that the assessment of whether
personal data is accurate and complete must be made in the light of the purpose for
which that data was collected. That purpose consists, as far as the answers submitted
by an examination candidate are concerned, in being able to evaluate the level of
knowledge and competence of that candidate at the time of the examination. That
level is revealed precisely by any errors in those answers. Consequently, such errors do
not represent inaccuracy, within the meaning of Directive 95/46, which would give rise
to a right of rectification under Article 12(b) of that directive.
On the other hand, it is possible that there might be situations where the answers of
an examination candidate and the examiner’s comments with respect to those
answers prove to be inaccurate, within the meaning of Article 6(1)(d) of Directive
95/46, for example due to the fact that, by mistake, the examination scripts were
mixed up in such a way that the answers of another candidate were ascribed to the
candidate concerned, or that some of the cover sheets containing the answers of that
candidate are lost, so that those answers are incomplete, or that any comments made
by an examiner do not accurately record the examiner’s evaluation of the answers of
the candidate concerned”.432
431 C-434/16 Nowak v Data Protection Commissioner ECLI:EU:C:2017:994.
432 C-434/16 Nowak v Data Protection Commissioner, paragraphs 53-54.
Archbishop’s Submissions
634. The Archbishop submitted that baptism records are not inaccurate (in the instance where an
individual no longer considers themselves to be a member of the Catholic Church), stating that
the Baptism Registers “are an accurate record of a particular event having occurred at a certain
time in the past”. In general, the Archbishop noted that if there were an inaccuracy in the record
“such as an incorrect spelling of a name” itwould be possible to correct such as an inaccuracy.433
635. The Archbishop submitted that the Baptism Registers should not be mischaracterised as a “list
of current members of the Catholic Church”. Instead, the Baptism Registers “sets out a person’s
status in respect of certain sacraments, which can be administered only once in a person’s
lifetime. As such, the baptism registermerely indicates a person’s status as baptised, and has no
bearing on their status as regards adherence to the beliefs of, or communion with, the Catholic
Church”.434
636. As such, the Archbishop expressed the view that “unless it has been demonstrated that a factual
inaccuracy exists within the register the Archbishop submits that the right provided for in Article
16 does not apply”.435
637. The Archbishop also noted that Article 16 provides data subjects with the right to have
incomplete personal data completed. In this regard, the Archbishop stated that “the purposes
of the processing is to record a person’s status in respect of certain sacraments. As long as the
registers have beenmaintained and are up-to-date, it cannot be said that the information in this
regard is “incomplete”, so again, the right provided for in Article 16 does not apply”.436
638. The Archbishop also stated in this regard that, although it is not understood to be the current
practice in the parishes of the Archdiocese, “the Archbishop could indicate to Parish Priests that
it would be permissible pursuant to canon law to adopt a practice whereby the register could be
annotated as follows: “No longer wishes to be identified as a Roman Catholic”. However, the
Archbishopwished to stress that it is not accepted that this is orwould be necessary (to facilitate
data subject rights) and that “the adoption of this practice would ultimately be a matter for the
parish priest as the data controller”.437
639. Finally, the Archbishop pointed to section 61(2) of the 2018 Act, which provides that where the
processing of personal data is for historical research purposes, the rights of a data subject under
Article 16 are restricted to the extent that:
“the exercise of any of that right would be likely to render impossible, or seriously
impair, the achievement of those purposes, and such restriction is necessary for the
fulfilment of those purposes”.438
433 Submissions dated 16 March 2020, page 48.
434 Submissions dated 16 March 2020, page 48
435 Submissions dated 16 March 2020, page 48
436 Submissions dated 16 March 2020, page 48
437 Submissions dated 16 March 2020, page 49.
438 Submissions dated 16 March 2020, page 49.
Legal Analysis
640. I have made the finding above that the personal data and the special category personal data
held in the Baptism Register falls within the material scope of Article 2(1) of the GDPR. This is
on the basis that the Baptism Registers form part of a filing system (as defined under Article
4(6) of the GDPR) or are intended to form part of a filing system.
641. I have found that the Archbishop is the sole controller of the personal data and special category
personal data contained in the Parish Baptism Registers for the processing activities of
retention, special annotation and alteration and the sole controller for all processing activities
with respect to the Clonliffe College Registers and the Adopted Persons Baptism Registers. In
addition, I made the finding that the Archbishop’s lawful basis for the processing of such
personal data is pursuant to Article 6(1)(f) and Article 9(2)(d) of the GDPR. Further, I made the
finding that processingwas not lawful under Article 9(2)(j) of the GDPR for archiving in the public
interest and/or for historical research purposes.
642. On the basis of these findings, I must now consider generally whether the right to obtain
rectification under Article 16 of the GDPR applies to the personal data and special category
personal data for which the Archbishop is the controller and which falls within the material
scope of the GDPR. Article 16 of the GDPR provides for two things: firstly, the right of the data
subject to have factually inaccurate personal data rectified and secondly the right to have
incomplete personal data “completed” including by way of a supplemental statement; the latter
must take into account the purposes of processing. For the purposes of Baptism Records, Imust
turn my consideration to whether the data is inaccurate or is it incomplete.
Issue 1 for Determination: whether a data subject has the right to obtain from the Archbishop the
rectification of inaccurate personal data concerning him or her under Article 16 of the GDPR.
643. It is important to note that the right to rectification is not an absolute right and it depends on
the circumstances of the case. An assessment must be made in each instance as to whether
personal data is accurate and complete and this assessment must be made in light of the
purpose for which that data was collected and processed, according to the CJEU in Nowak.439
Although this case considered the relevant issues under Directive 95/46, the principle of
accuracy under the GDPR has remained largely the same.
644. As a controller, the Archbishop is under an obligation to comply with the principle of accuracy
under Article 5(1)(d) of the GDPR, requiring the Archbishop to take every reasonable step “to
ensure that personal data that are inaccurate, having regard to the purposes for which they are
processed, are erased or rectified without delay”. Compliance with this obligation must be
demonstrable in accordance with the principle of accountability under Article 5(2), which states
that a controller “shall be responsible for, and be able to demonstrate compliance with,
paragraph 1”.
439 C-434/16 Nowak v DPC, paragraph 53.
645. Further, Article 12(2) of the GDPR places an obligation on a controller to “facilitate the exercise
of data subject rights under Articles 15 to 22”. Article 12(3) of the GDPR also requires that a
controller “shall provide information on action taken on a request under Articles 15 to 22 to the
data subject without undue delay and in any event within one month of receipt of the request”.
646. In circumstances where a controller does not take action on a request, Article 12(4) of the GDPR
requires that the controller:
“shall inform the data subject without delay and at the latest within one month of receipt
of the request of the reasons for not taking action and on the possibility of lodging a
complaint with a supervisory authority and seeking a judicial remedy”.
647. Further to the above provisions, the Archbishop as a controller is under an obligation to
facilitate the exercise of data subject rights under Articles 15 to 22 in respect of the personal
data and special category personal data for which he acts as a controller and which falls within
the material scope of the GDPR. The right to rectification under Article 16 is encompassed in
the controller obligations set out in Article 12.
648. As such, it is my view that a request by a data subject regarding the exercise of their right to
rectification under Article 16 of the GDPR must be facilitated by the Archbishop in line with the
provisions and requirements of Article 16 and as mandated under Article 12(2) of the GDPR
which states “The controller shall facilitate the exercise of data subject rights under Articles 15
to 22.”
Issue 2 for Determination whether the recording of a data subject’s sacrament of baptism in the
Baptism Registers, in circumstances where the data subject no longer consider themselves to be a
member of the Catholic Church, constitutes inaccurate or incomplete personal datawithin themeaning
of Article 16 of the GDPR, with reference to the Archbishop’s compliance with the principle of accuracy
under Article 5(1)(d) of the GDPR in this regard.
649. The Archbishop has indicated that rectification of the Baptism Registers already occurs in some
instances. The Baptism Registers (along with all parochial registers) are to be “accurately
inscribed and carefully preserved” by the parish priest in accordance with canon 535 §1. Parish
priests are only permitted to amend the registers in certain circumstances as set out in the
Guidelines. Documentary evidence is generally required to ground such a request for an
Alteration. In particular, the Guidelines state at section 1.12 that “[f]acts cannot be changed.
Errors can be corrected when proof is provided. Some emendations, however are possible. For
example, sometimes people adopt a new name for themselves or more especially for their
children.” This therefore relates to the rectification of data that is inaccurate as a matter of fact
under Article 16 of the GDPR.
650. The evidence provided to the DPC indicates that where an Alteration is made to an entry in the
Baptism Register, the incorrect or inaccurate personal data is not deleted, but a line is drawn
through it and the new information is inserted and a note is added with a direction to include
the alteration in any future baptism certificates issued.440
440 Submissions dated 15 October 2020, Schedule of Documents, copy of letter, (page 194 of the PDF submission).
651. The GDPR does not define the term “accurate” or “inaccurate”’. While not referring to the
GDPR, section 92(17) of the 2018 Act states that, for the purposes of transposing the right of
rectification under the Law Enforcement Directive,441 personal data are inaccurate if “(a) they
are incorrect or misleading as to any matter of fact”, or (b) they are incomplete in a material
manner”. Further, though less persuasive value from a European Law perspective since the exit
of the United Kingdom from the European Union, the UK Data Protection Act 2018 defines
“inaccurate” in relation to personal data as “incorrect or misleading as to any matter of fact”.442
652. The concept of accuracy is to be interpreted in light of Article 5(1)(d) of the GDPR. Article 5(1)(d)
states that “every reasonable step must be taken to ensure that personal data that are
inaccurate, having regard to the purposes for which they are processed, are erased or rectified
without delay” (emphasis added).
653. It is the view of the DPC that, in principle, the correction of factually incorrect data as submitted
by the Archbishop is sufficient for compliance with Article 16 of the GDPR having regard to the
factual inaccuracy of the original recording and processing of the personal data and special
category data.
654. In the context of this Inquiry, I must consider whether the recording and thus processing of
personal data and special category data is inaccurate or incomplete in circumstances where a
data subject no longer wishes to be amember of the Catholic Church. As set out previously, the
issue of a formal/defacto defection from the Catholic Church is not a matter for the DPC; the
issue for the DPC relates to the rectification of personal data and special category data
contained within the Baptism Registers for such individuals. This issue for determination
regarding rectification within this context must be considered within the parameters as to
whether it relates to (a) the inaccuracy of the factual data that is recorded or (b) whether the
factual data is incomplete taking into account the purposes of processing.
655. The Archbishop submitted that certain sacramental registers held in the Archdiocese consist of
a record of the administration of certain sacraments in the Church.443 The Archbishop also
submitted that baptism can only be received once and as such, “it is essential that the Roman
Catholic Church maintain a record of all those persons who have been baptised”.444 The
Archbishop further submitted that the purposes of the processing of the Baptism Register is to
be assured that certain sacraments have been administered once only in a person’s lifetime
(baptism, confirmation,marriage and holy orders) by recording the baptism of an individual and
annotating any future sacraments of confirmation, marriage or holy orders.445
656. The Archbishop has submitted that the Baptism Registers record the occurrence of an event,
that of the administration of the sacrament of baptism. The Archbishop stated that the Baptism
Registers “are an accurate record of particular event having occurred at a certain time in the
past”. However, the Archbishop also submitted that if an inaccuracy exists in that record, such
as the spelling of a name, such an inaccuracy would be corrected.
441 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016.
442 UK Data Protection Act 2018, section 205.
443 Submissions dated 16 March 2020, pages 34-35.
444 Submissions dated 16 March 2020, page 34.
445 Submissions dated 16 March 2020, page 35.
657. A question arises which is whether the Baptism Registers merely record the event of baptism
(and certain further sacraments), and are therefore not inaccurate even where a data subject is
no longer a member of the Catholic Church, or whether the Baptism Registers effectively
operate as a list of the members of the Catholic Church.
658. The Archbishop submitted that in respect of membership of the Catholic Church, “[w]hile the
Roman Catholic Church does not maintain a register of members […] it is correct to say that at
the point of baptism, the baptised person is properly considered a member of the Catholic
Church”. 446 However, the Archbishop also submitted that the content of the entry on the
register does not signify that the data subject is a currentmember of the Roman Catholic Church
but rather signifies the fact that the person was, at one point in the past, baptised as a
Catholic.447
659. I note the Archbishop’s reference to the past decision ofmy predecessor as outlined in the Data
Protection Commissioner’s Annual Report 2003. The former Commissioner, in relation to
Baptism Registers concluded that they were “a factual record of an event that happened”.448
Although Baptism Registers are a factual record of an event that happened, it must be noted
that case study was considered under the Data Protection Acts, 1988-2003, the complainant’s
baptismal records were never located and the complainant did not pursue the matter beyond
the initial stages of complaint-handling; therefore the matter did not progress any further.
660. Based on the purpose for which the Archbishop and the parish priests retain the Baptism
Registers, which is to ensure the proper administration of certain sacraments of the Catholic
Church (in particular that individuals may only undergo these once in their lifetime), it is my
view that the Baptism Registers are intended to record the event of baptism (and any further
sacraments which are annotated).
661. This is as opposed to the Baptism Registers acting as a list of members of the Catholic Church.
Although the Archbishop stated that a person may be called a member of the Catholic Church
once they are baptised, there is no evidence to suggest that the Catholic Church records and
maintains a list of its current members. The Archbishop’s submissions have consistently set out
that the Baptism Registers are to ensure it has a clear record of a person’s sacramental status
within the Church.
662. The Archbishop has recognised that a number of people no longer wish to be considered
members of the Catholic Church and this has been recorded in the Defection Registers. In this
regard, the Archbishop has stated that the purposes of the de facto defection register is to
“address any concern that the data subject might have that the [baptism] register would be
regarded as a record of current membership”. This “mitigates against any concern that a data
subject may have in respect of the register being assumed to provide a record of their present-
day religious status and beliefs”449.
446 Submissions dated 16 March 2020, page 38.
447 Submissions dated 16 March 2020, page 44.
448 DPC Annual Report 2003, case study 8, page 37.
449 Submissions dated 16 March 2020, page 44.
663. The maintenance of a de facto defection register demonstrates that the Archbishop is open to
recording an individual’s views on their membership in the Catholic Church if they so wish.
However, the recording of sacraments in the Baptism Register has the main purpose of
documenting the occurrence of particular events, namely, the administration of sacraments, to
ensure that the same sacrament is not re-administered to the same person.
664. In considering whether the Baptism Register (and subsequent annotations) may be inaccurate
in the context of the purposes forwhich it is processed, in accordance with Article 5(1)(d), I have
noted themain purpose for the recording of sacraments in the Baptism Register is documenting
the occurrence of an event. As the Baptism Register is a factual record of an event that occurred,
it is important to note that any exercise of the right to rectification does not alter the fact that
the event took place. The exercise of the right to rectification regarding inaccurate records is to
rectify the inaccurate data surrounding the processing of that data which recorded that factual
event in the first instance.
665. Within the context of individuals who no longer wish to be a considered a member of or
associated with the Catholic Church, I am of the view that this does not give rise to a right to
rectification as the event, which is recorded in the Baptism Register, still occurred and from a
data processing perspective, remains factually accurate.
666. I am therefore of the view that the recording of a data subject’s sacrament of baptism in the
Baptism Register, in circumstances where the data subject no longer considers themselves to
be a member of the catholic Church, does not constitute inaccurate personal data within the
meaning of Article 16 of the GDPR. This view is ascertained with reference to the Archbishop’s
compliance with the principle of accuracy under Article 5(1)(d) of the GDPR and on the
assumption that all recorded details accurately reflect the event.
667. I wish to note that, in circumstances where the Archbishop assesses a request for rectification
under Article 16 of the GDPR, and concludes that no factual inaccuracy arises with the recorded
data, he must still comply with his obligations under Article 12(3) and or Article 12(4) of the
GDPR, in order to properly facilitate the exercise of data subject rights (which aremore broadly
contained under Articles 15 to 22 of the GDPR). The Archbishop is obliged to ensure that any
communicationwith data subjects under Articles 15 to 22 is in a concise, transparent, intelligible
form in accordance with Article 12(1) of the GDPR. The issue of records being “incomplete” is
considered under the next section.
Issue 3 for Determination - whether data subjects who no longer consider themselves to be members
of the Catholic Church have the right to obtain rectification of their sacramental status or their status
as members of the Catholic Church in the church records contained in the Baptism Registers or where
the personal data is found to be incomplete, have the right to have this personal data completed,
including by means of providing a supplementary statement.
668. I formed the view above that in circumstances where the data subject no longer considers
themselves to be a member of the Catholic Church that the recording of a data subject’s
sacrament of baptism in the Baptism Register does not constitute inaccurate personal data
within the meaning of Article 16 of the GDPR, with reference to the Archbishop’s compliance
with the principle of accuracy under Article 5(1) of the GDPR. As a consequence of same, the
DPC forms the view that individuals who no longer consider themselves to be members of the
Catholic Church do not have the right to obtain rectification of their sacramental status or their
status as members of the Catholic Church, as the recording and processing of the data is not
inaccurate as amatter of fact in the first instance; this is also on the assumption that all recorded
details accurately reflect the event.
669. I now must consider whether, in circumstances where the personal data and special category
data, contained in the Baptism Registers of data subjects who no longer consider themselves to
be members of the Catholic Church, may be considered to be incomplete, and if so, whether
those data subjects may have a right to have this personal data completed by means of
providing a supplementary statement.
670. In his submissions, the Archbishop referenced the DPC Annual Report of 2003.450 The Church in
the instance of that case study had offered to make a note in the data subject’s record of
baptism in circumstances where they wished for their baptism record to be deleted in that “the
person no longer wished to be associatedwith the Catholic church or to be classed as a Catholic”.
This approach was considered by my predecessor at the time to be “appropriate and
considerate”.
671. The Archbishop has also submitted that he could recommend to parish priests that it would be
permissible to adopt a practice whereby the Baptism Register is annotated, in circumstances
where individuals no longer consider themselves a member of the Catholic Church. The
annotation would read “No longer wishes to be identified as a Roman Catholic”.
672. This would, in effect act as a supplementary statement in circumstances where the personal
data and special category personal data is assessed to be incomplete with regard to the data
subject’s sacramental status within the Catholic Church. i.e., the failure to record a data
subject’s wish not to be recognised as amember of the Catholic Church. I wish to note however,
the Archbishop has not accepted that such a supplementary statement would be necessary to
rectify incomplete personal data and special category personal data in this context, only that it
might service to facilitate the concerns of data subjects in this regard.
673. From 1983 to 2010 in the Code of Canon law, a formal act of defection from the Catholic Church
was recognised. Up until 2009, it was possible to defect formally from the Catholic Church by
way of a notification to the Chancellery.
450 DPC Annual Report 2003, case study 8, page 37.
674. From 2010 onwards, following the issue of the document Omnium inMentem by Pope Benedict
XVI in 2009, formal defection was no longer possible. Individuals may still indicate to the
Archbishop that they do not wish to be considered members of the Catholic Church and that
they have defected from the Church in practice. In that instance, their details will be recorded
in the De Facto Defection Register, which is maintained by the Archdiocese of Dublin for this
purpose. No record of the individual’s de facto defection is recorded in the Baptism Registers.
675. This Decision considered the rights of data subjects vis-à-vis Article 10 of the Charter of
Fundamental Rights (right to freedom of thought, conscience and religion) and Article 9 of the
ECHR which considers the right to freedom of religion and the corollary of that right, the right
not to belong to a religion or practice it. Article 12 of the Charter also provides for the right to
freedom of association including the freedom to associate with religions associations. The
corollary of the right to associate is the right to dis-associate. As set out previously, the defection
from the Catholic Church is not a data protection matter, but examining the lawfulness of
processing of personal data is within the remit of the DPC, which includes the processing of
personal data of those who wish to leave or formally defect from the Catholic Church.
676. In this Decision, the DPC analysed the balancing test for the purposes of Article 6(1)(f) of the
GDPR, which concerns the lawfulness of processing by the Catholic Church for members and
former members. Article 1(2) of the GDPR states that “This Regulation protects fundamental
rights and freedoms of natural persons and in particular their right to the protection of personal
data” [emphasis added]. I am satisfied that the inclusion of a supplemental statement on the
Baptism Register supports the interests, rights and freedoms of those data subjects who no
longer wish to be associated with the Catholic Church.
677. Further, I am of the view, that the insertion of a supplemental statement enhances the
balancing exercise under Article 6(1)(f) of the GDPR insofar as it goes towards vindicating data
subjects’ rights vis-à-vis their status/sacramental status while simultaneously the supplemental
status does not impose on the legitimate interests of the Church.
678. This arises in particular in circumstances where the Archbishop has submitted that he could
recommend to parish priests that it would be permissible to adopt a practice whereby the
Baptism Register is annotated with “No longer wishes to be identified as a Roman Catholic”.
However, it is my view that in circumstances where a data subject no longer wishes to be a
member of the Catholic Church, the data subject does not have a right to have a supplementary
statement added to the entry in the Baptism Register. This follows as a logical conclusion from
the finding that the Baptism Register is held for the purpose of recording the event of a baptism
and is not processed as some form of a register of membership.
679. I consider the inclusion of a supplementary statement beneficial, but not a necessary element
of data accuracy, having regard to the purposes for which the personal data on that register is
processed. It is not necessary to insert supplemental statements into the records of baptisms
to vindicate the rights of data subjects who subsequently wish to leave the Catholic Church.
680. The Baptism Register is intended as a record of an individual’s sacramental status. The
Archbishop has described the Baptism Register as “of particular importance as it is considered
to be the “gateway” to all of the records of a person’s life within the Catholic Church”. The
Archbishop has submitted any further changes regarding the sacraments that a person has
received are to be annotated in the Baptism Register.
681. While I acknowledge that registration in the De Facto Defection Register does not change the
canonical status of a person, unlike registration in the formal defection register in the past, or
the sacramental status of a person (not being equivalent to undertaking a sacrament), it is my
view that being registered in the de facto defection register can be a record of a “person’s life
within the Catholic Church”. However, I do not see this De Facto Defection Register as forming
a necessary processing operation under the GDPR. The current entries on that De Facto
Defection Register were made with the consent of the data subjects affected, however the
Archbishop does not hold this register out to be a definitive list of all non-practising exmembers
of the Catholic Church.
682. I am of the view that in the circumstances where the recording and processing of the
sacramental status of a person in the Baptism Register is considered to be personal data and
special category data, and is within the material scope of the GDPR, the recording of the
sacramental status of the personmay be complete in relation to its purpose, even where it fails
to reflect the current status of the individual’s relationship to those sacraments.
683. The fact that that Baptism Register records fail to indicate the status and relationship of the
data subject vis-à-vis the Church does not amount to an infringement of the accuracy principle
set out in Article 5(1)(d) GDPR.
684. Therefore, while a supplemental statement could be a pragmatic solution to provide clarity as
to the factual position of an individual vis-à-vis their canonical status, it is not necessary as the
basic facts recorded remain accurate in and of themselves.
Issue 4 for Determination: whether, in circumstances where a right to rectification exists, the data
subjects’ rights may be restricted by the Archbishop, pursuant to Section 61(1) of the 2018 Act, where
the processing is for archiving purposes in the public interest, or by section 61(2) of the 2018 Act,where
the processing is for historical research purposes and the exercise of the right would be likely to render
impossible or seriously impair, the achievement of these purposes and the restriction is necessary for
the fulfilment of those purposes.
685. As set out under the section on Legal Bases, the DPC formed the view that there is no legal
underpinning for the Archbishop to rely upon Article 9(2)(j) of the GDPR as a lawful basis for the
processing (or further processing) of personal data for the purposes of archiving in the public
interest or for historical research purposes. Under those circumstances, I am of the view that it
is not necessary to consider the issue as set out in the preceding paragraph.
Findings
686. I find that:
a. Data subjects may exercise the right to request rectification, in accordance with Article
16, of the personal data contained in the Baptism Registers. The Archbishop must assess
each request on a case-by-case basis to assess on its own merit whether an inaccuracy
arises as to a matter of fact or whether the personal data is incomplete;
b. In circumstances where a data subject no longer wishes to be a member of the Catholic
Church, the personal data and special category personal data contained in the Baptism
Register is unlikely to be inaccurate, as it records a particular event, which occurred at a
point in time: the receiving of the sacrament of baptism. In such circumstances the
Archbishop will be required to undertake an individual assessment of the request for
rectification and must comply with his obligations under Article 12(3) and Article 12(4) in
order to facilitate the data subject’s rights under Articles 15 to 22 of the GDPR;
c. That Baptism Register does not reflect the data subject’s membership of the Church. The
ongoing processing of personal data in the Baptism Register does not infringe Article
5(1)(d) GDPR. In such circumstances,where a data subject notifies the Archbishop of their
wish to leave the Catholic Church, a supplementary statement may be added by the
Archbishop to the Baptism Register entry stating “No longer wishes to be identified as a
Roman Catholic”, however this is not necessary as a matter of data protection law.
d. Any amendment made to the hard copy authoritative Baptism Registers ought to be
reflected in any copymade of the Registers, whether in electronic form, indexed registers
or otherwise.
e) RIGHT OF ERASURE
Issues for determination
687. In relation to the Archbishop’s compliance with data subject rights under Article 17 of the GDPR,
the following issues arise for determination:
a) whether a data subject has the right to obtain from the Archbishop the erasure of
personal data concerning him or her, in circumstanceswhere one of the grounds listed
under Article 17(1)(a)-(f) of the GDPR applies;
b) whether data subjects who no longer consider themselves to be members of the
Catholic Church have the right to obtain erasure of their personal data in the Baptism
Registers under the grounds set out at Article 17(1)(a)-(f) of the GDPR; and
c) whether, a data subject’s right to erasure may be lawfully dis-applied by the
Archbishop to the extent that processing is necessary:
a. for exercising the right to freedom of expression and information, pursuant
to Article 17(3)(a) of the GDPR;
b. archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes in accordance with Article 89(1), pursuant to
Article 17(3)(d) of the GDPR; and
c. for exercising the right to freedom of religion.
Relevant Provisions
688. Article 17(1) of the GDPR states that data subjects “shall have the right to obtain from the
controller the erasure of personal data concerning him or her without undue delay and the
controller shall have the obligation to erase personal data without undue delay where one of
the following applies:
a) the personal data are no longer necessary in relation to the purposes for which they
were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based according to
point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal
ground for the processing;
c) the data subject objects to the processing pursuant to Article 21(1) and there are no
overriding legitimate grounds for the processing, or the data subject objects to the
processing pursuant to Article 21(2);
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or
Member State law to which the controller is subject;
f) the personal data have been collected in relation to the offer of information society
services referred to in Article 8(1).
689. The right to obtain erasure under one of these grounds shall not apply, according to Article 17(3)
of the GDPR, to the extent that processing is necessary:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member
State law to which the controller is subject or for the performance of a task carried out
in the public interest or in the exercise of official authority vested in the controller;
c) for reasons of public interest in the area of public health in accordance with points (h)
and (i) of Article 9(2) as well as Article 9(3);
d) for archiving purposes in the public interest, scientific or historical research purposes
or statistical purposes in accordance with Article 89(1) in so far as the right referred to
in paragraph 1 is likely to render impossible or seriously impair the achievement of the
objectives of that processing; or
e) for the establishment, exercise or defence of legal claims.
690. Article 19 of the GDPR requires that the
“controller shall communicate any rectification or erasure of personal data or restriction
of processing, carried out in accordance with Article 16, Article 17(1) and Article 18 to
each recipient to whom the personal data may have been disclosed, unless this proves
impossible or involves disproportionate effort”.
691. Article 21(1) provides:
“The data subject shall have the right to object, on grounds relating to his or her particular
situation, at any time to processing of personal data concerning him or her which is based
on point (e) or (f) of Article 6(1), including profiling based on those provisions. The
controller shall no longer process the personal data unless the controller demonstrates
compelling legitimate grounds for the processing which override the interests, rights and
freedoms of the data subject or for the establishment, exercise or defence of legal claims”.
692. Recital 65 states:
“In particular, a data subject should have the right to have his or her personal data erased
and no longer processed where the personal data are no longer necessary in relation to
the purposes for which they are collected or otherwise processed, where a data subject
has withdrawn his or her consent or objects to the processing of personal data concerning
him or her, or where the processing of his or her personal data does not otherwise comply
with this Regulation. That right is relevant in particular where the data subject has given
his or her consent as a child and is not fully aware of the risks involved by the processing,
and later wants to remove such personal data, especially on the internet. The data subject
should be able to exercise that right notwithstanding the fact that he or she is no longer
a child.”
693. Recital 69 requires that
“ personal data might lawfully be processed because processing is necessary for the
performance of a task carried out in the public interest or in the exercise of official
authority vested in the controller, or on grounds of the legitimate interests of a controller
or a third party, a data subject should, nevertheless, be entitled to object to the processing
of any personal data relating to his or her particular situation. It should be for the
controller to demonstrate that its compelling legitimate interest overrides the interests or
the fundamental rights and freedoms of the data subject.”
Relevant Background: Baptism Registers
694. The Baptism Registers contain a record of individuals who have undergone the sacrament of
baptism within the Catholic Church in Ireland, which is central to the administration of the
Church. Under canon 535 §1, the Baptism Registers (along with all parochial registers) are to be
“accurately inscribed and carefully preserved” by the parish priest.
695. The Guidelines, at Appendix 3, state that “[t]he handwritten registers are considered the only
authentic copy of sacramental records. […]The manual register must always be consulted when
issuing a certificate. The handwritten registersmust bemaintained and the registers themselves
are never to be destroyed or discarded”.451
696. Though this is an own-volition Inquiry, certain of the complaints received by the DPC from data
subjects prior to the commencement of this Inquiry stated that they wished to have their
personal data erased from Church records, including Baptism Registers, in circumstances where
they no longer consider themselves to be members of the Catholic Church. The DPC seeks to
ascertain whether a right to obtain erasure arises in this context.
697. It is noted that should the right to erasure be considered to exist within the context of the
Baptism Registers, the only data that could be erased would be the personal data of the
individual who made the request. The remainder of the data would not be erased under such a
request as that refers to the personal data of others for example, the names of parents or
godparents.
451 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, Appendix 3, (page 27 of the PDF submission).
Archbishop’s Submissions
698. In considering whether a right to obtain erasure arises with respect to the Baptism Registers,
the Archbishop submitted that the right to erasure only arises where one of six conditions or
grounds under Article 17(1) have been fulfilled. With respect to Article 17(1)(a) – (f), the
Archbishop submitted that these grounds do not apply for the reasons as set out hereunder:
• Article 17(1)(a) – the Archbishop submitted that this ground does not apply, as set out
in previous responses regarding the legal bases for processing, because the processing
continues to be necessary.452
• Article 17(1)(b) – the Archbishop submitted that he “does not rely on consent as basis
for processing personal data” in the Baptism Registers, and accordingly this ground
does not apply.453
• Article 17(1)(c) – the Archbishop submitted that this ground is “based on an invocation
of the right to object in Article 21 when processing is based on Article 6(1)(f).454
However, the Archbishop submits that compelling legitimate grounds for the
processing have been demonstrated which override the interests, rights and freedoms
of the data subject, with the result that Article 17(1)(c) is inapplicable”.455
699. In response to queries regarding the interests or fundamental rights and freedoms of data
subjects the Archbishop considered in this context, as against the compelling legitimate grounds
for the processing, and submitted that “[i]n respect of Parish baptismal registers, again, it is the
Archbishop’s submission that hard copy, unindexed baptismal registers fall outside the scope of
the GDPR. Insofar as any electronic or indexed hard copy registers are held by individual Parish
Priests, it would be a matter for that Parish Priest to carry out the balancing test in respect of
the individuals concerned”.456
700. The Archbishop further submitted that the retention of personal data by the parishes of church
records “is unlikely to cause a barrier to individuals accessing services or opportunities, physical
harm, financial loss, identity theft, fraud, or any other significant economic or social
disadvantage (such as discrimination, loss of confidentiality or reputational damage). The
Parishes do not derive any economic benefit from the retention of the personal data, nor is it
used for any other purpose; other than at some future point being relevant to historical or public
interest research”.457
452 Submissions dated 16 March 2020, page 49.
453 Submissions dated 16 March 2020, page 50.
454 Submissions dated 16 March 2020, page 50, footnote 72 states: “or Article 6(1)(e) which is not relevant in this context.”
455 Submissions dated 16 March 2020, page 50.
456 Submissions dated 15 October 2020, page 27.
457 Submissions dated 15 October 2020, page 27.
701. In respect of the rights of data subjects, which are to be considered in this context, the
Archbishop listed the following European Convention on Human Rights (the ‘ECHR’) and Charter
rights:
• Article 8 ECHR – Right to respect for private and family life;
• Article 9 ECHR/Article 10 Charter - Freedom of thought, conscience and religion; and
• Article 8 Charter – Protection of Personal Data.
702. With respect to the Adopted Persons Baptism Register, the Archbishop submitted, “this register
exists to protect the delicate balance between the legal obligation not to make traceable the
connection between an adopted person and their birth parents, the right to privacy of the birth
parents and the right of those persons to know more information about their family history. It is
submitted that this is a complex area, in which attempts have been made to legislate further
and to bring clarity to the position”.458
703. With respect to the compelling legitimate grounds for the processing considered by the
Archbishop, the Archbishop referred to his previous submissions. With respect to the factors
that were taken into account in deciding that the compelling legitimate interests pursued by
the data controller would override the interests or fundamental rights and freedoms of the data
subject, the Archbishop submitted that in relation to the parish Baptism Registers, “any
potential impacts appear to be minimal. The information concerned is stored confidentially, it is
not accessible to the public, it is not used for any profit-making purpose, but rather to record a
person’s status in respect of sacraments administered within the Church”.459
704. The Archbishop submitted that the Article 17(1)(d) ground does not apply, as set out in previous
responses regarding the legal bases for processing.460
705. The Archbishop submitted that Article 17(1)(e) and Article 17(1)(f) grounds are “not relevant
and do not apply in this context”.461
706. The Archbishop further submitted that, even where a request from a data subject to obtain
erasure is received “the processing of the personal data continues to be necessary for the
purposes for which it was collected” as it is “essential for the administration of the affairs of the
Catholic Church to maintain a register of all people who have been baptised in the Church. It is
a factual record of an event that happened”462 and noted again that this positionwas recognised
by the Data Protection Commissioner in his 2003 Annual Report.
458 Submissions dated 15 October 2020, page 28.
459 Submissions dated 15 October 2020, page 29.
460 Submissions dated 16 March 2020, page 50.
461 Submissions dated 16 March 2020, page 50.
462 Submissions dated 16 March 2020, page 50.
707. The Archbishop also noted that:
“Moreover, also relevant in this regard is the right of every religious denomination “to
manage its own affairs”, which has specific constitutional status under Art. 44.2.5°. It is
not accepted that it has been shown that the displacement of this important right would
be “necessitated by the obligations of membership of the European Union” for the
purposes of Article 29.4.6 of the Constitution”.463
708. The Archbishop again stated that although it is not accepted that any such action would be
necessary, it may be permissible for parishes to annotate the Baptism Registers with a
statement such as “No longer wishes to be identified as a Roman Catholic” to address any
concerns the DPC may have, as an alternative to erasure464. In this regard, the Archbishop also
referred to the European Court of Human Rights judgment ofWegrzynowski and Smolczewski v
Poland465, in particular paragraphs 65 and 66, and The EU General Data Protection Regulation
edited by Kuner et al466. The Archbishop also noted again that the Data Protection
Commissioner in Case Study 8 of his 2003 Annual Report also had regard to an offer of an
annotation made by a parish priest.
709. Finally, the Archbishop submitted that even if one of the grounds or conditions under Article
17(1) were met, an exemption to the right of erasure under Article 17(3) of the GDPR would
apply.
Article 17(3)
710. The Archbishop confirmed that he considered it necessary, pursuant to Article 17(3)(d), to
process church records held in church registers for archiving purposes in the public interest and
for historical research purposes.
711. With respect to processing for archiving purposes in the public interest, the Archbishop referred
to his previous responses in respect to Article 9(2)(j). The Archbishop submitted, “The Baptism
Registers record the historical fact of baptisms having taken place. Over time, these registers
assume a different importance becoming a unique archival and/or historic record of enduring
value. Baptismal records are often, for example, sought by those carrying out genealogical
research”.467
463 Submissions dated 16 March 2020, page 50.
464 Submissions dated 16 March 2020, page 50.
465 Application No. 33846/07, 16 July 2013.
466 Page 479 and pages 1260-61.
467 Submissions dated 16 March 2020, page 52.
712. With respect to processing for historical research purposes, the Archbishop noted that although
the meaning of the term historical research is not set out, is does include “both historical
research and research for genealogical purposes, as is clear from Recital 160”.468. The
Archbishop also noted, “Baptism Registers record the historical fact of baptisms having taken
place. Over time, these registers assume a different importance becoming a unique archival
and/or historic record of enduring value”.469
713. In respect of the safeguards in accordance with Article 89(1) that have been put in place in order
to safeguard the rights and freedoms of the data subject, the Archbishop submitted that the
“baptism registers are subject to strict confidentiality requirements”. In addition, the Archbishop
noted that if “a person wishes to leave the Church, and to have this fact acknowledged and
recorded, a register for those who wish their de facto defection from the Church to be recorded
is now maintained by the Chancellery Office on behalf of the Archbishop”.470
714. In response to why the Archbishop is of the view that granting the right to erasure would likely
render impossible or seriously impair the achievement of the objectives of that processing, the
Archbishop stated that:
“In order for historical research and/or archiving in the public interest to be properly
conducted it is necessary for records to be full and complete. Deletions of various of the
records would leave ‘gaps’ for the future historian or researcher, which would seriously
impair their research. The relevant archive would become known as being incomplete and
limited. Also important in this regard is the unique nature of a baptismal record. It
contains information that would not be replicated in State archives for example.
Moreover, as already noted, baptismal records are often consulted by genealogical
researchers”.471
715. The Archbishop also submitted that the exemption under Article 17(3)(a) applies, which refers
to processing which is necessary for exercising the right of freedom of expression and
information, in particular in relation to Church members in the Archdiocese. As submitted by
the Archbishop:
“in order to receive the sacraments of confirmation and marriage/Holy Orders,
reference is always made to the entries made in the baptism register to establish (1)
that the person has been baptised and (2) there is no impediment to receiving the
proposed sacrament […]
Erasure of records or of entries on records risks significantly undermining these
important considerations, e.g. if someone were to seek and obtain erasure of a
baptismal register which indicated that the person was married, and later, subsequent
to such erasure, sought receive the sacrament of Holy Orders, or conceivably even the
sacrament of marriage again.
468 Submissions dated 16 March 2020, page 52.
469 Submissions dated 16 March 2020, page 52.
470 Submissions dated 16 March 2020, page 53.
471 Submissions dated 16 March 2020, page 53.
In that respect, it is noted that certain case law has interpreted the concept of freedom
of expression as extending to expressive association, and thus it is submitted that the
concept of expression is capable to extending to protect the associative interest in
denominational rules and governance (quite apart from being this protected under Art.
44.2.5) Accordingly Art. 17(3)(a) is engaged”.472
Electronic Copies of the Baptism Registers and the Right to Obtain Erasure
716. The Archbishop has previously submitted that the “hard copy, bound volume is the only
authentic, authoritative register”.473 The manual Baptism Register must always be consulted
when issuing a baptismal certificate.474 The Archbishop has also submitted that certain
electronic records of registers may be kept within parishes, such as scanned copies of the
manual registers or information from the registers contained in electronic database systems.475
717. The Archbishop submitted that in relation to these electronic records “[f]rom a canon law
perspective, there is no difficulty with the permanent erasure of any electronically-held records
of baptism or other sacraments, as any electronically held version is not authoritative”.476
Legal Analysis
718. I havemade a finding above that the personal data and special category data held in the Baptism
Registers falls within thematerial scope of Article 2(1) of the GDPR; I have alsomade the finding
in this Decision that the Archbishop is the data controller in respect of all processing activities
of the personal data and special category data contained in the Baptism Registers, the subject
of this Inquiry.
719. It is also important for data subjects to note that their personal data is not just processed on
the legal basis of their consent. Article 6(1) of the GDPR provides that personal data can be
lawfully processed by data controllers on the basis of one of six grounds as set out under this
Article and the consent of the data subject is only one such basis. In addition, although Article
9 (1) of the GDPR prohibits the processing of special category personal data (such as religious
beliefs), Article 9(2) of the GDPR provides a list of exceptions to that prohibition and the explicit
consent of the data subject is only one such exception. As set out previously in this Decision, I
am satisfied that the Catholic Church lawfully processes the personal data and special category
data contained within the Baptism Registers under Article 6(1)(f) and Article 9(2)(d) of the
GDPR.
472 Submissions dated 16 March 2020, page 54.
473 Submissions dated 16 March 2020, page 31.
474 Submissions dated 16 March 2020, page 31.
475 Submissions dated 16 March 2020, page 12.
476 Submissions dated 16 March 2020, page 32.
720. In the normal course of events, data subjects first exercise their data protection rights as against
the data controller, with recourse to the DPC should an issue arise. Article 12(2) of the GDPR
states that the “controller shall facilitate the exercise of data subject rights under Articles 15 to
22”. Article 12(3) of the GDPR provides that the “controller shall provide information on action
taken on a request under Articles 15 to 22 to the data subject without undue delay and in any
event within one month of receipt of the request”. Provision is made for an extension of time
for up to two further months in limited circumstances and the data subject must be notified if
an extension of time is required prior to the expiry of the one-month time frame, setting out
the reasons for the delay.
721. In order for the right to erasure to apply, one of the conditions as set under Article 17(1) must
apply. In addition, under Article 17(3), data controllers can lawfully refuse an erasure request.
It is worth noting at this point that data protection rights are not absolute rights.
722. The personal data contained within the Baptism Registers is collected in the first instance to
record the fact that a baptism has taken place which is the first sacrament an individual receives
when entering into the Catholic faith. The Archbishop has submitted that the recording of this
event is necessary for the purposes of the administration of Church affairs and for the
administration of the sacraments, some of which can only be received once and none of which
can be received unless that individual is baptised in the first instance. The personal data
contained within the Baptism Registers is therefore the reference point for both. The
Archbishop has also submitted that the recording and processing of the personal data in the
Baptism Registers is necessary for the purposes of pursuing the Church’s legitimate interest and
there is no other less intrusive way in which the objectives of the Church can be achieved.
723. The DPC received complaints from numerous individuals who wish to exercise their right to
erasure and have their personal data removed from the Baptism Registers. A number of these
complainants also wish to defect from or leave the Catholic Church. As set out previously in this
Decision, the process of defection from the Catholic Church is not a matter with which the DPC
can assist; that is a matter between the Catholic Church and the individual complainants. The
DPC’s jurisdiction is limited in that its parameters in this Inquiry are defined, not by how an
individual can or should be permitted to defect from or leave an organisation such as the
Church, but by the lawfulness of the processing of personal data that is taking place and the
exercise of data subjects’ rights as set out in data protection law. Although the act of a defection
from the Catholic Church and the erasure of an individual’s personal data from the Baptism
Registers are somewhat interlinked, for the purposes of data protection law they are two
entirely different issues.
724. However, I note that certain data subjects who no longer wish to have their personal data
contained in the Baptism Registers may have subjective reasons in seeking to have it removed,
which stem from their personal relationship with the Catholic Church and the ongoing
processing may cause distress for such data subjects.
725. In relation to the Archbishop’s compliance with the data subject right under Article 17 of the
GDPR I need to consider whether a data subject has the right to obtain from the Archbishop the
erasure of personal data concerning him or her, in circumstances where one of the grounds
listed under Article 17(1)(a)-(f) of the GDPR applies.
726. Based on the foregoing, I will now proceed to consider each ground under Article 17(1) of the
GDPR and consider its applicability within the parameters of this Inquiry.
Article 17(1)(a)
727. Article 17(1)(a) provides that the data subject has the right to obtain the erasure of personal
data and the controller shall be obliged to erase the personal data where “the personal data
are no longer necessary in relation to the purposes for which they were collected or otherwise
processed”.
728. If an individual wishes to exercise their right to erasure under Article 17(1)(a) of the GDPR, on
the basis that the personal data is no longer necessary for the purposes for which it was
collected or otherwise processed, it will be incumbent at that stage for the data controller to
identify and demonstrate that the processing remains necessary, and that there is no
alternative option available to achieve the objective of the data controller.
729. Article 17(1)(a) of the GDPR does not state that a balancing exercisemust be undertaken similar
to that of Article 6(1)(f) of the GDPR, it simply states that the data must be erased unless the
processing of the data is still necessary. If it is still necessary to process the data, then there is
no erasure of the data.
730. The submissions of the Archbishop regarding the significance and importance of the Baptism
Registers in the administration of the Church have been set out above. The Guidelines establish
that these Registers are the only authentic copy of sacramental records, which must be always
maintained and never destroyed. This position has been elaborated upon in the Archbishop’s
submission, which have been referenced throughout this Decision. Under such circumstances,
the Archbishop submits that, in the furtherance of the administration of the Church and for the
correct administration of the sacraments, the processing continues to be necessary.
731. As set out previously in this Decision, the Archbishop submitted “[w]ithout a complete baptism
register the Catholic Church would be unable to operate a key tenet of its faith, the rule that a
person may only be baptised once.” This essentially means that the need for the processing of
the personal data for those who have been baptised into the Catholic faith will remain intact
for their lifetime simply because, at any stage in one’s life, a sacrament may be administered
(or an annulment may be permitted) and the Baptism Register will need to be noted
accordingly. There is essentially no expiry date for the administration of sacraments for the life
of an individual baptised into the Catholic faith.
732. If it is the case that the data controller is of the view that the processing of personal data
continues to be necessary, the data controller is obliged to inform the data subject as to how
this is so. The element of “necessity” must also be grounded on a lawful basis under Articles
6(1) and 9(2) of the GDPR, as there is a continuation of processing of personal data. At all times,
the processing of personal data must have a lawful basis.
733. I note that some complainants wish to leave or defect from the Catholic Church and want to
exercise their right to erasure of their personal data contained within the Baptism Registers. As
set out previously in this Decision, the act of leaving the Catholic Church and the exercise of the
right to erasure, while intertwined, are separate issues for the purposes of data protection law
and the DPC cannot make a finding or determination on an individual’s wish to defect from or
leave the Catholic Church and can only consider the processing of the personal data contained
within the Baptism Registers.
734. I note that in response to some of the complainants who wished to have their data erased from
the Baptism Registers, reliance was being placed on the fact that the registers are of archival
and historical value and therefore the data could not be erased as its ongoing processing was
necessary for such purposes. It has been set out above, that I have formed the view that the
Archbishop cannot rely on Article 9(2)(j) of the GDPR, as there is no legal basis underpinning
this processing as required.
735. As set out above, for the right to erasure to apply under Article 17(1)(a) of the GDPR, the
personal data must be no longer necessary in relation to the purposes for which they were
collected or otherwise processed. It is clear from the submissions of the Archbishop that once
a decision has beenmade to enter into the Catholic faith, the record and processing of personal
data surrounding that sacramental event remains necessary for the lifetime of that person, as
it is a necessary record for the administration of the Church and the administration of
subsequent sacraments.
736. It appears therefore to me that the absence or non-availability of this record would hinder the
Catholic Church in the furtherance of its objectives as set out. The retention of the personal
data and special category personal data remains necessary for the purposes for which it was
collected by the Catholic Church in terms of the administration of Church affairs, for the lifetime
of the data subject.
The determination vis-à-vis Article 17(1)(a)
737. Based on the foregoing, I am of the view that a data subject does not have the right under Article
17(1)(a) of the GDPR to obtain from the Archbishop the erasure of personal data concerning
him or her.
Article 17(1)(b)
738. Article 17(1)(b) provides that the data subject has the right to obtain the erasure of personal
data and the controller shall be obliged to erase the personal data where “the data subject
withdraws consent on which the processing is based according to point (a) of Article 6(1), or
point (a) of Article 9(2), and where there is no other legal ground for the processing”.
739. Article 17(1)(b) of the GDPR and the withdrawal of consent is contingent on the processing of
the personal data in question being processed in the first instance on the basis of consent under
Article 6(1)(a) and Article 9(2)(a) of the GDPR. As set out under the section on Legal Bases of
this Decision, the Archbishop is relying on Article 6(1)(f) and Article 9(2)(d) of the GDPR for the
processing of personal data contained within the Baptism Registers. Although further reliance
has been placed on Article 9(2)(j) of the GDPR by the Archbishop, I am of the view that the
Archbishop cannot rely on this provision for the processing of personal data contained within
the Baptism Registers.
The determination vis-à-vis Article 17(1)(b)
740. Based on the foregoing, I am of the view that the personal data contained within the Baptism
Registers was not and is not processed on the legal basis of consent under Article 6(1)(a) and
explicit consent under Article 9(2)(a) of the GDPR. Therefore, data subjects cannot rely on
withdrawal of consent pursuant to Article 17(1)(b) of the GDPR for the erasure of the personal
data processed in the Baptism Registers. This applies in circumstances where the individual is a
current member of the Catholic Church or whether they no longer consider themselves a
member of the Catholic Church.
Article 17(1)(c)
741. Article 17(1)(c) provides that the data subject has the right to obtain the erasure of personal
data and the controller shall be obliged to erase the personal data where:
“the data subject objects to the processing pursuant to Article 21(1) and there are no
overriding legitimate grounds for the processing, or the data subject objects to the
processing pursuant to Article 21(2)”.
742. Article 21(1) provides that:
“The data subject shall have the right to object, on the grounds relating to his or her
particular situation, at any time to processing of personal data concerning him or her
which is based on point (e) or (f) of Article 6(1), including profiling based on those
provisions. The controller shall no longer process the personal data unless the controller
demonstrates compelling legitimate grounds for the processing which override the
interests, rights and freedoms of the data subject or for the establishment, exercise or
defence of legal claims.”
743. The foregoing provisions identify that for Article 17(1)(c) of the GDPR to apply, Article 21 must
be invoked by an individual in the exercise of their right to erasure and that the processing of
the personal data by the data controller must be under either Article 6(1)(e) or 6(1)(f). The
Archbishop relies on Article 6(1)(f) of the GDPR for such processing so therefore, once Article
21 is invoked, the other component elements of Article 17(1)(c) and Article 21 must be
considered.
744. Of relevance are Recitals 65 and 69 of the GDPR. Recital 65 states that a “data subject should
have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’
where the retention of such data infringes this Regulation or Union or Member State law to
which the controller is subject.” In other words, it considers that the right to erasure arises
where the processing is unlawful. Recital 69 states, “[w]here personal data might lawfully be
processed because performance is necessary for the performance of a task carried out in the
public interest or in the exercise of official authority vested in the controller, or on grounds of
the legitimate interests of a controller or a third party, data subject should, nevertheless, be
entitled to object to the processing of any personal data relating to his or her particular
situation.” In other words, the processing is lawful in the first instance and there is an objection
to the processing that requires a balancing exercise.
745. Article 21(1) of the GDPR provides that the data controller must demonstrate “compelling
legitimate grounds” which override the rights and freedoms of the data subject, failure of which
requires the erasure of the data by the data controller. Therefore, not only does the data
controller need to identify that he has a legitimate interest, which overrides the rights and
freedoms of the data subject, he must demonstrate that the legitimate interest is one that is
“compelling”.
746. WP29 Guidelines on Automated individual decision-making and Profiling for the purposes of
Regulation 2016/67, adopted on 6 February 2018 and endorsed by the EDPB state:
“It is clear from the wording of Article 21 that the balancing test is different from that
found in Article 6(1)(f). In other words, it is not sufficient for a controller to just
demonstrate that their earlier legitimate interest analysis was correct. This balancing test
requires the legitimate interest to be compelling, implying a higher threshold for
overriding objections”.477 [Emphasis added]
747. The foregoing demonstrates that the burden is on the data controller to identify that not only
do they have a legitimate interest which overrides the fundamental interests and freedoms of
the data subjects, but that it is one that is compelling, with a higher standard than under Article
6(1)(f) of the GDPR and this should be made clear to any data subject who wishes to exercise
their right on these grounds.
748. The Archbishop states that:
“Article 17(1)(c) is based on an invocation of the right to object in Article 21 when
processing is based on Article 6(1)(f). However, the Archbishop submits that compelling
legitimate grounds for the processing have been demonstrated which override the
interests, rights and freedoms of the data subject, with the result that Article 17(1)(c) is
inapplicable”.478
477 WP29, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, last
revised and adopted on 6 February 2018, page 19; These Guidelines have been endorsed by the EDPB:
https://edpb.europa.eu/our-work-tools/general-guidance/endorsed-wp29-guidelines_en
478 Submissions dated the 16 March 2020, page 50
749. He further states that the processing of the personal data contained within the Baptism
Registers:
“is essential for the administration of the affairs of the Catholic Church to maintain a
register of all people who have been baptised in the Church. It is a factual record of an
event that happened. This position was recognised by the Irish Data Protection
Commissioner in 2003”.479
750. When specifically asked to identify “‘the compelling legitimate grounds for the processing
considered by the Archbishop”, the Archbishop referred the DPC to their previous
submissions.480 Those submissions relate to the elements of Article 6(1)(f) and Article 9. In that
regard the Archbishop sets out the legitimate interests for the processing of personal data in
the Baptism Registers which are, amongst other things, that Baptism Registers (and others)
consist of a record of the administration of certain sacraments in the Church; that baptism is
the first and basic sacrament of Christian initiation which can only be received once and
therefore it is essential that a record of same bemaintained; the Baptism Register is of particular
importance as it is the “gateway” to all the records of a person’s life within the Catholic Church;
the Register has space for the recording of other sacraments that can also only be administered
once; that the information contained within the Baptism Registers is “critical” in terms of certain
key beliefs in the Catholic faith; that the importance of the permanency of the record was
recognised by the Data Protection Commissioner in his Annual Report in 2003; that these
legitimate interests are underpinned by fundamental rights protections under the Irish
Constitution and the Charter of Fundamental Rights of the European Union; the Baptism
Registers are central to the management of the affairs of the Church. In relation to Article
9(2)(d) of the GDPR, the Archbishop submits that the personal data contained in the Baptism
Registers are processed in accordance with the legitimate activities of the Catholic Church.481
751. When specifically asked to identify the factors which led to the decision that the compelling
legitimate interests pursued by the Data Controller would override those interests or
fundamental rights and freedoms of the Data Subject, the Archbishop stated:
“it is noted that the collection and retention of information regarding individuals in the
Formal Defection register and de facto defection registers is at the request of the
individuals themselves. It is submitted that a request for retention is implicit in a request
for entry into the register. It is therefore considered that any impact on the interests or
fundamental rights and freedoms of those individuals is either minimal, or non-existent.
479 Submissions dated the 16 March 2020, page 50
480 Submissions dated the 15 October 2020, page 28.
481 Submissions dated 16 March 2020, pages 33- 42.
In relation to Parish baptismal registers, the Archbishop would also note that any
potential impacts appear to be minimal. The information concerned is stored
confidentially, is not accessible to the public, is not used for any profit-making purpose,
but rather to record a person’s status in respect of certain sacraments administeredwithin
the Church.”482
752. It is my view that any exercise of the right to erasure under Article 17(1)(c) of the GDPR must
be accompanied by the right to object under Article 21 of the GDPR where the burden of proof
regarding the compellability of the legitimate interests (under Article 21(1)) must be borne by
the data controller. Having regard to the analysis of the legitimate interests of the Archbishop
considered in the section analysing Article 6(1)(f) above, I am of the view that the legitimate
interests of the Archbishop when considered in the circumstances of these particular requests
collectively also constitute “compelling”’ legitimate grounds for the purposes of Article 21(1) of
the GDPR. In this regard, I have taken into account the higher threshold for “legitimate grounds”
as envisaged by the WP 2018 Guidelines (endorsed by the EDPB and referred to above). This
applies in circumstances where the individual is a current member of the Catholic Church or
whether they no longer consider themselves a member of the Catholic Church.
Article 17(1)(d)
753. Article 17(1)(d) provides that the data subject has the right to obtain the erasure of personal
data and the controller shall be obliged to erase the personal data where “the personal data
have been unlawfully processed”.
754. For an individual to exercise their right to erasure under Article 17(1)(d) of the GDPR, the
personal datamust have been unlawfully processed. A data controller unlawfully processes data
when it is processed in the absence of a legal basis under Article 6(1) of the GDPR and or fails
to fall one of the exceptions under Article 9(2) of the GDPR in the case of special category data.
755. Under the section on Legal Basis, this Decision analysed the lawful bases for the processing of
the personal data and special category data. Set out therein are my findings which are that the
processing of personal data containedwithin the Baptism Registers is lawful under Article 6(1)(f)
of the GDPR and Article 9(2)(d) of the GDPR. I alsomade a finding that the Archbishop could not
rely on Article 9(2)(j) of the GDPR for the purposes of processing or further processing the
personal data and special category data of those named in the Baptism Registers, the subject
of this Inquiry.
The determination vis-à-vis Article 17(1)(d)
756. Based on the foregoing, it is the view of the DPC that as the personal data contained within the
Baptism Register is lawfully processed, data subjects cannot rely on Article 17(1)(d) of the GDPR
for the erasure of the personal data processed in the Baptism Registers.
482 Submissions dated 15 October 2020, page 29.
757. As set out above, the processing/recording of personal data surrounding sacramental events is
a necessary record for the administration of the Church. It appears to me that the absence or
non-availability of this record would hinder the Catholic Church in the furtherance of its
objectives as set out. On that basis, this processing, which remains necessary, has a lawful basis
under Article 6(1)(f) and Article 9(2)(d) of the GDPR. Therefore, an individual who no longer
consider themselves a member of the Catholic Church cannot rely on Article 17(1)(d) of the
GDPR for the erasure of the personal data processed in Baptism Registers.
Article 17(1)(e)
758. Article 17(1)(e) provides that the data subject has the right to obtain the erasure of personal
data and the controller shall be obliged to erase the personal data where “the personal data
have to be erased for compliance with a legal obligation in Union or Member State law to which
the controller is subject”.
The determination vis-à-vis Article 17(1)(e)
759. In relation to the Archbishop’s compliance with the data subject right under Article 17 of the
GDPR, whether a data subject has the right to obtain from the Archbishop the erasure of
personal data concerning him or her, in circumstances where one of the grounds listed under
Article 17(1)(a)-(f) of the GDPR applies;
760. In relation to the Archbishop’s compliance with the data subject right under Article 17 of the
GDPR, whether data subjects who no longer consider themselves members of the Catholic
Church have the right to obtain erasure of their personal data in the Baptism Registers under
the grounds set out at Article 17(1) of the GDPR.
761. The Archbishop is not subject to any legal obligation in either Union or in Member State law,-
that requires the erasure, by him, of the personal data or special category data of any individual
whose data is processed and recorded within the Baptism Registers, the subject of this Inquiry.
On that basis, Article 17(1)(e) is not applicablewithin the facts and circumstances of this Inquiry.
Article 17(1)(f)
762. Article 17(1)(f) provides that the data subject has the right to obtain the erasure of personal
data and the controller shall be obliged to erase the personal data where “the personal data
have been collected in relation to the offer of information society services referred to in Article
8(1)”.
The determination vis-à-vis Article 17(1)(f)
763. The data controller is the Archbishop and does not offer information society services. On that
basis, Article 17(f) of the GDPR is not applicable within the facts and circumstances of this
Inquiry.
Restrictions on the Right to Erasure
764. For determination are the issues as to whether, a data subject’s right to erasuremay be lawfully
dis-applied by the Archbishop to the extent that processing is necessary:
• for exercising the right to freedom of expression and information, pursuant to
Article 17(3)(a) of the GDPR;
• archiving purposes in the public interest, scientific or historical research purposes or
statistical purposes in accordance with Article 89(1), pursuant to Article 17(3)(d) of
the GDPR; and
• for exercising the right to freedom of religion.
765. As the foregoing analysis demonstrates, the right to erasure of a data subject’s personal data
and special category data contained with the Baptism Registers under Article 17(1) of the GDPR
does not exist. Consequently, Article 17(3) of the GDPR does not apply. Under those
circumstances, it is not necessary to consider the applicability of any of the restrictions on the
exercise of an individual’s right to erasure as set out in the preceding paragraph as the point is
now moot.
Finding
766. Therefore, I find that:
a. A data subject has not got the right to obtain from the Archbishop the erasure of
personal data concerning him or her as none of the provisions under Article 17(1)(a)-
(f) of the GDPR apply;
b. Data subjects who no longer consider themselves to be members of the Catholic
Church do not have the right to obtain erasure of their personal data in the Baptism
Registers under the grounds set out at Article 17(1)(a)-(f) of the GDPR;
c. Under those circumstances, the provisions of Article 17(3) do not apply.
f) STORAGE LIMITATION
Issues for determination
767. In relation to the Archbishop’s compliance with the principle of storage limitation as contained
in Article 5(1)(e) of the GDPR, the following issues arise for determination:
a. whether the personal data and special category personal data contained in the
Baptism Registers are kept in a form which permits identification for no longer than is
necessary;
b. whether the personal data and special category personal data contained in the
Baptism Registers are processed solely for archiving purposes in the public interest,
scientific or historical research purposes or statistical purposes in accordance with
Article 89(1) of the GDPR, and are subject to the implementation of the appropriate
technical and organisational measures in order to safeguard the rights and freedoms
of the data subject;
c. whether, in circumstances where the personal data and special category personal
data is processed solely for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes, it may be stored for longer
periods.
Relevant Provisions
768. Article 5(1)(e) of the GDPR sets out the principle of storage limitation and requires that personal
data be:
“kept in a form which permits identification of data subjects for no longer than is
necessary for the purposes for which the personal data are processed; personal data may
be stored for longer periods insofar as the personal data will be processed solely for
archiving purposes in the public interest, scientific or historical research purposes or
statistical purposes in accordance with Article 89(1) subject to implementation of the
appropriate technical and organisational measures required by this Regulation in order
to safeguard the rights and freedoms of the data subject.”
Archbishop’s submissions
769. The Archbishop submitted that he is “satisfied that the requirements of Article 5(1)(e) are
met”.483
770. He further submitted that “it is essential for the administration of the sacraments of baptism,
confirmation, marriage and holy orders to be assured that these sacraments have been
administered once only in a person’s lifetime. De-identification of the record would undermine
the purpose for which the record is created andmaintained. Therefore the storage of these data
is necessary on a permanent basis, for the purposes for which the data are processed”.484
483 Submissions dated 16 March 2020, page 47.
484 Submissions dated 16 March 2020, page 47.
771. The Archbishop also noted that Articles 5(1)(e) “permits the storage of personal data for longer
periods if it is for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes and is subject to implementation of appropriate technical and
organisational measures in order to safeguard the rights and freedoms of the data subject”.485
The Archbishop referred to his previous submissions relating to the technical and organisational
measures which apply to the Baptism Registers “and which safeguard the rights and freedoms
of the data subject”.486
Legal Analysis
First Issue for Determination: Whether the personal data and special category personal data
contained in the Baptism Registers are kept in a form that permits identification for no longer than is
necessary
772. The importance of the recording and processing of personal data in the Baptism Registers vis-
à-vis the administration of Church affairs, per the Archbishop’s submissions, has been identified
throughout the course of this Decision. The Archbishop also indicated that de-identification of
the personal data and special category personal data in the Baptism Registers would
“undermine the purpose for which the record is created and maintained”.487
773. Article 5(1)(e) of the GDPR requires a controller to keep personal data “in a form which permits
identification of data subjects for no longer than is necessary for the purposes for which the
personal data are processed”. This means that a controller must delete or anonymise personal
data once it is no longer necessary for the purposes for which they were originally collected.
774. The Archbishop contends that it remains necessary to keep the personal data and special
category personal data contained in the Baptism Registers in a form, which permits
identification on a “permanent basis”, for the purposes of the administration of certain
sacraments of the Catholic Church.
775. With respect to whether it is necessary to retain the personal data and special category personal
data in a form, which permits identification to achieve the purposes of processing, the concept
of necessity is relevant. This conceptwas considered earlier in this Decision under legal bases.488
485 Submissions dated 16 March 2020, page 47.
486 Submissions dated 16 March 2020, pages 29-31.
487 Submissions dated 16 March 2020, page 47.
488 C-465/00, C-138/01 and C-139/01 Österreichischer Rundfunk ECLI:EU:C:2003:294, paragraph 88.
776. The Archbishop has stated that de-identification of the personal data and special category
personal data in the Baptism Registers would “undermine the purpose for which the record is
created and maintained”489 which is for the administration of certain sacraments and to ensure
such sacraments are not administered more than once in a person’s lifetime. As set out earlier,
there is no set timeframe in a person’s life vis-à-vis the administration of sacraments and on
that basis, the Baptism Registers remain live registers for the lifetime of that person. In respect
of the reasonableness and proportionality of retaining this personal data on a permanent basis,
it is difficult to ascertain how individuals who have been baptised could be otherwise identified
correctly, during their lifetime, for the purposes of administering further sacraments, without
the retention of a minimum amount of personal data and special category personal data such
as is contained in the Baptism Register. Such data includes:
“ 1. Christian name of person for baptism
2. Surname
3. Born/Day/Month
4. Name of Parent(s)/guardian(s)
5. Residing at Domicile
6. Duly Baptised – Day/Month
7. Celebrant of Baptism
8. Name(s) of Godparent(s)”490
777. Further sacraments administered are annotated in the Baptism Registers. As such, I am of the
view that the retention is reasonable and necessary to achieve the stated purposes.
778. In my view, no equally effective alternative to retaining a minimum amount of personal data
and special category personal data in a form, which permits identification, is apparent. In
circumstances where the personal data and special category personal data must permit
identification in order to achieve the purpose in question, retention of anonymised data would
not be a suitable equally effective alternative measure. Further, in circumstances where it is
conceivable that individuals who have undergone baptism in the Archdiocese may share the
same name, the same birth date or may have parents who share similar names, it is
proportionate for the Archdiocese to retain a minimum amount of personal data and special
category data. This should be limited to the personal data listed above in order to ensure that
the sacramental status of an individual may be sufficiently verified. The retention of less
personal data and special category personal data would likely be marginally less intrusive to
data subjects, however, itmay significantly lessen the effectiveness of themeasures in order to
achieve the stated purpose.
489 Submissions dated 16 March 2020, page 47.
490 Submissions dated 16 March 2020, page 25.
779. I am satisfied that keeping personal data and special category personal data in the Baptism
Registers in a form which permits identification remains necessary during the life time of the
data subjects in question who have undergone baptism in the Archdiocese. This is in order to
achieve the purpose of correctly administering certain sacraments thatmay only be undertaken
once in a person’s lifetime.
780. I also wish to note that the GDPR does not apply to the personal data and special category
personal data of deceased persons, further to Recital 27 of that Regulation. As such, the
Archbishop is not under an obligation to comply with the principle of storage limitation once
the lifetime of the data subjects in question ends.
Second Issue for Determination
781. The second issue for determination is whether the personal data and special category personal
data contained in the Baptism Registers are processed solely for archiving purposes in the public
interest, scientific or historical research purposes or statistical purposes in accordance with
Article 89(1) of the GDPR, and are subject to the implementation of the appropriate technical
and organisational measures in order to safeguard the rights and freedoms of the data subject
782. The Archbishop stated that the personal data and the special category personal data which is
contained in the Baptism Registers are “essential for the administration of the affairs of the
Catholic Church”,491 in particular to maintain a record of people who have been baptised and to
set out a “person’s status in respect of certain sacraments, which can be administered only once
in a person’s lifetime”492. The Archbishop stated that the purpose for which this personal data
and special category personal data was collected is also “to record the fact that a person
received the sacrament of baptism into the Roman Catholic Church on a particular date”493.
783. Further, in respect to archiving purposes in the public interest and historical research purposes,
the Archbishop stated, “The Baptism Registers record the historical fact of baptisms having
taken place. Over time, these registers assume a different importance becoming a unique
archival and/or historic record of enduring value. Baptismal records are often, for example,
sought by those carrying out genealogical research”.494
784. With respect to appropriate technical and organisational measures in place in order to
safeguard the rights and freedoms of the data subject, the Archbishop stated that the following
technical and organisational measures were in place:
• the Adopted Persons Baptism Registers and the Clonliffe College Registers are securely
stored in the Chancellery Offices;
• the parish Baptism Registers are normally “kept in safe rooms, fire-proofed, and are
accessible only by the pastor and authorised Parish personnel”495;
491 Submissions dated 16 March 2020, page 50.
492 Submissions dated 16 March 2020, page 48.
493 Submissions dated 16 March 2020, page 54.
494 Submissions dated 16 March 2020, page 52.
495 Submissions dated 16 March 2020, page 29.
• the parish priest is under an obligation “to take care that the baptism registers do not
fall into unauthorised hands. The Diocesan Bishop or his delegate is to inspect the archive
at the time of the visitation. Older parochial registers are also to be carefully
safeguarded, in accordance with the provisions of particular law”;496 and
• the Archbishop “organises data protection training days for Parish Priests and members
of the parish administrative teams. It is also open to Parish Priests to organise their own
training in respect of data protection matters”497.
785. I have previously considered whether the personal data and special category personal data
contained in the Baptism Registers may lawfully be processed relying on archiving purposes in
the public interest, scientific or historical research purposes or statistical purposes (Article
9(2)(j)) as the legal basis for processing. It is my view that the Archbishop may not rely on
archiving purposes in the public interest and historical research purposes as a legal basis for
processing for the reasons as previously set out.
786. As the central purpose for processing the data contained in the Baptism Registers is in order to
keep an accurate record of the sacramental status of individuals with such processing having a
lawful basis under Article 6(1)(f) and Article 9(2)(d) of the GDPR, it is not necessary to consider
the technical and organisational measures pursuant to Article 9(2)(j) and or Article 89(1) of the
GDPR.
Third Issue for Determination:
787. The third issue for determination is whether, in circumstances where the personal data and
special category personal data is processed solely for archiving purposes in the public interest,
scientific or historical research purposes or statistical purposes, it may be stored for longer
periods
788. As set out above, the central purpose for processing the data contained in the Baptism Registers
is for the purposes of maintaining an accurate record of the sacramental status of individuals.
Consequently as there is no limitation during the life of a person as to when sacraments can be
administered and the records can lawfully be maintained for the lifetime of an individual.
Therefore, any evaluation of storage data for ‘”longer periods” than one’s lifetime is moot.
Findings
789. I find that the Archbishop did not infringe the principle of storage limitation contained in Article
5(1)(e) of the GDPR. In particular, I make the following findings:
a. The personal data and the special category personal data contained in the Baptism
Registers are kept in a form that permits identification for no longer than is necessary
which is essentially for the lifetime of an individual. I am satisfied that this is necessary,
given the purpose for which the Baptism Registers aremaintained and it does not give
rise to an infringement by the Archbishop regarding the principle of storage limitation.
496 Submissions dated 16 March 2020, page 29.
497 Submissions dated 23 July 2021, page 7.
b. The personal data and the special category personal data contained in the Baptism
Registers are not processed solely for archiving purposes in the public interest,
scientific or historical research purposes or statistical purposes in accordance with
Article 89(1) of the GDPR.
c. As the personal data is lawfully processed under Article 6(1)(f) and Article 9(2)(d) of
the GDPR during the lifetime of the data subjects who are members and or former
members of the Catholic Church, the issue of longer storage periods under Article
9(2)(j) and or Article 89(1) of the GDPR does not arise.
g) SUMMARY OF FINDINGS
790. Having carefully considered the submissionsmade by the Archbishop I now summarisemymain
findings in this Decision, which are as follows:
a. Material Scope:
i. That hardcopy Baptism Registers form part of a filing system or are intended to form
part of a filing system, having regard to the definition of filing system under Article
4(6) of the GDPR;
ii. That no exemptions under Article 2(2) of the GDPR apply to the processing of the
personal data and special category data contained within the Baptism Registers.
b. Controllership:
i. That the Archbishop and Parish Priests are joint controllers of the personal data and
special category data contained in the Parish Baptism Registers with respect to the
processing activities of collection and recording of data only;
ii. That the Archbishop is the sole controller of the personal data and special category
data in the Parish Baptism records with respect to the processing activities of storage
and retention, standard and special annotation and alteration;
iii. That the Archbishop is the sole controller of the personal data and special category
data in the Clonliffe College Registers with respect to all processing activities;
iv. That the Archbishop is the sole controller of the personal data and special category
data contained in the Adopted Persons Baptism Register with respect to all processing
activities.
c. Legal Bases
i. That the Archbishop may lawfully rely on legitimate interests under Article 6(1)(f) of
the GDPR as a legal basis for the processing of personal data of data subjects which is
recorded in the Baptism Register, even in such instances where a data subject no
longer wishes to be associated with the Catholic Church;
ii. That subject to safeguards, the Archbishop’s interests in retaining the personal data
contained in the Baptism Registers are not overridden by the interests or fundamental
rights and freedoms of the data subjects;
iii. That the Archbishop may rely on the legal basis under Article 9(2)(d) of the GDPR for
the processing of data subjects’ special category data during the course of their
lifetime, being members or former members of a not-for-profit with a religious aim;
iv. That the Archbishop, in processing the special category personal data in accordance
with Article 9(2)(d) of the GDPR, has in place the required appropriate safeguards for
such processing under Article 9(2)(d);
v. That the Archbishop cannot lawfully rely upon Article 9(2)(j) of the GDPR for the
purposes of further processing the personal data and special category data of those
named in the Baptism Registers, the subject of this Inquiry.
d. Rectification
i. That data subjects may exercise the right to request rectification, in accordance with
Article 16, of the personal data contained in the Baptism Registers;
ii. That the Archbishop must comply with his obligations under Article 12(3) and Article
12(4) of the GDPR in order to facilitate requests in relation to data subject’s rights
under Articles 15 to 22 of the GDPR;
iii. That in circumstances where a data subject no longer wishes to be a member of the
Catholic Church a supplementary statement could be added by the Archbishop to the
Baptism Register entry stating “No longerwishes to be identified as a Roman Catholic”;
iv. Any amendment made to the hard copy authoritative Baptism Registers ought to be
reflected in any copy made of the Registers, whether in electronic form, indexed
registers or otherwise.
e. Erasure
i. That a data subject has not got the right to obtain from the Archbishop the erasure of
personal data concerning him or her as none of the provisions under Article 17(1)(a)-
(f) of the GDPR apply;
ii. That data subjects who no longer consider themselves to be members of the Catholic
Church do not have the right to obtain erasure of their personal data in the Baptism
Registers under the grounds set out at Article 17(1)(a)-(f) of the GDPR;
iii. In the circumstances where a ground under Article 17(1) have not been met the
provisions of Article 17(3) do not apply.
f. Storage Limitation
i. That the personal data and the special category personal data contained in the
Baptism Registers are kept in a form that permits identification for no longer than is
necessary which is essentially for the life time of an individual;
ii. That the personal data and the special category personal data contained in the
Baptism Registers are not processed solely for archiving purposes in the public
interest, scientific or historical research purposes or statistical purposes in accordance
with Article 89(1) of the GDPR;
iii. That as the personal data is lawfully processed under Article 6(1)(f) and Article 9(2)(d)
of the GDPR during the lifetime of the data subjects who are members and or former
members of the Catholic Church, the issue of longer storage periods under Article
9(2)(j) and or Article 89(1) of the GDPR does not arise.
Recommendations
791. One of the issues for determination in this Decision was the issue of controllership. This arises
in circumstanceswhere the Archbishop is of the view that hewas not and is not a data controller
of the relevant Parish Baptism Registers and that the Parish Priest was and is in fact the data
controller. On that basis the Archbishop submitted “[I]t is a matter for individual Parishes to
address the transparency principle in respect of registers held by them and which are subject to
the GDPR. However, in relation to the register of baptisms of persons who are adopted, the
Parish of baptism will direct adopted persons applying for baptismal certificates to the
Chancellery”.498
792. The imposition of obligations and duties under the GDPR flow from controllership and one of
those obligations is transparency of processing which is provided for under Article 5(1)(a) of the
GDPR. In light of the findings of this Decision, that the Archbishop is the joint controller along
with the parish priests for collection and recording and sole controller of the relevant Baptism
Registers with respect to the processing activities of storage and retention, standard and special
annotation and alteration, certain obligations and duties fall to him to fulfil, including his
obligations and duties in relation to transparency under Article 5(1)(a) of the GDPR.
793. I am of the view that it is necessary and proportionate for the purpose of ensuring compliance
with the GDPR that I make the following orders to the Archbishop as controller
i. update the Privacy Policy of the Archdiocese to identify that the Archbishop is the data
controller for the processing of personal data and special category data held in all
Baptism Registers within his Archdiocese;
ii. set out in the Privacy Policy the lawful basis of such processing together with the
retention periods for such personal data;
iii. set out in their Privacy Policy that the subsequent administration of certain
sacraments to an individual are annotated in the Baptism Register, explaining why this
is so;
iv. ensure that the parishes within the Archdiocese make the relevant notice accessible
and available to those undertaking sacraments.
498 Submissions 15 October 2020 page 33
G. Finding Regarding Article 5(2)
794. The scope of this inquiry included an analysis of compliance with Article 5(1)(e) GDPR and the
associated ability to demonstrate that compliance. In the circumstances, the personal data was
retained for a purpose that was to document that certain baptisms occurred on specific dates.
I do not find any infringement of Article 5(2) GDPR in relation to demonstrating this principle of
storage limitation in relation to the original entries in the Baptismal Registers. Therefore, I find
that the Archbishop did not infringe Article 5(2) GDPR.
H. Decision on Corrective Powers
795. I have set out above, pursuant to section 111(1)(a) of the 2018 Act, my decision to the effect
that the Archbishop has infringed Article 5(1)(a) of the GDPR. This finding was made in
paragraph 622.
796. Under section 111(2) of the 2018 Act, where the DPCmakes a decision (under section 111(1)(a)),
it must, in addition, make a decision as to whether a corrective power should be exercised in
respect of the controller or processor concerned and, if so, the corrective power to be exercised.
The remaining question for determination in this Decision is whether or not that infringement
merits the exercise of any of the corrective powers set out in Article 58(2) GDPR and, if so, which
corrective powers.
797. Article 58(2) GDPR sets out the corrective powers that supervisory authorities may exercise in
respect of non-compliance by a controller or processor. In deciding whether to exercise those
powers, Recital 129 provides guidance as follows:
…each measure should be appropriate, necessary and proportionate in view of ensuring
compliance with this Regulation, taking into account the circumstances of each individual
case…
798. Having carefully considered the infringement identified in this Decision, I have decided to
exercise a certain corrective power in accordance with section 115 of the 2018 Act and Article
58(2) GDPR. In summary, the corrective power that I have decided is appropriate to address the
infringement in the particular circumstances is:
An order to the Archbishop to update the Privacy Notice in the manner outlined in
paragraph 793.
I. Order to amend the Privacy Policy
799. Under Article 58(2)(d) GDPR, supervisory authorities have the power “to order the controller or
processor to bring processing operations into compliance with the provisions of this Regulation,
where appropriate, in a specified manner and within a specified period.”
800. Vindication of the rights available to data subjects pursuant to Chapter III of the GDPR depends
upon, inter alia, the clear identification of the controller.
801. In light of the identified infringement of Article 5(1)(a) GDPR, I order the Archbishop to make
the updates to the Privacy Policy specified in paragraph 793 by one month from the date of the
Final Decision in this Inquiry.
J. Right of appeal
802. This Decision is issued in accordance with section 111 of the 2018 Act. Pursuant to section
150(5) of the 2018 Act, the Archbishop has the right to appeal against this decision within 28
days from the date on which notice of the Decision is received by it.
Appendix 1: LIST OF ABBREVIATIONS/ RELEVANT TERMS
the 2018 Act
the Archbishop/Archdiocese
Canon Law
the Chancellor
the Chancellery
Data Protection Act 2018
the Archbishop of Dublin/Archdiocese of
Dublin
Canon Law is the internal law of the Roman
Catholic Church
assists the Archbishop in the governance of
the Archdiocese
is an office of the Archdiocese which assists the
Chancellor in the discharge of his functions
within the diocesan curia of the Archdiocese
the Charter Charter of Fundamental Rights of the
European Union
the CJEU Court of Justice of the European Union
the Decision the Decision of the Data Protection
Commission delivered in the context of an
own-volition inquiry
the DPC Data Protection Commission (previously the
Data Protection Commissioner prior to the
entry into application of the Data Protection
Act 2018)
the Commissioner Data Protection Commissioner established
pursuant to the Data Protection Acts 1988–
2003
the Complaints Complaints received in the DPC pursuant to
Article 77 of the GDPR
the Complainants Natural persons who lodged the complaints
the Directive Directive 95/46/EC of the European Parliament
and of the Council of 24 October 1995 on the
protection of individuals with regard to the
processing of personal data and on the free
movement of such data
EDPB European Data Protection Board
GDPR Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April 2016
on the protection of natural persons with
regard to the processing of personal data and
on the free movement of such data, and
repealing Directive 95/46/EC
the Inquiry The inquiry commenced pursuant to Section
110 of the 2018 Act


</pre>
</pre>

Latest revision as of 13:25, 8 July 2023

DPC - IN-19-7-6
LogoIE.png
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 17 GDPR
Type: Investigation
Outcome: Other Outcome
Started: 07.06.2019
Decided: 27.02.2023
Published:
Fine: n/a
Parties: Archbishop of Dublin
National Case Number/Name: IN-19-7-6
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: DPC (in EN)
Initial Contributor: Ireland

The Archbishop should now make clear that all personal data collected and recorded and otherwise processed for the purposes of the administration of sacraments is permanently retained.

English Summary

Facts

The DPC commenced the Inquiry following receipt of a number of complaints from individuals who wished to obtain erasure in relation to their personal data processed in church registers. All of the individuals had written to either their parish or to the Archdiocese asking for the erasure of their data pursuant to Article 17 GDPR.

Holding

• The Archbishop may lawfully rely on legitimate interests under Article 6(1)(f) GDPR as a legal basis for the processing of personal data of individuals which are recorded in the Baptism Register, even in such instances where an individual no longer wishes to be associated with the Catholic Church; • Subject to safeguards, the Archbishop’s interests in retaining the personal data contained in the Baptism Registers are not overridden by the interests or fundamental rights and freedoms of the individuals; • The Archbishop may rely on the legal basis under Article 9(2)(d) of the GDPR for the processing of individuals’ special category data during the course of their lifetime; The Archbishop, in processing the special category personal data in the Baptism Registers, has in place appropriate safeguards for such processing as required under Article 9(2)(d) GDPR; • Individuals may exercise the right to request rectification of the personal data contained in the Baptism Registers, in accordance with Article 16 GDPR; • The Archbishop must comply with his obligations under Article 12(3) and Article 12(4) of the GDPR in order to facilitate requests in relation to individual’s rights under Articles 15 to 22 of the GDPR; • Individuals who no longer consider themselves to be members of the Catholic Church do not have the right to obtain erasure of their personal data in the Baptism Registers under the grounds set out at Article 17(1)(a)-(f) of the GDPR; • In circumstances where an individual no longer wishes to be a member of the Catholic Church, a supplementary statement could be added by the Archbishop to the Baptism Register entry stating “No longer wishes to be identified as a Roman Catholic”.

The Archbishop should now make clear that all personal data collected and recorded and otherwise processed for the purposes of the administration of sacraments is permanently retained. The Archbishop is to: i. update the Privacy Policy of the Archdiocese to identify that the Archbishop is the data controller for the processing of personal data and special category data held in all Baptism Registers within his Archdiocese; ii. set out in the Privacy Policy the lawful basis of such processing together with the retention periods for such personal data; iii. set out in the Privacy Policy that the subsequent administration of certain sacraments to an individual such as confirmation, marriage/annulment and ordination/laicisation (or adoption) are marked on the record in the Baptism Register, explaining why this is so; iv. ensure that the parishes within the Archdiocese make the relevant Privacy Policy accessible and available to those undertaking sacraments.

Comment

This case took many years to come to a judgement, I believe the DPC has not upheld GDPR in this instance and has ruled in favour of an organization that is in breach of GDPR.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Contents
A. Introduction ....................................................................................................................................3
B. Legal Framework for the Inquiry and the Decision.........................................................................3
i) Legal Basis for the Inquiry ...........................................................................................................3
ii) Data Controller............................................................................................................................4
iii) Legal Basis for the Decision.........................................................................................................4
C. Factual Background.........................................................................................................................5
D. Scope of the Inquiry and the Application of the GDPR...................................................................6
E. Issues for Determination.................................................................................................................7
F. Analysis of the Issues for Determination ......................................................................................12
a) MATERIAL SCOPE ......................................................................................................................12
b) CONTROLLERSHIP......................................................................................................................44
c) LEGAL BASIS ............................................................................................................................102
d) RIGHT OF RECTIFICATION .......................................................................................................141
e) RIGHT OF ERASURE .................................................................................................................154
f) STORAGE LIMITATION.............................................................................................................171
g) SUMMARY OF FINDINGS .........................................................................................................176
G. Finding Regarding Article 5(2).....................................................................................................179
H. Decision on Corrective Powers ...................................................................................................179
I. Order to amend the Privacy Policy .............................................................................................180
J. Right of appeal ............................................................................................................................180
Appendix 1: LIST OF ABBREVIATIONS/ RELEVANT TERMS..................................................................181
A. Introduction
1. This document (‘the Decision’) is a decision made by the Data Protection Commission (‘the
DPC’) in accordance with section 111 of the Data Protection Act 2018 (‘the 2018 Act’). I make
this Decision having considered the information obtained in the own volition inquiry IN-19-7-6
(‘the Inquiry’) pursuant to section 110 of the 2018 Act.
2. The Archbishop of Dublin (‘the Archbishop’) was provided with a Draft Decision (‘the Draft
Decision’) on this inquiry on 4 November 2022 to give him a final opportunity to make any
submissions. The Decision is being provided to the Archbishop pursuant to section 116(1)(a) of
the 2018 Act in order to give the Archbishop notice of the Decision, the reasons for it, and the
corrective powers that I have decided to exercise.
3. This Decision contains corrective powers under section 115 of the 2018 Act and Article 58(2) of
the General Data Protection Regulation (‘the GDPR’) arising from the infringements which have
been identified herein. The Archbishop will be required to complywith these corrective powers,
and it is open to this office to serve an enforcement notice on the Archbishop in accordance
with section 133 of the 2018 Act.
B. Legal Framework for the Inquiry and the Decision
i) Legal Basis for the Inquiry
4. The GDPR is the legal regime covering the processing of personal data in the European Union.
As a regulation, the GDPR is directly applicable in EU member states. The GDPR is given further
effect in Irish law by the 2018 Act. As stated above, the Inquiry was commenced pursuant to
section 110 of the 2018 Act. By way of background in this regard, under Part 6 of the 2018 Act,
the DPC has the power to commence an inquiry on foot of a complaint, or of its own volition.
5. Section 110(1) of the 2018 Act provides that the DPC may, for the purpose of section 109(5)(e)
or section 113(2) of the 2018 Act, or of its own volition, cause such inquiry as it thinks fit to be
conducted, in order to ascertain whether an infringement has occurred or is occurring of the
GDPR or a provision of the 2018 Act, or regulation under the Act that gives further effect to the
GDPR. Section 110(2) of the 2018 Act provides that the DPC may, for the purposes of section
110(1), where it considers it appropriate to do so, cause any of its powers under Chapter 4 of
Part 6 of the 2018 Act (excluding section 135 of the 2018 Act) to be exercised and / or cause an
investigation under Chapter 5 of Part 6 of the 2018 Act to be carried out.
ii) Data Controller
6. The Archbishop of Dublin administers to and is responsible for the Archdiocese of Dublin. The
current Archbishop of Dublin is the Most Reverend Dr. Dermot Farrell D.D., appointed on 29
December 2020, who succeeded the Most Reverend Dr. Diarmuid Martin D.D., the Archbishop
of Dublin at the time of the commencement of this Inquiry. The Archbishop of Dublin also serves
as pastor of StMary's Pro-Cathedral. The DPC acknowledges that theMost Reverend Dr. Dermot
Farrell D.D.’s predecessor, the Most Reverend Dr. Diarmuid Martin D.D., made a number of
submissions in the context of this Inquiry. All references to the Archbishop throughout this
Decision refer to the role or office of the Archbishop rather than specifically to the Most
Reverend Dr. Dermot Farrell D.D.’s or the Most Reverend Dr. Diarmuid Martin D.D..
7. The Archdiocese comprises of 197 parishes and spans county Dublin, parts of countiesWicklow,
Kildare, Carlow, Laois and Wexford and is governed by the Archbishop. The Diocesan Curia,
comprising of officials appointed by the Archbishop including the Moderator of the Curia and
the Chancellor, assists the Archbishop in the governance of the Archdiocese1.
8. In commencing the Inquiry, the DPC expressed the preliminary view that the Archbishop may
be the controller, within the meaning of Article 4(7) of the GDPR, in respect of personal data
within church records contained in Church Registers, pursuant to Article 4(6) of the GDPR.
iii) Legal Basis for the Decision
9. The decision-making process for the Inquiry which applies to this case is provided for under
section 111 of the 2018 Act, and requires that the DPCmust consider the information obtained
during the Inquiry to decide whether an infringement is occurring or has occurred and, if so, to
decide on the corrective powers, if any, to be exercised. As the sole member of the DPC as
defined in section 15 of the 2018 Act, I perform this function in my role as the decision-maker
in the DPC. In so doing, I am required to assess all of the materials and submissions gathered
during the Inquiry and any other materials that I consider to be relevant, in the course of the
decision-making process.
10. A full schedule of all documentation considered by me for the purpose of the preparation of
this Decision is appended hereto.
11. Having considered the information obtained in the Inquiry, I am satisfied that the Inquiry has
been correctly conducted and that fair procedures have been followed throughout. I will have
regard to any submissions that the Archbishop may decide to make in respect of this Decision
before proceeding to make a final Decision under section 111 of the 2018 Act.
1 Canon 469-470.
C. Factual Background
12. The DPC received a number of complaints, from data subjects who wished to exercise the right
to obtain erasure in relation to their personal data processed in church registers (including
baptism, confirmation and marriage registers) held within the Archdiocese Church registers. All
data subjects had written to either their parish or the Archdiocese asking for the erasure of their
personal data pursuant to Article 17 GDPR. The Archdiocese refused the requests on the basis
that the personal data were still necessary for the purpose for which they were collected and/or
the Church Registers were a record of historical fact and not membership of the Church; and in
any event, such records fell outside the scope of the GDPR.
13. Prior to the commencement of the Inquiry, the DPC put the Archbishop on notice of the
complaints received relating to the retention of personal data by the Catholic Church by way of
certain records relating to individuals contained in Church Registers. The complainants’ ability
to exercise their data protection rights in respect of church records relating to them, such as
the right to access the personal data and the right to obtain erasure of the personal data was
outlined in this correspondence. Further, the DPC raised the issue of identifying the controller
of these church records. The DPC confirmed its intention to commence an own volition inquiry
under section 110 of the 2018 Act, noting that this inquiry would not be focused specifically on
any individual complaint but would seek to address, in a collective manner, the general issues
arising from all complaints received on this particular issue.
14. By correspondence to the DPC dated 18 June 2019, Monsignor Callan, for and on behalf of the
Archdiocese of Dublin, expressed inter alia the opinion that baptism registers did not come
within the material scope of the GDPR, as set out in Article 2(1) of the GDPR. Monsignor Callan
stated that baptism registers are maintained in hard copy, are not organised in alphabetical
order, are not processed by automated means and he submitted that they do not consist of a
filing system within themeaning of Article 4(6) of the GDPR.Monsignor Callan further provided
a reasoned opinion as to why the parish priest and not the Archbishop was the controller of all
personal data held in the Church Registers.
15. The DPC issued an Inquiry Commencement Letter (‘the Commencement Letter’) to the
Archbishop on 20 December 2019 notifying that the DPC had commenced an Inquiry under and
in accordance with section 110(1) of the 2018 Act.
16. The decision to commence the Inquiry was taken as the DPC had formed the preliminary view
that the Church Registers were within the material scope of the GDPR and that the Archbishop
was a controller and/or joint controller of the personal data contained in these Church
Registers.
17. The Inquiry is an own volition inquiry conducted by the DPC relating to the refusal by the
Archdiocese of Dublin (‘the Archdiocese’) of certain data subjects’ requests to obtain the
erasure of their personal data. The Archdiocese refused the requests on the basis that the
personal data were still necessary for the purpose for which they were collected and/or the
Church Registers were a record of historical fact and not membership of the Church; and in any
event, such records fell outside the scope of the GDPR. Having considered the issues arising, the
DPC decided to commence an own volition inquiry pursuant to Section 110 of the 2018 Act for
the purpose of assessing the extent to which the Archbishop of Dublin complied with its legal
obligations pursuant to data protection law.
18. The Commencement Letter set out that the Inquiry would formally document the facts as they
relate to the subject of the Inquiry. The relevant facts ascertained prior to the commencement
were set out in the Commencement Letter. The facts, as established during the course of the
Inquiry, are set out below in this Decision.
19. Having received the Archbishop’s submissions, the DPC prepared an Inquiry Issues Paper to
document the relevant facts established and the issues that fell for consideration by me as
Decision-Maker for the purpose making a decision under section 111 of the 2018 Act in respect
of this Inquiry. The DPC furnished the Archbishop with the Inquiry Issues Paper on 9 February
2022 and invited the Archbishop’s submissions on any inaccuracies and/or incompleteness in
the facts.
20. The Archbishop provided comments on the Inquiry Issues Paper on 31 March 2022. The
comments provided additional information relating to the facts as set out in the Inquiry Issues
Paper. The comments on the Inquiry Issues Paper were analysed and I considered them as part
of the Draft Decision.
21. On 4 November 2022, I provided the Draft Decision to the Archbishop. The Archbishop was
afforded the opportunity to make submissions on the proposed infringement that was
identified in the Draft Decision and the corrective power that I proposed to exercise. On 1
February 2023, the Archbishop made submissions on the Draft Decision. I have had full regard
to those submissions and I have reached conclusions that an infringement of data protection
legislation has occurred and that it is necessary to exercise certain corrective powers. This
infringement and corrective powers are set out in this Decision.
D. Scope of the Inquiry and the Application of the GDPR
22. The scope of the Inquiry, which was set out in the Commencement Letter, was to examine the
following aspects of GDPR and the 2018 Act, in connection with the processing of personal data
of data subjectswho no longer wish to have their personal data recorded in all Church Registers:
i. Article 5(1)(e) – the principle of storage limitation;
ii. Article 6 – lawful basis for processing personal data;
iii. Article 9 – lawful basis for processing special category personal data;
iv. Article 16 – the right of a data subject to the rectification of inaccurate
personal data concerning him or her;
v. Article 17 – the right of a data subject to obtain erasure of personal data
concerning him or her;
vi. Article 89 – safeguards and derogations relating to processing of personal
data for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes; and
vii. the relevant provisions in the 2018 Act - which gives further effect to those
provisions, specifically sections 36, 42, 54, and 61;
23. The Commencement Letter stated that the Inquiry might also take into account the
Archbishop’s compliance with Article 5(2) of the GDPR (the principle of accountability), in
addition to his compliance with Article 31 of the GDPR, (co-operation with the supervisory
authority).
24. Following a consideration of the Archbishop’s submissions, the DPC narrowed the focus of the
Inquiry from all Church Registers, to all Baptism Registers held in the Archdiocese only,
including the ‘Parish Registers’ and those held in the Chancellery i.e. the register of baptisms of
persons who are adopted (the ‘Adopted Persons Baptism Register’) and the register of
baptisms for baptisms that took place in Holy Cross College, Clonliffe (the ‘Clonliffe College
Registers’).
E. Issues for Determination
25. Having reviewed the Inquiry Issues Paper and the other relevant materials, I consider that the
following issues arose for determination:
Material Scope - The DPC expressed a preliminary view in the Commencement Letter
that the personal data and special category personal data contained in the church records (now
in respect of all Baptism Registers in the Archdiocese only) form part of a filing system within
the meaning of Article 4(6) of the GDPR. It is acknowledged, that the Archbishop disagrees with
this view and has made a number of submissions asserting that the Baptism Registers are
outside of thematerial scope of the GDPR. As such, the following issues arise for determination
with respect to whether the personal data contained in the Baptism Registers fall within the
material scope of the GDPR:
i. whether the processing of the personal data contained in the Baptism Registers is
undertaken wholly or partly by automated means;
ii. in circumstanceswhere the processing is other than by automatedmeans,whether
the Baptism Registers form part of a filing system or are intended to form part of a
filing system, having regard to the definition of filing system under Article 4(6) of
the GDPR; and
iii. whether any of the exemptions to the scope of the GDPR as set out in Article 2(2)
apply to the processing of the Baptism Resisters.
Controllership - The DPC expressed a preliminary view in the Commencement Letter
that the Archbishop was the (sole) controller in respect of the personal data contained in Church
Registers (now in respect of the Baptism Registers only). Subsequently, the DPC confirmed to
the Archbishop that it was also considering the proposition that both the Archbishop and the
parish priest, having recourse inter-alia to Canon Law, may determine to different extents the
purposes and means of processing in relation to the Baptism Registers, leading to a position of
joint controllership. The Archbishop disagrees with this position and has made a number of
submissions in the course of the Inquiry refuting sole or joint controllership of the Baptism
Registers emphasising both the role of the parish priests and the Chancellor in this regard. As
such, the following issue arises for determination based on a consideration of the submissions
of the Archbishop to date:
i. the extent to which the Archbishop alone and / or jointly with the parish priest or
others determines the purpose and means of the processing of the personal data
and special category personal data contained in the Baptism Register which are
now the subject of this Inquiry;
Legal Bases for processing - In circumstances where I form a preliminary view that (i)
the personal data contained in the Baptism Registers falls within the material scope of the
GDPR; and (ii) the Archbishop is the relevant controller or joint controller of the personal data
contained in Baptism Registers, I must then, based on the submissions received from the
Archbishop to date, form a view as to the Archbishop’s compliance with Articles 6 and 9 of the
GDPR, in particular on the following issues:
i. In relation to the processing of personal data and special category personal data of
data subjects who no longer wish to have their personal data recorded in any
Baptism Registers:
a) whether the Archbishopmay rely on legitimate interests for the processing
of Baptism Registers, in accordance with on Article 6(1)(f) of the GDPR, in
circumstances where the processing is necessary for the purposes of the
legitimate interests pursued by the Archbishop;
b) whether, and to what extent the Archbishop’s interests (or those of a third
party) in retaining the personal data and special category personal data are
overridden by the interest or fundamental rights and freedoms of the data
subjects and accordingly whether the Archbishop is entitled to rely on
Article 6(1)(f) for the processing of the personal data and special category
personal data;
c) whether the Archbishop is entitled to rely on Article 9(2)(d) of the GDPR
for the processing of the special category personal data contained in the
Baptism Registers, which permits processing carried out in the course of
the Archbishop’s legitimate activities as a foundation, association or non-
profit body with a religious aim where the processing relates solely to
members or former members of the body or to persons who have regular
contact with it in connection with its purposes and where the special
category personal data are not disclosed outside the body without the
consent of the data subjects; if so, whether the Archbishop put in place the
required appropriate safeguards for such processing under Article 9(2)(d);
and
d) in assessing the legal bases relied on by the Archbishop, whether the
Archbishop is compliant with the principle of purpose limitation under
Article 5(1)(b) of the GDPR and the principle of lawfulness fairness and
transparency under Article 5(1)(a) of the GDPR.
ii. In relation to any further processing (processing beyond the original purpose of
collection) of personal data and special category personal data of data subjects
who no longer wish to have their personal data recorded in the Baptism Registers:
a) whether the Archbishop may rely on legitimate interests for the
processing, in accordance with on Article 6(1)(f) of the GDPR, in
circumstances where the processing is necessary for the purposes of the
legitimate interests pursued by the Archbishop;
b) whether, and to what extent the Archbishop’s interests (or those of a third
party) in further processing the personal data and special category
personal data are overridden by the interest or fundamental rights and
freedoms of the data subjects and accordingly whether the Archbishop is
entitled to rely on Article 6(1)(f) for the further processing of personal data
and special category personal data;
c) whether the Archbishop is entitled to rely on Article 9(2)(j) of the GDPR for
the further processing of special category personal data contained in the
Baptism Registers, which permits processing which is necessary for
archiving purposes in the public interest, scientific or historical research
purposes in accordance with Article 89(1) of the GDPR; if so, whether the
Archbishop put in place the required appropriate safeguards for such
processing in accordance with Article 89(1) of the GDPR, which ensure that
technical and organisational measures are in place in particular in order
ensure respect for the principle of data minimisation;
d) whether the processing of special category personal data is necessary and
proportionate for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes in accordance with
Section 54 of the 2018 Act;
e) whether, in circumstances where processing is established to be necessary
for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes, (i) suitable and specific measures have
been taken by the Archbishop to safeguard the fundamental rights and
freedoms of data subjects; (ii) the processing respects the principle of data
minimisation (Article 5(1)(c) of the GDPR); and (iii) where the purposes can
be fulfilled by processing which does not permit or no longer permits
identification the processing is fulfilled in that manner, in accordance with
Section 42 of the 2018 Act;
f) whether, in circumstances where processing is established to be necessary
for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes, data subject rights have lawfully been
restricted in accordance with Section 61(1) and 61(2) of the 2018 Act to
the extent that the exercise of any of those rights would be likely to render
impossible, or seriously impair, the achievement of those purposes, and
such restriction is necessary for the fulfilment of those purposes; and
g) in assessing the legal bases relied on by the Archbishop, whether the
Archbishop is compliant with the principle of purpose limitation under
Article 5(1)(b) of the GDPR and the principle of lawfulness fairness and
transparency under Article 5(1)(a) of the GDPR.
The right to obtain rectification – Article 16 - In circumstances where I form a view
that (i) the personal data and special category personal data contained in the Baptism Registers
falls within the material scope of the GDPR; and (ii) the Archbishop is the relevant controller or
joint controller of the personal data contained in the Baptism Registers, I must then, based on
the submissions received from the Archbishop to date, form a preliminary view as to the
Archbishop’s compliance with Article 16 of the GDPR, in particular on the following issues:
i. whether a data subject has the right to obtain from the Archbishop the rectification
of inaccurate personal data concerning him or her;
ii. whether the recording of a data subject’s sacrament of baptism in the Baptism
Registers, in circumstances where the data subject no longer consider themselves
to be a member of the Catholic Church, constitutes inaccurate or incomplete
personal data within the meaning of Article 16 of the GDPR, with reference to the
Archbishop’s compliance with the principle of accuracy under Article 5(1)(d) of the
GDPR in this regard;
iii. whether data subjects who no longer consider themselves to be members of the
Catholic Church have the right to obtain rectification of their sacramental status or
their status as members of the Catholic Church in the church records contained in
the Baptism Registers or where the personal data is found to be incomplete, have
the right to have this personal data completed, including by means of providing a
supplementary statement; and
iv. whether, in circumstances where a right to rectification exists, the data subjects’
rights may be restricted by the Archbishop pursuant to Section 61(2) of the 2018
Act, where the processing is for historical research purposes and the exercise of
the right would be likely to render impossible or seriously impair, the achievement
of these purposes and the restriction is necessary for the fulfilment of those
purposes.
The right to obtain erasure – Article 17 - In circumstances where I form a preliminary
view that (i) the personal data and special category personal data contained in the Baptism
Registers falls within the material scope of the GDPR; and (ii) the Archbishop is the relevant
controller or joint controller of the personal data contained in the Baptism Registers, I must
then, based on the submissions received from the Archbishop, form a view as to the
Archbishop’s compliance with Article 17 of the GDPR, in particular on the following issues:
i. whether a data subject has the right to obtain from the Archbishop the erasure of
personal data concerning him or her, in circumstances where one of the grounds
listed under Article 17(1)(a)-(f) of the GDPR applies;
ii. whether data subjects who no longer consider themselves to be members of the
Catholic Church have the right to obtain erasure of their personal data in the
Baptism Registers under the grounds set out at Article 17(1)(a)-(f) of the GDPR; and
iii. whether, a data subject’s right to erasure may be lawfully dis-applied by the
Archbishop to the extent that processing is necessary:
a) for exercising the right to freedom of expression and information, pursuant
to Article 17(3)(a) of the GDPR;
b) for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes in accordance with Article 89(1), pursuant
to Article 17(3)(d) of the GDPR; or
c) for exercising the right to freedom of religion.
Storage Limitation - In circumstances where I form a view that (i) the personal data
and special category personal data contained in the Baptism Registers falls within the material
scope of the GDPR; and (ii) the Archbishop is the relevant controller or joint controller of the
personal data contained in the Baptism Registers, I must then, based on the submissions
received from the Archbishop, form a view as to the Archbishop’s compliance with the principle
of storage limitation contained in Article 5(1)(e) of the GDPR, in particular on the following
issues:
i. whether the personal data and special category personal data contained in the
Baptism Registers are kept in a form which permits identification for no longer than
is necessary;
ii. whether the personal data and special category personal data contained in the
Baptism Registers are processed solely for archiving purposes in the public interest,
scientific or historical research purposes or statistical purposes in accordance with
Article 89(1) of the GDPR, and are subject to the implementation of the appropriate
technical and organisational measures in order to safeguard the rights and
freedoms of the data subject; and
iii. whether, in circumstances where the personal data and special category personal
data is processed solely for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes, it may be stored for longer
periods.
F. Analysis of the Issues for Determination
a) MATERIAL SCOPE
Issue 1 for determination: whether processing of personal data contained in the Baptism
Registers is undertaken wholly or partly by automated means
Relevant Provisions
26. Article 2(1) of the GDPR states that the GDPR applies
“to the processing of personal data wholly or partly by automated means and to the
processing other than by automated means of personal data which form part of a filing
system or are intended to form part of a filing system”.
27. Article 4(1) of the GDPR defines “personal data” as
“any information relating to an identified or identifiable natural person (‘data subject’);
an identifiable natural person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an identification number, location
data, an online identifier or to one or more factors specific to the physical, physiological,
genetic, mental, economic, cultural or social identity of that natural person”.
28. Article 4(2) of the GDPR defines “processing” as
“any operation or set of operations which is performed on personal data or on sets of
personal data, whether or not by automated means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available, alignment or
combination, restriction, erasure or destruction”.
29. Article 4(6) of the GDPR defines a “filing system” as
“any structured set of personal data which are accessible according to specific criteria,
whether centralised, decentralised or dispersed on a functional or geographical basis”.
30. Recital 15 of the GDPR is also of assistance in interpreting the meaning of a filing system:
“in order to prevent creating a serious risk of circumvention, the protection of natural
persons should be technologically neutral and should not depend on the techniques used.
The protection of natural persons should apply to the processing of personal data by
automated means, as well as to manual processing, if the personal data are contained or
are intended to be contained in a filing system. Files or sets of files, as well as their cover
pages, which are not structured according to specific criteria should not fall within the
scope of this Regulation”
31. The DPC expressed a preliminary view in the Commencement Letter that the personal data
contained in church records (now in respect of the Baptism Registers only) forms part of a filing
system within the meaning of Article 4(6) of the GDPR.
Relevant Background
32. The focus of this Decision is on the Baptism Registers held within the Archdiocese of Dublin only,
and not on any other church registers or church records held in this Archdiocese, whether in
parishes or otherwise. This is on the basis that the sacrament of baptism is considered the
gateway to the other sacraments (in accordance with canon 849).
33. The Catholic Church is governed by its own internal body of law, the Code of Canon Law (‘Canon
Law’). The most recent version of the Code of Canon Law was codified and promulgated in
1983.2 While the position in Canon Law is not determinative of the position under Irish or EU
law, it is a relevant consideration to which I will have regard in considering all issues, which arise
for determination within this Decision. The relevance of Canon Law to the inquiry is set out at
paragraphs 254 and 255.
34. I note that canon 535 §1 requires that each parish keep certain parochial registers for “baptisms,
marriages, deaths, and others as prescribed by the conference of bishops or the diocesan bishop.
The pastor is to ensure that these registers are accurately inscribed and carefully preserved”.3
Certain other church registers are held by the Archdiocese in the Chancellery office of the
Diocesan Office, including the Adopted Persons Baptism Registers and the Clonliffe College
Baptism Registers.
2 The DPC has referred throughout this Decision to Canon Law as set out by the Vatican, https://www.vatican.va/archive/cod-
iuris-canonici/cic_index_en.html:
https://wipolex.wipo.int/en/legislation/details/9033.
3 Further to Canon 895 and Decree No. 6 of the Irish Episcopal Conference as promulgated in Intercom December
1987/January 1988.
35. The Church Registers held in the parishes and in the Chancellery office indicate the sacramental
status of a person in the Roman Catholic Church. Baptism is the first and most basic sacrament
of Christian initiation and as confirmed by the Archbishop, it can only be received once.4 A
person must be baptised before they can receive any other sacrament, such as the sacraments
of confirmation, marriage or Holy Orders. As such, the Roman Catholic Church maintains a
record of all those persons who have been baptised so that in the event an individual wishes to
receive another sacrament, their baptismal status can be ascertained in advance. Therefore,
the Baptism Register is the reference point from which any other parish can ascertain whether
a person has been baptised. When an individual subsequently receives another sacrament, the
Baptism Registermust be noted accordingly as those other sacraments can also only be received
once also. The maintenance and retention of such records is essential to the administration of
the Roman Catholic Church.5
36. Any changes regarding the sacramental status of a person must be annotated in the Baptism
Register wherein their baptism is recorded, in accordance with canon 535 §2 (even where also
recorded in a separate register, e.g. confirmation register or marriage register).6
37. Baptism Registers are maintained in hard copy. According to the Archbishop, referring to
parochial registers, “the hard copy, bound volume is the only authentic, authoritative register”.7
Individual baptism registers may contain entries spanning a number of years. The Baptism
Register is replaced only when it is full. A full Baptism Register is stored in the Parish. Baptism
Registers are only transferred from a Parish into the Diocesan archive when a Parish is
suppressed.
38. The entries in a Baptism Register are made when individuals are presented for baptism, in
chronological order, based on the date of presentation. There is no prescribed form for baptism
registers, though they will include the following fields:
• Christian name of person for baptism
• Surname
• Born/Day/Month/
• Name of Parent(s)/guardian(s)
• Residing at Domicile
• Duly Baptised – Day/Month
• Celebrant of Baptism
• Name(s) of Godparent(s).
4 Submissions dated 15 October 2020, page 24.
5 Submissions dated 15 October 2020, page 24.
6 This is set out in canon 535 §2, which states that: “In the baptismal register are also to be noted confirmation and those
things which pertain to the canonical status of the Christian faithful by reason of marriage, without prejudice to the
prescript of _can. 1133, of adoption, of the reception of sacred orders, of perpetual profession made in a religious
institute, and of change of rite. These notations are always to be noted on a baptismal certificate“.
7 Submissions dated 16 March 2020, page 31.
39. The sample Baptism Register pages provided by the Archbishop to the DPC also typically include
a field at the top of each page to fill in the year in which those baptisms took place.8 Pro-forma
register books for baptism, confirmation, marriage or death are commercially available from
religious goods shops with these specific fields designated.
40. Baptism Registers are annotated with any further matters pertaining to the canonical status of
a person, for example if a person receives further sacraments, such as confirmation, marriage
or the reception of holy orders. Annulments of marriages will also be annotated in the baptism
register. In order to annotate a baptism register entry following a confirmation, a confirmation
card is completed, which allows the parish in which the confirmation took place record the
confirmation in its confirmation register. The information on the card is then used to annotate
the baptism register (if this occurred in a different parish, the confirmation card is sent to that
parish), after which the confirmation card is destroyed. Similarly, where a marriage occurs, a
pre-defined form used by all parishes is completed. This form is forwarded to the parish inwhich
the baptism of the individuals took place. That parish then annotates the baptism register to
reflect the fact of marriage.
41. Generally, a manual search of the baptism register will be carried out by the various parishes
when required to do so for the purposes of retrieving or annotating these records.Where there
is no index for the register, a search through hard copy records is required.9
42. In 2018, the Archdiocese entered 13,234 baptisms into baptism registers, 16,929 confirmations
into confirmation registers and 1,334 marriages into marriage registers. I note that each
marriage and confirmation registered was annotated into the relevant baptism registers
(though not necessarily baptism registers located within the Archdiocese).10
43. The Baptism Register is consulted by the parish priest when a request for a baptism certificate
is made by an individual (or their parents/guardian if under 16 years of age). Requests for
certificates normally arise when a person is preparing to receive another sacrament, such as
confirmation ormarriage. If a person contacts a parish looking for baptism records, they receive
a form, which enables them to apply for a copy of their baptism certificate.
44. In specific circumstances, alteration may also be made to a baptism register entry, for example
where a person changed their name by deed poll. The Directives and Guidelines for Sacramental
and Pastoral Practice (2011) (the “Guidelines”) state that any alteration to the baptism register
must be authorised through the Chancellery,11 in particular that “the express permission of the
Chancellery is required before any alteration or emendationmay bemade in an entry in any such
parochial register”.12 Documentary evidence is generally required to ground such a request for
an alteration.
8 Submissions dated 15 October 2020, Schedule of Documents, (pages 212-213 of the PDF submission).
9 Submissions dated 15 October 2020, page 5.
10 Submissions dated 16 March 2020, page 7.
11 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, Appendix 3, (page 27 of PDF submission).
12 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, section 4.5 (page 23 of the PDF submission).
45. Although deletions of entries contained within the baptism registers are not permitted, there is
no canonical prohibition on the recording of additional details in a baptism register. The
prohibition on the alteration of the Baptism Registers is not expressly set out in Canon Law.
46. In these cases, the parish priest either will apply to the Chancellery for authorisation to make
that change, or will direct the applicant to contact the Chancellery themselves. In certain limited
circumstances, the parish priest may then make a change. The Archbishop provided the DPC
with examples of letters from the Chancellery to a parish priest requesting that certain
amendments bemade to an entry in a baptism register. These letters indicated that information
which is to be altered is not deleted or erased, but, in the case of an error in a date of birth or a
change of name, a line is drawn through the out of date information, the new information is
inserted and a note is made of the corrected information. A direction is placed in the baptism
register, e.g. “Future certificates to reflect changes made”.13
47. The Archbishop informed the DPC that he is aware of “informal” methods of indexing these
registers though he is unaware of the extent of this practice within the parishes of the
Archdiocese. In respect of the Archbishop’s own parish, St Mary’s Pro-Cathedral, a hardcopy
indexing system is in place. Based on the extract provided by the Archbishop, this index appears
to consist of an alphabetical list of individuals who have been baptised, within a particular time
frame (in this case, between 1915 and 1918). Also, each entry in the index is accompanied by a
number indicating the location of the entry in the baptism registers.14
48. The Archbishop is also aware of practices such as scanning copies of the baptism registers and
the use of electronic database systems or “pastoral management systems” to record such
information.15 Microfilmed copies of baptism registers have been created and shared with the
National Library of Ireland. In the instance of the Adopted Persons Baptism Register held in the
Chancellery, an electronic version of this is maintained, “for easy searching”.16
49. With respect to storage of the Baptism Registers held in parishes, each parish is required to
have an archive, in which parochial books are to be kept, together with any and other
documents which itmay be necessary or useful to preserve. In general, parish baptism registers
are kept in safe rooms which are fireproofed and which are only accessible by the parish priest
and certain other authorised personnel.17
50. With respect to storage of the registers, Baptism Registers held in the Chancellery Office were
previously stored at Clonliffe College. Following the sale of the Clonliffe College buildings, the
Chancellery Office is now located in the Archbishop’s House, Drumcondra Road, Dublin 9 and
the Diocesan Offices have appropriate security measures in place, with entry to the Chancellery
being only permitted by the staff members.
13 Submissions dated 15 October 2020, Schedule of Documents, page 193.
14 Submissions dated 15 October 2020, Schedule of Documents, page 234.
15 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, Appendix 3, (page 27 of PDF submission); Appendix 3 of the Guidelines provide
guidance on the “Requirements for the Secure Maintaining of Duplicate Electronic Sacramental Records in Parishes”
which appears to envisage parishes employing electronic records of Church Registers.
16 Submissions dated 15 October 2020, page 1.
17 Submissions dated 16 March 2020, page 29. See also storage requirements set out at Canon 535 §4.
51. With respect to retention periods, the Baptism Registers are retained in perpetuity.18
52. The Baptism Registers are private records and are not generally accessible by the public. The
“Archbishop dictates policy with regard to access” to the Baptism Registers.19
Relevant Case Law
53. In the judgment of the Court of Justice of the European Union (“CJEU”) in C-25/17 Jehovan
Todistajat the CJEU considered the meaning of a filing system.When considering the definition
of “filing system” contained in Article 2(c) of Directive 95/46/EC the CJEU stated that:
“a ‘filing system’, referred to by that provision, covers a set of personal data collected in
the course of door-to-door preaching, consisting of the names and addresses and other
information concerning the persons contacted, if those data are structured according to
specific criteria which, in practice, enable them to be easily retrieved for subsequent use.
In order for such a set of data to fall within that concept, it is not necessary that they
include data sheets, specific lists or other search methods”.20
54. The CJEU also stated that in relation to the specific criteria used,
“the specific criterion and the specific form in which the set of personal data collected by
each of the members who engage in preaching is actually structured is irrelevant, so long
as that set of data makes it possible for the data relating to a specific person who has
been contacted to be easily retrieved”.21
55. Also considered is the recent judgment of the Court of Appeal of England and Wales, Dawson-
Damer v Taylor Wessing,22 in which the Court set out four criteria for determining whether a
relevant filing system,within themeaning of the UK Data Protection Act 1998 (which gave direct
effect to Directive 95/46/EC), was in place:
“First, are the files a “structured set of personal data”? Secondly, are the data accessible
according to specific criteria? Thirdly, are those criteria “related to individuals”? Fourthly,
do the specific criteria enable the data to be easily (or “readily” as the 1998 Act puts it)
retrieved?”23
56. Although these cases were decided before the GDPR came into force (and bearing in mind that
Damer v Wessing is only of persuasive authority), the consideration in these cases of the
meaning of a filing system remains somewhat relevant, in circumstances where the definition
of filing system remains the same under Article 2(c) of Directive 95/46/EC and Article 4(6) of the
GDPR.
18 Submissions dated 16 March 2020, page 31.
19 Submissions dated 15 October 2020, Schedule of Documents, Administrative Regulations and Guidelines for Parishes
(October 2017), (page 32 of the Guidelines document and/or page 167 of the PDF submissions).
20 Case C-25/17, Jehovan Todistajat, EU:C:2018:551, paragraph 62.
21 Case C-25/17, Jehovan todistajat, EU:C:2018:551, paragraph 61.
22 Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352.
23 Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352, paragraph 90.
57. Although Recitals 15 and 27 of Directive 95/46/EC note that a filing system is to be “structured
according to specific criteria relating to individuals, so as to permit easy access to the personal
data in question”, the current and updated position under Recital 15 of the GDPR does not
contain any reference to a requirement for a filing system to be structured so as to permit “easy
access”.
Archbishop’s Submissions
58. The Archbishop accepts that the information recorded in the Baptism Registers constitutes
personal data in accordance with Article 4(1) of the GDPR; however, he disagrees with the view
of the DPC that Baptism Registers fall under the material scope of the GDPR. The Archbishop
has made numerous submissions on this point.
59. The Archbishop submitted that the Baptism Registers are not subject to the GDPR, as the entries
in the Baptism Registers that contain personal data and special category personal data are not
processed by automated means and do not form part of a filing system within the meaning of
the GDPR.24
60. The Archbishop submitted that the hardcopy baptism registers, which contain personal data,
do not form part of a filing system, as they do not provide “easy access” as “it is not possible to
search same using specific criteria”.25 The Archbishop referred to the CJEU judgment of C-25/17
Jehovan Todistajat in this regard, and the finding of the CJEU that a filing system must be
“structured in order to allow easy access to personal data”. In particular, the Archbishop noted
three elements that were set out in that judgment as the requirements of a filing system:
“(i) The data must be structured by reference to specific criteria;
(ii) The criteria must be “related to individuals”;
(iii) The specific criteria must enable the data to be easily retrieved.
It is submitted that the baptism registers do not fulfil either (i) or (iii) of these criteria”.
24 Submissions dated 16 March 2020, pages 12-13.
25 Submissions dated 16 March 2020, page 13.
61. The Archbishop also submitted that the date of baptism is “entirely random” and “does not
correspond to age or date of birth”26 and as such does not qualify as a “specific criteria” within
the meaning of the GDPR or the elements set out by the CJEU in C-25/17 Jehovan Todistajat. In
C-25/17 Jehovan Todistajat, the CJEU stated that it was clear from Recitals 15 and 27 of Directive
95/46/EC the content of a filing system must be structured in order to allow easy access to
personal data and that it was clear from these recitals that the specific criteria “must be
‘relat[ed] to individuals”.27 The Archbishop asserted that the DPC has not demonstrated how
the criteria in question with respect to the Baptism Registers relate to individuals and in that
regard, the Archbishop referred to the following passage in C-25/17 Jehovan Todistajat also:
“Thus, it appears that the personal data collected in the course of the door-to-door
preaching at issue in the main proceedings are structured according to criteria chosen in
accordance with the objective pursued by that collection, which is to prepare for
subsequent visits and to keep lists of persons who no longer wish to be contacted. Thus,
as it is apparent from the order for reference, those criteria, among which are the name
and address of persons contacted, their beliefs or their wish not to receive further visits,
are chosen so that they enable data relating to specific persons to be easily retrieved”
(emphasis added by Archbishop).28
62. Further, the Archbishop submitted that the personal data contained in the Baptism Registers
are not easily retrieved as:
“information about a person’s baptism can only be retrieved from a baptism register
through a manual, line-by-line, page-by-page, search of likely dates as to when the
baptism occurred. This can be complicated by the fact that, in some cases, a person will
not know the Parish of his or her baptism… There is no central database which allows
identification of the place of a person’s baptism and it would be for the person concerned
to provide information as to the likely place of baptism, so that the registers in that Parish
can be searched”.29
63. The Archbishop also noted the following points:
“a person’s current address may not be sufficient in determining a Parish of baptism. A
person may now reside in Glasnevin Parish, but at the time of baptism resided in Iona
Road Parish;
date of birth does not give any indication of date of baptism. In the past, children were
generally baptised within a few days of birth. However, more recently, there can be a
period of six months or more between the date of birth and date of baptism, making the
identification of the date of baptism much more difficult.
a search of baptism registers for a particular entry requires a trawl through large books
of handwritten records, sometimes resulting in the unsuccessful search of books of the
baptism registers in several parishes. In some cases, information in the baptism register
is irretrievable as it simply cannot be found”.
26 Submissions dated 16 March 2020, page 14.
27 C-25/17 Jehovan todistajat, paragraph 57.
28 C-25/17 Jehovan todistajat, paragraph 60; Submissions dated 16 March 2020, page 15.
29 Submissions dated 16 March 2020, page 15.
64. It is on this basis that the Archbishop contends that the Baptism Registers do not meet the
requirements to be a filing system as set out in C-25/17 Jehovan todisajat, with these not being
structured according to a specific criteria and not being easily retrievable as a manual page-by-
page search is required to locate the entries containing a data subject’s personal data in the
Baptism Registers.
65. The Archbishop also referred to the Advocate General’s Opinion for case C-73/07
Tietosuojavaltuutettu v SatakunnanMarkkinaporssi Oy30 of the CJEU, in which the issue of filing
systems was considered in the context of the publication of alphabetical lists in regional
newspapers of data obtained from Finnish tax authorities. These comprised of the names of
data subjects and their income bracket organised by municipality, and a text messaging service
provided relating to that publication.31 In that Opinion, the Advocate General’s view was that
the publication of the tax data in question in this case constituted a filing system. The
Archbishop distinguished the Baptism Registers from the alphabetical lists of tax data, arguing
that unlike the lists in this case, the Baptism Registers are “not structured so as to be accessible
according to particular criteria, but rather contains entries in chronological order only. The dates
themselves do not correspond to any identifiable date relating to the person baptised, ie entries
are not listed by date of birth”32.
66. The Archbishop also referred to a judgment of the Supreme Court of Spain, case STS
4646/2008,33 which related to whether baptism registers (referred to as ‘Baptism Books’ in the
translation) constituted a filing system. The Court stated that:
“…it cannot be accepted that such personal data referred to by the Instance Court is
contained in the Baptism Books as an organised collection as required by Art. 3(b) of OL
15/99, but rather a pure accumulation of information that would be difficult to search,
access and identify as they are not ordered alphabetically, nor by date of birth, but only
by baptism dates, with the Parish having to know where it took place, and with it not
being accessible to third parties other than the baptised individual […] we must conclude
that the Baptism Books are not files in the clear and specific terms as they are considered
as per OL 15/99 (Art. 3(b), as well as in the definition thereof in Art. 2 of EC Directive
95/46” (emphasis added by Archbishop).
67. The Archbishop contends that the view of the Spanish Court in that case, whereby “a mere
chronological ordering – there by a baptism date – is insufficient to give rise to the presence of
a relevant filing system, resonates with the approach which has been taken in other Member
States in other contexts”.34
30 ECLI:EU:C:2008:727.
31 Submissions dated 16 March 2020, page 16.
32 Submissions dated 16 March 2020, page 16-17.
33 Translation provided by the Archbishop with submissions dated 16 March 2020. No official translation available.
34 Submissions dated 16 March 2020, page 17.
68. The Archbishop also noted that the judgment in case STS 4646/2008 has been re-applied more
recently in a lower court in Spain in SAN4404/2018.35 In that judgment, the court described
baptism registers as follows:
“…a pure accumulation of information that would be difficult to search, access and
identify as they are not ordered alphabetically, nor by date of birth, but only by the
baptism dates, with the Parish having to know where it took place, and with it not being
accessible to third parties other than the baptized individual, as baptism certificates for
other parties cannot be requested.”
69. The Archbishop also pointed to guidance of the UK Information Commissioner’s Office (“ICO”)
from 2011 regarding filing systems:
“Although the information in your files is held purely in chronological order, is your filing
system sufficiently well structured to allow you ready access to specific information about
a particular individual without extensive manual searching through the set of records?
Yes – you have a relevant filing system. Where information is held in a set of manual
records which is sufficiently well structured to allow ready access to specific information
about particular individuals the set will form a relevant filing system for the purposes of
the DPA.
No– you do not have a relevant filing system. Given that you cannot readily [access]
specific information about particular individuals you should consider whether the set is
sufficiently well structured for your business purposes or whether it simply constitutes an
unstructured manual record archive. Consider whether it is sensible/useful to retain these
records in this form” (Emphasis added by Archbishop).36
70. The Archbishop also noted separate ICO guidance which stated that “[w]here a set of
information contains only a single category of information held in chronological order the set
will not usually comprise a relevant filing system unless the set is structured by reference to
individuals or criteria relating to individuals” (Emphasis added by the Archbishop)37.
71. Further, the Archbishop pointed to the case of Shatter v Data Protection Commissioner38
indicating that this case “underscore[s] an apparent requirement for “evidence” if a
determination is to be made that a relevant filing system exists”.39
72. The Archbishop also referred to the case of Dawson-Damer v TaylorWessing40, stating that this
judgment “supports and confirms the position that mere chronological order – or, as with the
baptism registers, the fact that entries aremade sequentially, namely in the next space following
– is insufficient for a ‘filing system’ to arise”.41
35 Translation provided by the Archbishop with submissions dated 16 March 2020 Submission.
36 Frequently asked questions and answers about relevant filing systems, https://ico.org.uk/media/for-
organisations/documents/1592/relevant_filing_systems_faqs.pdf
37 Determining what information is ‘data’ for the purposes of the DPA, https://ico.org.uk/media/for-
organisations/documents/1609/what_is_data_for_the_purposes_of_the_dpa.pdf; Submissions dated 16 March 2020, page 18.
38 Shatter v Data Protection Commissioner [2017] IEHC 670.
39 Submissions dated 16 March 2020, page 19.
40 Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352.
41 Submissions dated 16 March 2020, page 20.
73. In reference to electronic filing systems and indexes which may be in place in certain parishes
for the Baptism Registers, the Archbishop stated in his submissions that “he does not know the
indicative number of such Parishes using any such system”.42 However, the Archbishop
submitted “[f]rom a canon law perspective, there is no difficulty with the permanent erasure of
any electronically-held records of baptism or other sacraments, as any electronically held version
is not authoritative”.43
Legal Analysis
Issue 1 for Determination:
Whether processing of personal data contained in the Baptism Registers is undertaken wholly or partly
by automated means
Personal Data and Special Category Data
74. As a preliminary point, I wish to acknowledge that the Archbishop has not contested, during the
course of the Inquiry, that the information recorded and then retained in the Baptism Registers
is personal data and special category personal datawithin themeaning of Article 4(1) and Article
9(1) of the GDPR.
75. The Archbishop stated that the following categories of data are typically recorded and retained
in the Baptism Registers:
• Christian name of person for baptism
• Surname
• Born/Day/Month
• Name of Parent(s)/guardian(s)
• Residing at Domicile
• Duly Baptised – Day/Month
• Celebrant of Baptism
• Name(s) of Godparent(s).
76. In addition, Baptism Registers are annotated with certain further matters pertaining to the
canonical status of a person, such as whether they received the sacraments of confirmation,
marriage or holy orders.
77. I am satisfied that the above categories of data constitute personal data within the meaning of
Article 4(1) of the GDPR, being “information relating to an identified or identifiable natural
person”. Further, I am satisfied that the data listed above, which reveals “religious or
philosophical beliefs” of a natural person, constitutes special category personal data within the
meaning of Article 9 of the GDPR.
42 Submissions dated 15 October 2020, page 9.
43 Submissions dated 16 March 2020, page 32.
Processing of personal data undertaken wholly or partly by automated means
78. Article 2(1) of the GDPR states:
“This Regulation applies to the processing of personal data wholly or partly by automated
means and to the processing other than by automatedmeans of personal datawhich form
part of a filing system or are intended to form part of a filing system”.
79. The Archbishop submitted that he is aware of practices such as scanning copies of the baptism
registers and the use of electronic database systems or “pastoral management systems” to
record such information.44 Further, microfilmed copies of baptism registers were created and
shared with the National Library of Ireland.
80. The Archbishop submitted that the extent to which all separate parishes hold information in
electronic form is not known to him. In respect of the Adopted Persons Baptism Register held
by the Archbishop, this register, which is held in hard copy, is ordered by date of receipt of
notifications from the Adoption Board and “consists of the original pages sent to the
Archdiocese by the Adoption Board upon an Adoption Order being granted”.45 The Chancellery
filed the entries in the Adopted Persons Baptism Register in the order the notifications were
received. There is an electronic version of the Adopted Persons Baptism Register in the
Chancellery and information from each notification received was entered to make the search
easier when requested to issue a baptismal certificate.
81. Appendix 3 of the Guidelines, as previously stated, also sets out for parish priests the
“Requirements for the Secure Maintaining of Duplicate Electronic Sacramental Records in
Parishes”. As such, it is clearly envisaged that certain electronic or automated processing of the
personal data collected in the Baptism Registers may take place. Appendix 3 sets out that:
• The handwritten registers are considered the only authentic copy of sacramental
records. The manual register must always be consulted when issuing a certificate;
• The handwritten registers must be maintained and the registers themselves are never
to be destroyed or discarded;
• Sacramental records nonetheless may be duplicated on secure computers with no
public access;
• These electronic files should be made secure through the use of password protection
and encryption to ensure that only those who should have access can do so, ie the
Parish Priest and those whom he has authorised to assist him in the work of
maintaining and updating sacramental records such as, Parish secretary or sacristan;
• The inputtingof data into the computer should only be carried out by those authorised
by the Parish Priest;46
44 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, Appendix 3, (page 27 of PDF submission) which provide guidance on the
“Requirements for the Secure Maintaining of Duplicate Electronic Sacramental Records in Parishes”; this appears to
envisage parishes employing electronic records of Church Registers.
45 Submissions dated the 15 October 2020, page 1.
46 This was intended to read “inputting” not “imputing” in the Guidelines per submissions dated 16 March 2020, page 32.
• Amendments and alterations to the electronic files should simply reflect alterations
which have already been made in the handwritten registers. Any amendment to a
register needs the prior written permission and authorisation from the Chancellery;
• No copying of electronic files should be made beyond the back-up copy which should
always be kept in a very secure place;
• The same confidentiality applies to both the handwritten registers and to the
electronic records.
82. The Archbishop has also submitted that the “the hard copy, bound volume is the only authentic,
authoritative register” 47 and with respect to any electronically-held records that “there is no
difficulty with the permanent erasure of any electronically held records of baptism or other
sacraments, as any electronically held version is not authoritative”.48 The Archbishop also stated
that, when “[i]nformation about a person’s baptism can only be retrieved from a baptism
register through a manual, line-by-line, page-by-page, search of likely dates as to when the
baptism occurred”.49
83. It is my view that, while separate electronic duplicate records of the personal data and special
category personal data contained in the Baptism Registers may be processed wholly or partly
by automated means, I accept that the hard copy Baptism Registers themselves are not
processed by automated means. The hard copy Baptism Registers require manual processing in
order to insert new entries and locate previous entries (even where electronic records may
assist in locating certain records) when checking sacramental status or issuing a certificate. I
also accept that the hardcopy Baptism Registers are the authoritative, official version of the
records and as such, must in practice be consulted (processed) manually, in order to issue a
baptismal certificate, check the sacramental status of a person prior to them receiving another
sacrament, such as confirmation, and to annotate an individual’s entry in the Baptism Register
with any such further sacraments received.
84. Although the hard copy Baptism Registers are the authoritative, official version of the records,
it is my view that any electronic duplicate records of the Baptism Registers and any personal
data and special category personal data contained in the electronic pastoral management
systems constitutes processing by automated means and as such also falls within the material
scope of the GDPR. This has also been accepted by the Archbishop in his submissions.50
47 Submissions dated 16 March 2020, page 31.
48 Submissions dated 16 March 2020, page 32.
49 Submissions dated 16 March 2020, page 15.
50 Submissions dated 16 March 2020, page 12.
Issue 2 for Determination: In circumstances where the processing is other than by automated
means, whether the Baptism Registers form part of a filing system or are intended to form
part of a filing system, having regard to the definition of filing system under Article 4(6) of the
GDPR.
85. I must now consider whether, in circumstances where the hardcopy Baptism Registers are
processed other than by automated means, the Baptism Registers form part of a filing system
or are intended to form part of a filing system, having regard to the definition of a filing system
under Article 4(6) of the GDPR.
86. The relevant provisions, which have been set out above, are Article 2(1), 4(1), 4(6) and Recital
15 of the GDPR.
87. The component elements of a filing system as set out under Article 4(6) of the GDPR are as
follows:
• any structured set of personal data;
• which are accessible according to specific criteria;
• whether centralised, decentralised or dispersed on a functional or geographic basis.
88. The definition of a filing system for the purposes of data protection law has been considered in
case law, although these interpretations are primarily in relation to the now repealed Directive
95/46 as opposed to the GDPR. In case C-25/17 Jehovan todistajat, the CJEU indicated that:
“as is made clear from recitals 15 and 27 of Directive 95/46, the content of a filing system
must be structured in order to allow easy access to the personal data. Furthermore,
although Article 2(c) of that directive does not set out the criteria according to which that
filing system must be structured, it is clear from those recitals that those criteria must be
‘relat[ed] to individuals’. Therefore, it appears that the requirement that the set of
personal data must be ‘structured according to specific criteria’ is simply intended to
enable personal data to be easily retrieved”51 (emphasis added)
89. As such, Jehovan todistajat indicates that a filing system must be structured to allow “easy
access” to the personal data contained within it. Further, the criteria according to which a filing
system is structured must be related to the individual data subjects in question. The CJEU went
on to state that, in respect of the specific criterion and the specific form in which a filing system
is structured, it is “irrelevant” so long as the set of data makes it possible for the data relating
to a specific person to be easily retrieved.52
90. In Dawson-Damer v TaylorWessing53, the English Court of Appeal also considered the meaning
of a filing system under UK Data Protection Act 1998, which transposed Directive 95/46 into UK
law. This case is only of persuasive authority. The Court set out four criteria for determining
whether a relevant filing system, within the meaning of the UK Data Protection Act 1998, was
in place:
51 C-25/17 Jehovan todistajat, paragraph 57.
52 C-25/17 Jehovan todistajat, paragraph 61.
53 Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352
“First, are the files a “structured set of personal data”? Secondly, are the data accessible
according to specific criteria? Thirdly, are those criteria “related to individuals”? Fourthly,
do the specific criteria enable the data to be easily (or “readily” as the 1998 Act puts it)
retrieved?”54
91. The Court of Appeal stated that the CJEU in Jehovan todistajat “did not consider the Directive to
be prescriptive as to the form of a relevant filing system. Instead the test is the functional one of
whether specific criteria enable the data to be easily retrieved”.55
92. Of note however, is Recital 15 of Directive 95/46/EC which provides that a filing system is to be
“structured according to specific criteria relating to individuals, so as to permit easy access to
the personal data in question” and Recital 27 of Directive 95/46/EC which states that a filing
system “must be structured according to specific criteria relating to individuals allowing easy
access to the personal data” are not repeated under the GDPR.
93. The wording of Recital 15 GDPR, set out above at paragraph 30, clearly differs from Recitals 15
and 27 of Directive 95/46 in that it does not refer to “easy access” or indeed to access at all, nor
does it specify that the specific criteria must be “relating to individuals”. Instead, the first
sentence of Recital 15 of the GDPR commences with preventing a risk of circumvention of the
application of the Regulation by data controllers: “in order to prevent creating a serious risk of
circumvention, the protection of natural persons should be technologically neutral and should
not depend on the techniques used”. It further states that: [t]he protection of natural persons
should apply to the processing of personal data by automated means, as well as to manual
processing, if the personal data are contained or are intended to be contained in a filing system”.
94. Therefore, it is my view that the definition of a filing system under the GDPR is intended to be
interpreted in a wider manner than the definition of a filing system under Directive 95/46
(guided by Recitals 15 and 27), in that the definition of a filing system is now by reference to a
“any structured set of personal data” which is “accessible” according to specific criteria.
95. That said, I note the UK Court of Appeal’s comment in paragraph 91 of Dawson-Damer v Taylor
Wessing wherein it stated the following:
“Mr White challenged the Judge’s conclusion (relevant to the third question) that the
specific criteria needed to be “related to individuals”. We consider, however, that that
requirement is implicit in Article 2(c). It is difficult to see how personal data could be
accessible according to specific criteria unless those criteria are in some way related to
individuals.”
54 Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352, paragraph 90.
55 Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352, paragraph 83.
96. The Court of Appeal further stated:
“A criterion may be closely related to an individual (for example it might be his or her
name or National Insurance number), or it may be remotely related to an individual (for
example the street in which he lives). The degree of specificity of the criterion does not
preclude a finding that the criterion relates to an individual. One needs to bear in mind,
nevertheless, that a very general criterionmay be less likely to enable easy or ready access
to the data. The Directive and the Act are clear in requiring a causative link between the
criterion and ease of access of the data”56 (emphasis added).
97. In Jehovan todistajat the CJEU stated that:
“the specific criterion and the specific form in which the set of personal data collected by
each of the members who engage in preaching is actually structured is irrelevant, so long
as that set of data makes it possible for the data relating to a specific person who has
been contacted to be easily retrieved”57
98. It is my view that the tests set out under Jehovan todistajat and Dawson-Damer v Taylor
Wessing (only of persuasive authority), such as the specific criteria “relating to individuals”
which structures the filing system must enable “easy access” to the personal data or allow it to
be “easily retrieved” are not the determinative factors in the interpretation of the definition of
a filing system under the GDPR.
99. Notwithstanding this, I continue to have regard to the case law as set out above. This case law
considers the definition of a filing system with reference to Directive 95/46, and the extent to
which the personal data in a filing system is easily retrievable or readily available based on the
specific criteria relating to individuals which structures the filing system. Although it is certainly
less decisive in this present context as these principles have no legislative basis under the GDPR.
That said, I am of the view that the specific criteria must have some link to accessing the
personal data but does not need to be closely related to that individual.
In addition, it is my view that the personal data and special category personal data in the
Baptism Registers need not necessarily be easily accessible or easily retrieved by way of a
specific criteria which relates to individuals, in order for the Baptism Registers to fall under
the definition of a filing system within the meaning of Article 4(6) of the GDPR.
100. I will now consider whether the Baptism Registers fall within the definition of a filing system as
specifically set out under Article 4(6) of GDPR with reference to whether they are:
• any structured set of personal data;
• accessible according to specific criteria; and
• centralised, decentralised or dispersed on a functional or geographic basis.
56 Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352, paragraph 96.
57 C-25/17 Jehovan todistajat, paragraph 61.
Structured Set of Personal Data
101. First, to be included as part of a filing system, the personal data must be a “structured set of
personal data”.
102. As part of his submissions, the Archbishop provided sample pages of a Baptism Register. These
pages identify the personal data and special category personal datawhich is recorded in respect
of an individual when they are baptised; the pages also set out clear fields for the input of this
information in relation to that individual, including:
• christian name;
• surname;
• date of birth;
• name of parents;
• address;
• date of baptism;
• name of parish priest/curate or minister;
• name of god-parents; and
• canonical circumstances to be indicated (e.g. adult, convert, conditional or Private
baptism, foundling etc).58
103. The Baptism Register samples also indicate fields for the recording of details relating to other
sacraments received by an individual. These fields include the following:
• confirmed (by whom, church where, day, month, year);
• contracted marriage, (with whom, diocesan church, where; day, month, year; and
• indicate reception of diaconate or solemn religious profession.
104. There is also a column to indicate whether a baptism certificate was issued. The sample Baptism
Register pages provided by the Archbishop to the DPC also typically include a field at the top of
each page to fill in the year in which the baptisms on that page took place.59
105. While the Archbishop has indicated (and I accept) that the sample Baptism Register is not
indicative of every template of Baptism Register used by every parish in the Archdiocese, I note
that canon 877 §1 is also explicit as to the information which is to be recorded when a baptism
is registered.60
106. With respect to whether the Baptism Registers are structured according to a specific criteria,
the Archbishop submitted that they are not.
58 Submissions dated 15 October 2020, Schedule of Documents, page 212, 213
59 Submissions dated 15 October 2020, Schedule of Documents, page 212, 213.
60 Canon 877 §1 states that “The pastor of the place where the baptism is celebrated must carefully and without any delay
record in the baptismal register the names of the baptized, with mention made of the minister, parents, sponsors,
witnesses, if any, the place and date of the conferral of the baptism, and the date and place of birth”.
107. The entries for each individual, which must include the personal data as described above, are
entered chronologically into the Baptism Register, in order of when the baptism occurs. Once a
Baptism Register is full, a new Baptism Register is commenced. In respect of the Adopted
Persons Baptism Register, the entries were inputted chronologically by date of receipt of
notifications from the Adoption Board.
108. Each parish is required to maintain its own parochial registers, including a baptism register. As
such, the Baptism Registers are structured according to the parish in which they are recorded.
The Adopted Persons Baptism Register is recorded by the Chancellery on behalf of the
Archbishop and is not structured on the basis of the parish in which the baptism took place, but
chronologically according to the date of notification by the Adoption Board to the Chancellery
only.
109. In my view, the Baptism Registers can be considered a “structured set of personal data”, which
is structured according to (a) the parish in which the baptism took place (save for the Adopted
Persons Baptism Register); and (b) the date on which each baptism took place, or in the case of
the Adopted Persons Baptism Register, the date upon which notifications were received from
the Adoption Board.
Accessible According to Specific Criteria
110. I will now consider whether the Baptism Registers, as a structured set of personal data and
special category personal data, are accessible according to specific criteria. Baptism Registers
are kept in each parish of the Archdiocese and are structured by entries which include certain
fields of personal data. These entries are therefore ordered by place of baptism and in turn
included in that parish Baptism Register chronologically by the date upon which the baptism
took place (or the date a notification was received from the Adoption Board in the case of the
Adopted Persons Baptism Register).
Specific Criteria: place and date of baptism
111. The Archbishop has submitted that it is not possible to search the Baptism Registers using
specific criteria.61 In particular, the Archbishop has submitted that the criteria by which the
Baptism Registers are structured - date of baptism/date of receipt of notification “is entirely
random. It does not correspond to age or date of birth, and people can be, and are, baptised as
all manner of ages”.62
112. The Archbishop also submitted that the Baptism Registers are “not structured so as to be
accessible according to particular criteria, but rather contains entries in chronological order only.
The dates themselves do not correspond to any identifiable date relating to the person baptised,
i.e. entries are not listed by date of birth”.63
113. The Archbishop also submitted that the Baptism Registers do not conform with the
requirements as set out in C-25/17 Jehovan todistajat to be a filing system, not being structured
according to a specific criteria and not being easily retrievable.
61 Submissions dated 16 March 2020, page 13.
62 Submissions dated 16 March 2020, page 14.
63 Submissions dated 16 March 2020, page 16-17.
114. With respect to Jehovan todistajat, the Archbishop also submitted that the DPC had not
demonstrated how the criteria in question with respect to the Baptism Registers relates to
individuals and referred to the following passage from Jehovan todistajat:
“Thus, it appears that the personal data collected in the course of the door-to-door
preaching at issue in the main proceedings are structured according to criteria chosen in
accordance with the objective pursued by that collection which is to prepare for
subsequent visits and to keep lists of persons who no longer wish to be contacted. Thus,
as it is apparent from the order for reference, those criteria, among which are the name
and address of persons contacted, their beliefs or their wish not to receive further visits,
are chosen so that they enable data relating to specific persons to be easily retrieved”64.
115. The judgment in Jehovan todistajat set out that the specific criteria must be “related to
individuals“.65 Having regard to the facts in that case as to whether the notes taken by door-to-
door Jehovah’s Witness preachers constituted a filing system within the meaning of Directive
95/46/EC, the CJEU stated that:
“the specific criterion and the specific form in which the set of personal data collected by
each of the members who engage in preaching is actually structured is irrelevant, so long
as that set of data makes it possible for the data relating to a specific person who has
been contacted to be easily retrieved”.66
116. The CJEU in Jehovan todistajat concluded that data collected by individual members of the
Jehovah’sWitnesses Community, in the course of door-to-door preaching as a memory aid and
on the basis of geographical area to facilitate the organisation of subsequent visits, including
the name and address,were structured in such away that data relating to specific persons could
be easily retrieved and thus formed part of a filing system for the purposes of Directive
95/46/EC.
117. The Archbishop also referred to a judgment of the Supreme Court of Spain, Case STS
4646/2008,67 which related to whether baptism registers (referred to as ‘Baptism Books’ in the
translation) constituted a filing system. The Spanish Court stated that baptism registers in that
context were “a pure accumulation of information that would be difficult to search, access and
identify as they are not ordered alphabetically, nor by date of birth, but only by baptism dates,
with the Parish having to know where it took place, and with it not being accessible to third
parties other than the baptised individual […]”.68 The Archbishop also noted that the judgment
in Case STS 4646/2008 has been re-applied more recently in a lower court in Spain in
SAN4404/2018.69
64 C-25/17 Jehovan Todistajat, paragraph 60.
65 C-25/17 Jehovan Todistajat, paragraph 57.
66 C-25/17 Jehovan Todistajat, paragraph 61.
67 Translation provided by the Archbishop with 16 March 2020 Submission. No official translation available.
68 Translation provided by the Archbishop with 16 March 2020 Submission, page 17; No official translation available.
69 Translation provided by the Archbishop with 16 March 2020 Submission. No official translation available.
118. The Archbishop argued that the view of the Spanish Court in that case, that “a mere
chronological ordering – there by a baptism date – is insufficient to give rise to the presence of
a relevant filing system, resonates with the approach which has been taken in other Member
States in other contexts”.70
119. Firstly, I note that Baptism Registers are compiled and thus structured by two specific criteria,
namely, location of parish/place of baptism and date of baptism. Therefore, in circumstances
where the Baptism Registers form a dispersed set of data, and each parish maintains its own
Baptism Register, once an individual knows their place and date of baptism, they would be able
to locate their relevant personal data contained within the Baptism Register.
120. I disagree with the Archbishop on the point that a baptism date (a chronological ordering) is not
a sufficient criteria upon which a filing system may be structured. Indeed, the CJEU in Jehovan
todistajat stressed that “the specific criterion and the specific form in which the set of personal
data […] is actually structured is irrelevant, so long as that set of data makes it possible for the
data relating to a specific person who has been contacted to be easily retrieved”71 (emphasis
added). This would indicate that a criteria which structures a set of data in a chronological
fashion is as valid as any other structure.
121. Further, with respect to the Spanish cases of Case STS 4646/2008 and SAN4404/2018, I note
that these decisions are of persuasive value only and are not binding on the DPC. I respectfully
disagree with the Spanish Court’s finding that the data collected in the Baptism Books was a
“pure accumulation” of information. In my view, the personal data is collected with the clear
intention of future access and disclosure. The collection of the data serves a purpose other than
recording for recording’s sake, and it has a direct relationship to the data subjects referenced.
122. The Baptism Registers serve a particular purpose, mainly to ensure the proper administration
of sacraments by recording the sacrament of baptism and annotating further sacraments.
Therefore, the Baptism Register is more than merely an accumulation of data; the Baptism
Register is an essential record for the Church in the administration of sacraments, which is
accessed regularly by this specific criteria of location and date of baptism by the parishes
themselves for the purposes of the performance of its administrative function regarding the
sacraments. I am of the view that, even in circumstances where the Baptism Registers were only
ordered chronologically by baptism date, this provides a clear criteria by which they were
ordered and by which they can be searched.
123. I note also that the Archbishop has pointed in his submissions to ICO guidance from 2011
entitled “Frequently asked questions and answers about relevant filing systems”, in particular:
“Although the information in your files is held purely in chronological order, is your filing
system sufficiently well structured to allow you ready access to specific information about
a particular individual without extensive manual searching through the set of records?
70 Submissions dated 16 March 2020, page 17.
71 C-25/17 Jehovan todistajat, paragraph 61.
Yes – you have a relevant filing system. Where information is held in a set of manual
records which is sufficiently well structured to allow ready access to specific information
about particular individuals the set will form a relevant filing system for the purposes of
the DPA.
No – you do not have a relevant filing system. Given that you cannot readily [access]
specific information about particular individuals you should consider whether the set is
sufficiently well structured for your business purposes or whether it simply constitutes an
unstructured manual record archive. Consider whether it is sensible/useful to retain these
records in this form”.72
124. I note that this is guidance only and relies on the determinative factor of whether there is ready
access to the personal data, based on the position under the now repealed Directive 95/46. As
I have previously indicated, the GDPR is to be interpreted to take a wider view of filing systems,
not specifying that “easy access” is required, nor that the specific criteria must be “relating to
individuals”, as with the now repealed Directive 95/46.
125. In addition, and in consideration of the passages of the above ICO guidance referred to by the
Archbishop, it must be noted that Baptism Registers, are recorded and maintained in order to
fulfil a central role in the administration of certain sacraments in the Church. Indeed, by the
logic of the ICO, it seems that the Baptism Registers are “sufficiently well structured” for the
analogous “business purposes” of the Church, as they are used frequently for the administration
of the Church. They serve a clear purpose and use within the Church, which stems directly from
the ability of the parishes to be able to search, locate, annotate and alter personal data relating
to specific individuals, based on the parish of baptism and the date of baptism alone (and in the
case of the Adopted Persons Baptism Registers the date of notification alone).
126. The Archbishop has also indicated that he is aware of “informal” methods of indexing these
registers though he is unaware of the extent of this practice within the parishes of the
Archdiocese. In respect of the Archbishop’s own parish, St Mary’s Pro-Cathedral, a hardcopy
indexing system has been put in place. Based on the extract provided by the Archbishop, this
index appears to consist of an alphabetical list of individuals who have been baptised, within a
particular time frame (in this case, between 1915 and 1918). Each entry in the index is also
accompanied by a number indicating the location of the entry in the baptism registers. 73
127. There is no doubt that where specific criteria is used to structure a set of personal data through
an indexing system for ease of access to the personal data contained within the Baptism
Registers no argument can arise as to whether such specific criteria relates to an individual,
being indexed by the name of the individuals themselves.
72 Frequently asked questions and answers about relevant filing systems, https://ico.org.uk/media/for-
organisations/documents/1592/relevant_filing_systems_faqs.pdf
73 Submissions dated 15 October 2020, Schedule of Documents, page 233-235.
128. The Archbishop also referred to case C-73/07 Tietosuojavaltuutettu v Satakunnan
Markkinaporssi Oy74 before the CJEU. In particular, the Archbishop referred to Advocate
General Kokott’s Opinion75 and the reference in that Opinion to the fact that the published tax
data in this case, which related to the publication of tax data in certain newspapers in Finland,
constituted a filing system, being structured in alphabetical order. The Archbishop argued that
this stands in contrast to the Baptism Registers, which are not “not structured so as to be
accessible according to particular criteria, but rather contains entries in chronological order
only”.76 As I have previously stated, chronological ordermay be a sufficiently specific criteria by
which to structure a filing system, in particular where the criteria is the date and location of
baptism. Again, a filing systemwhichwas hypothetically ordered chronologically by date of birth
would clearly be considered to be structured by a specific criteria related to an individual. I am
of the view that the same logic applies to a set of data structured chronologically by date and
location of baptism.
129. In his submissions, the Archbishop also referred to the High Court case of Shatter v Data
Protection Commission77 stating that this case highlights an “apparent requirement for
“evidence” if a determination is to be made that a relevant filing system exists”. The DPC
respectfully notes that this case is fact specific which concerned an email “internal to An Garda
Síochána” shown, but not provided to Mr. Shatter. From my perspective, an assessment as to
whether a filing system within the meaning of the GDPR is in place consists of a factual
assessment as to whether the elements of a filing system as set out in Article 4(6) are present.
Such an assessment must be done on a case-by-case basis.
130. The Archbishop also referred to Dawson-Damer v Taylor Wessing, which applied Jehovan. The
Archbishop stated that the Dawson-Damer case “concerned only ‘35 paper files’… which stands
in contradistinction to the considerably greater number of records at issue here”.78 The
Archbishop also noted that the Court of Appeal stated that “the 35 files were completely
unstructured beyond their chronological compilation under the description ‘Yuills Trusts’ ". The
Archbishop indicated in his submissions that the above passages supports his view that “mere
chronological order – or, as with the baptism registers, the fact that entries are made
sequentially, namely in the next space following – is insufficient for a ‘filing system’ to arise”.79
131. I do not accept the view submitted by the Archbishop and consider that the structure of Baptism
Registers cannot be compared to the factual scenario set out in Dawson-Damer v Taylor
Wessing. A significant difference in fact pattern is that the 35 paper files in TaylorWessing were
arranged by reference to the “corporate client, the trustee”,80 not by reference to individuals
and contained all relevant material relating to the legal matters ongoing for the trustee.
74 Tietosuojavaltuutettu v Satakunnan Markkinaporssi Oy ECLI:EU:C:2008:727.
75 Opinion AG Kokott Case C-73/07 Tietosuojavaltuutettu v Satakunnan Markkinaporssi Oy ECLI:EU:C:2008:266.
76 Submissions dated 16 March 2020, page 16.
77 Shatter v Data Protection Commissioner [2017] IEHC 670.
78 Submissions dated 16 March 2020, page 19.
79 Submissions dated 16 March 2020, page 20.
80 Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352, paragraph 95.
132. By contrast, the Baptism Registers are firstly organised on a geographical basis, by parish. The
Baptism Register is divided into separate ledgers that contain all baptisms for a specific time
period for that parish. Each page of entries in the Baptism Register of a parish contains the year
of baptism for entries on that page. Each entry then is entered chronologically by date of
baptism and contains personal data for each individual, that individual’s Lawfully Married
Parents and the minister.
133. This is to be distinguished from the situation in Dawson-Damer v TaylorWessing, wherein it was
necessary to examine every page of every file to ascertain whether it contained personal data
of the relevant data subjects. The files were not structured by any criteria to the extent that
knowing any details relating to the data subjects would assist in locating the relevant personal
data, as the files were not structured by reference to the data subjects in any way. The Court of
Appeal noted that “[t]he only way that data could be retrieved was by physically examining the
files page by page. The criterion “Yuills Trusts” was so unspecific as to be of little or no assistance
in the retrieval of personal data relating to the individual beneficiaries”.81 The structure of the
filing system in that case did not enable access except with the use of manual search of the
entire set of data.
134. In the instance of the Baptism Registers, knowing the parish of baptism of the data subject and
the date of baptism of the data subject allows the personal data to be accessible, by narrowing
a search to the specific registers held in a particular parish, and to the one Baptism Register
book concerned with the relevant time frame. The search will be narrowed even further when
with a quick preliminary view of the Baptism Register, the pages dealing with the correct year
are located.
135. Pursuant to Article 4(6) GDPR, the criteria is “any” structured set of personal data, that being
“centralised, decentralised or dispersed on a functional or geographical basis.” Furthermore,
this criteria does not need to be “particularly sophisticated”,82 and the “specific criterion and
the specific form” of the data as to how it is structured is “irrelevant”83. I also note Advocate
GeneralMengozzi’s Opinion in Jehovan todistajat, where a broad approach was taken as to the
criteria that can be used to determine how a filing system is structured. Advocate General
Mengozzi found that members of the Jehovah Witness Community can, to an extent, also
become a “criterion”. He stated:
“To a certain extent, the member himself becomes a criterion structuring the data set in
so far as the religious community allocates areas geographically. The community knows,
therefore, that data relating to a particular person living in a specific neighbourhood may
have been collected by a particular member. Even if the religious community does not
indicate to itsmembers the nature of the data collected, the latter can be inferred de facto
from the objective pursued, that is to say, preparation for subsequent visits”.84
81 Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352, paragraph 97.
82 Opinion AG Mengozzi, Case C-25/17 Jehovan todistajat, ECLI:EU:C:2018:57, paragraph 57.
83 C-25/17, Jehovan todistajat, paragraph 61.
84 Opinion AG Mengozzi, Case C-25/17 Jehovan todistajat, paragraph 57.
136. I have already given my view that the specific criteria by which data may be structured into a
filing system is not required under the GDPR to closely relate to an individual. Furthermore, I
have difficulty accepting how, in this instance, the date of a person’s baptism, and/or the parish
of their baptism does not relate to the individual, even if those criteria do not provide a one to
one match.
137. The Archbishop stressed that the Baptism Registers “are not searchable by commonly available
information, such as a name, address, date of birth or such similar information that would
generally allow a data controller to retrieve personal data”.85 He submitted that the date of
baptism does not relate to the date of birth of the person or their address and are “entirely
random”. I do not see how the date of a person’s baptism, or the parish of their baptism is any
different functionally , than say the date of a person’s birth or the place of a person’s birth.
While most people will know the date and place of their birth, if they were unaware of this, it
would not discount it as a criteria relating to them for the purposes for any filing system inwhich
such criteria is used.
138. Similarly, the Archbishop contends that many people do not know the date of their baptism or
the place in which they are baptised.86 Again, I fail to see how this lack of knowledge on an
individual’s part would prohibit such criteria from being firstly related to them as an individual;
and secondly used to structure a set of data and make the personal data contained within that
set accessible. It stands to reason of course that if a particular individual does not have the
relevant information as to their own date of baptism or parish of baptism this would hinder the
search within a filing system, but would not discount an entire set of structured data from being
a filing system in itself.
Specific Criteria: Accessible
139. The Archbishop submitted that “the data in the baptism registers is not easily retrieved.
Information about a person’s baptism can only be retrieved from a baptism register through a
manual, line-by-line, page-by-page, search of likely dates as to when the baptism occurred. This
can be complicated by the fact that, in some cases, a person will not know the Parish of his or
her baptism”.87 Elsewhere he stated that in order to find an entry in the formal defection
register “ideally some idea of when the date of petition was submitted would be required, to
narrow the scope of the manual search”.88
140. The Archbishop submitted that there is no “central database” which details a person’s place of
baptism and it would be up to the person themselves to provide information on their place of
baptism. The Archbishop has also submitted that certain parishes have indexing systems in
place in addition to digital copies of the Baptism Registers and pastoral management systems
in place.
141. The Archbishop also noted that:
• “A person’s current address may not be sufficient in determining a Parish of baptism”;
85 Submissions dated 16 March 2020, pages 15, 16.
86 Submissions dated 16 March 2020, page 15.
87 Submissions dated 16 March 2020, page 15.
88 Submissions dated 15 October 2020, page 2.
• “date of birth does not give any indication of date of baptism. In the past, children
were generally baptised within a few days of birth. However, more recently, there can
be a period of six months or more between the date of birth and date of baptism,
making the identification of the date of baptism much more difficult”;
• “a search of baptism registers for a particular entry requires a trawl through large
books of handwritten records, sometimes resulting in the unsuccessful search of books
of the baptism registers in several parishes. In some cases, information in the baptism
register is irretrievable as it simply cannot be found”.89
142. The Archbishop submitted that, as a result, the Baptism Registers cannot meet the criteria of
being “easily retrieved”. He noted that the records are held in hard copy bound volumes and
“are not structured sets but simply list baptisms in the chronological order that they take place
in the Parish”. As such, they are not searchable by commonly available information, such as a
name or address, in contrast to the data referred to in Jehovan todistajat.90
143. The Archbishop also drew the attention of the DPC to Dawson-Damer v TaylorWessing in which
it was stated, in respect of the criteria of what constitutes a filing system:
“One needs to bear in mind, nevertheless, that a very general criterion may be less likely
to enable easy or ready access to the data. The Directive and the Act are clear in requiring
a causative link between the criterion and ease of access of the data”91.
144. I note the two Spanish Supreme Court judgments highlighted by the Archbishop which found
that the baptism registers would be difficult to search, access and identify as they are not
structured alphabetically or by date of birth but by baptism date, with the parish having to know
the church where the baptism took place, and not being accessible to third parties other than
the baptised individual.92
145. In addition, I note in Dawson-Damer v Taylor Wessing that the Court of Appeal stated the files
in question were “completely unstructured beyond their chronological compilation”.93 The
Archbishop finds this statement “supports and confirms the position that mere chronological
order” is insufficient for a filing system to arise.94 I note also that the Court of Appeal in Taylor
Wessing found that:
“the “ready access” required under the Directive and the Act must be enabled by the
criteria, that is to say by the structure of the files. If access to the relevant data requires
the use of trainees and skilled lawyers, turning the pages of the files and reviewing the
material identified, that is a clear indication that the structure itself does not enable ready
access to the data”.95
89 Submissions dated 16 March 2020, page 15.
90 Submissions dated 16 March 2020, pages 15, 16.
91 Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352, paragraph 96.
92 SAN4404/2018.
93 Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352, paragraph 99.
94 Submissions dated 16 March 2020, page 20.
95 Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352, paragraph 99.
146. As previously set out, the Baptism Registers are structured according to the place and date of
baptism. I have already distinguished Taylor Wessing from the facts of this Inquiry in that a
complete manual search of the files was required in that case as they were not structured by
any criteria relating to individuals. I do not accept that a limited amount of manual searching
means that personal data in a filing system is not accessible for the purposes of the GDPR. This
is especially so where it has been demonstrated that the filing system in question in this Inquiry,
the Baptism Registers, are relied upon to provide relevant information for the purposes of
issuing baptismal certificates or to annotate a further sacrament. On this basis, it must be the
case that the personal data contained within the Baptism Registers is accessible. Given the
frequency with which the parishes administer sacraments such as confirmation and marriage,
itmust also be the case that the personal data contained within the Baptism Register are readily
accessible.
147. The ICO guidance on filing systems formulates a rule of thumb “temp test” in order to assist
organisations in determining whether a relevant filing system is in place, focussing on the
accessibility or otherwise of files. The test was also mentioned in Taylor Wessing96 and was
noted by the Archbishop in his submissions. This temp test is set out by the ICO as follows:
“If you employed a temporary administrative assistant (a ‘temp’), would they be able to
extract specific information about an individual from your manual records without any
particular knowledge of your type of work or the documents you hold?
The ‘temp test’ assumes that the temp in question is reasonably competent, requiring only
a short induction, explanation and/or operating manual on the particular filing system in
question for them to be able to use it.”
148. It is noteworthy that this test is based on the legislative regime under the now repealed
Directive 95/46. In circumstances where a temporary administrative assistant was required to
locate a particular entry within the Baptism Register of a particular parish, would they be able
to do so? The answer to that question is yes. Based on the samples provided by the Archbishop,
Baptism Register tends to be marked with a range of years and the year of baptism is set out at
the top of each page. As such, the correct section of the Register would be located with relative
ease by a personwho has no experience with the type of documents the Church holds. Although
some limited manual searching would be required, it would not preclude the administrative
assistant from locating the correct entry. Searching the register would bemore straightforward
if an indexing or pastoral management system exists within the parish.
149. Of crucial importance of course, is the fact that itwas intended that the Baptism Registers would
enable the searching and consultation of particular entries. As the Archbishop submits, the
purpose for which the personal data in the baptism registers is processed, is that it is essential
for the administration of the Church.97
96 Taylor Wessing [2020] EWCA Civ 352, paragraph 79.
97 Submissions dated 15 October 2020, page 23.
150. The Archbishop has submitted that the personal data and special category personal data
contained in the Baptism Registers undergo a number of processing activities:
i. Collection and recording of data for the purposes of recording the baptism;
ii. Storage of the Baptism Register;
iii. Alteration of the Baptism Register on request of the baptised person or his/her parents
(where the baptised person is a minor), or annotation with details of a person’s
confirmation, marriage/annulment and ordination/laicisation (or adoption);
iv. Retrieval, consultation and use of the register, at the request of the baptised person
(or his/her parents) for the administration of other Sacraments, namely confirmation,
marriage and holy orders. The Baptism Register may also be consulted in the context
of annulments of marriages or laicisation of priests; and
v. Disclosure of extracts (baptismal certificates) from the register by transmission upon
request to individual, identified baptised persons, or authorised persons acting on their
behalf, or upon inspection by [the Archbishop] on the occasion of a Parish Visitation.98
151. Of particular relevance to a consideration of the accessibility of Baptism Registers as part of a
filing system or intended to form part of a filing system is point (iv) and (v) of this list as set out
above. Initially certificates can be issued to the person baptised or to the parents of the person
baptised, detailing the date and parish of baptism. Furthermore, there is a requirement to
subsequently annotate the baptism register if a person receives another sacrament
(confirmation, marriage or holy orders). According to the Archbishop, “very often, these
sacraments will be administered in other parishes”99 and must then be annotated in the parish
in which the baptism took place, necessitating a search for the correct entry in that parish
Baptism Register. As this is a regular administrative action carried out by the Church in the
furtherance of the administration of the sacraments, this demonstrates the accessibility of the
baptism registers as a filing system.
152. The Archbishop also gave a clear indication in his submissions of the scale upon which the
Baptism Registers are searched on a yearly basis. In 2018, the Archdiocese entered 13,234
baptisms into baptism registers, 16,929 confirmations into confirmation registers and 1,334
marriages into marriage registers. I note that each marriage and confirmation registered will
have been annotated into the relevant baptism registers also (though not necessarily baptism
registers located within the Archdiocese). In the instance of each confirmation and marriage as
listed above, the Baptism Register would have to have been accessed, searched with the
information retrieved and subsequently annotated to reflect this.
153. In effect, the Baptism Registers may require a limited level of manual searching, once the
correct parish is identified. A certain amount ofmanual searching cannot exempt personal data
from the scope of the GDPR, simply because the manual searching tends to make retrieval of
the personal data slower or more cumbersome.
98 Submissions dated 6 September 2021, pages 2-3.
99 Submissions dated 16 March 2020, page 27.
154. Even if a page-by-page search were required, this would be limited to the years of the baptisms
in question, which are clearly marked at the top of each page in the Baptism Register.100 The
year in question is identified with relative ease and, depending on the number of baptisms
which have taken place in a given parish, it is likely that no more than 10 to 20 pages at a
maximum on average would need to be manually searched before the correct entry is
identified.
155. It is clear that the Baptism Registers were intended to operate to facilitate the searching of
entries manually in this manner. It is also clear that the Baptism Registers are sufficiently
structured according to the criteria of the parish in question and the date of baptism to allow
the Archdiocese function at a sufficient level to uphold a “key tenet” of the Catholic Church101
and to allow the proper recording of the sacramental status of an individual and the checking
of that status where necessary. Indeed, the Archbishop submitted in this regard that the
Baptism Register is “essential for the administration of the affairs of the Catholic Church”.102
156. I also have regard to the fact that the GDPR allows for a wider interpretation of a filing system
than was previously the case with the equivalent definition under Directive 95/46. This more
expansive interpretation serves to protect the fundamental rights and freedoms of natural
persons.
157. On that basis, I do not support the Archbishop’s argument that the personal data in the Baptism
Registers is not easily accessible. I find that the specific criteria of date and parish of baptism
(along with the name of the individual) would provide ready access to the personal data in
question, in circumstances where this filing system, (and in some instances with the assistance
of electronic searching), is used on a regular basis by all the parishes in the Archdiocese.
158. While I acknowledge that the Archbishop has submitted that manual searching must take place
to locate entries after a certain point, I am firmly of the view that ready access to personal data
is possible, particularly when regular reliance is placed on this system including accessing this
personal data by the parishes of the Archdiocese when the need arises.
Centralised, Decentralised or Dispersed on a Functional or Geographic basis.
159. Baptism Registers in the Archdiocese are structured, for the most part, on a geographical basis,
being decentralised and dispersed among the parishes of the Archdiocese. Each parish records
in its respective registers the baptisms that took place there, in accordance with the date of
baptism. There are two exceptions to this.
100 Submissions dated 15 October 2020, Schedule of Documents, pages 212.
101 Submissions dated 16 March 2020, page 44.
102 Submissions dated 16 March 2020, page 50.
160. The first exception is that the Chancellery holds the Clonliffe College Registers which should, as
outlined by the Archbishop, in fact ”be held in the parish of North William Street Parish, which
is the proper place of preservation”. The Archbishop submitted that Clonliffe College was in the
territory of NorthWilliam Street Parish and Clonliffe College itself as a seminary had no right to
confer sacraments of initiation (baptism and confirmation) or to maintain registers to record
those sacraments. The Archbishop submitted that the Clonliffe College Registerswere recorded
“for the sake of ensuring that, in the event that NorthWilliam Street Parish omitted to record a
notification of a conferral of the sacrament which had occurred in Clonliffe College, a record
would remain in the place where the sacrament was conferred.” The Archbishop also submitted
that this “is not an unusual practice in parishes where chaplaincies are located away from the
parish church”.103
161. While not held in the parish church or offices, I am of the view that the Clonliffe College
Registers are held within the bounds of the North William Street Parish itself and as such are
part of the filing system of Baptism Registers in the Archdiocese which is decentralised and
dispersed through the parishes of the Archdiocese.
162. The second exception is the Adopted Persons Baptism Register. This register is held in the
Chancellery on a centralised basis104 and consists of entries relating to baptisms which took
place in various parishes in the Archdiocese between 1982 and 2011. The Adopted Persons
Baptism Registers is ordered by when the Chancellery was notified by the Adoption Board of
the details of an adopted child and the details of their baptism. The original entry in the parish
of baptism then ceased (meaning the original baptismal entry is annotated and that no baptism
certificate may issue from the parish of baptism).
163. In my view the Adopted Persons Baptism Registers also forms part of the filing system of the
Baptism Registers within the Archdiocese. In circumstances where a person’s baptism entry
needs to be annotated or a baptismal certificate needs to be issued, the criteria of parish of
baptism and date of baptism still apply (unless an individual is already aware that they must
contact the Chancellery). As stated in the “Adopted Persons’ Baptismal Register Cessation of
Parish Entry” form provided by the Archbishop with the 16 March 2020 Submission, the parish
is required to annotate the following beside the relevant baptism entry ”Refer all requests for
certificates/notifications to the Chancellery”.
Issue 3 for Determination: Whether any of the exemptions to the scope of the GDPR as set
out in Article 2(2) applies to the processing of the Baptism Registers
164. I must now consider whether, in circumstances where it is my view that that the personal data
and the special category personal data contained in the Baptism Registers, not being processed
by automated means, and forming part of a filing system, are exempt from the GDPR under
Article 2(2) of the GDPR.
165. Article 2(2) of the GDPR outlines certain types of processing of personal data to which the GDPR
does not apply, in particular processing:
a) in the course of an activity which falls outside the scope of Union law;
103 Submissions dated 23 July 2021, page 3.
104 Submissions dated 15 October 2020, page 3.
b) by the Member States when carrying out activities which fall within the scope of
Chapter 2 of Title V of the TEU;
c) by a natural person in the course of a purely personal or household activity;
d) by competent authorities for the purposes of the prevention, investigation, detection
or prosecution of criminal offences or the execution of criminal penalties, including
the safeguarding against and the prevention of threats to public security.
166. I will now address each of these categories in turn.
167. The exemption contained in Article 2(2)(a) applies in circumstances where the processing in
question relates to activities which fall outside the scope of Union law. Although activitieswhich
fall outside the scope of Union law are not defined in the GDPR and are not set out in an
exhaustive form in Union law, Articles 2 to 6 of the TFEU set out the exclusive and shared
competences of the European Union with respect to Member States.
168. While churches and religious associations are not specifically stated as being part of the
exclusive or shared competencies of the Union in Articles 2 to 6 of the TFEU, Article 17(1) of the
TFEU states that “The Union respects and does not prejudice the status under national law of
churches and religious associations or communities in the Member States”. Article 17(2) of the
TFEU also states that “Recognising their identity and their specific contribution, the Union shall
maintain an open, transparent and regular dialogue with these churches and organisations”.
169. As such, it is clearly envisaged under Union law that churches and religious organisations would
interact with Union law in some capacity. Further, the Charter of Fundamental Rights (the
‘Charter’) does encompass the Union’s protection of fundamental rights of European Union
citizens relating to religion, in particular under Article 10 (freedom of thought, conscience and
religion) and Article 12 of the Charter.
170. I note that in the case C-25/17 Jehovan todistajat,105 the ECJ accepted that “the door-to-door
preaching practised by members of a religious community, such as the Jehovah’s Witnesses
Community, is not one of the activities excluded from the scope of Directive 95/46, by virtue of
the first indent of Article 3(2) thereof.”106 The exclusions set out in Article 2 of the GDPR mirror
those originally set out in the previous data protection directive.
171. Therefore, I am of the view that the exemption under Article 2(2)(a) of the GDPR does not apply
to the processing of personal data and special category personal data held in the Baptism
Registers of the Archdiocese, not being processing relating to an activity which falls outside the
scope of Union law.
105 C-25/17 Jehovan todistajat ECLI:EU:C:2018:551.
106 Ibid, at paragraph 19
172. The exemption contained in Article 2(2)(b) applies in circumstances where the processing in
question relates to activities which fall within the scope of Chapter 2 of Title V of the TEU.
Chapter 2 of Title V of the TEU sets out the EU’s Common Foreign and Security Policy. It is clear
that the processing in the context of this Inquiry, being the processing of personal data and
special category personal data held in the Baptism Registers of the Archdioceses, does not relate
to the EU’s Common Foreign and Security Policy. As such, the exemption under Article 2(2)(b)
of the GDPR does not apply to this processing.
173. The exemption contained in Article 2(2)(c) of the GDPR applies in circumstances where the
processing in question is by a natural person in the course of a purely personal or household
activity.
174. The processing of personal data and special category personal data contained in Baptism
Registers is processed in certain circumstances by the Church as an organisation and in an
official capacity, for the purposes of its administration by keeping records of sacraments
undertaken.
175. Therefore, I am satisfied that the exemption contained in Article 2(2)(c) of the GDPR does not
apply in circumstances where the processing of the personal data and special category personal
data contained in the Baptism Registers is not undertaken by a natural person in the course of
a purely personal or household activity.
176. The exemption contained in Article 2(2)(d) of the GDPR applies to processing by competent
authorities for the purposes of the prevention, investigation, detection or prosecution of
criminal offences or the execution of criminal penalties, including the safeguarding against and
the prevention of threats to public security. Processing of personal data and special category
personal data contained within the Baptism Registers of the Archdiocese is not undertaken by
a competent authority for any processing activities for the purposes of the prevention,
investigation, detection or prosecution of criminal offences or the execution of criminal
penalties, including the safeguarding against and the prevention of threats to public security.
As such, the exemption contained in Article 2(2)(d) of the GDPR does not apply to this
processing.
Findings
177. I find that:
a) The personal data and special category personal data recorded in Baptism Registers
and which is subsequently processed by way of digital indexes, is processing wholly or
partly by automated means for the purposes of the GDPR. However, the hardcopy
Baptism Register is the sole official record of importance for the purposes for which
the personal data and special category personal data is processed in the first instance.
I find that the personal data and special category personal data which is contained in
the hardcopy Baptism Register is not processedwholly or partly by automatedmeans;
b) The hardcopy Baptism Registers form part of a filing system or are intended to form
part of a filing system, having regard to the definition of filing system under Article
4(6) of the GDPR;
c) No exemptions as set out in Article 2(2) of the GDPR apply to the processing of the
personal data and the special category personal data contained in the Baptism
Registers.
178. As such, the GDPR applies to the personal data and special category personal data contained in
the Baptism Registers.
b) CONTROLLERSHIP
Issue for determination: whether the Archbishop or the parish priest alone and / or jointly
with others determines the purposes and means of the processing of the personal data and
special category personal data contained in the Baptism Registers, which are now the subject
of this Inquiry
Introduction
179. The DPC expressed a preliminary view at the commencement of this Inquiry that, in
circumstanceswhere the personal data contained in the church records falls within thematerial
scope of the GDPR, the Archbishop was the (sole) controller in respect of the personal data
contained in these records (now the scope focusses on the Baptism Registers only).
Subsequently, the DPC confirmed to the Archbishop that it was considering the proposition that
both the Archbishop and the parish priest, having recourse to inter-alia Canon Law, may
determine to different extents the purposes and means of processing in relation to the Church
Registers (now the Baptism Registers only), leading to a position of joint controllership.
180. It is acknowledged that the Archbishop disagrees with this position, and has made a number of
submissions during the course of the Inquiry refuting sole or joint controllership of the Baptism
Registers and emphasising both the role of the parish priests and the Chancellor in this regard.
181. To contextualise the question of controllership vis-à-vis processing, this Inquiry is concerned
only with Baptism Registers held within the Archdiocese of Dublin to include those held in the
parishes and the Chancellery, the Adopted Persons Baptism Register and the Clonliffe College
Registers. The overall processing activities each of these Registers concern the recording,
storage, retention, alteration and special annotation of the personal data contained within
these Baptism Registers.107 However, this Inquiry is only concerned with data processing as it
relates to the rectification and erasure of personal data contained within these Registers.
182. As set out above, the issue for determination is whether the Archbishop or the parish priest
alone and/or jointly with others determines the purposes and means of processing personal
data. There are 197 parishes within the Archdiocese of Dublin entrusted to the pastoral care of
the Archbishop.108 It is impracticable for the DPC to make separate inquiries of all parish priests
of all 197 parishes within the Dublin Diocese; this is particularly so in circumstances where the
Archbishop of Dublin administers to and is responsible for his own Archdiocese. Therefore, the
DPC engaged solely with the Archbishop of Dublin. The analysis contained in this Inquiry on the
question of sole or joint controllership of personal data is therefore based on the DPC’s
engagement with the Archbishop of Dublin.
183. As the engagement by the DPC was solely with the Archbishop of Dublin, the DPC has exercised
its discretion to inquire primarily into the role of the Archbishop of Dublin and to determine
whether the Archbishop of Dublin either solely or jointly determines the purposes and means
of processing the personal data and special category contained within the Baptism Registers
which are the subject of this Inquiry.
107 Submissions dated 6 September 2021, page 2.
108 Submissions dated 1 February 2023, [1], citing Canon 381 §1 and Canon 515 §1.
184. As the subsequent analysis will demonstrate, my view is that the Archbishop of Dublin, jointly
with the parish priest, determines the purposes and means of processing activities for the
purposes of collection and recording of the personal data contained within the Parish Baptism
Registers held within the Archdiocese of Dublin.
185. I am of the view that the Archbishop of Dublin solely determines the purposes and means of all
other processing activities on personal data contained within the Parish Baptism Registers
within the Archdiocese of Dublin that are the subject of this Inquiry.
186. In submissions dated 1 February 2023, the Archbishop disputed the findings in the two
paragraphs above109 and made a global submission that “the draft Decision’s conclusions and
findings in respect of controllership are legally in error, with the exception of the proposed
findings in relation to the controllership of the Adopted Persons Baptism Register. In regard to
the other proposed findings, the Archbishop respectfully points to the submissions as made
above, and the submissions made on his behalf during the currency of the investigation to
date.”110
187. In preparing this final Decision, I have carefully considered the Archbishop’s submissions,
including the global submission about the issue of controllership. I have included edits to the
text of the Draft Decision to address specific points raised in paragraphs 1 to 19 of the
submissions of 1 February 2023. However, the submissions of 1 February 2023, in combination
with the other submissions received in the course of the investigation do not convince me to
change the conclusions reached in the Draft Decision regarding controllership. I have therefore
retained those findings in this Decision, but have addressed the submissions on the specific
points raised by the Archbishop on 1 February 2023 in the relevant sections of this Decision.
188. I am also of the view that the Archbishop of Dublin is the sole controller of the personal data
contained within the Clonliffe College Registers and the Adopted Persons Baptism Register for
all processing activities.
Canon Law
189. The Roman Catholic Church in Ireland is divided into dioceses and parishes, but from a civil law
perspective, civil legal obligations attach to the office holders in each diocese and parish, being
the diocesan bishop and parish priest respectively. In respect of the Archdiocese, the
Archbishop is the relevant office holder111 and is the diocesan bishop of the Archdiocese.
190. In accordancewith canon 515 §1 a diocesan bishop is conferredwith authority over the parishes
in the diocese. Canon 515 §2 further states that it is for the diocesan bishop only to erect,
suppress or alter parishes. Under Canon Law, the diocesan bishop is conferred with the
authority to appoint parish priests, in accordance with canon 519 and canon 523. The diocesan
bishop also has the power to determine the suitability of individuals for the office of pastor
(parish priest) in accordance with canon 521 §3.
109 See paragraphs 2 and 3
110 Submissions of 1 February 2023, page 6.
111 Submissions dated 16 March 2020, page 3.
191. Canon Law confers powers on a diocesan bishop within his diocese consistent with the
fulfilment of his office.112 Some relevant provisions are set out hereunder:
• Canon 381 §1: “A diocesan bishop in the diocese entrusted to him has all ordinary,
proper, and immediate power which is required for the exercise of his pastoral function
except for cases which the law or a decree of the Supreme Pontiff reserves to the
supreme authority or to another ecclesiastical authority”;
• Canon 391 §1: “It is for the diocesan bishop to govern the particular church entrusted
to him with legislative, executive, and judicial power according to the norm of law”;
• Canon 391 §2: “The bishop exercises legislative power himself. He exercises executive
power either personally or through vicars general or episcopal vicars according to the
norm of law. He exercises judicial power either personally or through the judicial vicar
and judges according to the norm of law”;
• Canon 392 §1: “Since he must protect the unity of the universal Church, a bishop is
bound to promote the common discipline of the whole Church and therefore to urge
the observance of all ecclesiastical laws”;
• Canon 392 §2: “He is to exercise vigilance so that abuses do not creep into
ecclesiastical discipline, especially regarding the ministry of the word, the celebration
of the sacraments and sacramentals, the worship of God and the veneration of the
saints, and the administration of goods“;
• Canon 393: “The diocesan bishop represents his diocese in all its juridic affairs”;
• Canon 473 §1: “A diocesan bishop must take care that all the affairs which belong to
the administration of thewhole diocese are duly coordinated and are ordered to attain
more suitably the good of the portion of the people of God entrusted to him”;
• Canon 491 §1: “A diocesan bishop is to take care that the acts and documents of the
archives of cathedral, collegiate, parochial, and other churches in his territory are also
diligently preserved and that inventories or catalogs are made in duplicate, one of
which is to be preserved in the archive of the church and the other in the diocesan
archive”;
• Canon 491 §2: “A diocesan bishop is also to take care that there is an historical archive
in the diocese and that documents having historical value are diligently protected and
systematically ordered in it”;
• Canon 491 §3 “In order to inspect or remove the acts and documentsmentioned in §§1
and 2, the norms established by the diocesan bishop are to be observed”.
192. Local normsmay be prescribed by the Archbishop and the Irish Episcopal Conference of Bishops.
112 Submissions of 1 February 2023, [4].
193. In addition, the diocesan bishop enjoys a power of inspection of baptism registers pursuant to
canon 535 §4. This permits the Archbishop to inspect the Baptism Registers held in parishes
during the course of a “visitation” to the parishes of the Archdiocese. The purpose of this
inspection is to ensure that the registers are maintained by the parish priest as he is obligated
to do in his parish, in accordance with Canon Law. In practice, the Archbishop states that this
would involve looking at the last entry in the registers and checking the register was up to
date113. Upon completion of a parish visitation, the Archbishop will complete a report that is
given to the parish priest. This may offer recommendations for certain improvements within
the parish if required.114
194. Canon 1276 §1 also places a responsibility on the Archbishop to “exercise careful vigilance over
the administration of all goods which belong to the public juridic persons subject to him, without
prejudice to legitimate titles which attribute more significant rights to him”. Canon 1287 §1 also
requires that clerical and lay administrators of any ecclesiastical goods whatever (which have
not been legitimately exempted from the power of governance of the diocesan bishop) are
“bound by their office to present an annual report to the local ordinary”.
195. The Archbishop also provides support services to parish priests in the Archdiocese via his
diocesan offices, “including, but not limited to, areas such as education, finance and
communications, property, chancellery, human resources, investment portfolio management
and advice, pastoral relationship management, accounting services and regulatory compliance
and reporting services.” To facilitate this sharing of resources, each Pastor has signed a Data
Processing Agreement in 2016 and an updated Agreement in 2019. These agreements state that
the Archbishop acts as a processor for the parish priest acting as controller.115 These are
considered further at a later point in this Decision.
196. The Archbishop is assisted in his functions by the diocesan curia, as set out in canon 469, which
states that the diocesan curia consists of those institutions and persons which “assist the bishop
in the governance of the whole diocese, especially in guiding pastoral action, in caring for the
administration of the diocese, and in exercising judicial power”. The curia consists of the chief
officials of the Archdiocese. Canon Law allows the Archbishop, as the diocesan bishop of the
Archdiocese, to appoint those who will exercise the offices in the diocesan curia, further to
canon 470.
113 Submissions dated 16 March 2020, page 7.
114 Submissions dated 15 October 2020, page 12.
115 Submissions dated 16 March 2020, page 5.
197. Within every diocesan curia, a diocesan bishop must appoint a chancellor.116 Canon 471 §1
requires that all those admitted to the offices of the curia, which includes the chancellor, must
“promise to fulfil their function faithfully according to the manner determined by the law or by
the bishop”. The diocesan bishopmay also “freely remove” the chancellor from office according
to canon 485117. The principal task of a chancellor as defined in canon 482 §1 is “to see to it that
the acts of the curia are gathered, arranged and safeguarded in the archive of the curia”. The
Chancellery, the office of the Chancellor, also offers advice on certain matters, including Canon
Law, to the Archbishop, the priests of the Archdiocese and the Diocesan Agencies, in order to
ensure good canonical practice.
198. The Chancellery also issues guidance on Canon Law matters for parish priests of the
Archdiocese, which is contained in the ‘Directives and Guidelines for Sacramental and Pastoral
Practice’ (the Guidelines). The Guidelines contain general advice concerning, among other
things, the management of baptism records in accordance with Canon Law. The Guidelines
provide detailed instructions on a number of topics including applying to be baptised, on how
to record baptism details in specific situations, issuing baptismal certificates, access to
baptismal registers, and alterations to the baptism register. In respect of alterations to a
baptism register, the Guidelines state that “[t]he express permission of the Chancellery is
required before any alteration or emendation may be made in any entry in any such parochial
register”.118 The Guidelines also set out that “the primary purpose of registration is to record
the fact of Baptism and to establish the identity of the one who received the sacrament”.119
199. The moderator and financial administrator, other members of the Diocesan Offices, also
provide guidance to parish priests of the Archdiocese via the Administrative Regulations and
Guidelines for Parishes (October 2017) (the “Administrative Regulations”) relating to, among
other things, parish property, finances, data protection, archiving, parish registers and record
management. For instance, with regard to parish registers the Administrative Regulations
provide that “Catholic Parish church records are private records and the public do not have an
automatic right of access to them. The Parish Priest is custodian of the registers but the
Archbishop dictates policy with regard to access”.120
116 Canon 482§1: “In every curia a chancellor is to be appointed whose principal function, unless particular law establishes
otherwise, is to take care that acts of the curia are gathered, arranged, and safeguarded in the archive of the curia. See
also canon 470: “The appointment of those who exercise offices in the diocesan curia pertains to the diocesan bishop”.
117 Canon 485: “The chancellor and other notaries can be freely removed from office by the diocesan bishop, but not by a
diocesan administrator except with the consent of the college of consultors”.
118 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, section 4.5 (page 23 of the PDF submission). See section 1.12 which states that
“[a]ny alteration to the Baptismal Register must be authorised though the Chancellery” (page 12 of the PDF submission).
119 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, section 1.5 (page 10 of the PDF submission).
120 Submissions dated 15 October 2020, Schedule of Documents, Administrative Regulations, October 2017, section E1
(page 32 of the Regulations and/or page 167 of the PDF submission).
200. In respect of property, the Administrative Regulations states that “[a]ll property of parishes and
agencies of the diocese must be vested in the St. Laurence O’Toole Diocesan Trust”. The St
Laurence O’Toole Diocesan Trust is a company limited by guarantee which acts as a trustee “for
property and instruments of every kind owned by or used in connection with the Roman Catholic
Church in the Diocese of Dublin or held or to be held in trust for any charitable purpose
whatsoever…”.121
201. The Guidelines and the Administrative Regulations are not formally published or promulgated
by the Archbishop as norms, and as such do not have the force of Canon Law. Where a parish
priest deviates from the Guidelines or Administrative Regulations, further action will be taken
only where the deviation relates to a particular canon in Canon Law or to a particular provision
of civil law. In circumstances where the deviation is amatter of civil law, the finance secretariat
or human resources department of the Diocesan Officesmay intervene. In circumstances where
the deviation relates to sacramental or canonical practice, the Chancellery may intervene.122
The Role and Position of the Parish Priest vis-à-vis the Archbishop under Canon Law
202. Each diocese is made up of parishes, and each parish “has a relationship with the Diocese in
canon law”.123 A parish is described under canon 515 §1, as “a certain community of Christian
faithful stably constituted in a particular church, whose pastoral care is entrusted to a pastor
(parochus) as its proper pastor (pastor) under the authority of the diocesan bishop”.124
203. The diocesan bishop is conferredwith the power to bring a parish into being, according to canon
515 §2.125 Once he has heard the advice of the Presbyteral Council, the Bishop can proceed to
establish a parish.126 In the establishing of a parish, it automatically gains juridic personality,
which means that it is, under Canon Law, a legal person subject to rights and obligations.127
204. In accordancewith canon 519 the pastoral care of the parish is entrusted to the pastor, or parish
priest, by the diocesan bishop. Canon 519 states that “The pastor (parochus) is the proper pastor
(pastor) of the parish entrusted to him, exercising the pastoral care of the community committed
to him under the authority of the diocesan bishop in whose ministry of Christ he has been called
to share, so that for that same community he carries out the functions of teaching, sanctifying,
and governing, also with the cooperation of other presbyters or deacons and with the assistance
of lay members of the Christian faithful, according to the norm of law”128.
121 Memorandum of Association of St. Laurence O’ Toole Diocesan Trust, page 1.
122 Submissions dated 15 October 2020, pages 15-16.
123 Submissions dated 16 March 2020, page 3.
124 This version of the Code of Canon Law is as stated on https://www.vatican.va/archive/cod-iuris-
canonici/eng/documents/cic_lib2-cann460-572_en.html#Art._1 (accessed 20 February 2023). The Submissions of 1
February 2023 appear to use a different source with a variation in the text, which matches that on
http://www.intratext.com/IXT/ENG0017/_P1T.HTM (accessed 20 February 2023).
125 Canon 515 §2 states: “It is only for the diocesan bishop alone to erect, suppress or alter Parishes. He is neither to erect,
suppress nor alter notably parishes, unless he has heard the presbyteral council.”
126 Canon 127.
127 Canon 515 §3.
128 See also canon 521 §3, 522 and 523.
205. The parish priest has all the ordinary power which comes from his office as exercised under the
authority of the Archbishop pursuant to canon 131 §1 and canon 515 §1.129 In the Guidelines at
section 4.3 it is stated that “Parish Priests and Moderators are the legal representatives of the
parish”, however, they do “need the Archbishop’s permission if they wish to initiate or contest
legal proceedings on behalf of the parish”130 and they are answerable to their ecclesiastical
superior. In the submissions of 1 February 2023, the Archbishop clarified that: “… the property
of the Parish belongs to the Parish. The powers of the Parish Priest are not gained by virtue of
or through the person who made the Parish Priest’s appointment.”131
206. Canon 273 provides that “[c]lerics are bound by a special obligation to show reverence and
obedience to the Supreme Pontiff and to their own ordinary”. A bishop cannot command
anything from a parish priest forbidden by law; nor can he prohibit what the Code of Canon Law
clearly permits.
207. Among the duties attached to the office of pastor (parish priest), canon 535 §1 prescribes the
duty to maintain parochial registers. Canon 535 §1 provides that “[e]ach Parish is to have
parochial registers, that is, those of baptisms, marriages, deaths, and others as prescribed by
the conference of bishops or the diocesan bishop. The pastor is to see to it that these registers
are accurately inscribed and carefully preserved”.
208. The Archbishop stated in his submissions that:
“ The Parish Priest is responsible for all applications and activities concerning the baptismal
register, such as:
• the creation of the original, handwritten, record of baptism;
• the responsible disposal of the baptismal application form, completed by the
parent(s)/guardian(s), once the baptism has taken place and has been written up in
the register;
• the issuing of baptismal certificates;
• the annotation of the baptismal record with details of a person’s confirmation,
marriage/annulment and ordination/laicisation;
• the maintenance of security and confidentiality of baptismal registers;
• the making of decisions as to who may access the baptismal register”.132
209. Further, the parish priest is tasked with ensuring that baptism registers do not fall into
unauthorised hands and that they, along with other parochial registers, are stored or archived
correctly within the parish.133
129 This sentence reflects the text suggested in the submission of 1 February 2023.
130 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, section 4.3 (page 23 of the PDF submission).
131 Submissions of 1 February 2023 at page 2.
132 Submissions dated 16 March 2020, page 5.
133 Canon 535 §4.
210. On issuing a baptismal certificate, the parish priest must make sure that all documents
emanating from the registers are sealed with the parish seal and bear his signature, or the
signature of his delegate.134
211. When an individual requests the alteration of a baptism record (for instance where the
individual has changed their name), the parish priest must either request authorisation from
the Chancellery to make the change or the parish priest directs the individual to contact the
Chancellery directly. The parish priest cannot make any changes to an entry in the baptism
register without contacting the Chancellery (aside from making notations of other sacraments
received). This is evident from the Guidelines, drafted by the Chancellery, which states that
“[t]he express permission of the Chancellery is required before any alteration or emendation
may be made in any entry in any such parochial register”.135
212. Once the request for authorisation is raised by a parish priest, an investigation is carried out by
the Chancellery. The Chancellor will relay the findings of the investigation in written form to the
parish priest who then makes an annotation of the change in the baptism register. The original
data (even where it is an error) remains in place in the baptism register.136
The Chancellery
213. The involvement of the Chancellery in the processing activities of annotation and alteration is
relevant. The Chancellor deals with Canon Law matters in the Archdiocese.137
214. The Chancellery is an office of the Archdiocese which assists the Chancellor in the discharge of
his functions within the diocesan curia of the Archdiocese. The Archbishop may freely appoint
the heads of the various curial offices and may introduce any improvements that may be
necessary in the curia, and to correct anything that does not conform to canonical discipline.138
The Chancellor’s role in Canon Law is set out in canon 482 §1 ”to take care that acts of the curia
are gathered, arranged and safeguarded in the archive of the curia”. In the Archdiocese, the
Chancellor, along with his office, the Chancellery, is tasked by the Archbishop with dealing with
issues of Canon Law and archiving which arise in the Archdiocese on behalf of the Archbishop.
134 Canon 535 §3; see also submissions dated 16 March 2020, page 31.
135 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, section 4.5 (page 23 of the PDF submission).
136 Submissions dated 16 March 2020, page 6.
137 See also https://dublindiocese.ie/archdiocese-overview/diocesan-offices/.
138See passage number 176 of the Directory for the Pastoral Ministry of Bishops (2004)
https://www.vatican.va/roman_curia/congregations/cbishops/documents/rc_con_cbishops_doc_20040222_apostolorum-
successores_en.html
215. While the Archbishop in his submissions has maintained that the Chancellery acts
independently as an advice-giving body, it is clear from Canon Law that the Chancellor is
appointed directly by the Archbishop as part of the diocesan curia.139 The Chancellor may also
be removed at any time by the Archbishop.140 The clear primacy of the Archbishop here is
further emphasised by canon 469, which states that the diocesan curia consists of those
institutions and persons, which “assist the bishop in the governance of the whole diocese,
especially in guiding pastoral action, in caring for the administration of the diocese, and in
exercising judicial power”. Canon 471 §1 requires that all those admitted to the offices of the
curia must “promise to fulfil their function faithfully according to the manner determined by the
law or by the bishop”.
216. I note that the Chancellery, a Diocesan office, which forms part of the diocesan curia, to “assist
the bishop in the governance of the whole diocese”141 issues guidance on Canon lawmatters for
parish priests, which is contained in the Guidelines. According to the Archbishop, these
Guidelines contain general advice concerning the management of baptism records in
accordance with Canon Law only and that the “Archbishop does not impose these requirements
on the Parish”142. In my view, the guidance provides detailed instructions on a number of topics
including on retention of Baptism Registers, on issuing baptismal certificates, on access to
Baptism Registers, and on alterations to Baptism Registers. It also sets out that “the primary
purpose of registration is to record the fact of Baptism and to establish the identity of the one
who received the sacrament”.143
217. It is evident that the role of the Chancellery under Canon law is that of assistance to the
Archbishop in his governance of the Archdiocese, in particular with respect to Canon law
matters. Further, the principal duty of the Chancellor is stated [in the Report] as “his principal
duty is to attend to canon law matter on behalf of the Archdiocese”.144
218. The Archbishop states in his submissions that the Chancellery is an office which provides only
advice to the parish priest, the Archbishop and diocesan agencies, and has no power to impose
the Canon Law on those parties.145 The Archbishop has asserted that in offering canonical advice
to a parish priest “the Chancellery is acting on behalf of the Parish Priest, and not as mentioned
above, for and on behalf of the Archbishop when and if giving any guidance or direction on data
protection issues to Parish Priests within the Archdiocese of Dublin”.146
139 Canon 482.
140 Canon 485.
141 Canon 469.
142 Submissions dated 16 March 2020, page 11.
143 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, section 1.5 (page 10 of the PDF submission).
144 Report by Commission of Investigation into Catholic Archdiocese of Dublin commissioned by the Minister for Justice and
Equality (published 29 November 2009), Appendix 3, page 24; https://www.justice.ie/en/JELR/Pages/PB09000504
https://www.justice.ie/en/JELR/DACOI%20Appendices.pdf/Files/DACOI%20Appendices.pdf
145 Submissions dated 16 March 2020, page 6; Submissions dated 15 October 2020, pages 15-16.
146 Submissions dated 15 October 2020, page 14.
219. However, I respectfully reject the notion that the Chancellery acts only on behalf of the party
asking advice (such as the parish priest) at any given time, only providing advice and not
imposing the Archbishop’s interpretation of the Canon Law (or indeed the civil law).
220. On the contrary, the Chancellor is appointed by the Archbishop to assist in the governance of
the Archdiocese. The Chancellormust “promise to fulfil their function faithfully according to the
manner determined by the law or by the bishop”.147 The Chancellormay be “freely” removed by
the Archbishop.148 The Archbishop has confirmed that should a disagreement arise between the
Chancellor and the Archbishop, it would be resolved as follows:
“If the wish of the Archbishop were unlawful, the Chancellery would brief him accordingly.
If the Archbishop refused in the light of this advice to alter his position, the Chancellery,
at that point, would not act against his wishes. Rather, it would inform the Archbishop
that in light of the issue in question, that he or the Chancellery should refer the matter for
decision to a higher authority, namely the Holy See”.149
221. Further, the Archbishop has noted in his submissions that he disseminates guidance to the
Archdiocese “through the Chancellery”150 to assist with the interpretation of Canon Law. I do
not accept that in this instance the Chancellery is providing advice only, but I take the view that
the Chancellery is disseminating the decisions taken by the Archbishop.
222. As such, the Archbishop has not demonstrated to my satisfaction the way in which the
Chancellor acts independently and how he is not under the authority of the Archbishop, who
governs the Archdiocese unequivocally with respect to the Canon Law by legislative, executive
and judicial power, according to the norm of law.151 Therefore, for the purposes of this Decision,
I have taken the view that, on balance, the Chancellery acts for and on behalf of the Archbishop
as part of the diocesan curia, in all its interactions with parish priests of the Archdiocese. The
Chancellery’s guidance and advice to parish priests is an extension of the function of the
Archbishop himself.
Relevant Provisions
223. Article 4(7) of the GDPR defines a ‘controller’ as:
“the natural or legal person, public authority, agency or other body which, alone or jointly
with others, determines the purposes and means of the processing of personal data;
where the purposes and means of such processing are determined by Union or Member
State law, the controller or the specific criteria for its nomination may be provided for by
Union or Member State law”.
147 Canon 471 §1.
148 Canon 485.
149 Submissions dated 23 July 2021, page 2.
150 Submissions dated 16 March 2020, page 11
151 Canon 391 §1.
224. Article 26(1) of the GDPR provides that:
“[w]here two ormore controllers jointly determine the purposes andmeans of processing,
they shall be joint controllers. They shall in a transparent manner determine their
respective responsibilities for compliance with the obligations under this Regulation, in
particular as regards the exercising of the rights of the data subject and their respective
duties to provide the information referred to in Articles 13 and 14, by means of an
arrangement between them unless, and in so far as, the respective responsibilities of the
controllers are determined by Union or Member State law to which the controllers are
subject”.
225. Article 5(2) of the GDPR requires that controllers “be responsible for, and be able to
demonstrate compliance” with the principles of relating to the processing of personal data as
set out in Article 5(1) of the GDPR.
Relevant Case Law and Guidance
226. Inmaking his submissions regarding controllership, the Archbishop referred to three judgments
of the CJEU, case C-210/16Wirtschaftsakademie,152 case C-25/17 Jehovan todistajat153 and case
C-40/17 Fashion ID,154 which have previously provided guidance on the meaning of a controller,
and joint controllership. All three cases concerned the notion of a controller and joint controller
under Directive 95/46/EC, however, the judgments still offer useful guidance as to the
interpretation of a controller and joint controller under the GDPR. This case law has interpreted
the concept of a controller broadly, with reference to case C-131/12 Google Spain and
Google.155
227. In C-25/17 Jehovan todistajat, the CJEU stated that “a natural or legal person who exerts
influence over the processing of personal data, for his own purposes, and who participates, as a
result, in the determination of the purposes and means of that processing, may be regarded as
a controller within the meaning of Article 2(d) of Directive 95/46”156. Further, the CJEU also
stated that “neither the wording of Article 2(d) of Directive 95/46 nor any other provision of that
directive supports a finding that the determination of the purpose andmeans of processingmust
be carried out by the use of written guidelines or instructions from the controller”.157
228. In C-210/16 Wirtschaftsakademie, the CJEU found that in respect of joint controllers, the
“existence of joint responsibility does not necessarily imply equal responsibility of the various
operators involved in the processing of personal data. On the contrary, those operators may be
involved at different stages of that processing of personal data and to different degrees, so that
the level of responsibility of each of them must be assessed with regard to all the relevant
circumstances of the particular case”.158
152 C-210/16 Wirtschaftsakademie Schleswig-Holstein EU:C:2018:388.
153 C-25/17 Jehovan todistajat ECLI:EU:C:2018:551.
154 C-40/17 Fashion ID ECLI:EU:C:2019:629.
155 C-131/12 Google Spain and Google, EU:C:2014:317, paragraph 34.
156 C-25/17 Jehovan todistajat, paragraph 68.
157 C-25/17 Jehovan todistajat, paragraph 67.
158 C-210/16 Wirtschaftsakademie, paragraph 43.
229. In C-25/17 Jehovan todistajat, the CJEU stated that the concept of a controller may “concern
several actors taking part” in processing of personal data who “may be involved at different
stages of that processing of personal data and to different degrees”.159 In all three judgments,
the CJEU stated that joint responsibility does not require the parties to have access to the
personal data concerned under Directive 95/46/EC.160
230. In C-40/17 Fashion ID, the CJEU stated that a party would be a controller “jointly with others
only in respect of operations involving the processing of personal data for which it determines
jointly the purposes and means”.161
231. The DPC also had regard, when conducting the Inquiry, to the EDPB’s Guidelines 07/2020 on the
concepts of controller and processor in the GDPR (‘the EDPB Guidelines 07/2020’)162, which are
referenced throughout this analysis.
Archbishop’s Submissions
232. In his submissions as to the Archbishop’s role as a controller of the Baptism Registers, the
Archbishop stated his position is that “the data controller in respect of baptism registers is the
Parish Priest”. The Archbishop emphasised that he “is not entitled to remove the registers from
the Parish, he is not entitled to alter entries in the registers and he has no power to compel a
Parish Priest to alter a register”.163
233. The Archbishop submitted that a parish, though created by a Bishop, takes on a wholly separate
juridic statuswhen created. The parish priest as appointed by the bishop and then acts on behalf
of the parish:
“The Pastor governs with the ordinary power granted to him by virtue of his office (canon
131§1). As such, the Parish Priest makes his own decisions, but such decisions are made
in a spirit of the Bishop’s concerns and policies. As the one who governs the juridic person
of the Parish (canon 1279§1), the pastor (Parish Priest) alone represents the Parish in all
juridical matters (canon 532)”.164
234. Any obligations placed on the parish priest to keep records of sacraments administered are
“imposed on Parishes and Parish Priests as a matter of canon law. They are not imposed on the
Parish Priest by ArchbishopMartin”.165 Further, the Archbishop submitted “[l]egal ownership of
the property rights in these registers belongs to the Parish. It is not available to the Archbishop,
either in civil law or in Church law, to enter a Parish and remove a register, or to enter a Parish
and alter or erase a record even if he were minded to do so”.166
159 C-25/17 Jehovan Todistajat, paragraph 66.
160 C-210/16 Wirtschaftsakademie, paragraph 38; C-25/17 Jehovan Todistajat, paragraph 69;and C-40/17 Fashion ID,
paragraph 69.
161 C-40/17 Fashion ID, paragraph 74.
162 EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 2.0, Adopted on 07 July 2021.
163 Submissions dated 16 March 2020, page 2.
164 Submissions dated 16 March 2020, page 4.
165 Submissions dated 16 March 2020, page 4.
166 Submissions dated 16 March 2020, page 4.
235. The Archbishop has stated that insofar as baptism records are concerned, the Archbishop “plays
only a very limited role”. For example, “if a request for a baptism certificate is received by the
Archbishop, it will be sent, by the Chancellery, to the relevant Parish Priest, so that the request
can be directly fulfilled by him. Archbishop Martin does not play any other role in responding to
the request”.167
236. The Archbishop submitted that the Chancellery is a Diocesan Office, which deals mainly with
Canon Law matters. The Archbishop submitted that the Chancellery “serves as a resource to
give advice on canonical issues to the Archbishop, his staff, Parish Priests and Diocesan agencies.
Where the Chancellery advises on a matter of canon law, it is not defining canon law and
imposing it on the Parish Priest, but rather providing assistance to the Parish Priest in the
interpretation of canon law, and guidance on its operation”.168
237. With regard to data protection requests, the Archbishop stated that the Chancellery “evaluates
queries, in accordance with canon law, and with the advice of civil lawyers, on how to
proceed”.169 This advice is then relayed to the recipient (which may be by the Archbishop, a
parish priest, or a diocesan agency). The Archbishop stated that the actions thereafter fall under
the jurisdiction of the recipient on how they will proceed.
238. The Archbishop stressed that the Chancellery “only offers advice”. It in no way compels the
recipient to follow the advice, much akin to a person seeking legal advice from a solicitor”.170 In
response to queries regarding the Chancellery and the use of the word “authorise” with respect
to requests for alterations to the Baptism Registers171, the Archbishop stated that the
Chancellery “does not “authorise” an amendment in the sense of the giving official permission
by someone in a position of authority. A better termmight perhaps be “advise””. The Archbishop
also emphasised that “in confirming that the request is a legitimate one, the Chancellery is
confirming whether the individual has a right to have their baptismal record amended. It is then
a matter for the relevant Parish Priest to give effect to this right and lawful amendment, where
it arises”.172
239. The Archbishop stated that “most, if not all, of the queries received by the Chancellery originate
in the Parish” and as such it is the parish priest who makes contact with the Chancellery, and
the advice is relayed to him for further action. The Archbishop stated that, in offering canonical
advice to parish priests on any issue, “the Chancellery is acting on behalf of the Parish Priest,
and not, as mentioned above, for and on behalf of the Archbishop when and if giving any
guidance or direction on data protection issues to Parish Priests within the Archdiocese of
Dublin”.173
167 Submissions dated 16 March 2020, page 6.
168 Submissions dated 16 March 2020, page 6.
169 Submissions dated 15 October 2020, page 14.
170 Submissions dated 15 October 2020, page 14.
171 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, section 1.12 states “Any alteration to the Baptismal register must be authorised
through the Chancellery” (page 12 of the PDF submission).
172 Submissions dated 23 July 2021, page 1.
173 Submissions dated 15 October 2020, page 14.
240. The Archbishop stated that where a parish priest raises such a matter with the Chancellery, an
investigation of thematter is carried out by canon lawyers, and the staff of the Chancellery. The
Archbishop also stated that “this investigation is carried out by the Chancellery on behalf of the
Parish Priest, because he is the custodian of the records”.174 The Chancellor will then relay the
findings of the investigation “in written form to the Parish Priest, and as data controller, he
makes an annotation of the change in the appropriate column of the register”.175
241. As previously outlined in this Decision the Archbishop submitted that, should a disagreement
arise between the Archbishop and the Chancellery, “[i]f the wish of the Archbishop were
unlawful, the Chancellery would brief him accordingly. If the Archbishop refused in the light of
this advice to alter his position, the Chancellery, at that point, would not act against his wishes.
Rather, it would inform the Archbishop that in light of the issue in question, that he or the
Chancellery should refer the matter for decision to a higher authority, namely the Holy See”.176
242. The Archbishop points out that he did not create the requirement to maintain the Baptism
Registers, this is imposed directly on the parish priest by virtue of Canon Law.177 However, the
Archbishop submitted that he does enjoy a power of inspection of the Baptism Registers when
he makes a visitation to a parish, pursuant to canon 535 §4, to “ensure that the registers are
being maintained by the Parish Priest as he is obligated to do in his Parish in accordance with
canon law”178. The Archbishop submitted that this inspection is “superficial” and “[i]n practice,
thismeant that the Archbishop would look at the last entry in the registers and check the register
was up to date, in a very general sense”. The Archbishop further submitted that “in the context
of the functional analysis that governs the concept of the data controller, the inspection power
cannot be regarded as significant”.179
243. With respect to the relationship between the Archbishop and the parish priest, the Archbishop
submitted that:
“while a priest’s ministry is dependent upon that of his bishop, and every priest promises
respect and obedience to his bishop at ordination, it is a common mistake to think of a
Parish Priest as a kind of “branch manager” or “tenant farmer” of a bishop… A bishop is
free to establish policies for all Parishes in his diocese provided that they do not conflict
with universal canon law or divine law. However, within the boundaries established by
canon law, divine law and civil law, it is the Parish Priest’s job to lead the parish and to
determine how best to govern the community with which he has been entrusted”.180
174 Submissions dated 16 March 2020, page 6.
175 Submissions dated 16 March 2020, page 6.
176 Submissions dated 23 July 2021, page 2.
177 Submissions dated 16 March 2020, page 11.
178 Submissions dated 16 March 2020, page 7.
179 Submissions dated 16 March 2020, page 7.
180 Submissions dated 15 October 2020, page 16.
244. In this regard, the Archbishop also noted that a bishop does have “the authority to oblige any
priest or member of the faithful to do, or not do, a particular thing he may determine to be
detrimental to the wider community. He can do this through a “precept”, a kind of canonical
injunction directed at a specific person or situation”.181 The Archbishop further submitted that
pursuant to canon 49:
Precepts are decrees “by which an obligation is directly and lawfully imposed on a specific
person or persons to do or to omit something, especially in order to urge the observance
of a law”. They are rarely used.”182
245. Further, the Archbishop noted that although bishops have the authority to appoint parish
priests within their diocese,
“[a] bishop is not free, however, to remove or transfer a Parish Priest from his office
without following a detailed and non-negotiable process defined by canon law […] In
short,while no priest has a right to an assignment or toministry, once a priest is appointed
a Parish Priest, he cannot be removed from his office or from his ministry, without serious
cause and without observation of the canon law’s procedural requirements”.183
246. The Archbishop also submitted that upon completion of a visitation the Archbishop is to prepare
a report that is to be given to a parish priest. With respect to this report, the Archbishop
submitted that:
“It is in this report that any shortcomings of the Parish Priest in his duty to maintain and
preserve the parish registers would be highlighted by the Bishop, and recommendations
offered on how he can better fulfil this duty. Any recommendations made are likely to be
taken seriously by the Parish Priest and brought to Parish Council/Parish Finance
Committee for discussion, but there is no power on the part of the Archbishop to compel
compliance with specific recommendations”.184
247. The Archbishop further submitted that, with respect to the two executed agreements relating
to the microfilming project of church registers in the Archdiocese in the 1980s and 1990s:
“[i]t is apparent in these agreements that co-ownership in relation to the records
concerned was asserted by the Archbishop. A careful review of correspondence relating
to these agreements indicates that no analysis was undertaken at the time of their
execution as to the assertion of ownership on the part of the Archbishop in common with
the Parish Priest concerned. Questions relating to ownership and control of records have
necessarily been considered in depth for the purpose of this inquiry and in the context of
the requests made by the DPC. We are satisfied that these agreements were mistaken in
asserting co-ownership on the part of the Archbishop”.185
181 Submissions dated 15 October 2020, page 19.
182 Submissions dated 1 February 2023, page 3.
183 Submissions dated 15 October 2020, page 17.
184 Submissions dated 15 October 2020, page 12.
185 Submissions dated 15 October 2020, page 21.
248. Further, the Archbishop submitted that in applying the law to the facts that “[t]he position of
the Archbishop is that the Parish Priest is the data controller in respect of baptism records” and
that:
“[t]he Parish Priest is the one responsible for the collection of the data in the first instance,
it he who arranges the sacrament of baptism and he who manages the making of the
record in the register. The data in the baptism register exists because the Parish Priest has
permitted the baptism to take place in his Parish.Where a baptism certificate is issued, it
is the Parish Priest that consults the register and issues the certificate. The Parish Priest
has ongoing access to the registers and it is he that bears the responsibility of ensuring
their security and confidentiality. It is the Parish Priest who controls access to the register
for individuals, and he who decides whether someone has a valid reason for seeking
access to the register, in compliance with the principles of canon law. Legal ownership of
the property rights in these registers belongs to the Parish”.186
249. With respect to the above cases, the Archbishop submitted that:
“the most succinct statement of the law may be found in Fashion ID, which defined the
controller as a person “who exerts influence over the processing of personal data, for his
own purposes, and who participates, as a result, in the determination of the purposes and
means of that processing.” There can be no doubt that the Parish Priest exerts influence
in the processing of personal data. An analogy can be drawn with the website operators
in Wirtschaftsakademie and Fashion ID. In those cases the operators merely facilitated
the collection of personal data by Facebook. Here, the Parish Priest not only collects the
data, but remains responsible for the processing stage. He furthermore remains in
possession of the data on a continuous and indefinite basis, and controls access to that
data by all outside parties, including the person to whom the record relates. There can be
no doubt that the Parish Priest, therefore, is a data controller”.187
186 Submissions dated 16 March 2020, page 10.
187 Submissions dated 16 March 2020, page 11.
250. In respect of questions relating to joint controllership, the Archbishop submitted that the
situation of the Archbishop could be distinguished from the above mentioned cases as follows:
“The Archbishop does not create the requirement to maintain baptism registers, nor did
he initiate it. The processing arises as a requirement of canon law, imposed directly on the
Parish Priest. Similarly, the fact of a power of investigation on the part of the Archbishop
does not mean that he initiated or caused the processing to happen. Second, insofar as
the vast majority of entries on the baptism register are concerned, the Archbishop will
never have any control or interaction with them at any point. While the Archbishop
(through the Chancellery) disseminates guidance, this is to assist in the interpretation of
canon law. The Archbishop does not impose these requirements on the Parish. The only
point at which the Chancellery has any influence over a particular entry on the register is
where an amendment is sought to be made, in the circumstances set out above. In such a
case, the Chancellery will advise the Parish Priest as to the results of its investigation as
to the application of canon law to the particular amendment sought. The investigation is
carried out on behalf of the Parish Priest. The Archbishop submits that this minimal role
does not constitute “decisive influence” in the sense contemplated by the CJEU”.188
251. The Archbishop further stated that:
“the role of Archbishop Martin can be distinguished from that of the website
administrators in Wirtschaftsakademie and Fashion ID insofar as the Chancellery only
ever interacts directly with a tiny number of entries on the register, whereas the website
operators caused all data collected via the cookies in question to be gathered.
Furthermore, the role of ArchbishopMartin can be distinguished from the situation of the
religious community in Jehovan todistajat, because there, the data was collected by the
members and then sent (at least in part) to the central church community, organised and
stored by it. This never occurs in the case of the Chancellery, which accesses data only in
the limited circumstances set out above. Similarly, the theoretical power of inspection
does not involve the Archbishop gathering in the data, storing or organising it”.189
Legal Analysis
252. Havingmade the determination in this Decision that Baptism Registers comewithin thematerial
scope of the GDPR, the DPC now considers the following issue:
whether the Archbishop or the parish priest alone and / or jointly with others determines
the purposes and means of the processing of the personal data and special category
personal data contained in the Baptism Registers which are now the subject of this
Inquiry.
188 Submissions dated 16 March 2020, page 11.
189 Submissions dated 16 March 2020, pages 11-12.
Legal Analysis: Canon Law
253. As a preliminary point, it is noted that Canon Law is the internal law of the Roman Catholic
Church and is the principal framework by which the Roman Catholic Church is governed. Canon
Law was revised in 1983 and is the current applicable Code. 190 In addition, provisions relating
to Baptism Registers are contained within Canon Law, which also identifies the respective roles
of the Archbishop and the parish priest regarding these registers.
254. Canon Law is not determinative of the position of controllership under data protection law.
However, Canon Law is clearly a relevant consideration; it assists in understanding, within the
Archdiocese itself, the role and influence the parties have on the governance of parish affairs
and on the decision-making power regarding Baptism Registers.
255. At the outset, I accept the position that Canon Law, from a civil law perspective,must be viewed
as a species of foreign law in accordance with O’Callaghan v O’Sullivan – “[t]he Canon law of
the Roman Catholic Church is foreign law, which must be proved as a fact and by the testimony
of expert witnesses according to the well-settled rules as to proof of foreign law”.191 It ismy view
that, pursuant to the decision in O’Callaghan v O’Sullivan, Canon Law in Ireland is a foreign law
that does not exempt people resident in the State from compliance with the obligations
imposed by the Constitution of Ireland, European Union law and the laws enacted
thereunder.192
256. The Archbishop is considered the representative at law for the Archdiocese of Dublin, which is
not a distinct legal person in its own right, though both dioceses and parishes have distinct
juridical personality under Canon Law.193 The Archbishop is autonomous in the Archdiocese and
is accountable directly to the Holy See.194 The Archbishop has control over the day-to-day
management of the Archdiocese, as long as he remains compliant with Canon Law.195 The
Archbishop governs the Archdiocese of Dublin with the ordinary power which comes from his
office as exercised under the authority of the Pope pursuant to canon 381.196 In accordance with
canon 391 §1, it is for the Archbishop to govern the Archdiocese with “legislative, executive,
and judicial power according to the norm of law”.
257. The EDPB Guidelines 07/2020 state there is “no limitation as to the type of entity which may
assume the role of controller. It might be an organisation, but it might also be an individual or a
group of individuals”.197 As such, the DPC has turned to the Archbishop rather than the
Archdiocese to assess his role as controller (either joint or sole) in the context of this Inquiry.
190 The version of the Code of Canon Law referred to by the DPC is the Canon Law Society of America’s translation, available
on the Vatican website at https://www.vatican.va/archive/cod‐iuris‐canonici/cic_index_en.html
191 O’Callaghan v O’Sullivan [1925] 1 IR 90 at 113.
192 This sentence is based on the submission of 1 February 2023 at paragraph 8.
193 Canons 373, 515 §3.
194 Report by Commission of Investigation into Catholic Archdiocese of Dublin (29 November 2009) at paragraph 3.16
195 Ibid at 3.17.
196 As submitted by the Archbishop in the Submissions of 1 February 2023, at paragraph 9.
197 EDPB Guidelines 07/2020, paragraph 17.
258. I accept that the Archbishop does not solely, or with the conference of bishops, impose the
requirements to record the Baptism Registers on the parish priests of the Archdiocese, or
impose the requirement to record certain personal data in the Baptism Registers as set out in
canon 877 §1. These are requirements, which are imposed by Canon Law. However, Canon Law
does impose a duty on diocesan bishops to govern their dioceses and to represent their diocese
in all juridic affairs. A diocesan bishop is empowered under Canon Law to use his legislative and
executive power to govern his diocese.198 As such, the Archbishop may direct the manner in
which Canon Law is applied by the parishes of the diocese via the issuing of local laws or
directions, whichmay take a number of forms.199 Canon 391 §2 notes that “the bishop exercises
judicial power either personally or through the judicial vicar and judges according to the norm
of [Canon] law.”
259. The Diocesan Curia, via the Chancellery, assists the diocesan bishop in governing by
implementing the directions and norms set down by the Archbishop. For instance, the
Chancellery is the office that authorises or gives permission to parish priests tomake alterations
to Parish Baptism Registers in some instances.
260. As such, Canon Law does not direct the exact purposes for, and means by which, many of its
requirements are to be fulfilled. This is instead determined by the diocesan bishop, at his
discretion, as this discretion is conferred on him under Canon Law.
Legal Analysis: Identifying a Controller: Preliminary Points
261. As a preliminary point, the key test for identifying whether a person, natural or legal, is a
controller is set out in Article 4(7) of the GDPR. A person shall be a controller if they alone or
jointly with others “determines the purposes and means of the processing of personal data”.
Article 26(1) of the GDPR similarly states that in the instance where “two or more controllers
jointly determine the purposes and means of processing, they shall be joint controllers”.
262. I have had regard to the EDPB Guidelines 07/2020 in consideration of this issue. In particular, I
note that the EDPB Guidelines clarify that an assessment of controllership, or indeed joint
controllership, is a factual assessment.200 This is because the concept of a controller is a
functional concept, which aims to “allocate responsibilities according to the actual roles of the
parties”.201
263. I note the view of the EDPB where it states “the concepts of controller and processor are also
autonomous concepts in the sense that, although external legal sources can help identifyingwho
is a controller, it should be interpreted mainly according to EU data protection law”.202
198 Canon 375 defines bishops as, inter alia, “ministers of governance”
199 Canons 391 §1, 391 §2, 392 §1, 392 §2, 393, 369, 375 §1.
200 Opinion of Advocate General Mengozzi, paragraph 68 in Case C-25/17 Jehovan todistajat, ECLI:EU:C:2018:57 –
“excessive formalism would make it easy to circumvent the provisions of Directive 95/46 and that, consequently it is
necessary to rely upon a more factual than formal analysis in order to assess whether the religious community plays an
effective role in determining the objectives and practical means of processing”
201 EDPB Guidelines 07/2020, paragraph 12.
202 EDPB Guidelines 07/2020, paragraph 13.
264. The EDPB Guidelines 07/2020 state that in order to identify the controller in respect of certain
personal data:
“One should look at the specific processing operations in question and understand who
determines them by first considering the following questions: "why is this processing
taking place?” and “who decided that the processing should take place for a particular
purpose?”203
265. This involves analysis of the person or persons who ultimately determines the purposes of
processing.
266. The EDPB Guidelines 07/2020 also note that with respect to the means of processing, a
controllermust determine the essential rather than the non-essentialmeans of processing. The
EDPB notes that essential means are:
“closely linked to the purpose and the scope of the processing, “Essential means” are
means that are closely linked to the purpose and the scope of the processing, such as the
type of personal data which are processed (“which data shall be processed?”), the
duration of the processing (“for how long shall they be processed?”), the categories of
recipients (“who shall have access to them?”) and the categories of data subjects (“whose
personal data are being processed?”)”.204
267. The EDPB Guidelines 07/2020 also confirm that a controller must decide on both the purposes
and the means of processing.205
Legal Analysis: Joint Controller: Preliminary Points
268. The DPC has also considered whether a joint controllership exists over the personal data
contained within the relevant Baptism Registers. Joint controllers are defined under Article
26(1) of the GDPR as two or more controllers, which “jointly determine the purposes and the
means of processing”. To identify a joint controller relationship, the DPC considers the EDPB
Guidelines 07/2020 and the case law of CJEU.
269. The EDPB Guidelines state “[j]oint controllership exists when entities involved in the same
processing carry out the processing for jointly defined purposes. This will be the case if the
entities involved process the data for the same, or common, purposes”.206
203 EDPB Guidelines 07/2020, paragraph 20.
204 EDPB Guidelines 07/2020, paragraph 40.
205 EDPB Guidelines 07/2020, paragraphs 35, 36.
206 EDPB Guidelines 07/2020, paragraph 59.
270. The EDPB Guidelines further state:
“Joint participation in the determination of purposes and means implies that more than
one entity have a decisive influence over whether and how the processing takes place. In
practice, joint participation can take several different forms. For example, joint
participation can take the form of a common decision taken by two or more entities or
result from converging decisions by two or more entities regarding the purposes and
essential means”.207
271. The EDPB sets out that a common decision in this context means “deciding together and
involves a common intention in accordance with the most common understanding of the term
“jointly” referred to in Article 26 of the GDPR”.208
272. Converging decisions are defined by the EDPB as follows:
“Decisions can be considered as converging on purposes and means if they complement
each other and are necessary for the processing to take place in such manner that they
have a tangible impact on the determination of the purposes and means of the
processing”.209
273. The EDPB also notes that an important criterion in identifying a converging decision between
joint controllers is “whether the processing would not be possible without both parties’
participation in the purposes and means in the sense that the processing by each party is
inseparable, i.e. inextricably linked”.210
274. Recent CJEU case law has interpreted the concept of a joint controller broadly. As confirmed by
the CJEU in C-210/16 Wirtschaftsakademie, joint responsibility does not require the parties to
have access to the personal data concerned.211 In Wirtschaftsakademie, it was also noted by
the CJEU that:
“existence of joint responsibility does not necessarily imply equal responsibility of the
various operators involved in the processing of personal data. On the contrary, those
operators may be involved at different stages of that processing of personal data and to
different degrees, so that the level of responsibility of each of them must be assessed with
regard to all the relevant circumstances of the particular case”.212
275. This was also affirmed by the CJEU in C-25/17 Jehovan todistajat.213
207 EDPB Guidelines 07/2020, paragraph 54.
208 EDPB Guidelines 07/2020, paragraph 55.
209 EDPB Guidelines 07/2020, paragraph 55.
210 EDPB Guidelines 07/2020, paragraph 55.
211 C-210/16 Wirtschaftsakademie, paragraph 38.
212 C-210/16 Wirtschaftsakademie, paragraph 43.
213 C-25/17 Jehovan Todistajat, paragraph 66.
276. The CJEU also noted in its judgment for case C-40/17 Fashion ID that “it appears that a natural
or legal person may be a controller, within the meaning of Article 2(d) of Directive 95/46 jointly
with others only in respect of operations involving the processing of personal data for which it
determines jointly the purposes and means”.214
Legal Analysis: Data Processing Agreements
277. As a further preliminary matter, I have considered the two template data processing
agreements which the Archbishop provided during the course of the Inquiry, the 2016 data
processing agreement (‘the 2016 DPA’) and the 2019 data processing agreement (‘the 2019
DPA’) (together the ‘DPAs’). These DPAs were agreed between the parish priest for each parish
and the Archbishop.
278. In respect of the DPAs, I have had regard to the EDPB Guidelines 07/2020, which states in
particular that:
“the legal status of an actor as either a “controller” or a “processor” must in principle be
determined by its actual activities in a specific situation, rather than upon the formal
designation of an actor as being either a “controller” or “processor” (e.g. in a contract).
This means that the allocation of the roles usually should stem from an analysis of the
factual elements or circumstances of the case and as such is not negotiable”.215
279. I have reviewed the DPAs and am of the view that the DPAs are not determinative in indicating
the roles that the Archbishop and the parish priests play in respect of the processing of the
personal data and special category personal data contained in the Baptism Registers for the
purposes of data protection law.
280. First, the 2016 DPA designates the Archbishop as the processor and the parish priests, as listed
in the Schedule, as controller. This is similarly set out in the 2019 DPA. I note that the 2016 DPA
refers to the duties of inspection and oversight (canons 535 and 1276) placed on the Archbishop
in recitals A and B. Recital B notes that “In ease of enabling the Archbishop of Dublin to comply
with the requirements of the Code of Canon Law, in particular but not limited to Can. 535 and
Can. 1276, the Parties desire to enter into this Agreement.”
281. In general, recitals of an agreement tend not to contain operative provisions, but assist in the
interpretation of the operative provisions. Typically, recitals do not override the operative
provisions of an agreement. The 2016 DPA makes clear that the recitals form part of the
agreement within the definition of “Agreement”.
214 C-40/17 Fashion ID, paragraph 74.
215 EDPB Guidelines 07/20, paragraph 12.
282. Recital D of the 2016 DPA states:
“The Archbishop of Dublin, acting as Data Processor, provides a range of management
and support services to each Data Controller, including but not limited to, shared services
support in areas such as education, finance and communications, property, chancellery,
human resources, investment portfolio management and advice, pastoral relationship
management, accounting services and regulatory compliance and reporting services (the
“Purpose”).”
283. Clause 3 of the 2016 DPA sets out the obligations of the Data Processor (the Archbishop) under
the agreement. Clause 3.2.1 requires that the Data Processor will “only deal with and process
the Relevant Personal Data for the Purpose of, and subject to, the instructions received from the
Data Controller and in compliance with this Agreement”.
284. The “Relevant Personal Data” is defined in Clause 1.1 of the 2016 DPA as “Personal Data
controlled by the Parish Priest in relation to a Parish including, but not limited to Personal Data
relating to, the parishioners of a Parish”.
285. It is not clear to the DPC what involvement the Archbishop’s duties of oversight and inspection
have regarding his purported role as a processor under this agreement. Neither of these duties
are encompassed under the defined “Purpose” of the 2016 DPA and are referred to only in the
recitals as opposed to the operative provisions. In any event, I am not convinced that a duty of
oversight and inspection conferred on the Archbishop independently by Canon Law could, in
practice, be executed by the Archbishop acting as a processor, on the instruction of the parish
priest. 216 In such circumstances, the Archbishop could not properly fulfil such oversight without
using his own discretion.
286. On that basis, it is my view that the 2016 DPA does not adequately demonstrate that, with
respect to the processing of personal data and special category personal data in the Baptism
Registers, the Archbishop acts as a processor regarding his duties of inspection and governance.
Indeed, the “Purpose” in the 2016 DPA is confined to matters, which do not touch on these
functions. The 2016 DPA limits the Archbishop’s role as a processor to the “Purpose” and limits
the Archbishop’s obligation under this agreement to take instruction from the parish priest as
a controller in respect of the “Purpose” only.
287. Second, the 2019 DPA is also an agreement between the parish priest and the Archbishop
purportedly in the roles of controller and processor respectively. The 2019 DPA seeks to comply
with changes introduced by the GDPR. The Archbishop’s roles of oversight, governance and
inspection are referred to in the recitals only, similarly to the 2016 DPA, and are not brought
into the operative provisions of the agreement.
216 In paragraph 11 of the 1 February 2023 Submissions, the Archbishop clarified in relation to this paragraph that the
Parish Priest is also bound by obligations and duties under Canon Law.
288. Recital D of the 2019 DPA refers to the “Services” as being:
“A range of management and support services to each Controller, including but not
limited to, shared services support in areas such as education, finance and
communications, property, chancellery, human resources, investment portfolio
management and advice, pastoral relationship management, accounting services and
regulatory compliance and reporting services (the “Services”)”
289. Recital E of the 2019 DPA states:
“The Data Controller may provide the Processor (and the Processor Personnel) with
Relevant Personal Data and the Processor (and the Processor Personnel) may process
Relevant Personal Data on behalf of the Controller for the purpose of providing the
Services.”
290. Clause 3 of the 2019 DPA sets out the details of the processing activities:
“[t]he subject-matter and duration of the processing carried out by the Processor on
behalf of the Controller together with the nature and purpose of the processing, the type
of personal data and categories of data subjects are described in Schedule 2, which forms
an integral part of this Agreement”.
291. Clause 4 of the 2019 DPA specifies, as required by Article 28(3)(a) of the GDPR, that “the
Processor shall only Process the Relevant Personal Data on the written instructions of the
Controller”, unless required by law to do otherwise. Relevant Personal Data is defined in Clause
1.1 of the 2019 DPA as “Personal Data controlled by the Parish Priest in relation to a Parish
including, but not limited to Personal Data relating to, the parishioners of a Parish, as set out in
Schedule 2”.
292. Clause 2 of the 2019 DPA sets out that the “[t]he Processor may process Data to the extent
necessary to provide the Services to the Controller” only. Schedule 2 of the 2019 DPA also sets
out that the data processed by the processor concerns a number of categories of data subjects,
including “individuals participating in ceremonies or rites conducted by the Controller
(marriages, baptisms, confirmations etc)”.
293. Similar to the 2016 DPA, the activities for which the Archbishop acts as a processor under the
2019 DPA does not encompass his roles of oversight and inspection, though these are
mentioned in the 2019 DPA at Recital A. The 2019 DPA clearly states that the Archbishop may
process the personal data only for providing “the Services to the Controller”, and this must be
on the written instructions of the parish priest. On consideration of the above, the DPC finds it
difficult to see how the Archbishop’s inspection and oversight roles could be encompassed by
the Services of the 2019 DPA, as processing activities delegated to a processor.
294. The Archbishop does not in practice take instruction from the parish priest on the manner in
which he conducts his inspections, or his obligations under canon 1276, and it seems to the DPC
that taking any such instructions would be contrary to the duty of oversight and inspection
placed on him by Canon Law in any event. While the 2019 DPA seeks to demonstrate that this
is the case, it limits itself to the provision of the Services only, even in circumstances where the
categories of data subjects included seeks to cover those who have participated in ceremonies
or rights. The actual role of the Archbishop, in my view would not entail taking instruction from
the parish priest with respect to functions under canon 535 and canon 1276, and even if it did,
the 2019 DPA does not adequately capture such processing activities.
295. Therefore, the DPC does not accept the 2016 DPA or the 2019 DPA as evidence, which reflects
the actual role the Archbishop plays in relation to the processing of the personal data and the
special category personal data contained in any of the Baptism Registers. The DPAs may on
paper designate the role of processor to the Archbishop, however, considering the concept of
a ‘controller’ and ‘processor’ as functional concepts,217 functionally the DPAs do not encompass
the actual role the Archbishop plays when it comes to the processing of the personal data and
special category personal data in the Baptism Registers.
296. In coming to this conclusion, I have regard in particular to the EDPB Guidelines 07/20 which
state that:
“It may also be that the contract contains an explicit statement as to the identity of the
controller. If there is no reason to doubt that this accurately reflects the reality, there is
nothing against following the terms of the contract. However, the terms of a contract are
not decisive in all circumstances, as this would simply allow parties to allocate
responsibility as they see fit. It is not possible either to become a controller or to escape
controller obligations simply by shaping the contract in a certain way where the factual
circumstances say something else. If one party in fact decides why and how personal data
are processed that party will be a controller even if a contract says that it is a
processor”.218
297. Therefore, I have formed the view that the DPA Agreements do not establish, for the purposes
of data protection law, that the Archbishop is a data processor or that the parish priest is a
controller, but that the Archbishop has a role to play as a data controller regarding the
processing of personal data contained within the Baptism Registers. As to whether the
Archbishop is sole controller or joint controller with the parish priest depends on the processing
activities involved with the Baptism Registers.
Identification of the relevant Baptism Registers
298. In order to examine whether the Archbishop, alone or jointly with others (such as the parish
priest), determines the purposes and means of processing of the personal data and special
category personal data contained in the Baptism Registers, it is necessary for the DPC to look at
the various Baptism Registers separately.
217 EDPB Guidelines 07/2020, paragraph 12.
218 EDPB Guideline 07/2020, paragraphs 28, 29.
299. The Baptism Registers will be considered separately within the context of the relevant
processing activities. The three registers that form the Baptism Registers are the Parish Baptism
Registers, Clonliffe College Register and the Adopted Persons Register.
Parish Baptism Registers
300. The Parish Baptism Registers consist of the Baptism Registers which are held within each parish
of the Archdiocese, according to canon 535 §1. The content of the Parish Baptism Registers is
set out in various provisions of the Code of Canon law, such as canon 535 §2 and canon 877 §1.
Clonliffe College Register
301. The Clonliffe College Register consists of the register of baptisms for baptisms that took place
in Holy Cross College, Clonliffe, dating between 1913 and 1999. This register is held in the
Chancellery Office, though the Archbishop submits that it should be properly held in the parish
of NorthWilliam Street in which the former seminary Clonliffe College was located. The content
of the Clonliffe College Registers is set out in various provisions of the Code of Canon Law, such
as canon 535 §2 and canon 877 §1.
Adopted Persons Baptism Register
302. The Adopted Persons Baptism Register is a central baptism register for all adopted children
(adopted after baptism). Between 1982 and 2011, it recorded the details of an adopted child
and of their baptism, as sent by the Adoption Board to the Archdiocese. The Adopted Persons
Baptism Register is ordered by the date of receipt of notifications from the Adoption Board, not
by order of date of baptism, as are the Parish Baptism Registers and the Clonliffe College
Registers. This register was recorded by the Chancellery and is held in the Chancellery Office on
behalf of the Archbishop.
Identification of the Relevant Processing Activities for the purposes of this Inquiry
303. In addition to retention, the Archbishop has indicated that the following processing activities
take place regarding the Baptism Registers:
Collection and recording of data for the purposes of recording the baptism;
Storage of the Baptism Register
Alteration of the Baptism Register on request of the baptised person or his/her
parents (where the baptised person is a minor), or annotation with details of a
person’s confirmation, marriage/annulment and ordination/laicisation (or adoption);
Retrieval, consultation and use of the Baptism Register, at the request of the baptised
person for the administration of other Sacraments, namely Confirmation, Marriage
and Holy Orders. The Baptism Register may also be consulted in the context of
annulments of marriages or laicisation of priests; and
Disclosure of extracts (baptismal certificates) from the Baptism Register by
transmission upon request to individual, identified baptised persons, or authorised
persons acting on their behalf, or upon inspection by the Archbishop on the occasion
of a Parish Visitation.219
304. In case C-40/17 Fashion ID, the CJEU stated, “the processing of personal datamay consist in one
or a number of operations, each of which relates to one of the different stages that the
processing of personal data may involve”.220 As such, I consider that the relevant processing
activities as they relate to this Inquiry are the retention (retention and storage), erasure
(deletion) and rectification (annotation/special annotation) of personal data contained within
the various Baptism Registers.
305. Further, as the subject of this Inquiry relates primarily to rectification and erasure, I have
considered the processing activity of collection and recording of personal data in the Baptism
Registers because all other data processing activities flow from that point. I am of the opinion
that it is not necessary to examine all possible processing activities as they are not relevant for
the purposes of this Inquiry. I also consider it necessary to identify whether the Archbishop is a
controller or joint controller of the personal data for such processing activities as identified and
which are relevant for the purposes of this Inquiry.
219 Submissions dated 6 September 2021, pages 2-3.
220 C-40/17 Fashion ID ECLI:EU:C:2019:629, paragraph 72.
306. The Archbishop also noted that in circumstances where “a person no longer wishes to be
identified as a member of the Catholic Church, the only processing activity likely to continue is
the storage of the baptism register”.221 However, the Archbishop also submitted that
“[e]xceptionally, the entry in respect of that person may be retrieved, consulted and disclosed in
rare circumstances where the person concerned or his/her spouse has requested an annulment
(ie within the Church and not an annulment under civil law), or the even rarer circumstances
where the person concerned is a priest and wishes to be laicised”. I am not convinced that these
statements cover all possible processing activity of the personal data belonging to the data
subject.Whether or not a person no longer wishes to be identified as a member of the Catholic
Church, the personal data and special category personal data stored on the Baptismal Register
in relation to that person remains accessible for disclosure to the parish priest who retains it,
and is readily available when accessing any other records on that page of that volume.
Collection and Recording
The Archbishop
307. The Archbishop is considered the representative at law for the Archdiocese of Dublin, which is
not a distinct legal person in its own right, though both dioceses and parishes have distinct
juridical personality under Canon Law. The Archbishop is autonomous in the Archdiocese and is
accountable directly to the Holy See.222 The Archbishop has control over the day-to-day
management of the Archdiocese, as long as he remains compliant with Canon law.223 In
accordance with canon 391 §1, it is for the Archbishop to govern the Archdiocese with
“legislative, executive, and judicial power according to the norm of law”.
308. In general, the Archbishop is under an obligation placed on him by canon 473 §1 “to take care
that all the affairs which belong to the administration of the whole diocese are duly coordinated
and are ordered to attain more suitably the good of the portion of the people of God entrusted
to him”.
309. The administration of the diocese “to attain more suitably the good of the portion of the people
of God entrusted” to the Archbishop includes the recordings and proper keeping of registers, in
my view. This is particularly in light of the Archbishop’s submissions that “[i]t is essential for the
administration of the affairs of the Catholic Church tomaintain a register of all people who have
been baptised in the Church”224. I am of the view that if the proper recording of relevant
sacraments is a core aspect of the administration of the Catholic Church, then it must also be
central to the administration of the affairs of the diocese.
221 Submissions dated 6 September 2021, page 2.
222 Paragraph 3.16, Report by Commission of Investigation into Catholic Archdiocese of Dublin (29 November 2009).
223 Ibid.
224 Submissions dated 16 March 2020, page 50.
310. Canon 515 §1 and canon 519 also provide thatwhile a parish is entrusted to a pastor, it is “under
the authority of the diocesan bishop”. Passage number 221 of the Directory for the Pastoral
Ministry of Bishops (2004) states that the “weight of responsibility to govern the diocese falls
squarely on the shoulders of the Bishop”.225
311. Canon 396 §1 places an obligation on the Archbishop to make a visitation to the parishes of the
Archdiocese. During his visitation, the Archbishop has stated that he is to:
“examine the administration and maintenance of the parish, including places of worship,
liturgical vessels and appointments, parish registers and other goods. Nevertheless, some
aspects of this task may be left to the Vicars forane or other suitable clerics (683) just
before or after the visit, so that the Bishop can concentrate on personal meetings during
the visit itself, as befits a true Shepherd (684)”.226
312. Though the Archbishop stated in his submissions that the emphasis is on the pastoral nature of
the visitation, the original text of the above passage from number 221 of the Directory for the
Pastoral Ministry of Bishops (2004), places an italicised emphasis on the words “administration
and maintenance”, not evident in the excerpt included in the Archbishop’s submission.227
313. The Archbishop had also submitted that a power of inspection exists under canon 535 §4,
allowing him to inspect Baptism Registers during the course of a visitation. In practice, this
entails the Archbishop looking at the last entry of the register and checking that the register is
up-to-date.228
314. Following a visitation, the Archbishop is to prepare a report of the visit, which can include
“offering recommendations for certain improvements in the life of the parish, with special
reference to the state of divine worship, pastoral work and any other important initiatives”.229
315. Further, canon 1276 §1, places a responsibility on the Archbishop to “exercise careful vigilance”
over the administration of all goodswhich belong to public juridic persons subject to him (which
would include the parishes of the Archdiocese).
225See
https://www.vatican.va/roman_curia/congregations/cbishops/documents/rc_con_cbishops_doc_20040222_apostoloru
m-successores_en.html.
226 Page 12, 15 October 2020 Submission, with reference to the Directory for the Pastoral Ministry of Bishops (2004) no.
221.
227See
https://www.vatican.va/roman_curia/congregations/cbishops/documents/rc_con_cbishops_doc_20040222_apostoloru
m-successores_en.html.
228 Page 7, 16 March 2020 Submission.
229 Directory for the Pastoral Ministry of Bishops (2004) no. 224: This was also submitted by the Archbishop in the 15
October 2020 Submission.
316. The Guidelines (The Directives and Guidelines for Sacramental and Pastoral Practice) also set
out specific guidance on the collection and recording of personal datawhen recording a baptism
in particular or unusual circumstances, for example, in section 1.6, “The Child of a CivillyMarried
Couple”230. With respect to the Guidelines, the Archbishop submitted that:
“[i]n cases where the Directives or Guidelines are not followed, further action can be taken
against the priest who deviates from them, but only where the deviation relates directly
to a particular canon in the Code of Canon Law, or a particular element of civil law”.231
317. In determining the controllership status of an entity or individual, consideration must be given
as to whether the Archbishop determines the purpose and means of processing.
318. The obligation to collect and record personal data at the time of baptism emanates from Canon
Law. Some sacraments are only administered once, and only if one is baptised. As such, it is
essential, according to the Archbishop, tomaintain a record of all those persons who have been
baptised232 as this keeps a record of “the administration of certain sacraments in the Church”233
which is “essential for the administration of the Church”.234
319. The Archbishop is obliged under canon 473 §1 “to take care that all the affairs which belong to
the administration of the whole diocese are duly coordinated and are ordered to attain more
suitably the good of the portion of the people of God entrusted to him”. The parishes of the
Archdiocese are under the authority of the Archbishop further to canons 515 §1 and 519. As
such, I am satisfied that the Archbishop has a practical duty of oversight regarding the
administration of the Archdiocese and exercises authority over the parishes of the Archdiocese.
This, in my view, includes matters “essential for the administration of the Church” such as the
recording of baptisms.
320. The Archbishop submitted that any obligations placed on the parish priest to keep records of
sacraments administered are “imposed on Parishes and Parish Priests as amatter of canon law.
They are not imposed on the Parish Priest by ArchbishopMartin”235. I accept that the Archbishop
does not set the obligation in Canon Law for the parish priest to collect and record data relating
to baptisms. However, in my view, the Archbishop still plays a central role in overseeing the
execution of these duties, in addition to enforcing those interpretations of Canon Law among
the parishes that he oversees. The Archbishop submitted, “the Archbishop (through the
Chancellery) disseminates guidance, this is to assist in the interpretation of canon law”.236
Further, the Archbishop is in a position to promulgate norms, which take on the force of Canon
Law, and as such is in a position to steer and augment Canon Law obligations placed on the
parish priest, which form the basis of the purposes of processing for this processing activity.
321. The Archbishop plays a significant role in determining the purpose of processing for the
collection and recording of the data for the Baptism Registers by virtue of his administrative
function and his oversight of the duties and obligations placed on the parish priest.
230 Page 10, Schedule accompanying the 15 October 2020 Submission.
231 Page 15, 15 October 2020 Submission.
232 Page 34, 16 March 2020 Submission.
233 Page 34, 16 March 2020 Submission.
234 Page 23, 15 October 2020 Submission.
235 Page 4, 16 March 2020 Submission.
236 Page 11, 16 March 2020 Submission.
322. In the case of the Adopted Persons Baptism Register and the Clonliffe College Register, I am of
the same view, that the Archbishop plays a central role in determining the purposes of
processing with respect to collection and recording of data relating to a baptism. Although the
personal data and special category personal data contained in the Adopted Persons Baptism
Register is also contained in a separate Parish Baptism Register, this does not alter the position
that the Archbishop (occasionally also via the Irish Episcopal Bishop’s Conference) steers the
purpose of the collection and recording as he sees fit and exerts influence on the purposes of
the processing. The Clonliffe College Register, may, for the purposes of the above discussion,
be assessed in the same manner as a Parish Baptism Register; I accept that the Archbishop
exerts influence over the Clonliffe College Register in the same manner as that of a Parish
Baptism Register for the processing activities of collection and recording. This is because the
former seminary of Clonliffe College, which collected and recorded the personal data, had
juridic personality in its own right within the Archdiocese, much like a parish does. 237
323. The Archbishop, by enforcing Canon Law and providing guidance, norms, recommendations and
issuing precepts to individuals in the parishes in his Archdiocese,238 as well fulfilling his duties of
governance and oversight, defines the parameters through which the personal data and special
category personal data of those who are baptised is collected and recorded.
324. Canon 391 states that “It is for the diocesan bishop to govern the particular church entrusted to
him with legislative, executive, and judicial power according to the norm of law... He exercises
legislative power himself. He exercises executive power either personally or through vicars
general or episcopal vicars according to the norm of law. He exercises judicial power either
personally or through the judicial vicar and judges according to the norm of law.” My view is
that the Archbishop may decide certain key elements about the purposes of personal data
processing in his diocese through his exercise of those functions of the Canon Law.
325. The Archbishop’s power of inspection has been set out above. The Archbishop also submitted
that the “purpose of this superficial inspection is not to ascertain the information contained in
the registers, rather it is to ensure that the registers are being maintained by the Parish Priest
as he is obligated to do in his Parish according to canon law”.239
326. I note that it is within the competence of the Archbishop to determine the extent and depth of
the inspection, whether superficial or otherwise, however, this does not negate the power of
inspection the Archbishop holds, regardless as to how he wishes to implement that power.
327. Following a visitation and inspection, the Archbishop writes a report to the parish priest
containing recommendations for improving practices if necessary. The Archbishop has stated
that, though these recommendations are “likely to be taken seriously by the Parish Priest”, there
is “no power on the part of the Archbishop to compel compliance with specific
recommendations”.
237 Canon 238 §1.
238 As per submissions of 1 February 2023, paragraph 13.
239 Ibid.
328. The Archbishop may not have an express power under Canon Law that compels compliance
with the recommendations of his report following visitation and inspection; however, in
practice the Archbishop exerts significant factual influence240 over the parish priest. In addition,
the Archbishop has a number of other powers conferred by Canon Law, which allow him to
exert decisive influence241 on the parish priest. In this way, the Archbishop operates an effective
decision-making power242 over the means of processing.
329. The Archbishop did concede that “a priest’s ministry is dependent upon that of his bishop, and
every priest promises respect and obedience to his bishop at ordination”. However, the
Archbishop asserted: “it is a common mistake to think of a parish priest as a kind of ‘branch
manager’ or ‘tenant farmer’ of a bishop”. The Archbishop also acknowledged that a bishop is
“free to establish policies for all Parishes in his diocese provided that they do not conflict with
universal canon law or divine law”.243
330. I note in particular the priests’ duty of obedience to their bishop, based on canon 273, which
states: “[c]lerics are bound by a special obligation to show reverence and obedience to the
Supreme Pontiff and to their own ordinary”. At ordination, a priest is required to take an oath
of obedience as they are asked by their bishop “Do you promise respect and obedience to me
and my successors?”244 to which the priest responds, “I do”.245 I also note246 that norms
published and promulgated by the Archbishop take on the force of Canon Law, and must be
obeyed by the parish priests of the Archdiocese.247
240 See paragraph 25, EDPB Guidelines 07/2020.
241 Paragraph 78, C-40/2017 Fashion ID.
242 See paragraph 20, EDPB Guidelines 07/2020.
243 Page 16, 15 October 2020 Submission.
244 Paragraph 3.28 Murphy Report.
245 Page 1, Obedience to the bishop by the diocesan priest in the 1983 Code of Canon Law by Francis James Schneider
J.C.D., dissertation, 1990, Catholic University of America.
246 A statement in the Draft Decision (that canonical obedience was restricted to matters prescribed in Canon Law) was
removed on foot of Submission of 1 February 2023 paragraph 6.
247 See for example canon 491 §3 “In order to inspect or remove the acts and documents mentioned in §§1 and 2, the norms
established by the diocesan bishop are to be observed”.
331. Any recommendations in a report following a visitation and inspection, which may seek to
change the means by which the parish priest is collecting and recording data to record a
baptism, are framed by the Archbishop as recommendations only. However, it is clear that the
oath of obedience placed on a parish priest to his diocesan bishop will create an expectation in
practice that the parish priest will obey any such recommendations. The submissions of
1 February 2023 dispute this view, on the basis that any such guidelines have “no compelling
force”, as they “have not been promulgated by the Archbishop according to Canon Law.” The
absence of compelling force in a bishop’s instructions do not convinceme to altermy conclusion
that in practice, the oath of obedience will create an expectation that parish priests obey
recommendations of their diocesan bishops.
332. I remain of the view that any policy put in place by the Archbishop for the parishes of the
Archdiocese are likely to be complied with by parish priests, based on each parish priest’s duty
of obedience. Although the Archbishop has argued: “[w]hile the Archbishop (through the
Chancellery) disseminates guidance, this is to assist in the interpretation of canon law. The
Archbishop does not impose these requirements on the Parish”,248 the DPC respectfully rejects
the implication that the Archbishop is not aware, when disseminating such guidance, of the
decisive influence his policies will have over the actions of parish priests in the Archdiocese.
333. Furthermore, the Archbishop, possessing executive power, can issue instructions to the parish
priest to clarify Canon Law and to set out the manner in which it should be observed.249 This
would allow the Archbishop to clarify the obligations of the parish priest to collect and record
the data relating to a baptism under canon 535 and under canon 877. In this regard, I note that
canon 138 states: “ordinary executive power as well as power delegated for all cases must be
interpreted broadly”.
334. The Archbishop also has the power to issue precepts under canon 35 and canon 49.250 A precept
may be issued in respect of a particular priest. The issuing of a precept enables the Archbishop
to make a ruling of sorts on what that priest is permitted to do, even in circumstances where
the priest may in the ordinary course make decisions as to the running of the parish. The
Archbishop has confirmed that this is the case, stating that he does have the “authority to oblige
any priest or member of the faithful to do, or not to do, a particular thing he may determine to
be detrimental to the wider community. He can do this through a “precept”, a kind of canonical
injunction directed at a specific person or situation”251. It is my view that such a power allows
the Archbishop to effectively override any decisions or actions of the parish priest in respect of
processing personal data in the Baptism Registers, if he so wishes.
248 Page 11, 16 March 2020 Submission.
249 Canon 34 and canon 1276 §2.
250 Canon 35 states that “A singular administrative act, whether it is a decree, a precept, or a rescript, can be issued by one
who possesses executive power within the limits of that person’s competence, without prejudice to the prescript of can.
76, §1”and canon 49 states that “A singular precept is a decree which directly and legitimately enjoins a specific person
or persons to do or omit something, especially in order to urge the observance of law”.
251 Page 17, 15 October 2020 Submission.
335. It is also necessary to consider whether the Archbishop is in a position to determine the
essential rather than the non-essential means of processing with respect to the collection and
recording of data for the purposes of recording a baptism. As stated by the EDPB, the essential
means of processing are closely linked to the purpose and the scope of processing, such as “the
type of personal data which are processed (‘which data shall be processed?’), the duration of
the processing (‘for how long shall they be processed?’), the categories of recipients (‘who shall
have access to them?’) and the categories of data subjects (‘whose personal data are being
processed?’)”.252
336. For the purposes of collecting and recording, the Archbishop has oversight over the affairs of
the parishes in his Archdiocese, which includes what data shall be processed by collection and
recording a baptism entry.253 The Archbishop’s power of inspection, derived from canon 535 §4,
allows him to provide recommendations to the parish priest with respect to the Parish Baptism
Registers and how they have been recorded.While the Archbishop has asserted that he has no
power to compel compliance from the parish priest with such recommendation, they are “likely
to be taken seriously by the Parish Priest”.254 I am satisfied that it is reasonable to assume that
in practice the relationship between the Archbishop and the parish priest is such that the
recommendations are more likely than not to be followed by the parish priest, which is largely
due to the oath of obedience to his bishop taken by the parish priest on ordination.
337. With respect to the Clonliffe College Register, though the Archbishop does not in practice
exercise his power of inspection over this register as it is housed in the Chancellery Office rather
than a parish, he can still exercise his power to do so. The Archbishop is in a position to exert
material influence on the means of processing with respect to the Clonliffe College Register
notwithstanding that it is not held within a parish but in the Archbishop’s House itself.
338. With respect to the Adopted Persons Baptism Register, I am of the view that the Archbishop
directly and solely influenced the collection and recording of this register held in the Chancellery
Office also on behalf of the Archbishop. The Archbishop solely determined the means of
processing with respect to the collection and recording for this register, in particular, the type
of personal data recorded (the personal data which was provided on the notifications from the
Adoption Board), and the categories of data subjects whose personal data was included in the
Adopted Persons Baptism Register.
252 Paragraph 40, EDPB Guidelines 07/2020.
253 Canon 473 §1, canon 1276 §1.
254 Page 12, 15 October 2020 Submission.
339. As such, while the source of the Archbishop’s authority to exercise control may be Canon Law,
it ismy view that the Archbishop, in practice, determines the purposes andmeans of processing
of the personal data and special category personal data in the Baptism Registers. The
submissions of 1 February 2023 contest this view, stating that “the purpose of processing of the
personal data and special category personal data contained in the Baptism Registers is
determined by Canon Law, which the Archbishop plays no role in initiating. Further, the
Archbishop does not prescribe the means of recording or collecting personal data or special
category personal data in the Baptism Registers.” I note that although canon 535 §1 states that
“the pastor is to see to it that these registers are accurately inscribed…”, the earlier sentence in
that same canon states that “Each parish is to have parochial registers… as prescribed by the
conference of bishops or the diocesan bishop.” On the basis of this Canon and the reasoning set
out earlier in this section of the Decision, I remain of the view that the Archbishop exerts a de
facto influence over the activity of collecting and processing the personal data and so is a
controller.
340. Although the Archbishop has argued that his ““power of investigation” “does not mean that he
initiated or caused the processing to happen”, 255 it is my view that given the right to visitation
and inspection conferred on the Archbishop,256 and his responsibility for governance and
oversight of the parishes of the Archdiocese, that the Archbishop has a central role in
determining the manner, purpose and means of the collection and recording of the personal
data contained within the Baptism Registers, to such a degree as to be identified as a data
controller.
Controllership: Collection and Recording:
The Parish Priest
341. The parish priest is under an obligation, further to canon 535 and canon 877, to collect and
record certain personal data when recording a baptism and other sacraments257. Canon 535 §1
states “the pastor is to see to it that these registers are accurately inscribed and carefully
preserved”. Canon 877 §1 prescribes the personal data which must be recorded by the parish
priest “without delay”.
342. Canon 515 §1 states that a parish is entrusted to a parish priest “as its proper pastor (pastor)
under the authority of the diocesan bishop”. In general, the parish priest has also been conferred
a governance role over his parish via his office, further to canon 131 §1. In accordance with
canon 519, the parish priest is entrusted with, “exercising the pastoral care of the community”
and carrying out the “functions of teaching, sanctifying, and governing”.
343. Certain functions are also “especially entrusted” to the parish priest in accordance with canon
530. One of these functions is “the administration of baptism”. In accordance with canon 532,
the parish priest represents his parish in all juridic affairs and is to “take care that goods of the
parish are administered according to the norm of _ cann. 1281-1288”.
255 Page 11, 16 March 2020 Submission.
256 Submissions dated 15 October 2020, page 12.
257 See further canon 535 §2.
344. The Archbishop has submitted that the parish priest is “responsible for all applications and
activities concerning the baptismal register” including “the creation of the original, handwritten,
record of baptism”258. Further, the Archbishop submitted that:
“[t]he Parish Priest is the one responsible for the collection of the data in the first instance,
it he who arranges the sacrament of baptism and he who manages the making of the
record in the register. The data in the baptism register exists because the Parish Priest has
permitted the baptism to take place in his Parish”259.
345. I accept that the parish priest is obliged under Canon Law, in particular canon 535 and canon
877, to collect and record certain details relating to baptisms (and certain other sacraments) in
registers. The DPC also accepts that “the parish priest governs the parish with the ordinary
power which comes from his office as exercised under the authority of the Archbishop pursuant
to canon 131 §1 and canon 515 §1.”260 Therefore, the DPC also accepts that the parish priest
has a degree of autonomy as to the governance and administration of his parish, including the
manner in which he executes the duties and obligations placed on him by Canon Law.
346. As previously stated in this Decision, the purpose for which the personal data of data subjects
is collected and recorded is because it is central to the administration of the Church. As the
sacrament of baptism can only be administered once, it is necessary to collect and record
certain details relating to the baptised person in the Baptism Registers.
347. It is the view of the DPC that the parish priest has the ability to determine the purpose for which
personal data are collected and recorded in the Baptism Registers. The parish priest may
undertake his obligations under Canon Law in such a way as to collect and record, for example,
more personal data and special category personal data than is strictly necessary under Canon
Law.
348. I am of the view that the parish priest has discretion as to the means he uses to collect and
record the personal data and special category personal data in the Parish Baptism Register.
Neither Canon Law nor the Archbishop have prescribed all the means by which the personal
data is collected, though certain requirements are in place surrounding the type of personal
data which are processed and the categories of data subjects.
258 Page 5, 16 March 2020 Submission.
259 Page 10, 16 March 2020 Submission.
260 Submission of 1 February 2023 at paragraph 17.
349. Canon Law requires the recording of certain information as per canon 877; however, this does
not preclude the parish priest from recording additional information or choosing his preferred
format for recording the hardcopy Parish Baptism Register. I note that the submission of
1 February 2023 includes the statement that “the Parish Priest essentially has very little choice
in what may be recorded here. Cannon Law requires the Parish Priest of the place of baptism to
record the information specified in canon 877 §1 in the Baptismal Register.” 261 This submission
does not convince me to alter the views set out in the first sentence of this paragraph. While
Canon 877 §1 specifies certain minimum information, the submissions do not dispute that the
parish priest can add additional information to the register. Further, the parish priest may also
determine the essential means of processing of the personal data, via collection and recording,
by the use electronic forms of indexing and recording the entries. The parish priest may choose
the types of personal data processed in this way, the duration of such processing and the
categories of data subjects whose personal data is processed. The option to use electronic
means is envisaged in Appendix 3 to the Guidelines, as published by the Chancellery, which sets
out requirements for “the Secure Maintaining of Duplicate Electronic Sacramental Records in
Parishes”, “Software Requirements for Electronic Sacramental Records” and “Scanning of Parish
Registers”. I am of the view that the use of these means, while envisaged as a possibility by the
Archbishop, is not prescribed and it is for the parish priest himself to determine whether to
process the personal data and special category personal data by electronic means.
350. As such, I am satisfied that the parish priest, in the case of the Parish Baptism Registers,
determines the means of processing to such an extent as to include essential means of
processing. Consequently, I am of the view that the parish priest exerts a decisive influence over
the processing activities contained in the Parish Baptism Register by reference to the collection
and recording of personal data in those Registers.
Conclusion: Controller of Collection and Recording
Parish Baptism Register
351. I am satisfied that both the Archbishop and the parish priests engage in controllership decisions
relating to the collection and recording of personal data in the Parish Baptism Registers and are
therefore joint controllers.
352. I am satisfied that the processing would not be possible without both parties’ participation in
deciding, albeit to different extents, the purposes and means of processing and that the
processing by each party is inextricably linked. The DPC reiterates the content of paragraph 38
of the C-210/16Wirtschaftsakademie judgment, and the fact that one of the parties not having
access to the personal data processed is not a sufficient reason to exclude the concept of joint
controllership. This is relevant within the context of the Parish Baptism Registers whereby the
Archbishop does not have day-to-day access to them.
261 Submissions of 1 February 2023, [19]
353. Both the parish priests and the Archbishop have obligations under Canon Law, as detailed in
sections 191 and 347, which are inextricably linked. Both the decisions of the parish priest and
the Archbishop as to how they comply with their obligations determine the purpose of
processing which is the recording of the sacrament of baptism to ensure it is only administered
once. As previously set out, this is an important tenet in the administration of the Catholic
Church.
354. While it is for the parish priest to determine how the personal data and special category
personal data is collected and recorded, he must comply with his obligations under canon
535 §1, canon 877 §1 and the guidance of the Archbishop. It is also within the competence of
the parish priest to collect additional personal data or record it in an electronic format as well
as recording it electronically to create an index. The Archbishop has oversight of the process to
ensure that themanner inwhich the personal data is collected and recorded by the parish priest
complies with Canon Law, such as whether it is accurately inscribed and diligently preserved.262
The Archbishop is empowered to alter the means of processing used by the parish priest via
recommendations in the report sent to the parish following a visitation, via guidance in the
Guidelines, or by publishing a norm. The Archbishop can also issue directions via precepts to
the parish priests and the parish priests operate under an oath of allegiance to the Archbishop
under Canon Law. Therefore, both the decisions of the parish priest and the Archbishop
complement each other in determining the means of processing and have a tangible impact on
the determination of the means of processing.
355. As such, I am of the view that within the framework of Canon Law, it falls to both the diocesan
bishop (the Archbishop in this instance) and the parish priest to determine the purposes and
means of processing of personal data in the Parish Baptism Registers in respect of the personal
data and special category contained therein. With regard to the personal data collected and
recorded in the Parish Baptism Registers, the Archbishop and the parish priests are joint
controllers in circumstances where both jointly determine the purposes and means of
processing.
262 Canon 535 §1, Canon 545 §4, canon 473, canon 491 §2 and canon 396 §1.
Conclusion: Controller of Collection and Recording
Clonliffe Parish Register
356. Although the Archbishop has submitted that the Clonliffe College Registers are in fact rightfully
Parish Baptism Registers of North William Street Parish, I am of the view that these registers
have never been under the practical influence of the parish priest of North William Street.
Recorded to “ensure that, in the event that North William Street Parish omitted to record a
notification of a conferral of the sacrament which had occurred in Clonliffe College, a record
would remain in the place where the sacrament was conferred”263, the parish priest of North
William street has not in reality ever had influence over the purpose andmeans of the collection
and recording of the personal datawhich is held in the Clonliffe College Registers. In that regard,
the Archbishop, being the person who holds the Clonliffe College Registers following the
dissolution of the Clonliffe College seminary, and who played and continues to play a role of
oversight and governance in the administration of his Archdiocese, is the controller of the
personal data contained within it for the processing activity of collecting and recording.
Conclusion: Controller of Collection and Recording
Adopted Persons’ Baptism Register
357. In respect of the Adopted Persons’ Baptism Register, I am of the view that the Archbishop is the
sole controller of the personal data and special category personal data contained within it for
all processing activities.
358. The personal data and special category personal data was collected and recorded in the
Adopted Persons Baptism Register between 1982 and 2011, by the Chancellery on behalf of the
Archbishop. The information contained in this register was provided to the Archbishop by way
of notifications received from the Adoption Board. The parishes in which the data subjects were
originally baptised did not provide the personal data directly to the Archbishop.
359. Further to Decree 10 of the Irish Episcopal Bishop’s Conference (at which the Archbishop’s
predecessor would have had an opportunity to provide his views and input), a centralised
baptism register for adopted children was to be kept in each diocese. As such, the obligation to
keep this centralised register and all the processing activities flowing from this fell on the
Archbishop himself, being the leader of his diocese.264
263 Page 3, 23 July 2021 Submission.
264 Promulgated in Intercom December 1987/January 1988. Decree No. 10 states that “It was decided that a central
baptismal register for all adopted children be kept in each diocese. This is to be kept either at the diocesan Curia or in a
parish or centre specially designated by the diocesan Bishop for this purpose. It has been agreed that the (civil) Adoption
Board would, on the adoption of a child, send to this office all relevant information necessary for the issuing of baptismal
certificates”.
360. In order to adhere to this obligation, which he himself would have had influence over at the
Irish Episcopal Bishop’s Conference, the Archbishop determines the purposes of processing the
personal data contained in the Adopted Persons Baptism Register. As previously stated, the
Archbishop is in a position to provide guidance on the interpretation of Canon Law, and issue
decrees and norms on behalf of his Archdiocese, and to implement these in whatever manner
he sees fit (as long as this adheres to Canon law, divine law and civil law).265
361. The Chancellery has put in place an electronic version of the register also, which indicates the
determination of the essential means of processing. The Archbishop also determines, based on
the notifications received from the Adoption Board, which types of personal data contained in
the notification would be collected and recorded and which categories of data subjects
(adopted children) would be entered into the Adopted Persons’ Baptism Register, what
duration the processing would take and the possible recipients of the personal data contained
in the Adopted Persons Baptism Register.
362. As such, I am of the view that the Archbishop solely influences the collection and recording of
this register, which is held in the Chancellery Office also on behalf of the Archbishop. The
Archbishop solely determines the means of processing with respect to collection and recording
for this register, in particular, the type of personal data recorded (the personal data which was
provided on the notifications from the Adoption Board), and the categories of data subjects
whose personal data was included in the Adopted Persons Baptism Register.
Storage and Retention
The Archbishop
363. Baptism Registers are stored and retained for the purposes of maintaining a record of those
who have received the sacrament of baptism. These records are essential to the administration
of the Catholic Church.
364. Under canon 491 §1, a diocesan bishop is required to “take care that the acts and documents
of the archives of cathedral, collegiate, parochial, and other churches in his territory are also
diligently preserved and that inventories or catalogs are made in duplicate, one of which is to be
preserved in the archive of the church and the other in the diocesan archive.” The requirement
of the Archbishop to ensure documents are “diligently preserved”, whether in the various
parishes within the diocese or in the Archbishop’s house, mandates that the Archbishop must
ensure a particular standard is met according to his own judgment.
365. I am of the view that this demonstrates an element of controllership by the Archbishop, as he
is the person with sole competence and discretion in terms of setting the relevant standard. Of
note also in canon 491 §1 is the requirement that “catalogs” or “inventories” of archives “of the
church” are made and the provision places the responsibility on the Archbishop to ensure this
is done.
265 See canon 381§1 and 391§1.
366. Further, canon 491 §3 provides that the Archbishop’s norms must be observed “in order to
inspect or remove acts and documents mentioned in §§1 and 2”, being the acts and documents
of an archive in the parish or in the Archdiocese. I am of the view that this provision also points
to the important role the Archbishop’s norms play in exerting influence on both the purposes
and the means of processing the personal data contained in the Baptism Registers, both those
held in the Chancellery and the parishes.
367. Canon 1276 §1 also requires the Archbishop to exercise “careful vigilance over the
administration of all goods which belong to public juridic persons subject to him without
prejudice to legitimate titles which attribute more significant rights to him”. This provision
requires the Archbishop to exercise vigilance over the goods of the parishes in his Archdiocese.
This would include the storage of the Parish Baptism Registers held in these parishes, the
Clonliffe College Registers and the Adopted Persons Baptism Registers in the Chancellery
(situated in the Archbishop’s House). As this provision does not define “careful vigilance”, I am
satisfied that Canon Law affords the Archbishop discretion as he sees fit in the implementation
of this obligation.
368. Further, canon 1276 §2 requires that “ordinaries are to take care of the ordering of the entire
matter of the administration of ecclesiastical goods by issuing special instructions within the
limits of universal and particular law”. This provision, in the view of the DPC, envisages that the
Archbishop will use his discretion in exercising his vigilance and oversight over the Baptism
Registers (among other things) to issue special instructions to the juridic personalities in his
diocese to order the administration of such goods.
369. As previously set out, I am of the view that any recommendations, instructions, directions and
guidance provided by the Archbishop to the parish priests of the Archdiocese, will be likely to
be interpreted as a requirement by the parish priest, in light of the oath of obedience to
ecclesiastical superiors undertaken by each priest on ordination. The Archbishop has confirmed,
“part of the Parish Visitation could include the Bishop, or his delegate, not only inspecting that
the registers are kept up to date, but also that they are carefully stored and preserved in the
parish”.266
370. As previously set out, under canon 35 and canon 49, the Archbishop has the power to issue
singular precepts to priests in this Archdiocese requiring them to store and retain the Baptism
Registers in a certain way, or to refrain from doing so. The Archbishop is not limited in the
subjectmatter of a precept, though itmust not conflict with divine law, other Canon Law or civil
law.
371. In respect of guidance and instruction to the parish priests, the Archbishop issued, via the
Chancellery, the Administrative Regulations, most recently in October 2017 and previously in
November 2008 (the ‘November 2008 Administrative Regulations’) and August 2002 (the
‘August 2002 Administrative Regulations’).
266 Submissions dated 15 October 2020, page 12.
372. Section E of the Administrative Regulations set out guidance for the parish priest regarding
“Preservation and Storage”, “Fire Prevention” and “Security”.267 Under “RecordsManagement”,
the Administrative Regulations set out the “suggested length of time records are kept”. With
respect to Baptism Registers, the length of time for storage and retention is “permanent”.
373. The previous iterations of the Administrative Regulations are more definitive as to the role the
Archbishop plays with regard to the Baptism Registers. The November 2008 Administrative
Regulations contains similar guidance on the Baptism Registers with regard to “Preservation
and Storage”, “Fire Prevention” and “Security”268. However, the November 2008 Administrative
Regulations also states that:
“Catholic parish church records are private records and the public do not have an
automatic right of access to them. They are the property of the church, coming under
the jurisdiction of the local bishop as is the case with all aspects of parochial
administration” (emphasis added).269
374. Both the November 2008 Administrative Regulations and the August 2002 Administrative
Regulations state on their cover pages that “Unless indicated otherwise, the following
regulations and guidelines apply to each parish and agency in the diocese”.270
375. The Archbishop submitted that the DPC should not read anything into the change of language
between the different versions of the Administrative Regulations, stating:
“Nothing should be read into the fact that there was a change in the language between
the two documents. The documents are intended for the guidance of parishes, for the
most part run by a Parish Priest, secretary (usually employed on a part-time basis) and
volunteers. Therefore, the guidelines need to be drafted in such a way that they are
accessible to that audience. As such, nothing turns on the fact that a sentence appeared
in one version and not the other. It is simply a matter of drafting” 271
376. With regard to this submission, I am of the view that the Administrative Regulations (each draft)
are the intended directions of the Archbishop, which are delivered via the diocesan curia, to the
parish priests of the diocese.
267 Submissions dated 15 October 2020, Schedule of Documents, Administrative Regulations and Guidelines for Parishes
(2017), Schedule E (page 167 of PDF submission).
268 Submissions dated 15 October 2020, Schedule of Documents, Administrative Regulations and Guidelines (2008), section
L1-L4 (Preservation, Storage, Fire Prevention, Security) (pages 107-109 of the PDF submission).
269 Submissions dated 15 October 2020, Schedule of Documents, Administrative Regulations and Guidelines (2008), section
L (Archives/Parish Registers) (page 107 of the PDF submission).
270 Submissions dated 15 October 2020, Schedule of Documents, Administrative Regulations and Guidelines (2008) (page 73
of the PDF submission); Administrative Regulations and Guidelines (2002) (page 41 of the PDF submission).
271 Submissions dated 23 July 2021, page 2.
377. In his submissions, the Archbishop also noted that Baptism Registers are stored and retained in
perpetuity.272 There is no express provision in Canon Law requiring Baptism Registers be
retained and stored in perpetuity, only that they are carefully or diligently preserved.273 Further,
the Archbishop submitted that “[a] central requirement of canon law in this regard is that
entries are never deleted from baptismal records”;274 this is with reference to canon 535 §1
which requires Baptism Registers (and other sacramental registers) be preserved. Though the
duty set out under canon 535 §1 is a duty placed on the relevant parish priest, it is clear from
the Archbishop’s submission that he has a role to play in interpreting and disseminating the
appropriate approach, in his view, to Canon Law, among the parishes of the Archdiocese.
378. Notwithstanding the fact that there is no express requirement under Canon Law to store
Baptism Registers in perpetuity, or any express prohibition against deleting/destroying entities
(this is not expressly contained in canon 535 §1), the Archbishop has clearly stated that “records
are retained in perpetuity” and that “entries are never deleted from baptismal records” in any
circumstances. In the Draft Decision, I noted that this indicates the Archbishop’s defining role
in determining the purposes and essential means of processing when it comes to storage and
retention. In the submissions of 1 February 2023, the Archbishop clarified that:
“the Archbishop does not require the Baptism Registers to be retained in perpetuity. This
is a long-standing tradition of the Catholic Church, dating back centuries. For example, in
France, parish registers have been in use since the Middle Ages. The oldest surviving
registers there date from 1303.”
379. I accept this clarification. However, it does not lead me to change the conclusions around the
Archbishop’s influence over storage and retention, for the reasons set out below and elsewhere
in this Decision. In particular, Appendix 3 of the Guidelines published by the Chancellery in 2011,
for the benefit of the parish priests, states “[t]he handwritten registers must be maintained and
the registers themselves are never to be destroyed or discarded”.275
380. I am satisfied that with respect to storage of the Parish Baptism Registers, the Archbishop has
sufficient control of the purposes of processing and disseminates his views to the parish priests
in the form of guidance and instruction, in particular, via Guidelines and the Administrative
Regulations, which explicitly set out that the Baptism Register entries are not to be deleted and
should be stored and retained permanently.
272 Submissions dated 16 March 2020, page 31.
273 Canons 535 §1, 491
274 Submissions dated 16 March 2020, pages 4-5.
275 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, Appendix 3 (page 27 of the PDF submission).
381. With respect to the Clonliffe College Register and the Adopted Persons Baptism Register, the
Archbishop holds these registers in the Chancellery. As far as storage and retention is
concerned, including duration or length of processing, organisation and preservation of the
registers while in storage and security measures in place in the Chancellery, it appears to the
DPC that the Archbishop is the only person who enforces and makes these decisions.While the
Clonliffe College Register is, according to the Archbishop, a Parish Baptism Register, I have been
provided with no evidence that the parish priest of NorthWilliam Street has any input as to the
storage environment of the Clonliffe College Register, or that on balance he exerts any tangible
influence over the duration of the storage and retention.
382. The Archbishop has submitted that both the Clonliffe College registers and the Adopted
Persons’ Baptism Registers are kept securely. The Chancellery Offices, located at the
Archbishop’s house is under the jurisdiction of the Archbishop. He is responsible for the
administration and good ordering of the goods in his diocese and I am satisfied that ultimately
he is in charge of the security arrangements, which are in place in the Archbishop’s House, even
where such tasks may be delegated to others in the diocesan curia in certain instances. The
Archbishop is obligated under Canon Law to ensure that there is an historical archive in the
Archdiocese and that “documents having historical value are diligently protected and
systematically order in it”.276 I am satisfied that, given the necessity (according to the
Archbishop) of retaining the Baptism Registers even after the death of the individuals whose
baptisms are recorded in them, the Clonliffe College Register and the Adopted Person Baptism
Register are ‘documents’which have an historical value and which, being in the Dublin Diocesan
Archives, are to be diligently protected and systematically ordered by the Archbishop.
383. Based on the above analysis, I am of the view that the Archbishop does exert a decisive influence
over the processing of the personal data and special category personal data contained in all
Baptism Registers for the purposes of storage and retention. The DPC next considers whether
this is sole or joint controllership.
Controllership: Storage and Retention
The Parish Priest
384. The parish priest is under an obligation further to canon 535 §1 to ensure that the Parish
Baptism Registers are “carefully preserved”. Further, the parish priest is also tasked with
ensuring that the Parish Baptism Registers are stored correctly and do not fall into unauthorised
hands, in accordance with canon 535 §4. Canon 535 §4 requires that each parish has a storage
area or archived “in which the parochial registers are protected”.
276 Canon 491§2.
385. The Archbishop submitted that the parish priest is responsible for the “the maintenance of
security and confidentiality of baptismal registers”277 and has also submitted that each Parish is
required to have an archive in which Parish Baptism Registers are kept, and that these are
normally kept in safe rooms, which are fireproofed and are accessible only by authorised
personnel.278
386. The Archbishop has asserted that the parish priest “has ongoing access to the registers and it is
he that bears the responsibility of ensuring their security and confidentiality”.279 According to
the Archbishop, the parish priest not only collects the personal data but also “remains in
possession of the data on a continuous and indefinite basis, and controls access to that data by
all outside parties, including the person to whom the record relates. There can be no doubt that
the Parish Priest, therefore, is a data controller”.280
387. My initial view is that, while the parish priest does remain in possession of the personal data in
the Parish Baptism Registers on a ”continuous and indefinite basis”, this duration of processing
has been pre-determined by the Archbishop and is specified to the parish priest through the
Archbishop’s instructions and guidance. Such instructions and guidance are based on the
Archbishop’s interpretation of Canon Law.281
388. Further, I am of the view that while the parish priest is responsible for day-to-day storage and
retention of the Parish Baptism Registers, the Archbishop does provide clear guidance on the
minimum standards expected with regard to retention, security, preservation and fire safety for
the Parish Baptism Registers.282 Indeed, the Dublin Diocesan Archives Guidance provided by the
Archbishop notes explicitly that with respect to Parish Records, “No items are to be disposed of
through sale, donation, or other means before they have been assessed by the archivist and
without the explicit permission of the Archbishop”.283
389. I have had regard to the “non-essential means” of processing as set out in the EDPB Guidelines
07/20. It states: ”Non-essentialmeans” concernmore practical aspects of implementation, such
as the choice for a particular type of hard-or software or the detailed security measures which
may be left to the processor to decide on.
390. I am of the view that the parish priest has a discretion as to the means he uses to store the
personal data contained with the Parish Baptism Registers. Neither Canon Law nor the
Archbishop’s guidance have prescribed all themeans by which the personal data is to be stored,
though certain guidance is in place as to how the parish priest may best preserve his archive
and ensure that it is secure against unauthorised third parties.
277 Submissions dated 16 March 2020, page 5.
278 Submissions dated 16 March 2020, page 29.
279 Submissions dated 16 March 2020, page 10.
280 Submissions dated 16 March 2020, page 11.
281 Submissions dated 16 March 2020, page 11.
282 Submissions dated 15 October 2020, Schedule of Documents, Dublin Diocesan Archives (IE/DDA), section 3.6.1 (page
256 of the PDF submission) and Administrative Regulations, November 2008, section L (pages 107-109 of the PDF
submission).
283 Submissions dated 15 October 2020, Schedule of Documents, Dublin Diocesan Archives (IE/DDA), section 3.6.1 (page
256 of the PDF submission).
391. I am of the view that for the purposes of storage of personal data contained within the Parish
Baptism Registers that the parish priest is engaged with the “non-essential means” of such
processing and is therefore not a data controller for this purpose. This is because the storage of
the parish Baptism Registers by the parish priest is concerned with the practical implementation
of the Archbishop’s instruction and, based upon the EDPB guidance, it is within the discretion
of the parish priest to decide upon certain storage measures once they conform overall to and
are within the overall parameters of the instructions of the Archbishop as data controller.
392. I do not accept either that the parish priest, short of disobeying the instructions of the
Archbishop and by extension the Archbishop’s interpretation of Canon Law, determines the
duration of the processing, which must be perpetual and which has been clearly set out by the
Archbishop.
393. Based on the above, I am of the view that the parish priest does not exert influence over the
processing of the personal data and special category personal data contained in the Parish
Baptism Registers for the purposes of storage.
Conclusion: Controllership: Storage
394. I am of the view that the Archbishop solely engages in decisions relating to the storage of the
personal data in the Parish Baptism Registers.
395. With respect to the purposes of processing, both the Archbishop and the parish priest have
obligations under Canon Law that are inextricably linked. The parish priest is under an obligation
to carefully preserve the Parish Baptism Registers and to ensure that they are protected in an
adequate storage area, further to canon 535 §1 and canon 535 §4 respectively. The Archbishop
is under an obligation to ensure the affairs that relate to the administration of the Archdiocese
are duly coordinated and ordered. However, it is the Archbishop who has issued clear guidance
as to how the Parish Baptism Registers should be stored and it is the parish priest who must
ensure that this guidance is followed, even though hemay have some discretion as to the “non-
essential means” of processing.
396. With respect to the means of processing, the parish priest must comply with his obligations
under canon 535 §1 and canon 535 §4, in addition to the guidance provided by the Archbishop.
The parish priestmay have some discretion, but this is in relation to the non-essential means of
processing. The Archbishop however determines the means of processing, having a role of
oversight to ensure that the manner in which the personal data is stored by the parish priest
complies with Canon Law, such as whether they have been diligently preserved284, and in
compliance with the guidance he has put in place via the Administrative Regulations. The
Archbishop is empowered to alter the means of processing used by the parish priest via
recommendations in the report sent to the parish following a visitation further to canon 535 §4
or via a precept.
397. As such, I am satisfied, based on the evidence presented to it, that the Archbishop is the sole
controller for the purposes of the storage of the Parish Baptism Registers.
284 Canons 535 §1, 545 §4, 491 §2, 396 §1.
Conclusion: Controllership: Retention
398. On careful consideration of the evidence before me, I am of the view that the Archbishop is the
sole controller for the purposes of the retention of the personal data and special category
personal data contained in the Parish Baptism Registers.
399. I have considered the judgment of C-40/17 Fashion ID, in this regard, in particular the CJEU’s
statement at paragraph 40 that a personmay be a controller jointly with others “only in respect
of the operations involving the processing of personal data for which it determines jointly the
purposes and means”. On consideration of this processing activity, the DPC does not regard the
parish priest to act in the role of a joint controller in respect of retention, not being involved in
jointly determining the purposes andmeans for the retention of the personal data in the Parish
Baptism Registers.
400. From the evidence provided, it is the view of the DPC that the Archbishop solely determines the
purposes and means of the retention of the personal data in the Parish Baptism Registers. It is
the Archbishop who has determined that the personal data in these registers must be retained
indefinitely and never deleted in order that the purposes of processing are fulfilled. As such, the
parish priest has no control over the essential means of processing of the Parish Baptism
Registers when it comes to retention, in particular the duration of the processing.285
401. The essential means of processing for retention of the personal data in perpetuity are not
agreed jointly between the Archbishop and the parish priest and there has been no evidence
presented to the DPC that there is any joint participation in determining the purposes and
means in this regard. The DPC rejects that there is any evidence that the parish priest solely
determines the means and purposes of processing with respect to retention. The Guidelines
from the Archbishop as set out above clearly state that the Parish Baptism Register entries are
never to be deleted or destroyed. According to the Dublin Diocesan Archives guidance, the
Parish Baptism Registers are not to be disposed of by anymeans, without the explicit permission
of the Archbishop.286
402. As such, in respect of the processing activity of retention, I am of the view that the Archbishop
solely controls the purposes and means of processing and therefore is the sole controller of the
personal data for this processing activity.
Conclusion: Controllership
Clonliffe College Registers
285 EDPB Guidelines 07/20, paragraph 40.
286Submissions dated 15 October 2020, Schedule of Documents, Dublin Diocesan Archives (IE/DDA), section 3.6.1 (page
256 of the PDF submission) and Directives and Guidelines for Sacramental and Pastoral Practice, Draft, The Chancellery,
2011, Appendix 3 (page 27 of the PDF submission).
403. Although, as previously set out, the Archbishop submits that the Clonliffe College Register is
rightfully a Parish Baptism Register, it has never been in the possession of the North William
Street parish (or at least this was the case up until July 2021 as far as I am aware). The Clonliffe
College Register is stored in the Chancellery Office/Diocesan Archives at the Archbishop’s House
and the Archbishop is the only person (having regard to the delegation of the task to others in
the diocesan curia) who determines the purposes and means of processing for the storage of
this register, including security, fire prevention, preservation etc. The DPC rejects any
implication that the parish priest of North William Street has any practical or realistic input as
to the purposes and means of storage for this register.
404. Insofar as retention is concerned, further to my views as set out above, the Archbishop is also
the sole controller of the Clonliffe College Register in respect of this processing activity.
Conclusion on Controllership: Storage and Retention
Adopted Persons Baptism Register
405. I am of the view that the Archbishop is the sole controller of the personal data and special
category personal data in the Adopted Persons Baptism Register for all processing activities,
and refers to my views previously set out herein in this regard.
Alteration of Baptismal records
Preliminary Points
406. As a preliminary point, I note that in the context of this Inquiry, the meaning of annotation of
the Baptism Registers and alteration of the Baptism Registers must be distinguished.
407. When an individual undertakes certain sacraments, such as confirmation or marriage, a note of
this is made in the Baptism Register entry for that person. (‘Standard Annotation’). Further,
when a person’s marriage is annulled by the Church, or when a person formally defects from
the Church, this would also be annotated into the Baptism Register. In the case of when a
baptised person prior to 2011 was adopted, their original baptism entry in the Parish Baptism
Register ‘ceased’ by way of a notation only. This notation was placed beside the entry, referring
all requests to the Chancellery (a ‘Special Annotation’).
408. This is to be distinguished from an alteration (‘Alteration’) to the Baptism Register,which is also
of a form of annotation. When an entry to the Baptism Register requires alteration, which may
occur for a number of reasons, for example a change of name or an error in the recording of a
date of birth, the entry is not deleted. The Archbishop has submitted that entries in the Baptism
Register are never deleted. Rather, when an alteration or emendation is required, the incorrect
or out of date information will be struck through and a note of the correct information will be
made on the Baptism Register, above or below the struck through entry.287
287 Submissions dated 16 March 2020, page 6.
409. However, for the purposes of this Decision, a Standard Annotation will refer to routine
annotations of the Baptism Register, which take place when information on further sacraments
received is recorded on the Baptism Register. A Special Annotation will refer to an instance
where the parish priest it notified by the Chancellery of the addition of a specific note to an
entry in a Baptism Register (often also changing the sacramental status of a person). An
Alteration will refer to the less common instances where a Baptism Register entry is annotated
with a view to altering or changing the information which is already present in that entry, due
to an error or inaccuracy.
Standard Annotation, Special Annotation and Alteration
410. The Archbishop has submitted that, with respect to alteration and annotation of the Baptism
Registers, “he is not entitled to alter entries in the registers and he has no power to compel a
Parish Priest to alter a register”288. I have previously set out herein, the obligations of the
Archbishop regarding governance and oversight within the Archdiocese, in addition to his
powers to compel a parish priest to take certain actions by way of a precept. As such, the DPC
finds it difficult to accept the Archbishop’s assertion that he has no power to compel the parish
priest to alter a Parish Baptism Register.
411. I previously stated my view that the Archbishop’s power of inspection, coupled with the parish
priest’s oath of obedience effectively means that the Archbishop exerts influence over the
Annotations which the parish priest makes in the Parish Baptism Registers, being subject to
scrutiny and possible recommendations from the Archbishop.
412. In the submissions to the DPC by the Archbishop, I note that there are suggestions therein, that
the Archbishop, via the Chancellery, exerts influence over themanner in which the Annotations
and Alterations may occur with reference to the personal data contained in the Baptism
Registers.
413. The Archbishop also asserted that the Chancellery “only offers advice. It in no way compels the
recipient to follow the advice, much akin to a person seeking legal advice from a solicitor”289.
However, I note the following:
• section 1.12 of the Guidelines state that “[a]ny alteration to the Baptismal Register
must be authorised through the Chancellery”;
• section 4.5 of the Guidelines state that “[t]he express permission of the Chancellery is
required before any alteration or emendation may be made in any entry in any such
parochial register”; and
• Appendix 3 of the Guidelines, explicitly states, “[a]ny amendment to a register needs
to the prior written permission and authorisation from the Chancellery”.290
288 Submissions dated 16 March 2020, page 2.
289 Submissions dated 15 October 2020, page 14.
290 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, (pages 12, 23, 27 of the PDF submission).
414. The Archbishop has argued that the Chancellery does not in fact ““authorise” an amendment in
the sense of the giving official permission by someone in a position of authority. A better term
might perhaps be “advise””291. While the Archbishop states that in respect of the term
“authorise” “[i]ts usual meaning is where official permission or approval is given for something
to happen. It is important to note that it is not used in that sense where the Chancellery is
concerned”, the DPC respectfully rejects this assertion by the Archbishop.
415. Taking the ordinary meaning of phrases such as “must be authorised”, “express permission”, or
“written permission” it is untenable to suggest that such phrases in fact mean that the
Chancellery will advise only, and that they would be universally understood to be read that way
by parish priests and others in receipt of the Guidelines. Further, the Archbishop has not
demonstrated why these words do not retain their ordinary meaning “where the Chancellery is
concerned” or why this might be. On balance, I am satisfied that if “advise” was the meaning
intended by the Archbishop and the Chancellery in the Guidelines, it would have in fact been
used instead of the language of authorisation and permission.
416. It is not solely the Guidelines, which reflect the language of authorisation in the Archbishop’s
and Chancellery’s communications with parish priests. In a letter dated 24 September 2018,292
a parish priest is requested by the Chancellery to amend an entry in the Parish Baptism Register.
The parish priest is requested to write “Chancellery Auth. 24th September 2018” beside the
change in the Observation Column293 and that the alteration to the date of birth of the data
subject be executed as follows:
“i) In the Date of Birth Column place an asterisk, draw a line through the “9th” and,
above or below insert the “10th”.
ii) In the Observation Column place an asterisk and the following: “Future certificates
to reflect changes made: pub.doc: Chancellery Auth. 24th September 2018”.294
417. The same type of notation is present in a letter of 22 October 2018 requesting an alteration,
“Chancellery Auth. 22nd October 2018”295. In the letter dated 22 October 2018, the Chancellery
instructed the parish priest to rectify the surname of a data subject, which was recorded in the
Parish Baptism Register. The Chancellery instructed the parish priest of St Luke the Evangelist
parish alter the entry as follows:
“i) In the Surname column place an asterisk, before the name […] and, insert the
name […]
ii) In the Observation Column place an asterisk and the following: “Future certificates
to be issued in the name […] pub.doc: Chancellery Auth. 22nd October 2018”
291 Submissions dated 23 July 2021, page 1.
292 Submissions dated 15 October 2020, Schedule of Documents, (page 194 of the PDF submission).
293 Submissions dated 15 October 2020, Schedule of Documents, (page 194 of the PDF submission).
294 Submissions dated 15 October 2020, Schedule of Documents, (page 194 of the PDF submission).
295 Submissions dated 15 October 2020, Schedule of Documents, (page 207 of the PDF submission).
418. I am satisfied that these references indicate that the parish priestmust record whenmaking the
Alteration that the Chancellery’s authorisation has been obtained and the Alteration is
legitimatelymade. In addition to this, in an email to the data subject in respect of the 22 October
2018 request, the Chancellery writes “[w]e have authorised the parish of St Luke the Evangelist
to amend […] Baptismal Certificate”.296 This further strengthens my view that the ordinary
meaning of the word “authorise” is intended with respect to the Chancellery’s involvement in
Annotations and Alterations. This arises in circumstances where it is used with laypeople who
may not be privy to any purported special status surrounding the Chancellery.
419. The Archbishop states that:
“the Chancellery acts as a form of legal advisor to a Parish Priest in that it carries out
an investigation of the particular circumstances surrounding the requested
amendment and confirms to the Parish Priest whether it is legally possible, according
to canon law, to effect the amendment. In this regard, the Chancellery confirms
whether the request is a legitimate one […]
As such, in confirming that the request is a legitimate one, the Chancellery is
confirming whether the individual has a right to have their baptismal record
amended. It is then a matter for the relevant Parish Priest to give effect to this right
and lawful amendment, where it arises”.297
420. Similarly, the Archbishop also stated that:
“This advice is then relayed to the recipient (which in any particular case could be the
Archbishop, a Parish Priest, or a Diocesan Agency). The action(s) thereafter fall under
the jurisdiction of the recipient on how they will proceed”.298
421. I am of the view that the only recipient of “advice” from the Chancellery with any element of
discretion in terms of how to proceed is the Archbishop. I am not satisfied that it is possible for
a parish priest or indeed a diocesan agency, to go against the directions of the Chancellery, even
where the parish priest has operational control within his parish. This is in circumstances where
I am satisfied that in respect of Special Annotations and Alterations, the communications issued
from the Chancellery are not in fact advice, but instructions from the Archbishop to be complied
with by the parish priest.
296 Submissions dated 15 October 2020, Schedule of Documents, (page 203 of the PDF submission).
297 Submissions dated 23 July 2021, page 1.
298 Submissions dated 15 October 2020, page 14.
422. As previously stated, in C-131/12 Google Spain, the concept of a controller (in that case with
reference to the definition under Article 2(d) of Directive 95/46) is defined broadly to ensure
the effective and complete protection of data subjects299. It would be remiss to ignore the
practical influence the Chancellery has in guiding, assisting and advising the Archbishop as part
of the diocesan curia) over the actions of the parish priest, when it comes to amending and
annotating the personal data in the Baptism Registers. In order to protect data subject rights
properly, it is necessary to define a controller broadly and to ensure that the influence of
controllers, even when emanating from another body or office, which purportedly has no
power, is properly recognised for what it is.
423. With respect to the Adopted Persons Baptism Register, the Archbishop provided a template
letter with his 16 March 2020 Submission, which is issued to a parish when an individual is
entered on that register centrally. The letter states that:
“The record of Baptism of the person named below is now contained within the
Adopted Persons’ Baptismal Register held in the Chancellery, Archbishop’s House. As
a result, the entry contained in the Baptismal Register of your Parish ceases.
No Baptismal certificate may be issued from your parish for this entry”
424. The letter also states that “to effect this, I would ask you to make the following notation in the
comments column of the above entry …”.300 In the view of the DPC, the language in this letter is
a clear statement that the entry in the Parish Baptism Registers has ceased and the parish priest
is now prohibited from issuing a baptismal certificate, by direct instruction from the
Chancellery. This is not advice but a strict direction, though the Chancellery has attempted to
frame the latter part of the letter as a request.
425. The Archbishop stated in respect of this that “[u]ltimately it was a decision of the Parish Priest
concerned to make the relevant annotations in the baptismal register held in the Parish”.301
I have considered this submission by the Archbishop and having had regard to all evidence
presented to the Inquiry, respectfully reject this assertion. The above statement is similar to
prior submissions made by the Archbishop whereby “[i]t is then a matter for the relevant Parish
Priest to give effect to this right and lawful amendment, where it arises” and “[t]he action(s)
thereafter fall under the jurisdiction of the recipient on how they will proceed” respectively.
While technically a parish priest may choose not to make the relevant Special Annotation or
Alteration, just as a parish priest may choose not even to record a legitimate baptism in a
register in the first place, this would be in direct contravention of his duties under Canon Law
and his oath of obedience to the Archbishop, as previously set out.
299 C-131/12 Google Spain, paragraph 34.
300 D-201015 Adopted Persons – cessation of entry in baptismal register letter.
301 Submissions dated 23 July 2021, pages 8-9.
426. The Archbishop has certain authority over a parish priest and can even remove a parish priest
from his office in some instances,302 in addition to a power of oversight of the Baptism Register
at his visitation, after which hemay send a report to the parish detailing improvements that are
required. The fact that a parish priest does not undertake the instructions given to him by the
Chancellery does not indicate he is prima facie a controller in his own right, in circumstances
where the alternative to following the instruction is to be in contravention of the duties and
obligations of his office and possibly incur some degree of sanction.
427. The failure to make a Special Annotation or Alteration requested by the Chancellery would not
be the action of a controller legitimately determining the purposes and means of processing
personal data, but rather, the actions of a processor who has failed to follow the instructions of
a controller. In that circumstance the parish priest would then become a controller, further to
Article 28(10) of the GDPR.303
428. In addition to the foregoing and coupled with the Archbishop’s duties of oversight and
governance, including his power of inspection and the right tomake recommendations, or issue
a precept, extends to the oversight of these annotations in the Baptism Registers also. The
interpretation of Canon Law and its anticipated outcome may be provided by the Archbishop
and disseminated to the parish priests, either as guidance or by recommendations to a
particular parish following an inspection and visitation and this determines the purposes of
processing of the personal data.
429. With respect to other Special Annotations directed by the Chancellery, the Archbishop is
empowered to determine not only that a Special Annotation bemade, but also exactly, how the
annotation is to be phrased. In this regard, I note that the Archbishop, via the Chancellery,
directed that when a person formally defected from the Catholic Church, this would be
annotated on their Parish Baptism Register entry. The template letter which was sent to the
parish priest indicates the exactmanner inwhich the Parish Baptism Register is to be annotated:
“I would be grateful if you would make the following insertion in the observation
column of the Baptismal Register in respect of the Petitioner:
“Cessation of Church membership by formal act of defection recognised: Doc. Apud
Curiam, prot. No FD/XX/09.
All future requested Baptism Certificates should include this observation” .304
430. In circumstances where a baptised person was adopted prior to 2011, the Chancellery also
notified the parish priest of the exact means by which the Parish Baptism Register was to be
annotated, as set out previously. In this instance, the Chancellery would set out the following
entry which was to be made in the comments column of the Parish Baptism Register entry:
302 Submissions dated 15 October 2020, page 19
303 EDPB Guidelines 07/20, page 4 states: “A processor infringes the GDPR, however, if it goes beyond the controller’s
instructions and starts to determine its own purposes and means of the processing. The processor will then be considered
a controller in respect of that processing and may be subject to sanctions for going beyond the controller’s instructions”.
304 Submissions dated 23 July 2021, Booklet of Documents Accompanying Responses to DPC Queries, template letter dated
31 August 2009 on the cessation of church membership sent from the Chancellery (page 21 of the PDF submission).
“Adoption Order granted (DATE), Serial No:
In the name
Refer all requests for certificates/notifications to the Chancellery”.305
431. Further, I note that the Archbishop has in fact offered in his submissions to recommend that a
further annotation be made by the parish priests in circumstances where a person has sought
de facto defection. The Archbishop stated that the “register could be annotated as follows: “No
longer wishes to be identified as a Roman Catholic”.306 This, in my view, indicates that the
Archbishop has the power to determine further annotations, whichmay be placed on the entry
of a data subject in the Baptism Registers, including the Clonliffe College Registers and Adopted
Persons Baptism Registers.
432. As such, the Archbishop determines the essential means of processing when it comes to Special
Annotations, which are specifically directed by the Chancellery, in particular the type of the
personal data processed, the duration of the processing, the data subjects whose personal data
is processed and the form in which the processing must take.
433. Similarly, with regard to Alterations to the Baptism Registers, the Archbishop, via the
Chancellery, specifies exactly the means by which an alteration to an entry is executed. This is
evident from the sample letters dated 24 September 2018 and letter of 22 October 2018
provided by the Archbishop in his submissions, which instruct a parish priest to perform an
Alteration to the Parish Baptism Register.
434. Both of the aforementioned Alterations are set out precisely in their terms, and the parish priest
does not determine any aspect of the essential means of processing for the above alterations.
He must execute these as instructed, transcribing the exact language used by the Chancellery.
It is evident to the DPC that that these Alterations, are to be undertaken in the exact manner in
which the Chancellery has directed that they be done.
435. For Standard Annotations which indicate a change in a person’s sacramental status, further to
canon 535 §2, the Archbishop is empowered to determine the interpretation and
implementation of Canon Law in his Archdiocese. As such, he is empowered to direct themeans
of processing for such annotations if he wishes, in particular, the type of personal data
processed by determining the amount of detailwhich should be provided in such an annotation;
the duration of the processing for an annotation (in perpetuity); and the categories of data
subjects. With respect to the categories of data subjects, the Archbishop is empowered to
determine whether further annotations can be made in the Baptism Register.
436. The parish priest has no power to effect an Alteration without the express permission and
instruction of the Chancellery. Hemay not even formulate thewording of the Alteration himself,
nor can he decide to include more or less personal data, further to his own discretion under
canon 535 §2.
305 Submissions dated 16 March 2020, per template letter provided therein, D-201015 Adopted Persons – cessation of entry
in baptismal register letter.
306 Submissions dated 16 March 2020, page 44.
Controllership: Standard Annotation, Special Annotation and Alteration
Parish Priest
437. The parish priest is obliged under canon 535 §2 to make Standard Annotations on the Parish
Baptism Register. Canon 535 §2 provides that:
“In the baptismal register are also to be noted confirmation and those things which
pertain to the canonical status of the Christian faithful by reason of marriage, without
prejudice to the prescript of _ can. 1133, of adoption, of the reception of sacred orders, of
perpetual profession made in a religious institute, and of change of rite. These notations
are always to be noted on a baptismal certificate”.
438. I accept that the parish priest, for the most part, fulfils this obligation on a day-to-day basis
without reference to the Archbishop and am of the view that he has an element of discretion
as to how this is achieved. Canon 895 states that “[t]he pastor must inform the pastor of the
place of baptism about the conferral of confirmation so that a notation ismade in the baptismal
register according to the norm of _ can. 535, §2”. Canon Law does not specify the personal data
which is to be included in such a notation, just that it must be done to fulfil the requirements of
Canon Law. The parish priest is obliged under Canon Law to make standard annotations in the
parish baptism registers for the purposes of recording the sacramental or canonical status of an
individual, the recording of which is central to the administration of the Church.
439. My view is that any element of discretion that the parish priest may have in terms of the
recording of the standard annotation is part of the non-essential means of processing. It simply
concerns a practical aspect of the implementation of obligations that are set out under Canon
Law, notwithstanding the significance of its administrative function and purpose.
440. The Archbishop has also submitted that the parish priest is responsible for the “annotation of
the baptismal record with details of a person’s confirmation, marriage/annulment and
ordination/laicisation”.307 I note the distinction between these Standard Annotations and
Special Annotations, which require direction or instruction from the Archbishop (via the
Chancellery). Such Special Annotations may include the recording in a Baptism Register of the
annulment of a marriage, the laicisation of a previously ordained individual, the formal
defection of an individual from the Church (which is no longer possible), or annotating the
cessation of an entry in a Parish Baptism Register on the adoption of a baptised individual (this
practice has also ceased).
307 Submissions dated 16 March 2020, page 5.
441. With respect to these Special Annotations, the evidence provided to the DPC by the Archbishop
indicates that, in these instances, such an annotation is only performed by a parish priest when
a specific instruction has been received by the Chancellery to do so. These specific instructions
appear to set out the exactwording and form which the Special Annotation is to take and leaves
no discretion to the parish priest as to how the personal data in question is to be processed.
The wording of such an annotation in the case of a formal defection from the Church has been
previously set out herein together with the wording in the case of the cessation of a baptismal
entry following the adoption of a baptised person.
442. When a parish priest is approached by an individual who wishes an Alteration to be made to
the Baptism Register, the Archbishop has submitted that this will only occur in limited
circumstances. The Archbishop submits that an Alteration can consist of changing the name of
the individual following a change of name by deed poll.308 Amending a factual error in the name
or date recorded are also possible alterations that may be made.309
443. To make an Alteration to a Baptism Register entry, the parish priest must apply to the
Chancellery for “authorisation” if he has been contacted directly by an individual.310 The
Chancellery then undertakes an investigation as to whether the alteration may be carried out.
The Archbishop submitted that the investigation is “carried out on behalf of the Parish Priest as
he is the custodian of the records”.311 The Chancellery then relays the findings to the parish
priest and the parish priest then undertakes the Alteration based on the Chancellery’s findings.
As stated above, I note the clear language used in a number of the documents submitted by the
Archbishop accompanying the submissions, which indicates that the Chancellery must in fact
expressly authorise or give permission for an Alteration to be performed by the parish priest.
The parish priest does not have any discretion in this regard.
444. The DPC respectfully disagrees with the viewpoint presented by the Archbishop that the
Chancellery is working on behalf of the parish priest, providing advice only as to whether an
Alteration should be performed. As previously set out, I am of the view that the parish priest
cannot alter the baptism records unless and until he is permitted to do so by the instructions
from the Archbishop, delivered through the Chancellery.
Conclusion on Controllership:
Standard Annotation, Special Annotation, Alteration
Parish Baptism Registers
445. I am of the view that the Archbishop, in respect of Standard Annotations of entries in the Parish
Baptism Registers, is the sole controller who determines the purposes and means of the
processing of personal data.
308 Submissions dated 16 March 2020, page 6.
309 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, section 1.13 (page 12 of the PDF submission).
310 Submissions dated 16 March 2020, page 6.
311 Submissions dated 16 March 2020, page 6.
446. It is the view of the DPC that the Archbishop, in respect of the processing activity of Special
Annotation of entries in the Parish Baptism Registers, is the sole controller who directs the
purposes and means of processing. The Archbishop via the Chancellery instructs the parish
priest as to the exact manner in which a Special Annotation is to be effected. The parish priest
does not determine the purposes or the means of such processing and therefore cannot be
identified as a controller in these circumstances.
447. I am of the view that in respect of the processing activity of Alteration of entries in the Parish
Baptism Registers, the Archbishop is the sole controller who directs the purposes and means of
processing. The Archbishop via the Chancellery instructs the parish priest as to the exactmanner
in which an Alteration is to be effected. The parish priest is required to obtain the express
permission or authorisation for the purposes of an Alteration. The parish priest does not
determine the purposes or the means of such processing and therefore cannot be identified as
a controller in these circumstances.
Clonliffe College Registers
448. I am of the view that the Archbishop is the sole controller of the personal data and special
category personal data in the Clonliffe College Register for the processing activities of Standard
Annotation, Special Annotation and Alteration. Although the Archbishop submits that the
Clonliffe College Register is rightfully a Parish Baptism Register, it was not in the possession of
the NorthWilliam Street parish at the time of the Archishop’s submission.
449. The Clonliffe College Register is stored in the Chancellery Office/Diocesan Archives at the
Archbishop’s House and the Archbishop is the only person (having regard to the delegation of
the task to others in the diocesan curia) who determines the purposes andmeans of processing
for the standard and special annotation and alteration of this register. The DPC rejects any
implication that the parish priest of North William Street has any practical or realistic input on
the purposes and means of Standard Annotation for this Clonliffe College Register.
Adopted Persons Baptism Register
450. I am of the view that the Archbishop is the sole controller of the personal data and special
category personal data in the Adopted Persons Baptism Register this Decision.
Findings
451. While having regard to the findings of joint controllership with the parish priest, I reiterate the
position previously set out which is that the DPC engaged solely with the Archbishop of Dublin
in relation to this Inquiry and my findings are based on the submissions of the Archbishop.
However, it is important to note that this Inquiry relates to the rectification and erasure of
personal data contained within the Baptism Registers (which includes retention and storage)
under Articles 16 and 17 of the GDPR respectively. Earlier sections of this Decision included an
analysis of the collection and recording of personal data because the issue of rectification or
erasure flows therefrom.
452. It is clear to me from the foregoing analysis, that the Archbishop retains sole controllership for
the processing activities of rectification and erasure of personal data contained within the
Baptism Registers. In simple terms, this is so because any such amendment cannot be made by
the parish priest without having first obtained hierarchal approval. While the Archbishop
submits that the Chancellery is the Canon Law office of the Diocesan Curia with no decision-
making power and fulfils only an advisory role, the DPC does not accept for the purposes of data
protection law that this organisational make-up relieves or removes the Archbishop from
consideration as a data controller. The Archbishop decides certain key elements312 about the
purposes of the data processing by his governance of the interpretation of the obligations under
Canon Law and instructing those to the parish priest. The Archbishop issues instructions on how
to comply with certain obligations, via the Chancellery.
453. Therefore, I find that:
a. The Archbishop and the parish priest are joint controllers of the personal data and
special category data contained in the Parish Baptism Registers with respect to the
processing activities of:
i. Collecting and recording.
b. The Archbishop is the sole controller of the personal data and special category data
contained in the Parish Baptism Registers with respect to the processing activities of:
i. Storage and Retention;
ii. Standard and Special Annotation;
iii. Alteration;
c. The Archbishop is the sole controller of the personal data and special category
personal data contained in the Clonliffe College Registers with respect to all
processing activities.
d. The Archbishop is the sole controller of the personal data and special category
personal data contained in the Adopted Persons Baptism Register with respect to all
processing activities.
312 EDPB Guidelines 07/20, paragraph 20.
c) LEGAL BASIS
Issue for determination
Introduction
454. I have made the determinations herein that firstly the Baptism Registers come within the
material scope of the GDPR; and secondly that the Archbishop acts in the capacity as sole
controller for the processing activities, the subject of this Inquiry. As such, the following issues
arise for determination by the DPC in relation to the Archbishop’s compliance with Articles 6
and 9 of the GDPR They are set out as follows:
a. In relation to the processing of personal data and special category personal data of
data subjects who no longer wish to have their personal data recorded in any
Baptism Registers:
i. whether the Archbishopmay rely on legitimate interests for the processing of
Baptism Registers, in accordance with on Article 6(1)(f) of the GDPR, in
circumstances where the processing is necessary for the purposes of the
legitimate interests pursued by the Archbishop;
ii. whether, and to what extent the Archbishop’s interests (or those of a third
party) in retaining the personal data and special category personal data are
overridden by the interest or fundamental rights and freedoms of the data
subjects and accordingly whether the Archbishop is entitled to rely on Article
6(1)(f) for the processing of the personal data and special category personal
data;
iii. whether the Archbishop is entitled to rely on Article 9(2)(d) of the GDPR for
the processing of the special category personal data contained in the Baptism
Registers, which permits processing carried out in the course of the
Archbishop’s legitimate activities as a foundation, association or non-profit
body with a religious aim where the processing relates solely to members or
former members of the body or to persons who have regular contact with it
in connection with its purposes and where the special category personal data
are not disclosed outside the body without the consent of the data subjects;
iv. whether the Archbishop, in processing the special category personal data in
accordance with Article 9(2)(d) of the GDPR, put in place the required
appropriate safeguards for such processing under Article 9(2)(d); and
v. in assessing the legal bases relied on by the Archbishop, whether the
Archbishop is compliant with the principle of purpose limitation under Article
5(1)(b) of the GDPR and the principle of lawfulness fairness and transparency
under Article 5(1)(a) of the GDPR.
b. In relation to any further processing of personal data and special category personal data
of data subjectswho no longer wish to have their personal data recorded in the Baptism
Registers:
vi. whether the Archbishop may rely on legitimate interests for the processing,
in accordance with Article 6(1)(f) of the GDPR, in circumstances where the
processing is necessary for the purposes of the legitimate interests pursued
by the Archbishop;
vii. whether, and to what extent the Archbishop’s interests (or those of a third
party) in further processing the personal data and special category personal
data are overridden by the interest or fundamental rights and freedoms of
the data subjects and accordingly whether the Archbishop is entitled to rely
on Article 6(1)(f) for the further processing of personal data and special
category personal data;
viii. whether the Archbishop is entitled to rely on Article 9(2)(j) of the GDPR for
the further processing of special category personal data contained in the
Baptism Registers, which permits processing which is necessary for archiving
purposes in the public interest, scientific or historical research purposes in
accordance with Article 89(1) of the GDPR;
ix. whether the Archbishop, in further processing the special category personal
data in accordance with Article 9(2)(j) of the GDPR, put in place the required
appropriate safeguards for such processing in accordance with Article 89(1)
of the GDPR, which ensure that technical and organisational measures are in
place in particular in order ensure respect for the principle of data
minimisation;
x. whether the processing of special category personal data is necessary and
proportionate for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes in accordance with
Section 54 of the 2018 Act;
xi. whether, in circumstances where processing is established to be necessary
for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes, (i) suitable and specific measures have been
taken by the Archbishop to safeguard the fundamental rights and freedoms
of data subjects; (ii) the processing respects the principle of dataminimisation
(Article 5(1)(c) of the GDPR); and (iii) where the purposes can be fulfilled by
processing which does not permit or no longer permits identification the
processing is fulfilled in that manner, in accordance with Section 42 of the
2018 Act;
xii. whether, in circumstances where processing is established to be necessary
for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes, data subject rights have lawfully been
restricted in accordance with Section 61(1) and 61(2) of the 2018 Act to the
extent that the exercise of any of those rights would be likely to render
impossible, or seriously impair, the achievement of those purposes, and such
restriction is necessary for the fulfilment of those purposes; and
xiii. in assessing the legal bases relied on by the Archbishop, whether the
Archbishop is compliant with the principle of purpose limitation under Article
5(1)(b) of the GDPR and the principle of lawfulness fairness and transparency
under Article 5(1)(a) of the GDPR.
Relevant Provisions
455. Article 5(1) (a) of the GDPR requires that personal data shall be “processed lawfully, fairly and
in a transparent manner in relation to the data subject”. This is known as the principle of
lawfulness, fairness and transparency.
456. Article 5(1)(b) of the GDPR requires that the personal data be
“collected for specified, explicit and legitimate purposes and not further processed in a
manner that is incompatible with those purposes; further processing for archiving
purposes in the public interest, scientific or historical research purposes or statistical
purposes shall, in accordancewith Article 89(1), not be considered to be incompatiblewith
the initial purposes (‘purpose limitation’).
457. Article 6 of the GDPR states that processing shall be lawful only if and to the extent that one of
the conditions under Article 6(1) applies. Under Article 6(1)(f), processing shall be lawful in
circumstances where:
“processing is necessary for the purposes of the legitimate interests pursued by the
controller or by a third party, except where such interests are overridden by the interests
or fundamental rights and freedoms of the data subject which require protection of
personal data, in particular where the data subject is a child”.
458. Under Article 9 of the GDPR, the processing of special categories of personal data (which
includes personal data revealing religious or philosophical beliefs) is prohibited unless one of
the conditions under Article 9(2) applies. This includes: Article 9(2)(d) permits processing which
is:
“carried out in the course of its legitimate activities with appropriate safeguards by a
foundation, association or any other not-for-profit body with a political, philosophical,
religious or trade union aim and on condition that the processing relates solely to the
members or to former members of the body or to persons who have regular contact with
it in connection with its purposes and that the personal data are not disclosed outside that
body without the consent of the data subjects”; and
459. Article 9(2)(j) permits processing which is:
“necessary for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes in accordance with Article 89(1) based on Union or
Member State law which shall be proportionate to the aim pursued, respect the essence
of the right to data protection and provide for suitable and specificmeasures to safeguard
the fundamental rights and the interests of the data subject.”
460. Article 89(1) of the GDPR states that:
“Processing for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance
with this Regulation, for the rights and freedoms of the data subject. Those safeguards
shall ensure that technical and organisational measures are in place in particular in order
to ensure respect for the principle of data minimisation. Those measures may include
pseudonymisation provided that those purposes can be fulfilled in that manner. Where
those purposes can be fulfilled by further processing which does not permit or no longer
permits the identification of data subjects, those purposes shall be fulfilled in that
manner”.
461. Recital 156 of the GDPR provides guidance on further processing under the legal basis of Article
9(2)(j), stating that the:
“further processing of personal data for archiving purposes in the public interest, scientific
or historical research purposes or statistical purposes is to be carried out when the
controller has assessed the feasibility to fulfil those purposes by processing data which do
not permit or no longer permit the identification of data subjects, provided that
appropriate safeguards exist (such as, for instance, pseudonymisation of the data).”
462. Recital 158 of the GDPR provides further guidance on the legal basis under Article 9(2)(j), stating
that:
“Where personal data are processed for archiving purposes, this Regulation should also
apply to that processing, bearing in mind that this Regulation should not apply to
deceased persons. Public authorities or public or private bodies that hold records of public
interest should be services which, pursuant to Union or Member State law, have a legal
obligation to acquire, preserve, appraise, arrange, describe, communicate, promote,
disseminate and provide access to records of enduring value for general public interest...”
463. Article 9(2)(j) has also been given further effect in Irish law by section 54 of the 2018 Act,313
which provides that:
“Subject to compliance with section 42, the processing of special categories of personal data
is lawful where such processing is necessary and proportionate for—
(a) archiving purposes in the public interest,
(b) scientific or historical research purposes, or
(c) statistical purposes”.
464. Section 42 of the 2018 Act states that:
“(1) Subject to suitable and specificmeasures being taken to safeguard the fundamental rights
and freedoms of data subjects, personal data may be processed, in accordance with
Article 89, for—
(a) archiving purposes in the public interest,
(b) scientific or historical research purposes, or
(c) statistical purposes.
(2) Processing of personal data for the purposes referred to in subsection (1) shall respect the
principle of data minimisation.
(3) Where the purposes referred to in paragraph (a), (b) or (c) of subsection (1) can be fulfilled
by processing which does not permit, or no longer permits, identification of data subjects,
the processing of information for such purposes shall be fulfilled in that manner.”
Relevant Case Law
465. The CJEU in Rigas Satiksme314 set out ‘three cumulative conditions’ to satisfy the lawfulness of
processing under Article 7(f) of Directive 94/46 in the following terms:
“first, the pursuit of a legitimate interest by the data controller or by the third party or
parties to whom the data is disclosed; second, the need to process personal data for the
purposes of the legitimate interests pursued; and third, that the fundamental rights and
freedoms of the person concerned by the data protection do not take precedence”.315
Although Article 7(f) refers to the now repealed Data Protection Directive, its provisions are
comparable to Article 6(1)(f) of the GDPR and therefore the case law remains relevant for the
purposes of interpreting Article 6(1)(f).
313 Article 89 of the GDPR refers to safeguards and derogations relating to processing for archiving purposes in the public
interest, scientific or historical research purposes or statistical purposes
314 C-13/16 Rigas Satiksme 4 May 2017
315 C-13/16 Rigas Satiksme 4 May 2017, paragraph 28.
466. As affirmed in the DPC’s Guidance Note on Legal Bases for Processing Personal Data:
“Controllers who are assessing whether to process data under the legitimate interest legal
basis should consider the three elements needed for this legal basis:
a) Identifying a legitimate interest which they or a third party pursue;
b) Demonstrating that the intended processing of the data subject’s personal data is
necessary to achieve the legitimate interest; and
c) Balancing the legitimate interest against the data subject’s interests, rights and
freedoms”.316
467. In C-524/06 Heinz Huber,317 the CJEU held that the ‘concept of necessity’ must ‘fully reflect the
objective of’ the directive.318
468. In Rigas,319 the CJEU held:
“As regards the condition relating to the necessity of processing personal data, it should
be borne inmind that derogations and limitations in relation to the protection of personal
data must apply only in so far as it strictly necessary…’320
469. The DPC in its Guidance on Legal Bases for Processing Personal Data clarifies the ‘Necessity and
Legitimate Interests’ further in the following terms:
“Once a legitimate interest has been identified, a controller must be able to show that the
processing of personal data is actually necessary for the purpose of that interest. The
necessity test requires controllers to demonstrate that the processing is a reasonable and
proportionate way of achieving their purpose. If a controller can reasonably pursue these
interests in another, less intrusive way, legitimate interests will not provide a legal basis
for processing.
Therefore, when assessing whether processing is necessary for the purpose of pursuing a
legitimate interest, controllers should consider whether the processing actually helps to
further the identified interest, whether it is a reasonable and proportionate way to do so,
and whether there are any less intrusive ways to achieve the same result.
In line with the principle of data minimisation, even where processing may seem
necessary, controllers should ensure that the amount of data processed and extent of that
processing is the minimum amount needed to achieve the stated purpose. As is the case
of other legal bases which involve the concept of necessity, the extent of what precisely is
‘necessary’ for the purposes of any legitimate interest will ultimately depend on the
circumstances of each case, and will also be relevant to the consideration of the balancing
of interests…”.321
316 DPC Guidance Note: Legal Bases for Processing Personal Data, December 2019, page 21.
317 C-524/06 Heinz Huber v Bundesrepublik Deutschland, 18 December 2008.
318 C-524/06 Heinz Huber v Bundesrepublik Deutschland, 18 December 2008, paragraph 52.
319 C-13/16 Rigas Satiksme 4 May 2017
320 C-13/16 Rigas Satiksme 4 May 2017, para 30.
321 DPC Guidance Note: Legal Bases for Processing Personal Data, December 2019, page 23.
470. In relation to the balancing exercise between the legitimate interests of the data controller and
the fundamental rights and freedoms of the data subjects, Advocate General Bobek in his
Opinion in Rigas stated:
“[s]uch an act of balancing must be carried out on a case-by-case basis”…….“[b]alancing
is the key to the correct application of Article 7(f). It is that operation that makes Article
7(f) wholly distinctive compared to the other provisions of Article 7”.322
471. The DPC’s Guidance Note provides direction regarding the balancing test that is required:
“A balancing test is needed as a controller’s interests will not always align with the
interests of the data subject(s). However, where there is a conflict or tension between
these interests it is not the case that processing can never take place, but rather the
controller can only process the personal data where their interests provide a clear and
proportionate justification for the impact on the individual”.323
472. Finally, the DPC Guidance Note sets out that in relation to the principle of accountability under
Article 5 of the GDPR:
“In line with the principle of accountability, found in Article 5 GDPR, controllers should
keep a record of the assessment they undertook to determine whether the legitimate
interests were overridden by the interests, rights, or freedoms of the data subject. There
is no set way in which controllers have to do this, but it is important that they record their
reasoning in some way, to show that an appropriate decision-making process was utilised
to justify processing, and that data subject rights and freedoms were sufficiently taken
into account. The results of this assessment should also be reviewed if there is a significant
change in the nature or context of the processing operation”.324
Background
473. The DPC acknowledges that the Archbishop is of the view that he is not a controller or a joint
controller of the personal data and special category personal data contained in the parish
Baptism Registers and that the parish priest is the controller of the parish Baptism Registers. As
such, the submissions made by the Archbishop with respect to the lawful bases for processing,
relate to what the Archbishop states are the legal bases relied upon by the parish priests for
such processing of the parish Baptism Registers and the Archbishop’s legal basis for processing
the Baptism Registers held in the Chancellery325 (save for the Clonliffe College Registers, which
the Archbishop has submitted are held in the Chancellery but not on behalf of the Archbishop,
according to his submissions).326
322 C-13/16, Opinion of Advocate General Bobek delivered on 26 January 2017, Valsts policijas Rīgas reģiona pārvaldes
Kārtības policijas at paras 67 & 68 respectively.
323 DPC Guidance Note: Legal Bases for Processing Personal Data, December 2019, page 24.
324 DPC Guidance Note: Legal Bases for Processing Personal Data, December 2019, page 24.
325 See section 1.4 of the letter from Mason Hayes Curran on behalf of the Archbishop, accompanying the
16 March 2020 Submission.
326 Submissions dated 23 July 2021, page 3.
For Determination: Processing Issues: In relation to the processing of personal data and special
category personal data of data subjects who no longer wish to have their personal data recorded in
any Baptism Register.
474. In his submissions to the DPC, the Archbishop stated that he and the parish priests rely on the
following legal bases for the processing by way of retention of the personal data and special
category data contained in the Baptism Registers:
• Articles 6(1)(f) of the GDPR, which provides that processing will be lawful where it is
necessary for the purposes of the legitimate interests pursued by the controller or by
a third party, except where such interests are overridden by the interests or
fundamental rights and freedoms of the data subject; and
• Article 9(2)(d) of the GDPR, which provides that processing of special categories of
personal data is permitted where the processing is carried out in the course of its
legitimate activities with appropriate safeguards by a foundation, association or any
other not-for-profit body with a religious aim and on condition that the processing
relates solely to members or to former members of the body of persons who have
regular contact with it in connection with its purpose and that the personal data are
not disclosed outside that body without the consent of the consent of the data
subjects.
Archbishop’s Submissions
Article 6(1)(f)
475. The Archbishop submitted that the lawful basis of legitimate interests under Article 6(1)(f) of
the GDPR is often analysed using a three-stage approach, with reference to the CJEU’s judgment
in case C-13/16 Rigas Satiksme,327 namely:
a) identifying a legitimate interest which a controller or a third party pursues;
b) demonstrating that the intended processing of the data subject’s personal data is
necessary to achieve the legitimate interest; and
c) balancing the legitimate interest against the data subject’s interests, rights, and
freedoms.
The Archbishop submitted that the processing in question with respect to this legal basis is the
“maintenance of the name of the data subject on a register of baptised persons”.328
Identifying a legitimate interest
476. With respect to the first of these criteria, the Archbishop identified the legitimate interests
pursued in the processing of the personal data contained in the Baptism Registers. The
Archbishop noted at the outset that with respect to an appropriate legitimate interest “a wide
range of interests may be covered, including commercial interests, individual interests and
broader societal benefits”.329
327 C-13/16 Rigas Satiksme ECLI:EU:C:2017:336, paragraphs 28-31.
328 Submissions dated 16 March 2020, page 44.
329 Submissions dated 16 March 2020, pages 33-34.
477. The Archbishop firstly submitted that the parish priests of the Archdiocese of Dublin “have a
legitimate interest in preserving the information contained in Parish registers, because such
registers (baptism, confirmation and marriage in particular) consist of a record of the
administration of certain sacraments in the Church. The Archbishop also has a legitimate
interest in preserving the information contained in the records held in the Chancellery Office”.330
478. The Archbishop also submitted, “The Roman Catholic Church sees baptism as the first and basic
sacrament of Christian initiation. It is important to note that baptism can only be received once.
As such, it is essential that the Roman Catholic Church maintain a record of all those persons
who have been baptised”.331
479. Similarly, the Archbishop noted that the sacrament of confirmation may only be received once,
and that a marriage between baptised people, validly entered into, cannot be dissolved. As
such, “a careful record is made of the administration of the sacraments of baptism,
confirmation, matrimony and Holy Orders, as, from the perspective of Church teaching, these
sacraments can only be administered once. Insofar as these sacraments are concerned, the
Roman Catholic Church has a particular interest in maintaining an accurate record on a
permanent basis”332. Certain other sacraments may be administered a number of times, such
as the Eucharist, and as such there is no necessity to keep a register.
480. Secondly, the Archbishop submitted that:
“[...] the baptism register is of particular importance as it is considered to be the
“gateway” to all of the records of a person’s life within the Catholic Church. The baptism
register includes a space for notations of future sacraments, namely confirmation, and/or
marriage/Holy Orders.
In order to receive the sacraments of confirmation and marriage/Holy Orders, reference
is alwaysmade to the entries made in the baptism register to establish (1) that the person
has been baptised and (2) there is no impediment to receiving the proposed sacrament,
eg it would not be possible for a man who had received the sacrament of marriage then
to receive the sacrament of Holy Orders.
It is also important to note that the registers are not considered to be a list of members
of the Catholic Church. It is entirely possible and, indeed, perhaps common, that a person
who has received the sacrament of baptism is no longer a practising Catholic or no longer
considers themselves to be a member of the Catholic Church. […] However, the baptism
register at all times remains the reference point from which any other Parish throughout
the world can ascertain whether a person has received any of the other sacraments. This
information is critical in terms of certain key beliefs in the Catholic faith, i.e. that a person
can only receive the sacraments of baptism, confirmation, marriage or Holy Orders
once”.333
330 Submissions dated 16 March 2020, page 34.
331 Submissions dated 16 March 2020, page 34.
332 Submissions dated 16 March 2020, pages 34-35.
333 Submissions dated 16 March 2020, page 35.
481. The Archbishop also noted the case study included in the Data Protection Commissioner’s
Annual Report 2003. In the case study, the Commissioner had concluded that a parish priest
was entitled to refuse a request by a data subject to have their name removed from a parish
Baptism Register, stating “it is my understanding that the data could not be deleted from the
Register as it is essential for the administration of Church affairs to maintain a register of all the
people who have been baptised. Indeed it is of course a factual record of an event that
happened”.334
482. The Archbishop noted that the legitimate interests he had outlined
(i) that it is necessary for the administration of the Church to keep a record of the
sacraments received by individuals; and
(ii) to ensure that certain sacraments are not administered more than once
are underpinned by fundamental rights and protections under the Irish Constitution and the
Charter which among other things, protect the right of religious denominations tomanage their
own affairs.335
483. The Archbishop also noted that Recital 4 of the GDPR “respects the principles enshrined in the
Charter, particularly relating to the protection of conscience and religion”336 and referred to
Recital 165 of the GDPR which states that “[t]his Regulation respects and does not prejudice the
status under existing constitutional law of churches and religious associations or communities
in theMember States, as recognised in Article 17 TFEU”. As such, the Archbishop also submitted,
“data protection law should be interpreted, insofar as possible to respect the fundamental
freedoms of religious organisations”.337
Processing is necessary to achieve the legitimate interest(s)
484. The Archbishop submitted that the processing is necessary, as “complete and accurate records
of all persons who have been baptised must be maintained because it must be possible to
operate a rule that baptism may only be administered once. In the absence of such a record, it
would be impossible to operate this rule, and thus a core aspect of the freedom of religious
practice would be interfered with”.338 The Archbishop also submitted that:
“[t]he only way to maintain such a record is to retain the names of all persons who have
been baptised. There is no other way that the data controller could reasonably pursue this
end. The legitimate interests in maintaining baptismal records cannot be achieved by any
other means and thus the means – the maintaining of the original record – are the least
intrusive method possible, and are necessary for the purposes of the legitimate
interests”.339
334 DPC Annual Report 2003, Case Study 8, page 37.
335 Bunreacht na hÉireann, Articles 44.2.1, 44.2.5; Charter of Fundamental Rights, Article 22.
336 Submissions dated 16 March 2020, page 36.
337 Submissions dated 16 March 2020, page 38.
338 Submissions dated 16 March 2020, page 42.
339 Submissions dated 16 March 2020, page 42.
485. The Archbishop also referred to the CJEU judgment in C-13/16 Rigas Satiksme,which considered
the concept of necessity in this context and theminimum personal data thatwould be necessary
to process in order to give effect to the legitimate interest. The Archbishop stated that in respect
of the Baptism Registers, “the processing in question involves the minimum amount of personal
data necessary to achieve the end, ie, the name of the data subject and the date of baptism”.340
486. When questioned by the DPC as to how the parish or the Archdiocese verifies the sacramental
status of a person (in particular the baptismal status) in circumstances where Baptism Registers
have been irreparably damaged, the Archbishop responded that:
“ The Chancellery on behalf of the Parish, would first obtain objective evidence from the
Bishop of the Diocese where the fire/flood occurred, that this in fact happened.
Following that, the Chancellery would obtain statements from the godparents, being the
official witnesses, regarding the fact of baptism and the approximate date of the event.
Failing that, it would obtain a sworn statement from the parents/siblings/other relations
present on the day, regarding similar details. The person may also be in possession of
photographic evidence of the day.
It may happen that the parents had an old certificate received at the time of the baptism,
which in the circumstances, would also suffice”.341
487. The Archbishop also responded that in circumstances where a person wishes to undertake a
sacrament but the parish or the Archdiocese is unable to verify the sacramental status of that
person:
“ the individual is invited to search the neighbouring parishes in the vicinity of the place of
residence of his parents upon his/her birth. Inmany cases, the Chancellery undertakes this
task on behalf of the individual.
When the Archdiocese, after an extensive enquiry, fails to determine in any way that
baptism has occurred, the person in that event will be conditionally baptised in
accordance with Canon 869 of the Code of Canon Law”.342
Balancing the legitimate interest(s)
488. The final criteria for establishing whether a controller may rely on Article 6(1)(f) of the GDPR as
a lawful basis for processing is a balancing exercise between the legitimate interests being
pursued on the one hand and the interests or fundamental rights and freedoms of the data
subject on the other.
340 Submission dated 16 March 2020, page 43.
341 Submission dated 23 July 2021, page 5.
342 Submission dated 23 July 2021, page 5.
489. In this regard, the Archbishop referred to the Article 29 Working Party Opinion 06/2014, in
particular its statement that “important and compelling legitimate interests may in some cases
and subject to safeguards and measures justify even significant intrusion into privacy or other
significant impact on the interests or rights of the data subjects”.343 The Archbishop also noted
the emphasis the Working Party gave to the role of safeguards in conducting a legitimate
interests balancing exercise.
490. The Archbishop submitted that the legitimate interests pursued with respect to the Baptism
Registers are “undoubtedly serious ones”. The Archbishop submitted that “[w]ithout a complete
baptism register the Catholic Church would be unable to operate a key tenet of its faith, the rule
that a person may only be baptised once”.344 However, the Archbishop asserted:
“the content of the entry on the register does not signify that the data subject is a current
member of the Roman Catholic Church but rather signifies the fact that the person was,
at one point in the past, baptised as a Catholic. As such, the Archbishop submits that, if
this is an infringement of the data subject’s rights and freedoms, it is a very minimal one.
If it does constitute such an infringement, important safeguards are in place to protect
the fundamental rights of the data subject and to ensure that this processing is a
proportionate limitation of the data subject’s rights and freedoms”.345
491. The Archbishop set out the safeguards that have been put in place, which are as follows:
• The Baptism Register is “private and secure” and subject to “strict rules of
confidentiality”; and
• A de facto defection register is maintained in the Archdiocese to “address any concern
that the data subject might have that the register would be regarded as a record of
current membership”. This “mitigates against any concern that a data subject may
have in respect of the register being assumed to provide a record of their present-day
religious status and beliefs”. The Archbishop also noted that while “this register is
maintained by a different data controller (the Archbishop rather than the Parish Priest)
it is a relevant factual safeguard which vindicates the data subject’s rights”.346
492. As a further safeguard the Archbishop noted that, although this is not the current practice of
the parishes in the Archdiocese, the Archbishop “could recommend to Parish Priests that it
would be permissible to adopt a practice whereby the register could be annotated as follows:
“No longer wishes to be identified as a Roman Catholic”.347
493. On that basis, the Archbishop argued that when the “minor interest of the data subject is
balanced against the significant countervailing interests at play and the important safeguards
in place, it is clear that the legitimate interests test is satisfied”.348
343 Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, page
30.
344 Submissions dated 16 March 2020, page 44.
345 Submissions dated 16 March 2020, page 44.
346 Submissions dated 16 March 2020, page 44.
347 Submissions dated 16 March 2020, page 44.
348 Submissions dated 16 March 2020, page 44.
494. Further, the Archbishop referred to Recital 47 of the GDPR, which states, “[t]he interests and
fundamental rights of the data subject could in particular override the interest of the data
controller where personal data are processed in circumstances where data subjects do not
reasonably expect further processing”. In considering whether it would be the reasonable
expectation of a data subject that their personal data be processed in this manner, the
Archbishop stated that:
“Persons who have been baptised Catholic are usually aware of the fact, and likely too to
be aware of the fact that a permanent record is made of the baptism. [The Archbishop]
submits that it is widely known that details of baptisms are recorded in Parish registers.
Baptismal records are often, for example, sought by those carrying out genealogical
research. There is no factor that would lead a baptised person to believe that no
permanent record existed. If a person is concerned about the permanent nature of the
record, they may seek to be listed on the de facto defection register”.349
495. The Archbishop also submitted, “to the extent that the processing entails the processing of the
personal data of children, it is important to note that baptism of a child is usually only permitted
with the consent of both parents”.350
496. Finally, the Archbishop noted that, “it should be observed that the balancing analysis depends
on the particular circumstances of the case at hand. The unique purpose and context of baptism
registers should, for this reason, be given special attention”.351
349 Submissions dated 16 March 2020, page 45.
350 Submissions dated 16 March 2020, page 45.
351 Submissions dated 16 March 2020, page 45.
Article 9(2)(d) – activities of a foundation, association or any other not-for-profit body with a
religious aim
497. The Archbishop submitted that, in his view, the following processing activities in respect of the
Baptism Registers would rely on Article 9(2)(d) as their legal basis:
i. Collection and recording of data for the purposes of recording the baptism;
ii. Storage of the Baptism Register;
iii. Alteration of the Baptism Register on request of the baptised person or his/her parents
(where the baptised person is a minor), or annotation with details of a person’s
confirmation, marriage/annulment and ordination/laicisation (or adoption);352
iv. Retrieval, consultation and use of the register, at the request of the baptised person (or
his/her parents) for the administration of other Sacraments, namely Confirmation,
Marriage and Holy Orders. The Baptism Register may also be consulted in the context
of annulments of marriages or laicisation of priests; and
v. Disclosure of extracts (baptismal certificates) from the register by transmission upon
request to individual, identified baptised persons, or authorised persons acting on their
behalf, or upon inspection by [the Archbishop] on the occasion of a Parish Visitation.353
498. The Archbishop noted that he could not “provide definitive information regarding any
processing activities which may or may not be undertaken by Parish Priests (who are the data
controllers)”. The Archbishop further noted, “where a person no longer wishes to be identified
as a member of the Catholic Church, the only processing activity likely to continue is the storage
of the baptism register”. Further, “the entry in respect of that personmay be retrieved, consulted
and disclosed in rare circumstances where the person concerned or his/her spouse has requested
an annulment” or where the person concerned is a priest and wishes to be laicised.354
499. The Archbishop submitted that the conditions of Article 9(2)(d) of the GDPR are fulfilled by the
processing in question, “in that the personal data contained in the baptism registers are
processed in accordance with the legitimate activities of the Catholic Church, the data relates
solely to members or former members of the Catholic Church, or to persons who have regular
contact with it, and those personal data are not disclosed outside that body without the consent
of the data subjects”.355
500. The Archbishop also stated that in respect of membership of the Catholic Church, “[w]hile the
Roman Catholic Church does notmaintain a register ofmembers – as discussed elsewhere in this
submission – it is correct to say that at the point of baptism, the baptised person is properly
considered a member of the Catholic Church. As such, all baptism records relate to either
members or formermembers”.356 The Archbishop also noted that Article 9(2)(d) includes former
members of the body.
352 Up to 2011.
353 Submission dated 6 September 2021, page 2.
354 Submission dated 6 September 2021, pages 2-3.
355 Submissions dated 16 March 2020, page 38.
356 Submissions dated 16 March 2020, page 38.
501. When requested to outline the appropriate safeguards put in place for these processing
activities as specified by Article 9(2)(d), the Archbishop stated that the Adopted Persons
Baptism Register and the Clonliffe College Registers are securely stored in the Chancellery
Offices, and that the parish Baptism Registers, are normally securely kept and “accessible only
by the pastor and authorised Parish personnel”.357 The Archbishop submitted, “The Parish Priest
is to take care that the baptism registers do not fall into unauthorised hands. The Diocesan
Bishop or his delegate is to inspect the archive at the time of the visitation. Older parochial
registers are also to be carefully safeguarded, in accordance with the provisions of particular
law”.358
502. The Archbishop referred to section 2.11 of the Administrative Regulations, which provides that
“Catholic Parish church records are private records and the public do not have an automatic
right of access to them. The Parish Priest is custodian of the registers but the Archbishop dictates
policy with regard to access”.359 The Archbishop also noted in section 2.11 that “[f]or entries
over 100 years old, third parties may request access to specific information contained in the
register”.360
For Determination - Further processing: In relation to any further processing of personal data and
special category personal data of data subjects who no longer wish to have their personal data
recorded in the Baptism Registers
Article 9(2)(j) – Archiving purposes in the public interest, scientific or historical research purposes:
503. The Archbishop submitted that Article 6(1)(f) of the GDPR, is the legal basis upon which the
parish priests and the Archbishop rely for processing personal data contained in the Baptism
Registers, including further processing.
504. The Archbishop submitted that in respect of any further processing of the special category
personal data contained in the Baptism Registers, he also relied on Article 9(2)(j) of the GDPR,
which provides that processing of special categories of personal data is permitted where the
processing is necessary for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes in accordance with Article 89(1) of the GDPR based on
Union or Member State law which shall be proportionate to the aim pursued, respect the
essence of the right to data protection and provide for suitable and specific measures to
safeguard the fundamental rights and the interests of the data subject.
505. According to the Diocesan Archives’ Guidelines to Family History Research, “[d]irect access to
parish registers is not permitted” and “[i]nformation from Parish Registers is only accessible up
to and including 1920”.361
357 Submissions dated 16 March 2020, page 29.
358 Submissions dated 16 March 2020, page 29.
359 Submissions dated 16 March 2020, page 30. Submissions dated 15 October 2020, Schedule of Documents,
Administrative Regulations, October 2017, section E1 (page 167 of the PDF submission).
360 Submissions dated 16 March 2020, page 31.
361 See https://dublindiocese.ie/wp-content/uploads/2021/10/Family-History-1.docx
506. The Archbishop submitted that, in his view, the following processing activities in respect of the
Baptism Registers would rely on Article 9(2)(j) as their legal basis:
I. Collection and recording of data for the purposes of recording the baptism;
II. Alteration of the Baptism Registers on request of the baptised person or his/her
parents (where the baptised person is aminor), or annotationwith details of a person’s
confirmation, marriage/annulment and ordination/laicisation; and
III. Storage of the Baptism Registers.362
507. The Archbishop submitted: “The baptism register is an important historical record, providing an
invaluable record for social historians, sociologists, anthropologists, various academic
researchers and genealogists. In this regard, the baptismal register states a historical fact at a
point in time”.363
508. The Archbishop submitted that the GDPR allows for a number of exemptions in favour of
archiving in the public interest or for historical research purposes and that the Archbishop
“relies on these provisions as a legal basis for the maintenance of the baptism registers, further
or in addition to the grounds set out above. The baptism registers form an important part of the
Church’s wider role in maintaining records and archives”.364
509. For instance, the Diocesan Archives hold a register from St Michan’s Church, Halston Street,
Dublin dating from 1726.365 Themajority of the registers in the Diocesan archives date from the
nineteenth century. Certain of these registers from the 1850s are pro-forma registers,
customised with detailed columns and headings unlike earlier versions. Individual Baptism
Registers will generally contain entries going back a number of years.
510. The Archbishop also referred to Pontifical Commission for the Cultural Patrimony of the Church
circular letter dated 2 February 1997 in which it considered the pastoral function of Church
Archives. The Archbishop also noted the following passage from the article “Protection of
Personal Data and Apostasy: Comparative Law Considerations”:
“Baptismal registers are thus reliable records of the historic event of having been baptized
and not a file, recording members who join and leave the Church”.366
362 Submissions dated 6 September 2021, page 3.
363 Letter from Mason Hayes Curran on behalf of the Archbishop to the DPC dated 16 March 2020 enclosing 16 March 2020
Submission, page 4.
364 Submissions dated 16 March 2020, page 39.
365 Submissions dated 16 March 2020, page 40.
366 ‘Protection of Personal Data and Apostasy: Comparative Law Considerations’ Montserrat Gas-Aixandri, (2015) 57 Oxford
Journal of Church and State, pp. 72-89, page 4.
511. The Archbishop submitted that the purposes for processing the Baptism Registers is necessary
for historical research purposes and for archiving purposes in the public interest. Regarding the
latter, the Archbishop stated that he considers “that the registers maintained are a form of
archiving, and that such can be considered as being in the public interest (notwithstanding the
protections and limitations for the purposes of confidentiality etc which apply)”.367
512. The Archbishop referred to Recital 158 and stated, “we note that Recital 158 refers to ‘services’
which have a ‘legal obligation’ in respect of preservation etc. However, it is not apparent that
this Recital was intended to limit the ambit of Article 17(3)(d). Indeed, a ‘legal obligation’ is
expressly referenced in Article 17(3)(b) but not in Article 17(3)(d). Moreover, a legal obligation
in this respect need not be limited to a statutory obligation, as Recital 41 makes clear”.368
513. The Archbishop further submitted: “there is no distinction to be made in respect of respect of
[sic] processing necessary for archiving purposes in the public interest and processing necessary
for historical purposes”.369 The Archbishop also provided the DPC with two reports outlining the
value of the Baptism Registers for historical research and for archiving purposes in the public
interest.370
514. The Archbishop relied on these reports to demonstrate the “public interest” element required
for “archiving purposes in the public interest” and referred to in Recital 158. In respect of the
“legal obligation” element referred to in Recital 158, the Archbishop submitted that this need
not be limited to a statutory obligation, stating, “the canon law obligations on parish priests to
preserve baptismal and other registers are set out in the Code of Canon Law”.371
515. The Archbishop also referred again to Article 44.2.5° of the Irish Constitution which provides
that every religious denomination shall have the right to manage its own affairs, own, acquire
and administer property, movable and immovable, and maintain institutions for religious or
charitable purposes, in addition to the Charter rights, such as Article 10 which enshrines the
freedom of religion, and Recital 4 of the GDPR.372
516. In respect of the principle of data minimisation, the Archbishop submitted that in relation to
the register of baptism for persons who are adopted, “only the minimal information is retained
for the purpose for which it is collected”. In respect of the parish Baptism Registers, the
Archbishop submitted, “Parish Priests, as a matter of canon law, have no discretion regarding
the informationwhich is required to be required [sic] in baptismal registers,which is in any event,
minimal”.373
367 Submissions dated 16 March 2020, page 45.
368 Submissions dated 16 March, pages 45-46.
369 Submissions dated 15 October 2020, page 30.
370 ‘Value of Church Registers for Archiving Purposes in the Public Interest’ dated 14 October 2020 by John McDonough and
‘Baptismal Registers and Historical Research’ dated 14 October 2020 by Professor John McCafferty.
371 Submissions dated 15 October 2020, page 31.
372 Submissions dated 15 October 2020, page 31.
373 Submissions dated 15 October 2020, page 32.
517. The Archbishop also stated that retention of the Baptism Registers is necessary for historical
research purposes and archiving purposes as, “absent such retention, there can be no guarantee
that such records, and the information therein, will be available in the future.” The Archbishop
referred to the letter dated 17 April 2019 from the Chairman of the National Library to the then
Chancellor stating that “[t]he National Library of Ireland acknowledges and endorses the
importance of the long-term preservation of records, such as church records, which are likely to
be of historical research value. As you noted, the National Library has made digital copies of
historical Catholic Parish records, specifically those over 100 years old, publicly available online.
This has received a very positive response both from Irish citizens and the Diaspora as they are
an important source for Irish family history research”.374
518. The Archbishop also noted that baptism certificates are “often used for persons seeking to
establish Irish citizenship through antecedents (usually grandparents), in the absence of State
records due to the fire in the Customs House in 1921, or prior to the creation of State records”.375
519. In respect of the application of the transparency principle (Article 5(1)(a) of the GDPR) to
processing undertaken for the purpose of archiving in the public interest and historical research
purposes, the Archbishop submitted that information regarding records held in the Diocesan
Archives is available publically online376 and that it “is amatter for individual Parishes to address
the transparency principle in respect of the registers held by them and which are subject to the
GDPR”. In respect to the Adopted Persons Baptism Register, “the Parish of baptism will direct
adopted persons applying for baptismal certificates to the Chancellery”.377
520. When requested to outline the suitable and specific measures put in place for these processing
activities as specified by Article 9(2)(j) and Article 89(1), the Archbishop again referred to his
previous submissions, which are as set out above. The Archbishop also noted that section
36(1)(d) of the 2018 Act states that suitable and specific measures may include “specific
targeted training for those involved in processing operations”. In this regard, the Archbishop
noted that he “organises data protection training days for Parish Priests and members of the
parish administrative teams. It is also open to Parish Priests to organise their own training in
respect of data protection matters”.378
Legal Analysis of the processing of the processing of personal data and special category personal
data.
First Issue for Determination whether the Archbishop may rely on legitimate interests for the
processing of the Baptism Registers, in accordance with Article 6(1)(f) of the GDPR, in circumstances
where the processing is necessary for the purposes of the legitimate interests pursued by the
Archbishop.
374 As provided to the DPC with the 16 March 2020 submission.
375 Submissions dated 16 March 2020, page 46.
376See https://www.dublindiocese.ie/archives/ and https://www.dublindiocese.ie/guidelines-for-family-history-research/.
377 Submissions dated 15 October 2020, page 33.
378 Submissions dated 23 July 2021, page 7.
521. The first issue for determination is in relation to the processing of personal data and special
category personal data of data subjects who no longer wish to have their personal data
recorded in any Baptism Registers.
522. The Archbishop has submitted that the personal data of individuals who no longer wish to have
their personal data recorded in Baptism Registers is processed lawfully on the basis of Article
6(1)(f) of the GDPR, which states that “[p]rocessing shall be lawful only if […] processing is
necessary for the purposes of the legitimate interests pursued by the controller or by a third
party, except where such interests are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of personal data, in particular where the
data subject is a child”.
523. I have also considered, when assessing whether this legal basis may lawfully be relied upon by
the Archbishop, recital 47 which states the following:
“The legitimate interests of a controller, including those of a controller to which the personal
data may be disclosed, or of a third party, may provide a legal basis for processing, provided
that the interests or the fundamental rights and freedoms of the data subject are not overriding,
taking into consideration the reasonable expectations of data subjects based on their
relationship with the controller. Such legitimate interest could exist for example where there is
a relevant and appropriate relationship between the data subject and the controller in situations
such as where the data subject is a client or in the service of the controller. At any rate the
existence of a legitimate interest would need careful assessment including whether a data
subject can reasonably expect at the time and in the context of the collection of the personal
data that processing for that purpose may take place. The interests and fundamental rights of
the data subject could in particular override the interest of the data controller where personal
data are processed in circumstances where data subjects do not reasonably expect further
processing. Given that it is for the legislator to provide by law for the legal basis for public
authorities to process personal data, that legal basis should not apply to the processing by public
authorities in the performance of their tasks. The processing of personal data strictly necessary
for the purposes of preventing fraud also constitutes a legitimate interest of the data controller
concerned. The processing of personal data for direct marketing purposes may be regarded as
carried out for a legitimate interest” (emphasis added).
524. I accept that the lawful reliance on the legal basis of legitimate interest is to be assessed based
on three essential conditions, based on Article 6(1)(f) of the GDPR and those set out by the CJEU
in case C-13/16 Rigas Satiksme:379
• identifying a legitimate interest which the controller or a third party pursues;
• demonstrating that the intended processing of the data subject’s personal data is
necessary to achieve the legitimate interest identified; and
• on balancing the legitimate interest against the data subject’s interests, rights, and
freedoms, the legitimate interest is not outweighed by the data subject’s interests, rights,
and freedoms.
379 C-13/16 Rigas Satiksme, paragraph 28.
525. This was further considered by the DPC in its Guidance Note on Legal Bases for Processing
Personal data as previously identified.
526. I will now consider each of these conditions in turn, in order to determine, whether the
Archbishop may lawfully process data subjects’ personal data contained in the Baptism
Registers, in circumstances where the data subjects no longer wish their personal data to be
recorded in the Baptism Registers, based on the legal basis of Article 6(1)(f) of the GDPR.
Identifying a Legitimate Interest
527. In order to rely on the legal basis under Article 6(1)(f) of the GDPR, a controller is required to
identify a legitimate interest that is being pursued, pertaining either to itself or to a third party.
Generally, a legitimate interest can be cover a wide range of situations, however it must be
sufficiently articulated to allow a balancing test to be carried out against the interest and
fundamental rights of the data subject.380 A legitimate interest may arise, according to recital
47, where there is a “relevant and appropriate relationship” between the data subject and the
controller.
528. In his submissions, the Archbishop identified the legitimate interests for processing the personal
data contained in the Baptism Registers. Firstly, he submitted:
“ First, the Parish Priests of the Archdiocese of Dublin have a legitimate interest in
preserving the information contained in Parish registers, because such registers (baptism,
confirmation and marriage in particular) consist of a record of the administration of
certain sacraments in the Church. The Archbishop also has a legitimate interest in
preserving the information contained in the records held in the Chancellery Office”.381
529. The Archbishop also stated that the Roman Catholic Church “sees baptism as the first and basic
sacrament of Christian initiation” which “can only be received once”. As such, “it is essential that
the Roman Catholic Church maintain a record of all those persons who have been baptised”382.
Therefore “a careful record is made of the administration of the sacraments of baptism,
confirmation, matrimony and Holy Orders, as, from the perspective of Church teaching, these
sacraments can only be administered once”. The Archbishop submitted that the Roman Catholic
Church has “a particular interest in maintaining an accurate record on a permanent basis”.383
530. Secondly, the Archbishop submitted that the Baptism Register entries are used to check the
sacramental status of a person prior to receiving another sacrament:
“ In order to receive the sacraments of confirmation and marriage/Holy Orders, reference
is alwaysmade to the entries made in the baptism register to establish (1) that the person
has been baptised and (2) there is no impediment to receiving the proposed sacrament,
eg it would not be possible for a man who had received the sacrament of marriage then
to receive the sacrament of Holy Orders.”
380 Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller, section III.3.1.
381 Submissions dated 16 March 2020, page 34.
382 Submissions dated 16 March 2020, page 34.
383 Submissions dated 16 March 2020, pages 34-35.
531. Although the Baptism Register is not a list of members of the Catholic Church, the Archbishop
submitted that it did act as a “reference point for which any other parish throughout the world
can ascertain whether a person has received any of the other sacraments”. The Archbishop
noted that “[t]his information is critical in terms of certain key beliefs in the Catholic faith, ie
that a person can only receive the sacraments of baptism, confirmation,marriage or Holy Orders
once” and that the Baptism Register acted as “a ‘gateway’ to all the records of a person’s life
within the Catholic Church”.384
532. The Archbishop has also submitted that the DPC in its Annual Report of 2003 recognised the
importance of the Baptism Register in case study 8, stating that it was “essential for the
administration of Church affairs to maintain a registers of all the people who have been
baptised”.
533. Further, the Archbishop noted that the legitimate interests outlined; (i) that it is necessary for
the administration of the Church to keep a record of the sacraments, in particular baptism,
received by individuals; and (ii) to ensure that certain sacraments are not administered more
than once are underpinned by fundamental rights and protections under the Irish Constitution
and the Charter, which among other things, protect the right of religious denominations to
manage their own affairs.385
534. I accept that the interests pursued by the Archbishop in this regard are central to the proper
functioning of key aspects of the Roman Catholic faith in Ireland.
535. However, I must also consider, when assessing whether a legitimate interest arises, the
guidance provided by recital 47 of the GDPR. Recital 47 firstly states, “[s]uch legitimate interest
could exist for example where there is a relevant and appropriate relationship between the data
subject and the controller”. In the context of personal data of a data subject being recorded in
Baptism Registers, I accept that such a relevant relationship arises between a data subject who
has undergone certain sacraments in the Catholic Church (whether they consider themselves
to be a member of the Catholic Church or not) and the Archbishop as a representative of that
Church in his Archdiocese with responsibility for the proper governance of that Archdiocese.
536. Recital 47 secondly notes, “the existence of a legitimate interest would need careful assessment
including whether a data subject can reasonably expect at the time and in the context of the
collection of the personal data that the processing for that purpose may take place”. In the
context of the recording and retention of the details of a baptism in the Baptism Registers, I am
of the view that a data subject could reasonably expect the personal data to be processed for
the purposes of ensuring that the data subject has been baptised and to ensure that there is no
impediment to that data subject receiving a further sacrament, such as confirmation or
marriage.
384 Submissions dated 16 March 2020, page 35.
385 Bunreacht na hÉireann, Articles 44.2.1, 44.2.5; Charter of Fundamental Rights Articles 22.
537. I am of the view, that it would be reasonably known among persons who have been baptised in
Irish society, whether such a person actively continues to practice the Catholic faith or not, that
certain sacraments may only be received once in the Catholic Church and that a record is kept
of certain sacraments by the Catholic Church.
538. Further, I note the CJEU in case C-708/18 Asociaţia de Proprietari blocM5A-ScaraA386 held that
a legitimate interest (in that case under Article 7(f) of Directive 95/46) pursued by a controller
or by a third partymust be “present and effective as at the date of the data processing andmust
not be hypothetical at that date”.387
539. In consideration of this requirement laid down by the CJEU, I am of the view that the legitimate
interests pursued by the Archbishop are not hypothetical in nature, and the Archbishop has
provided evidence of the process which is undertaken to verify the sacramental status of a data
subject, often prior to that data subject receiving another sacrament such as that of marriage.
The DPC considers that the legitimate interests asserted by the Archbishop are “present and
effective” in nature during the lifetime of the data subjects whose personal data are recorded
in the Baptism Registers for that reason.
540. Therefore, I am of the view that the interests submitted by the Archbishop to be legitimate
interests within themeaning of Article 6(1)(f) of the GDPR are legitimate and I accept that these
legitimate interests allow for the proper administration of certain sacraments of the Catholic
Church and are central to the Roman Catholic faith, are sufficiently articulated and are real and
present.
Necessity of processing to achieve the legitimate interests
541. I must now turn to consider the second condition required in order to rely on Article 6(1)(f) to
establish lawfulness of processing: that the processing of the personal data is necessary in order
to achieve the legitimate interests pursued.
542. Under EU law, necessity has its own independent meaning and must be interpreted to fully
reflect the objectives of data protection law, as set out in case C-524/06 Heinz Huber v
Bundesrepublik Deutschland (‘Heinz Huber’),388 being the protection of the fundamental rights
and freedoms of natural persons and their right to privacy with respect to the processing of
personal data.389
543. I note that, in accordance with the CJEU’s judgment in C-13/16, Rigas Satiksme, a controller is
required to demonstrate that the data processing does not go beyond what is “strictly
necessary” for the purposes of processing.390 This requires that the Archbishop demonstrates
that the processing is a reasonable and proportionate way of achieving the legitimate interests.
386 C-708/18 Asociaţia de Proprietari bloc M5A-ScaraA ECLI:EU:C:2019:1064.
387 C-708/18 Asociaţia de Proprietari bloc M5A-ScaraA, paragraph 44.
388 C-524/06 Heinz Huber, paragraph 52.
389 C-524/06 Heinz Huber refers to Article 1(1) of Directive 95/46 in paragraph 52. The equivalent provision under the GDPR
is Article 1(2).
390 C-13/16, Rigas Satiksme, paragraph 30.
544. Should there be a less intrusive way to achieve the same interests, then in general, it cannot be
said that the processing is necessary to achieve those interests. In cases C-92/09 and C-93/09
Scheke, Eifert and Hessen, the CJEU held that, where it was possible to “envisage measures
which affect less adversely that fundamental right of natural persons and which still contribute
effectively to the objectives” in question, such measures will not comply with the principle of
proportionality.391 Finally, I note that in order to be considered necessary processing, no equally
effective alternatives to the processing may be available.
545. I note the Archbishop has submitted that the processing of the data is necessary as:
“complete and accurate records of all persons who have been baptised must be
maintained because it must be possible to operate a rule that baptism may only be
administered once. In the absence of such a record, it would be impossible to operate this
rule, and thus a core aspect of the freedom of religious practice would be interfered
with”.392
546. The Archbishop also submitted that:
“[t]he only way to maintain such a record is to retain the names of all persons who have
been baptised. There is no other way that the data controller could reasonably pursue this
end. The legitimate interests in maintaining baptismal records cannot be achieved by any
other means and thus the means – the maintaining of the original record – are the least
intrusive method possible, and are necessary for the purposes of the legitimate
interests”.393
547. I am in agreement with the Archbishop that the personal data processed in the Baptism Register
is generally limited to what is strictly necessary in order to achieve its legitimate interests. I also
accept, in accordance with the requirement of data minimisation, that the data in question is
the minimum amount required to achieve the legitimate interests.
548. Further, the Archbishop has confirmed that, in instances where a baptismal record does not
exist for an individual, the Archbishop may require the individual to provide sworn statements
from their godparents or parents confirming that the baptism took place. In other
circumstances, where the sacramental status of an individual may not be verified, after an
extensive enquiry the individual may be conditionally baptised further to canon 869. 394
391 C-92/09 and C-93/09 Scheke, Eifert and Hessen, ECLI:EU:C:2010:662, paragraph 86.
392 Submissions dated 16 March 2020, page 42.
393 Submissions dated 16 March 2020, page 42.
394 Submissions dated 23 July 2021, page 5.
549. Although these are alternative measures to achieving the legitimate interests set out by the
Archbishop, I consider that these could not be equally effective alternatives to the processing
undertaken by recording and retaining personal data in the Baptism Registers. Given the
importance of the principle in the Catholic Church that certain sacraments may only be
administered once, the reliance on statements of godparents and other witnesses instead of
the official record of the Church (or indeed conditionally baptising a person without any
verification as to whether they have been previously baptised), does not provide the certainty
and effectiveness of the recording of Baptism Registers and is clearly only suited to exceptional
occasions.
550. As such, I am satisfied that the Archbishop has demonstrated that the processing of the data
subject’s personal data is necessary to achieve the legitimate interests outlined.
Balancing the legitimate interests against the interests or fundamental rights and freedoms of the
data subject
551. Finally, I must consider whether the legitimate interests pursued by the Archbishop are not
overridden by the interests, rights or fundamental freedoms of the data subjects. When
undertaking this assessment a number of considerations need to be taken into account.
Moreover, those interestsmust be present and effective at the date of the data processing and
must not be hypothetical in nature.395
Impact of the processing
552. I note that an important consideration to take into account is the consequences for the
individual by the processing of their personal data in Baptism Registers.396 The purpose is not
to prevent any negative impact on the data subject, but to prevent a disproportionate impact.397
Such impact encompasses the different ways in which an individual may be affected - positively
or negatively - by the processing, and should address any possible (potential or actual) positive
and negative consequences of such processing.398
553. Although the Baptism Register does not act as a list of member of the Catholic Church, the
Archbishop has submitted that at the point of baptism, “the baptised person is properly
considered a member of the Catholic Church”.399 For various reasons, data subjects may no
longer wish to be considered members of the Catholic Church. Further, I note that since 2010,
a change was made to Canon law, which resulted in a data subject being unable to defect
formally from the Catholic Church.400
The nature of the personal data
395 C-708/18, Asociaţia de Proprietari bloc M5A-ScaraA 11 December 2019, paragraph 44
396 See WP Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive
95/46/EC, assessing the impact of processing, page 37.
397 WP29 Opinion 06/2014 on the notion of legitimate interests, page 41
398 WP29 Opinion 06/2014 on the notion of legitimate interests, page 37
399 Submissions dated 16 March 2020, page 38.
400 Submissions dated 16 March 2020, page 21.
554. The CJEU has clarified that “account must be taken, inter alia, of the nature of the personal data
at issue, in particular of the potentially sensitive nature of those data, and of the nature and
specific methods of processing the data at issue, in particular of the number of persons having
access to those data and the methods of accessing them”.401
555. I note that, pursuant to Article 9(1) of the GDPR, the personal data recorded in the Baptism
Registers is also considered to be special category personal data as it reveals a religious belief.
Special category data is considered more sensitive than other types of personal data and
warrants special protection and consideration. In addition, the personal data recorded in the
Baptism Records also concerns the personal data and special category data of children, who,
under Recital 38 of the GDPR ‘merit specific protection’, this being within the backdrop of
parental consent being obtained at the time of the baptismal event.
556. Further, I note that the processing of the personal data in the Baptism Registers is not intensive
(though it is long in duration); the personal data collected and recorded is not extensive and
consists of no more than is strictly necessary than what is required to pursue the legitimate
interest. In addition, as outlined prior, there are strict rules on who can access this data and it
is limited to select individuals.402
Reasonable expectations of the data subject
557. When balancing the interests, rights and fundamental freedoms of the data subject against the
legitimate interests pursued by a controller or a third party, consideration for the reasonable
expectations of the data subject is required, as set out in recital 47 of the GDPR. The DPC’s views
on the reasonable expectations of the data subject were previously set out in this section.
558. The Archbishop in his submissions states that these “legitimate interests” for the purposes of
data protection law are underpinned by fundamental rights protections pursuant to Article
44.2.1° and Article 44.2.5° of the Irish Constitution and Articles 10 and 22 the Charter of
Fundamental Rights (the ‘Charter’). In particular, the Archbishop notes the right of freedom of
religion with the right to self-determination and the right to manage their own affairs being an
integral part of that right.403
559. In this regard, the rights of data subjects under data protection law should be read in
conjunction with Article 10 of the Charter, which provides for the right to “freedom of thought,
conscience and religion”. This includes “the freedom to change religion or belief and freedom,
either alone or in community with others and in public or in private, tomanifest religion or belief,
in worship, teaching, practice and observance”. This Article reflects also Article 9 of the
European Convention of Human Rights (the “ECHR”). The right to freedom of religion includes
the corollary of that right, the right not to belong to a religion or to practice it. The right to
freedom of religion also protects the right not to manifest or reveal one’s religious beliefs.
401 C-708/18 Asociaţia de Proprietari bloc M5A-ScaraA, paragraph 57.
402 Submissions dated 16 March 2020, page 44.
403 Submissions dated 16 March 2020, pages 36 -38.
560. Article 1(2) of the GDPR provides that the “Regulation protects the fundamental rights and
freedoms of natural persons and in particular their right to the protection of personal data.” The
data subjects in the present context have the right to freedom of thought conscience and
religion, which ought to be weighed against the Archbishop’s legitimate interests in this
instance. In that regard, I note that on the other hand the State also has an obligation to ensure
that it does not impede the normal functioning of religious organisations. The Constitution
protects the functioning of religious organisations, under Article 44.5 - “[e]very religious
denomination shall have the right to manage its own affairs, own, acquire and administer
property, movable and immovable, and maintain institutions for religious or charitable
purposes”. The DPC must seek to balance the rights of the Catholic Church and the Archbishop
against the rights of the data subjects who do not wish to belong to a religious organisation, nor
wish to have their data processed by that religious organisation, nor wish to be seen to be
manifesting their religious beliefs in a way that allows such a belief to be inferred by the
recording and processing of their personal data.
561. Further, Article 12 of the Charter provides for the right to “freedom of association at all levels,
in particular in political, trade union and civic matters, which implies the right of everyone to
form and to join trade unions for the protection of his or her interests”. This right encompasses
the freedom to associate with religious associations. This Article reflects Article 11 of the ECHR.
The freedom of association encompasses a freedom of choice as to how an individual may wish
to exercise their freedom of association. This includes the right not to join an association and
the right to withdraw from an association, which is the corollary to the freedom of association
and is essential for the proper exercise of the rights.404 The rights of data subjects whose
personal data is recorded in the Baptism Registersmust also be weighed by the DPC against the
legitimate interests of the Archbishop in this case.
562. Even in instances where the infringement of the data subject’s interests and/ or rights and
fundamental freedoms occur, this does not necessarily mean that the balance falls in favour of
the legitimate interests being overridden. In circumstances where there is a clear and
proportionate justification for the impact on the data subject’s rights, the processing may still
lawfully occur based on the legitimate interests.
563. In case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos
(AEPD), Mario Costeja Gonzalez (‘Google Spain’)405 the CJEU considered the rights of a data
subject who wished to have links to his personal data removed from a search engine against the
legitimate interests of the search engine in this case. In this case the held that the application
of Article 7(f) (legitimate interests under Directive 95/46) “necessitates a balancing of the
opposing rights and interests concerned, in the context of which account must be taken of the
significance of the data subject’s rights arising from Articles 7 and 8 of the Charter”.406
404 [See following ECHR cases (Sørensen and Rasmussen v. Denmark [GC], 2006, § 54). (Sigurður A. Sigurjónsson v. Iceland,
1993, § 35; Vörður Ólafsson v. Iceland, 2021, § 45)]]
405 ECLI:EU:C:2014:317.
406 C-131/12 Google Spain, paragraph 74.
564. The CJEU sought to balance the rights of the data subject in that case, even where such rights
may be interfered with, against the legitimate interests of third party internet users and
considered that such balancing would have to be done on a case-by-case basis and would
depend on the nature of the personal data among other things. This was also echoed by the
CJEU in C-13/16 Rigas Satiksme, wherein the CJEU stated, “as regards the condition of balancing
the opposing rights and interests at issue, it depends in principle on the specific circumstances
of the particular case”.407
565. The DPC finds that the Archbishop has an overriding justification for the impact on the data
subject’s rights. The Archbishop’s legitimate interests represent the pursuance of central beliefs
in the Catholic Church. The DPC recognises that the right to freedom of thought, conscience and
religion of the Church must also be taken into account when balancing the rights of the data
subjects. As the achievement of the legitimate interests, in this instance, are fundamental to
the proper administration of certain sacraments, in particular baptism, in the Catholic Church,
the failure of which would impact on the rights of a number of members of the Church, I am of
the view that the Archbishop’s legitimate interests are not overridden by the interests, rights
and fundamental freedoms of the data subjects, including those who consider themselves no
longer members of the Church. The Archbishop has legitimate reasons for the impact on the
data subjects’ rights, which stem from the aim of ensuring the proper administration of
sacraments as a whole.
Safeguards
566. The Article 29 Working Party stated in its opinion on legitimate interests, as submitted by the
Archbishop, that “important and compelling legitimate interests may in some cases and subject
to safeguards and measures justify even significant intrusion into privacy or other significant
impact on the interests or rights of the data subjects”.408 It is accepted that adequate and
sufficient safeguards can significantly reduce the impact on data subjects. I note that the
Archbishop has pointed to a number of safeguards that are in place, such as the fact that the
Baptism Registers are kept private and secure and subject to strict rules of confidentiality, only
accessible by a very small number of authorised individuals. Further, the Archbishop has
submitted that a de facto defection register is kept in order to allow those who no longer wish
to have an association with the Church to have this view recorded. The Archbishop has also
offered to direct the parish priests to include an annotation on the Baptism Register stated that
an individual “No longer wishes to be identified as Roman Catholic”, though this is not the
current practice of the Archdiocese.409
567. I am of the view that these safeguards reduce the impact on the data subject’s rights. I am of
the view that an annotation on the Baptism Register itself, clearly indicating the wishes of the
data subject on the baptism entry would be an appropriate method of safeguarding the data
subject’s rights.
407 C-13/16 Rigas Satiksme, paragraph 31.
408 Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of
Directive 95/46/EC, page 30.
409 Submissions dated 16 March 2020, page 44.
568. It is my view that in pursuing his legitimate interests, the Archbishop is infringing the rights and
freedoms of data subjects. In such instances, a fair balance must be struck between these
competing rights and interests. The DPC considers that the processing of personal data of
individuals who no longer wish to have their personal data processed may impact on the data
subjects’ rights such as their right to freedom of religion and freedom of association and the
corollary rights. However, I am of the view that the legitimate interests of the Catholic Church
in the proper administration of the sacraments and the Church as a whole, with appropriate
safeguards in place to protect the personal data, overall outweighs the rights and freedoms of
data subjects. The Archbishop’s legitimate interests are justified even with such an impact on
the data subject as they represent central aims and beliefs in the Catholic Church.
569. It is the view of the DPC that the Archbishop may lawfully rely on legitimate interests under
Article 6(1)(f) of the GDPR as a legal basis for processing the personal data of data subjects
which is recorded in the Baptism Register, even in instances where a data subjectmay no longer
wish to be associated with the Catholic Church. The Archbishop has:
• established clear legitimate interests which are being pursued;
• demonstrated the necessity of the processing to achieve these legitimate interests;
and
• subject to certain safeguards, the legitimate interests are not outweighed by the
interests, rights and fundamental freedoms of the data subjects.
Second Issue for Determination
570. The second issue for determination is whether, and to what extent the Archbishop’s interests
(or those of a third party) in retaining the personal data and special category personal data are
overridden by the interest or fundamental rights and freedoms of the data subjects and
accordingly whether the Archbishop is entitled to rely on Article 6(1)(f) for the processing of the
personal data and special category personal data.
571. As stated in the previous section, subject to safeguards, the Archbishop’s interests in retaining
the personal data contained in the Baptism Registers are not overridden by the interest or
fundamental rights and freedoms of the data subjects. The Archbishop is entitled to rely on
Article 6(1)(f) for the processing of the personal data and special category personal data.
Third Issue for Determination
572. The third issue for determination is whether the Archbishop is entitled to rely on Article 9(2)(d)
of the GDPR for the processing of the special category personal data contained in the Baptism
Registers, which permits processing carried out in the course of the Archbishop’s legitimate
activities as a foundation, association or non-profit body with a religious aim where the
processing relates solely to members or former members of the body or to persons who have
regular contact with it in connection with its purposes and where the special category personal
data are not disclosed outside the body without the consent of the data subjects.
573. Article 9(2)(d) of the GDPR permits processing of special category personal data which is:
“carried out in the course of its legitimate activities with appropriate safeguards by a
foundation, association or any other not-for-profit body with a political, philosophical,
religious or trade union aim and on condition that the processing relates solely to the
members or to former members of the body or to persons who have regular contact with
it in connection with its purposes and that the personal data are not disclosed outside that
body without the consent of the data subjects”.
574. Recital 51 also notes that:
“[d]erogations from the general prohibition for processing such special categories of
personal data should be explicitly provided, inter alia, where the data subject gives his or
her explicit consent or in respect of specific needs in particular where the processing is
carried out in the course of legitimate activities by certain associations or foundations the
purpose of which is to permit the exercise of fundamental freedoms”.
575. The Archbishop has submitted that the processing of the special category personal data
contained in the Baptism Registers, in particular the retention of such data in circumstances
where the data subject no longer wishes to be recognised as a member of the Catholic Church,
is in accordance with Article 9(2)(d) of the GDPR.
576. In order to assess whether the Archbishop is entitled to rely on the legal basis under Article
9(2)(d) of the GDPR, I must assess if the required criteria under Article 9(2)(d) are met:
a. the personal data is processed in the course of its legitimate activities;
b. by a foundation, association or any other not-for-profit body with a political,
philosophical, religious or trade union aim;
c. on the condition that the processing relates solely to the members or to former
members of the body or to persons who have regular contact with it in connection
with its purposes; and
d. the personal data are not disclosed outside that bodywithout the consent of the data
subjects.
Criteria a: The personal data are processed in the course of its legitimate activities
577. I have previously established herein that the activities of the Catholic Church for which the
Archbishop processes the personal data and special category personal data, which is contained
in the Baptism Registers, are the legitimate interests of the Archbishop.
578. Further, I also note the guidance of the ICO with respect to the legitimate activities of a not-for-
profit body under Article 9(2)(d). The ICO states that legitimate activities “is fairly broad, and
covers most of what you do, as long as it does not stray outside the purposes and powers set out
in your constitution or governing documents, and is not unlawful or unethical in any way”.410
410 ICO, Special Category data What are the conditions of processing, https://ico.org.uk/for-organisations/guide-to-data-
protection/guide-to-the-general-data-protection-regulation-gdpr/special-category-data/what-are-the-conditions-for-
processing/#conditions
579. I accept that these activities, relating to the recording and administering of certain sacraments
in Baptism Registers are legitimate activities of the Catholic Church, being central to the key
beliefs of the Church and being provided for in Canon Law which constitutes the internal rules
of the Catholic Church and sets out the purposes of the Church and the powers provided to
instruments of the Church to achieve this.
Criteria b: By a foundation, association or any other not-for-profit body with a political,
philosophical, religious or trade union aim
580. The Archbishop has submitted:
“that the conditions required by Article 9(2)(d) in this instance are fulfilled, in that the
personal data contained in the baptism registers are processed in accordance with the
legitimate activities of the Catholic Church, the data relates solely to members or former
members of the Catholic Church, or to persons who have regular contact with it, and those
personal data are not disclosed outside that body without the consent of the data
subjects”.411
581. I also note the guidance of the ICO in this regard. With respect to the bodies that may rely on
Article 9(2)(d) as a legal basis for processing special category personal data, the ICO states that
“[y]ou can only rely on this condition if you […] are a not-for-profit body, for example charities,
clubs, political parties, churches, trade unions and other associations if they have a political,
philosophical, or religious aim”412 (emphasis added). Indeed, the ICO goes on to set out the
following example:
“A church processes personal data of its members and supporters in order to run church
activities and provide pastoral care. The church can rely on the not-for-profit condition to
process the data which reveals their religious belief.”413
582. Further, in a 2016 talk given by Cardinal Stefan Wyszyński, at a Conference organised by the
Polish Inspector for Personal Data Protection and published online by the EDPS (European Data
Protection Supervisor), entitled “Personal Data Protection in churches and religious
organisation” the Cardinal noted the following with respect to Article 9(2)(d) (which was still in
draft form):
“The new Regulation will maintain the existing exemption which allows churches and
other bodies with a 'religious... aim' to process sensitive data:
• 'in the course of its legitimate activities...';
• '...with appropriate safeguards';
411 Submissions dated 16 March 2020, page 38.
412 ICO, Special Category data What are the conditions of processing, https://ico.org.uk/for-organisations/guide-to-data-
protection/guide-to-the-general-data-protection-regulation-gdpr/special-category-data/what-are-the-conditions-for-
processing/#conditions.
413 Ibid.
• '...on condition that the processing relates solely to the members or to former
members of the body or to persons who have regular contact with it in connection
with its purposes'; and
• on condition that 'the data are not disclosed outside that body without the consent
of the data subject'”.414
583. In consideration of the above, I am satisfied that Article 9(2)(d) is intended to cover religious
organisations that constitute not-for-profit bodies. I accept that the Archbishop is a member of
a not-for-profit body, with a religious aim, that being the Archdiocese of Dublin.
414https://edps.europa.eu/sites/edp/files/publication/16-02-25_personal_data_protection_church_warsaw_en.pdf.
Criteria c: On the condition that the processing relates solely to themembers or to former members
of the body or to persons who have regular contact with it in connection with its purposes
584. The processing in question with respect to the Baptism Registers relates to persons who have
undertaken what is considered the “gateway” sacrament within the Catholic Church415. While
the Archbishop submits that the Baptism Registers do not constitute a list of members of the
Church and nor is a register of members maintained for that intention, the Archbishop has
noted that a “baptised person is properly considered a member of the Catholic Church”. As such
“all baptism records relate either to members or former members”.416
585. I accept that in principle, any individual who has undergone baptism in the Catholic Church
becomes a member of the Catholic Church. If subsequently, that individual no longer wishes to
be amember of the Church; regardless of defection, that individual would be a formermember
of the Church.
586. Therefore, I am satisfied that the processing of the special category personal data in the Baptism
Registers relates only to persons who may properly be considered to be members or former
members of the Church.
Criteria d: The personal data are not disclosed outside that body without the consent of the data
subjects:
587. Article 9(2)(d) also requires that personal data processed by the not-for-profit body not be
disclosed outside that body without the consent of the data subjects. I note that the Baptism
Registers are generally subject to strict confidentiality even within the Church itself and are only
disclosed outside the Church after 100 years have passed.417 The personal data in the Baptism
Registers may on limited occasions be disclosed within the organisation, either by the
Archbishop seeking to instruct the parish priest to make a Special Annotation for example, or
by a parish priest seeking advice from the Archbishop, via the Chancellery. I also note that, on
occasion, a parent or guardian may request a baptismal certificate on behalf of an individual
who had been baptised. This would be in situations where that individual is unable to consent
on their own behalf, due to their age. I have not been provided with any evidence suggesting
that the personal data contained in the Baptism Registers is disclosed outside of the Church
without the consent of those data subjects.
588. Based on the above considerations, I am satisfied that the Archbishop may rely on the legal
basis under Article 9(2)(d) of the GDPR for the processing of data subjects’ special category
personal data during the course of their lifetime, being members or former members of a not-
for-profit body with a religious aim.
415 Submissions dated 16 March 2020, page 26.
416 Submissions dated 16 March 2020, page 38.
417 Submissions dated 15 October 2020, Schedule of Documents, Dublin Diocesan Archives (IE/DDA), section 2.5 (page 243
of the PDF submission).
Fourth Issue for Determination
589. The fourth issue for determination is whether the Archbishop, in processing the special category
personal data in accordance with Article 9(2)(d) of the GDPR, put in place the required
appropriate safeguards for such processing under Article 9(2)(d)
590. I have previously noted that the Archbishop has referred to a number of safeguards that are in
place for the processing of the Baptism Registers. This includes the fact that the Baptism
Registers are kept securely in the parishes, or in the Archbishop’s House and are confidential,
only accessible by a very small number of authorised individuals. Further, the Archbishop has
submitted that a de facto defection register is kept in order to allow those who no longer wish
to have an association with the Church to have this view recorded. The Archbishop has also
offered to direct the parish priests to include an annotation on the Baptism Register stated that
an individual “No longer wishes to be identified as Roman Catholic”, though this is not the
current practice of the Archdiocese.418
591. As previously stated, I am not of the view that the De Facto Defection Register is an appropriate
safeguard. However, I am satisfied that the other safeguards put in place by the Archbishop are
appropriate to safeguard the rights and fundamental freedoms of data subjects.
592. Based on the above considerations, I am satisfied that the Archbishop , in processing the special
category personal data in accordance with Article 9(2)(d) of the GDPR, has in place the required
appropriate safeguards for such processing under Article 9(2)(d).
Fifth issue for Determination
593. The fifth issue for determination is in assessing the legal basis relied on by the Archbishop,
whether the Archbishop is compliant with the principle of purpose limitation under Article
5(1)(b) of the GDPR and the principle of lawfulness, fairness and transparency under Article
5(1)(a) of the GDPR.
594. Regarding processing (as opposed to further processing) and the principle of ‘purpose
limitation’, Article 5(1)(b) of the GDPR provides that the personal data shall be ‘collected for
specified, explicit and legitimate purposes.’ Therefore, for compliance with the principle of
‘purpose limitation’ a data controller must only process data for specified, explicit and
legitimate purposes.
595. With regard to the Baptism Registers as set out previously, the Archbishop has submitted it is
essential for the administration of the affairs of the Catholic Church to maintain a register of all
people who have been baptised in the Church. In addition, baptism is a sacrament, which can
only be administered once and is the gateway to all other sacraments. At baptism, the personal
data collected contains set information as set out at paragraph 38 of this Decision which is
personal data required for the purposes of recording the fact that the individual was baptised.
418 Submissions dated 16 March, page 44.
596. It is the view of the DPC that the data which is processed (as opposed to further processed), in
the baptism registers is for a specified, explicit and legitimate purpose in line with Article
5(1)(b).
597. Regarding processing (as opposed to further processing) and the requirements under Article
5(1)(a) of the GDPR, that personal data must be processed lawfully, fairly and transparently, it
appears to the DPC that the personal data contained in the Baptism Registers, is processed
lawfully under Article 6(1)(f) of the GDPR and this analysis is set out above which includes
appropriate safeguards being in place.
598. Regarding the ‘fair’ component of Article 5(1)(a) of the GDPR, I am of the view that the data is
processed fairly insofar as the data being processed is not processed by deception or in the
absence of the data subject’s knowledge (or legal guardian’s knowledge) and is relevant to an
event that factually occurred.
599. Regarding the ‘transparency’ component of Article 5(1)(a) of the GDPR, Recital 39 of the GDPR
states ‘[i]t should be transparent to natural persons that personal data concerning them are
collected, used, consulted or otherwise processed and to what extent the personal data are or
will be processed.’ The principle of transparency requires that any information and
communication relating to the processing of those personal data be easily accessible and easy
to understand, and that clear and plain language be used.’
600. In relation to the transparency principle in respect of processing undertaken for the purposes
of archiving in the public interest and for historical research purposes, the Archbishop stated:
“It is a matter for individual Parishes to address the transparency principle on respect of
the registers held by them and which are subject to the GDPR. However, in relation to the
register of baptisms of persons who are adopted, the parish of baptism will direct adopted
persons applying for baptismal certificated to the Chancellery”.419
601. On the basis of the foregoing, I am of the view that the Archbishop has infringed the
transparency principle under Article 5(1)(a) of the GDPR, in circumstances where (1) the
Archbishop is of the view that he is not a data controller in the first instance and on that basis
it is a matter more appropriate for the Parish Priest as data controller and (2) the Archbishop
has not provided the DPCwith any evidence as to how he is in compliance with the transparency
principle.
419 Submissions dated 15 October 2020, page 33.
Legal Analysis: Further Processing
602. Regarding further processing of personal data and special category data of data subjects who
no longer wish to have their personal data recorded in the Baptism Registers, the eight separate
issues for determination are set out above in this Decision. Further processing is processing for
a purpose other than that for which the personal data have been collected. Article 5(1)(b) states
that “further processing for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes shall, in accordance with Article 89(1), not be
considered to be incompatible with the initial purposes.” Reliance is placed on Article 6(1)(f) and
Article 9(2)(j) of the GDPR for such further processing by the Archbishop within the context of
‘[A]rchiving purposes in the public interest and historical research purposes’.
603. Article 9(2)(j) states:
“processing is necessary for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes in accordance with Article 89(1) based
on Union orMember State law which shall be proportionate to the aim pursued, respect
the essence of the right to data protection and provide for suitable and specific measures
to safeguard the fundamental rights and the interests of the data subject.” (Emphasis
added).
Article 89(1) provides that such processing for archiving purposes in the public interest or
historical research “shall be subject to appropriate safeguards”. This is explained further in
Recital 156 of the GDPR.
604. In the first instance, personal data is being collected and processed by the Church primarily to
document and record the administration of the sacrament of baptism, which is an initiation into
the Catholic faith; as set out previously, this is the basis upon which other sacraments can be
administered and without which other sacraments cannot be administered. Such
administration is “critical in terms of certain key beliefs in the Catholic faith”420 and is a key tenet
in the administration of the Catholic Church.
605. The Baptism Records as a matter of course are essentially required for the lifetime of an
individual as there is no time frame within which an individual receives sacraments, and I have
set out that it is of the view that the Archbishop has a lawful basis for such processing under
Article 9(2)(d) of the GDPR which essentially extends for the lifetime of a data subject.
420 Submissions dated 16 March 2020, page 35
606. The Archbishop, in addition, now relies on Article 9(2)(j) for the further processing of the same
personal data-set for archiving in the public interest and for historical research purposes as he
submits that the “baptism registers form an important part of the Church’s wider role in
maintaining records and archives” and that the “Baptism Registers record the historical fact of
baptisms having taken place. Over time, these registers assume a different importance
becoming a unique archival and/or historic record of enduring value. Baptismal records are
often, for example, sought by those carrying out genealogical research.”421 This appears to be
ancillary to the original purpose of the processing. The archiving processing only arises by virtue
of the initial existence of the Baptism Registers.
607. The Archbishop submits that the “registers maintained are a form of archiving”’422 and that he
is aware “that baptism certificates are often used for persons seeking to establish Irish
citizenship through antecedents (usually grandparents), in the absence of State records due to
the fire in the Customs House in 1921, or prior to the creation of State records”’.423 The historic
Catholic parish records shared with the National Library during the 1940s/1950s had a “cut-off
date of 1880” for reasons of confidentiality.424
608. In addition, the Archbishop provides a comprehensive summary regarding the historic archiving
of church records and states that the “Diocesan Archives hold a register from St. Michan’s
Church, Halston Street, Dublin, dating from 1726. However, the vast majority of the registers in
the Diocesan archives date from the 19th century. Those from the mid-1850s are pro-forma
registers, customised with detailed columns and headings unlike earlier versions”. 425
609. The Dublin Diocesan Archive426 states that the “vast bulk of its holdings are confined to the
nineteenth and twentieth centuries, with the Archives processing only a small amount of
material covering the reigns of twelve Archbishops from 1600-1770”. It further states that it
holds “the papers of eleven successive archbishops of Dublin covering the period 1770 to 2004”
“eight of which are available to researchers’. The reign of the eight Archbishops referred to date
from 1770 to 1972. For Family History Research purposes, it states “information from Parish
Registers is only accessible up to and including 1920”.
610. Recital 158 of the GDPR provides that “public authorities or public or private bodies that hold
records of public interest should be services which, pursuant to Union orMember State law, have
a legal obligation to acquire…..” (Emphasis added). It appears therefore that in order for a data
controller to rely on archiving in the public interests, the legal obligation to process such data
must be set out in law.
611. As set out previously, the Archbishop submitted that the “legal obligation” referred to in Recital
158 need not be limited to a statutory obligation stating “the canon law obligations on parish
priests to preserve baptismal and other registers are set out under the Code of Canon Law”.
421 Submissions dated 16 March 2020, page 52.
422 Submissions dated 16 March 2020, page 45.
423 Submissions dated 16 March 2020, page 46.
424 Submissions dated 15 October 2020, page 19.
425 Submissions dated 16 March 2020, page 40.
426 Archives | Archdiocese of Dublin (dublindiocese.ie); https://dublindiocese.ie/archives/
612. Recital 41 states:
“Where this Regulation refers to a legal basis or a legislative measure, this does not
necessarily require a legislative act adopted by a parliament, without prejudice to
requirements pursuant to the constitutional order of the Member State concerned.
However, such a legal basis or legislative measure should be clear and precise and its
application should be foreseeable to persons subject to it, in accordance with the case-
law of the Court of Justice of the European Union (the ‘Court of Justice’) and the European
Court of Human Rights’”. (Emphasis added)
613. As set out at previously, the position under Canon Law is not determinative of the position
under Irish or EU law. Canon Law is an internal body of law, which governs the internal
operations of the Catholic Church. Recital 41 clarifies that some form of a legal basis is required
which must be clear, concise and foreseeable to individuals and in line with the case law of the
CJEU and the ECtHR. For the purposes of archiving in the public interest, there must be a legal
obligation for the Archbishop to engage in such archiving.
614. Article 91 of the GDPR states:
“(1) Where a Member State, churches and religious associations or communities apply, at
the time of entry into force of this Regulation, comprehensive rules relating to the
protection of natural persons with regard to processing, such rules may continue to apply,
provided that they are brought into line with this Regulation.
(2) Churches and religions associations which apply comprehensive rules in accordance with
paragraph 1 of this Article shall be subject to the supervision of an independent supervisory
authority, which may be specific, provided that it fulfils the conditions laid down in Chapter
VI of this Regulation”.
615. I am not aware of any set of comprehensive data protection rules as referred to in Article 91 at
domestic level in this jurisdiction which relates to the protection of natural persons with regard
to such processing to permit any form of a derogation. Further, there were no submissions
made by the Archbishop on this point. In any event, Article 91(1) clearly sets out that such rules
could only continue to apply on condition they complied with the GDPR.
616. I note the Archbishop’s reference to Article 44.2.5 of Bunreacht na hÉireann and the right of
religious denominations to manage their own affairs. In Jehovan Todistajat (Case C-25/17) at
paragraph 74, the CJEU held that:
“The obligation for every person to comply with the rules of EU law on the protection of
personal data cannot be regarded as an interference in the organisational autonomy of
those communities (see, to that effect, judgment of 17 April 2018, Egenberger, C‐414/16,
EU:C:2018:257, paragraph 58).”427
427 C-25/17 Jehovan Todistajat, EU:C:2018:551, paragraph 74.
617. Based on the foregoing, the GDPR does not interfere with nor can it be construed as interfering
with the autonomy of any religious denomination, including the Catholic Church, from
managing its own affairs. Article 91 of the GDPR indicates that churches, religious associations
or communities must operate within the parameters of data protection law.
618. While I accept for present purposes that the legal obligation for archiving in the public interest
need not necessarily be limited to a statutory obligation (for example, the legal obligation could
be set out in common law), Article 9(2)(j) is underpinned by a legal obligation being placed on
the data controller in the first instance, which it is not presently. It is not sufficient for the
purposes of data protection law for a data controller to rely on its own internal set of rules for
the purposes of Article 9(2)(j) of the GDPR.
619. I note that the Diocesan Archives holds various historic registers dating from 1726. In relation
to further processing for the purposes of historical research, I am of the view, that insofar as
the data subjects named in those historic registers are deceased,428 the GDPR does not apply.
Insofar as there may be some data subjects named in those registers who are still alive, I am of
the view that their personal data is lawfully processed in the first instance under Articles 6(1)(f)
and 9(2)(d) of the GDPR for their lifetime which is the primary purpose of the processing of that
data and not for an ancillary or further processing function.
620. Based on the foregoing, it is the view of the DPC that it is not necessary to consider or analyse
further the other elements contained within the provisions of Article 9(2)(j) of the GDPR that
were set out in the Issues Paper. Namely, whether the processing is necessary, the public
interest element, the proportionality of the processing, the right to data protection or the
safeguards that ought to be in place and on that basis, within the context of this Inquiry, the
remaining issues for determination as set out in the Issues paper, are now moot.
428 Article 4(1) of the GDPR states that the Regulation applies to the personal data of ‘natural persons’. Recital 27 further
clarifies that the GDPR ‘does not apply to the personal data of deceased persons. Member States may provide for rules
regarding the processing of personal data of deceased persons’.
Findings
621. Therefore, I find that:
a. The Archbishop may lawfully rely on legitimate interests under Article 6(1)(f) of the
GDPR as a legal basis for the processing of personal data of data subjects which is
recorded in the Baptism Register, even in such instances where a data subject may no
longer wish to be associated with the Catholic Church;
b. Subject to safeguards, the Archbishop’s interests in retaining the personal data
contained in the Baptism Registers are not overridden by the interest or fundamental
rights and freedoms of the data subjects;
c. The Archbishop may rely on the legal basis under Article 9(2)(d) of the GDPR for the
processing of data subjects’ special category personal data during the course of their
lifetime, being members or former members of a not-for-profit with a religious aim;
d. The Archbishop, in processing the special category personal data in accordance with
Article 9(2)(d) of the GDPR, has in place the required appropriate safeguards for such
processing under Article 9(2)(d)
e. The Archbishop cannot lawfully rely upon Article 9(2)(j) of the GDPR for the purposes
of further processing the personal data and special category data of those named in
the Baptism Registers, the subject of this Inquiry.
622. As it has now been determined that the Archbishop is the data controller for the processing
activities the subject of this Inquiry. He must now ensure compliance with Article 5(1) of the
GDPR. In particular, as part of his compliance under Article 5(1)(a) of the GDPR vis-à-vis
transparency of processing (and having regard to the provisions of Articles 12 to 14 of the
GDPR), the Archbishop should now make clear that all personal data collected and recorded
and otherwise processed for the purposes of the administration of sacraments, is retained for
the lifetime of that individual.
d) RIGHT OF RECTIFICATION
Issues for determination
623. In relation to the Archbishop’s compliance with the data subject right under Article 16 of the
GDPR, the following issues arise for determination, as set out in the Issues Paper:
a. whether a data subject has the right to obtain from the Archbishop the rectification
of inaccurate personal data concerning him or her;
b. whether the recording of a data subject’s sacrament of baptism in the Baptism
Registers, in circumstances where the data subject no longer consider themselves to
be a member of the Catholic Church, constitutes inaccurate or incomplete personal
data within themeaning of Article 16 of the GDPR, with reference to the Archbishop’s
compliance with the principle of accuracy under Article 5(1)(d) of the GDPR in this
regard;
c. whether data subjects who no longer consider themselves to be members of the
Catholic Church have the right to obtain rectification of their sacramental status or
their status as members of the Catholic Church in the church records contained in the
Baptism Registers or where the personal data is found to be incomplete, have the
right to have this personal data completed, including by means of providing a
supplementary statement; and;
d. whether, in circumstances where a right to rectification exists, the data subjects’
rights may be restricted by the Archbishop, pursuant to Section 61(1) of the 2018 Act,
where the processing is for archiving purposes in the public interest, or by section
61(2) of the 2018 Act, where the processing is for historical research purposes and the
exercise of the right would be likely to render impossible or seriously impair, the
achievement of these purposes and the restriction is necessary for the fulfilment of
those purposes.
624. The Baptism Registers contain a record of individuals who have undergone the sacrament of
baptism within the Catholic Church in the Archdiocese, which is central to the administration of
the church. Under canon 535 §1, the Baptism Registers (along with all parochial registers) are
to be “accurately inscribed and carefully preserved” by the parish priest. The parish priest in
certain circumstances may amend parish Baptism Registers. As previously set out, the
Guidelines state at section 1.12 that “[f]acts cannot be changed. Errors can be corrected when
proof is provided. Some emendations however are possible. For example, sometimes people
adopt a new name for themselves or more especially for their children […] any alteration to the
Baptismal Register must be authorised through the Chancellery”429.
429 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, section 1.12 (page 12 of the PDF submission).
625. As stated, such amendments require input from the Chancellery, as set out in the Guidelines at
section 4.5: “the express permission of the Chancellery is required before any alteration or
emendation may be made in an entry in any such parochial register”430.
626. Though this Inquiry is an own-volition Inquiry, certain of the complaints received by the DPC
from data subjects prior to the commencement of the Inquiry stated that they no longer
consider themselves members of the Catholic Church. It now falls to me to determine whether
a church record, which continues to list these data subjects and their sacramental status in the
Catholic Church, is inaccurate or incomplete in that context, and whether a right to obtain
rectification may arise in favour of these data subjects should they so wish to request
rectification.
Relevant Provisions
627. Article 16 of the GDPR states that data subjects “shall have the right to obtain from the
controller without undue delay the rectification of inaccurate personal data concerning him or
her. Taking into account the purposes of the processing, the data subject shall have the right to
have incomplete personal data completed, including by means of providing a supplementary
statement”.
628. Article 19 of the GDPR also requires that the “controller shall communicate any rectification or
erasure of personal data or restriction of processing, carried out in accordance with Article 16,
Article 17(1) and Article 18 to each recipient to whom the personal data may have been
disclosed, unless this proves impossible or involves disproportionate effort”.
629. Article 5(1)(d) of the GDPR requires that personal data be “accurate and, where necessary, kept
up to date; every reasonable step must be taken to ensure that personal data that are
inaccurate, having regard to the purposes for which they are processed, are erased or rectified
without delay” (otherwise known as the principle of accuracy).
630. Recital 39 of the GDPR also states, “[e]very reasonable step should be taken to ensure that
personal data which are inaccurate are rectified or deleted”.
631. Recital 65 of the GDPR also states that “[a] data subject should have the right to have personal
data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such
data infringes this Regulation or Union or Member State law to which the controller is subject.”
632. Section 61 the 2018 Act restricts the exercise of certain data subject rights, including rights
under Article 16, in certain instances. Section 61(1) restricts data subject rights where
processing of data is for archiving purposes in the public interest and section 61(2) of the 2018
Act restricts data subject rights where processing of data is for scientific or historical research
purposes or statistical purposes to the extent that:
(a) the exercise of any of those rights would be likely to render impossible, or seriously
impair, the achievement of those purposes, and
(b) such restriction is necessary for the fulfilment of those purposes.
430 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, section 1.5 (page 23 of the PDF submission).
Relevant Case Law
633. In the judgment of the CJEU in C-434/16 Nowak v Data Protection Commissioner,431 the CJEU
considered the right of rectification within the context of Directive 95/46/EC. The CJEU stated,
in consideration of whether an exam script constituted personal data, and if so whether the
exam answers and the comments by the examiners could be the subject of the right of access
and the right of rectification, that:
“It is apparent from Article 6(1)(d) of Directive 95/46 that the assessment of whether
personal data is accurate and complete must be made in the light of the purpose for
which that data was collected. That purpose consists, as far as the answers submitted
by an examination candidate are concerned, in being able to evaluate the level of
knowledge and competence of that candidate at the time of the examination. That
level is revealed precisely by any errors in those answers. Consequently, such errors do
not represent inaccuracy, within the meaning of Directive 95/46, which would give rise
to a right of rectification under Article 12(b) of that directive.
On the other hand, it is possible that there might be situations where the answers of
an examination candidate and the examiner’s comments with respect to those
answers prove to be inaccurate, within the meaning of Article 6(1)(d) of Directive
95/46, for example due to the fact that, by mistake, the examination scripts were
mixed up in such a way that the answers of another candidate were ascribed to the
candidate concerned, or that some of the cover sheets containing the answers of that
candidate are lost, so that those answers are incomplete, or that any comments made
by an examiner do not accurately record the examiner’s evaluation of the answers of
the candidate concerned”.432
431 C-434/16 Nowak v Data Protection Commissioner ECLI:EU:C:2017:994.
432 C-434/16 Nowak v Data Protection Commissioner, paragraphs 53-54.
Archbishop’s Submissions
634. The Archbishop submitted that baptism records are not inaccurate (in the instance where an
individual no longer considers themselves to be a member of the Catholic Church), stating that
the Baptism Registers “are an accurate record of a particular event having occurred at a certain
time in the past”. In general, the Archbishop noted that if there were an inaccuracy in the record
“such as an incorrect spelling of a name” itwould be possible to correct such as an inaccuracy.433
635. The Archbishop submitted that the Baptism Registers should not be mischaracterised as a “list
of current members of the Catholic Church”. Instead, the Baptism Registers “sets out a person’s
status in respect of certain sacraments, which can be administered only once in a person’s
lifetime. As such, the baptism registermerely indicates a person’s status as baptised, and has no
bearing on their status as regards adherence to the beliefs of, or communion with, the Catholic
Church”.434
636. As such, the Archbishop expressed the view that “unless it has been demonstrated that a factual
inaccuracy exists within the register the Archbishop submits that the right provided for in Article
16 does not apply”.435
637. The Archbishop also noted that Article 16 provides data subjects with the right to have
incomplete personal data completed. In this regard, the Archbishop stated that “the purposes
of the processing is to record a person’s status in respect of certain sacraments. As long as the
registers have beenmaintained and are up-to-date, it cannot be said that the information in this
regard is “incomplete”, so again, the right provided for in Article 16 does not apply”.436
638. The Archbishop also stated in this regard that, although it is not understood to be the current
practice in the parishes of the Archdiocese, “the Archbishop could indicate to Parish Priests that
it would be permissible pursuant to canon law to adopt a practice whereby the register could be
annotated as follows: “No longer wishes to be identified as a Roman Catholic”. However, the
Archbishopwished to stress that it is not accepted that this is orwould be necessary (to facilitate
data subject rights) and that “the adoption of this practice would ultimately be a matter for the
parish priest as the data controller”.437
639. Finally, the Archbishop pointed to section 61(2) of the 2018 Act, which provides that where the
processing of personal data is for historical research purposes, the rights of a data subject under
Article 16 are restricted to the extent that:
“the exercise of any of that right would be likely to render impossible, or seriously
impair, the achievement of those purposes, and such restriction is necessary for the
fulfilment of those purposes”.438
433 Submissions dated 16 March 2020, page 48.
434 Submissions dated 16 March 2020, page 48
435 Submissions dated 16 March 2020, page 48
436 Submissions dated 16 March 2020, page 48
437 Submissions dated 16 March 2020, page 49.
438 Submissions dated 16 March 2020, page 49.
Legal Analysis
640. I have made the finding above that the personal data and the special category personal data
held in the Baptism Register falls within the material scope of Article 2(1) of the GDPR. This is
on the basis that the Baptism Registers form part of a filing system (as defined under Article
4(6) of the GDPR) or are intended to form part of a filing system.
641. I have found that the Archbishop is the sole controller of the personal data and special category
personal data contained in the Parish Baptism Registers for the processing activities of
retention, special annotation and alteration and the sole controller for all processing activities
with respect to the Clonliffe College Registers and the Adopted Persons Baptism Registers. In
addition, I made the finding that the Archbishop’s lawful basis for the processing of such
personal data is pursuant to Article 6(1)(f) and Article 9(2)(d) of the GDPR. Further, I made the
finding that processingwas not lawful under Article 9(2)(j) of the GDPR for archiving in the public
interest and/or for historical research purposes.
642. On the basis of these findings, I must now consider generally whether the right to obtain
rectification under Article 16 of the GDPR applies to the personal data and special category
personal data for which the Archbishop is the controller and which falls within the material
scope of the GDPR. Article 16 of the GDPR provides for two things: firstly, the right of the data
subject to have factually inaccurate personal data rectified and secondly the right to have
incomplete personal data “completed” including by way of a supplemental statement; the latter
must take into account the purposes of processing. For the purposes of Baptism Records, Imust
turn my consideration to whether the data is inaccurate or is it incomplete.
Issue 1 for Determination: whether a data subject has the right to obtain from the Archbishop the
rectification of inaccurate personal data concerning him or her under Article 16 of the GDPR.
643. It is important to note that the right to rectification is not an absolute right and it depends on
the circumstances of the case. An assessment must be made in each instance as to whether
personal data is accurate and complete and this assessment must be made in light of the
purpose for which that data was collected and processed, according to the CJEU in Nowak.439
Although this case considered the relevant issues under Directive 95/46, the principle of
accuracy under the GDPR has remained largely the same.
644. As a controller, the Archbishop is under an obligation to comply with the principle of accuracy
under Article 5(1)(d) of the GDPR, requiring the Archbishop to take every reasonable step “to
ensure that personal data that are inaccurate, having regard to the purposes for which they are
processed, are erased or rectified without delay”. Compliance with this obligation must be
demonstrable in accordance with the principle of accountability under Article 5(2), which states
that a controller “shall be responsible for, and be able to demonstrate compliance with,
paragraph 1”.
439 C-434/16 Nowak v DPC, paragraph 53.
645. Further, Article 12(2) of the GDPR places an obligation on a controller to “facilitate the exercise
of data subject rights under Articles 15 to 22”. Article 12(3) of the GDPR also requires that a
controller “shall provide information on action taken on a request under Articles 15 to 22 to the
data subject without undue delay and in any event within one month of receipt of the request”.
646. In circumstances where a controller does not take action on a request, Article 12(4) of the GDPR
requires that the controller:
“shall inform the data subject without delay and at the latest within one month of receipt
of the request of the reasons for not taking action and on the possibility of lodging a
complaint with a supervisory authority and seeking a judicial remedy”.
647. Further to the above provisions, the Archbishop as a controller is under an obligation to
facilitate the exercise of data subject rights under Articles 15 to 22 in respect of the personal
data and special category personal data for which he acts as a controller and which falls within
the material scope of the GDPR. The right to rectification under Article 16 is encompassed in
the controller obligations set out in Article 12.
648. As such, it is my view that a request by a data subject regarding the exercise of their right to
rectification under Article 16 of the GDPR must be facilitated by the Archbishop in line with the
provisions and requirements of Article 16 and as mandated under Article 12(2) of the GDPR
which states “The controller shall facilitate the exercise of data subject rights under Articles 15
to 22.”
Issue 2 for Determination whether the recording of a data subject’s sacrament of baptism in the
Baptism Registers, in circumstances where the data subject no longer consider themselves to be a
member of the Catholic Church, constitutes inaccurate or incomplete personal datawithin themeaning
of Article 16 of the GDPR, with reference to the Archbishop’s compliance with the principle of accuracy
under Article 5(1)(d) of the GDPR in this regard.
649. The Archbishop has indicated that rectification of the Baptism Registers already occurs in some
instances. The Baptism Registers (along with all parochial registers) are to be “accurately
inscribed and carefully preserved” by the parish priest in accordance with canon 535 §1. Parish
priests are only permitted to amend the registers in certain circumstances as set out in the
Guidelines. Documentary evidence is generally required to ground such a request for an
Alteration. In particular, the Guidelines state at section 1.12 that “[f]acts cannot be changed.
Errors can be corrected when proof is provided. Some emendations, however are possible. For
example, sometimes people adopt a new name for themselves or more especially for their
children.” This therefore relates to the rectification of data that is inaccurate as a matter of fact
under Article 16 of the GDPR.
650. The evidence provided to the DPC indicates that where an Alteration is made to an entry in the
Baptism Register, the incorrect or inaccurate personal data is not deleted, but a line is drawn
through it and the new information is inserted and a note is added with a direction to include
the alteration in any future baptism certificates issued.440
440 Submissions dated 15 October 2020, Schedule of Documents, copy of letter, (page 194 of the PDF submission).
651. The GDPR does not define the term “accurate” or “inaccurate”’. While not referring to the
GDPR, section 92(17) of the 2018 Act states that, for the purposes of transposing the right of
rectification under the Law Enforcement Directive,441 personal data are inaccurate if “(a) they
are incorrect or misleading as to any matter of fact”, or (b) they are incomplete in a material
manner”. Further, though less persuasive value from a European Law perspective since the exit
of the United Kingdom from the European Union, the UK Data Protection Act 2018 defines
“inaccurate” in relation to personal data as “incorrect or misleading as to any matter of fact”.442
652. The concept of accuracy is to be interpreted in light of Article 5(1)(d) of the GDPR. Article 5(1)(d)
states that “every reasonable step must be taken to ensure that personal data that are
inaccurate, having regard to the purposes for which they are processed, are erased or rectified
without delay” (emphasis added).
653. It is the view of the DPC that, in principle, the correction of factually incorrect data as submitted
by the Archbishop is sufficient for compliance with Article 16 of the GDPR having regard to the
factual inaccuracy of the original recording and processing of the personal data and special
category data.
654. In the context of this Inquiry, I must consider whether the recording and thus processing of
personal data and special category data is inaccurate or incomplete in circumstances where a
data subject no longer wishes to be amember of the Catholic Church. As set out previously, the
issue of a formal/defacto defection from the Catholic Church is not a matter for the DPC; the
issue for the DPC relates to the rectification of personal data and special category data
contained within the Baptism Registers for such individuals. This issue for determination
regarding rectification within this context must be considered within the parameters as to
whether it relates to (a) the inaccuracy of the factual data that is recorded or (b) whether the
factual data is incomplete taking into account the purposes of processing.
655. The Archbishop submitted that certain sacramental registers held in the Archdiocese consist of
a record of the administration of certain sacraments in the Church.443 The Archbishop also
submitted that baptism can only be received once and as such, “it is essential that the Roman
Catholic Church maintain a record of all those persons who have been baptised”.444 The
Archbishop further submitted that the purposes of the processing of the Baptism Register is to
be assured that certain sacraments have been administered once only in a person’s lifetime
(baptism, confirmation,marriage and holy orders) by recording the baptism of an individual and
annotating any future sacraments of confirmation, marriage or holy orders.445
656. The Archbishop has submitted that the Baptism Registers record the occurrence of an event,
that of the administration of the sacrament of baptism. The Archbishop stated that the Baptism
Registers “are an accurate record of particular event having occurred at a certain time in the
past”. However, the Archbishop also submitted that if an inaccuracy exists in that record, such
as the spelling of a name, such an inaccuracy would be corrected.
441 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016.
442 UK Data Protection Act 2018, section 205.
443 Submissions dated 16 March 2020, pages 34-35.
444 Submissions dated 16 March 2020, page 34.
445 Submissions dated 16 March 2020, page 35.
657. A question arises which is whether the Baptism Registers merely record the event of baptism
(and certain further sacraments), and are therefore not inaccurate even where a data subject is
no longer a member of the Catholic Church, or whether the Baptism Registers effectively
operate as a list of the members of the Catholic Church.
658. The Archbishop submitted that in respect of membership of the Catholic Church, “[w]hile the
Roman Catholic Church does not maintain a register of members […] it is correct to say that at
the point of baptism, the baptised person is properly considered a member of the Catholic
Church”. 446 However, the Archbishop also submitted that the content of the entry on the
register does not signify that the data subject is a currentmember of the Roman Catholic Church
but rather signifies the fact that the person was, at one point in the past, baptised as a
Catholic.447
659. I note the Archbishop’s reference to the past decision ofmy predecessor as outlined in the Data
Protection Commissioner’s Annual Report 2003. The former Commissioner, in relation to
Baptism Registers concluded that they were “a factual record of an event that happened”.448
Although Baptism Registers are a factual record of an event that happened, it must be noted
that case study was considered under the Data Protection Acts, 1988-2003, the complainant’s
baptismal records were never located and the complainant did not pursue the matter beyond
the initial stages of complaint-handling; therefore the matter did not progress any further.
660. Based on the purpose for which the Archbishop and the parish priests retain the Baptism
Registers, which is to ensure the proper administration of certain sacraments of the Catholic
Church (in particular that individuals may only undergo these once in their lifetime), it is my
view that the Baptism Registers are intended to record the event of baptism (and any further
sacraments which are annotated).
661. This is as opposed to the Baptism Registers acting as a list of members of the Catholic Church.
Although the Archbishop stated that a person may be called a member of the Catholic Church
once they are baptised, there is no evidence to suggest that the Catholic Church records and
maintains a list of its current members. The Archbishop’s submissions have consistently set out
that the Baptism Registers are to ensure it has a clear record of a person’s sacramental status
within the Church.
662. The Archbishop has recognised that a number of people no longer wish to be considered
members of the Catholic Church and this has been recorded in the Defection Registers. In this
regard, the Archbishop has stated that the purposes of the de facto defection register is to
“address any concern that the data subject might have that the [baptism] register would be
regarded as a record of current membership”. This “mitigates against any concern that a data
subject may have in respect of the register being assumed to provide a record of their present-
day religious status and beliefs”449.
446 Submissions dated 16 March 2020, page 38.
447 Submissions dated 16 March 2020, page 44.
448 DPC Annual Report 2003, case study 8, page 37.
449 Submissions dated 16 March 2020, page 44.
663. The maintenance of a de facto defection register demonstrates that the Archbishop is open to
recording an individual’s views on their membership in the Catholic Church if they so wish.
However, the recording of sacraments in the Baptism Register has the main purpose of
documenting the occurrence of particular events, namely, the administration of sacraments, to
ensure that the same sacrament is not re-administered to the same person.
664. In considering whether the Baptism Register (and subsequent annotations) may be inaccurate
in the context of the purposes forwhich it is processed, in accordance with Article 5(1)(d), I have
noted themain purpose for the recording of sacraments in the Baptism Register is documenting
the occurrence of an event. As the Baptism Register is a factual record of an event that occurred,
it is important to note that any exercise of the right to rectification does not alter the fact that
the event took place. The exercise of the right to rectification regarding inaccurate records is to
rectify the inaccurate data surrounding the processing of that data which recorded that factual
event in the first instance.
665. Within the context of individuals who no longer wish to be a considered a member of or
associated with the Catholic Church, I am of the view that this does not give rise to a right to
rectification as the event, which is recorded in the Baptism Register, still occurred and from a
data processing perspective, remains factually accurate.
666. I am therefore of the view that the recording of a data subject’s sacrament of baptism in the
Baptism Register, in circumstances where the data subject no longer considers themselves to
be a member of the catholic Church, does not constitute inaccurate personal data within the
meaning of Article 16 of the GDPR. This view is ascertained with reference to the Archbishop’s
compliance with the principle of accuracy under Article 5(1)(d) of the GDPR and on the
assumption that all recorded details accurately reflect the event.
667. I wish to note that, in circumstances where the Archbishop assesses a request for rectification
under Article 16 of the GDPR, and concludes that no factual inaccuracy arises with the recorded
data, he must still comply with his obligations under Article 12(3) and or Article 12(4) of the
GDPR, in order to properly facilitate the exercise of data subject rights (which aremore broadly
contained under Articles 15 to 22 of the GDPR). The Archbishop is obliged to ensure that any
communicationwith data subjects under Articles 15 to 22 is in a concise, transparent, intelligible
form in accordance with Article 12(1) of the GDPR. The issue of records being “incomplete” is
considered under the next section.
Issue 3 for Determination - whether data subjects who no longer consider themselves to be members
of the Catholic Church have the right to obtain rectification of their sacramental status or their status
as members of the Catholic Church in the church records contained in the Baptism Registers or where
the personal data is found to be incomplete, have the right to have this personal data completed,
including by means of providing a supplementary statement.
668. I formed the view above that in circumstances where the data subject no longer considers
themselves to be a member of the Catholic Church that the recording of a data subject’s
sacrament of baptism in the Baptism Register does not constitute inaccurate personal data
within the meaning of Article 16 of the GDPR, with reference to the Archbishop’s compliance
with the principle of accuracy under Article 5(1) of the GDPR. As a consequence of same, the
DPC forms the view that individuals who no longer consider themselves to be members of the
Catholic Church do not have the right to obtain rectification of their sacramental status or their
status as members of the Catholic Church, as the recording and processing of the data is not
inaccurate as amatter of fact in the first instance; this is also on the assumption that all recorded
details accurately reflect the event.
669. I now must consider whether, in circumstances where the personal data and special category
data, contained in the Baptism Registers of data subjects who no longer consider themselves to
be members of the Catholic Church, may be considered to be incomplete, and if so, whether
those data subjects may have a right to have this personal data completed by means of
providing a supplementary statement.
670. In his submissions, the Archbishop referenced the DPC Annual Report of 2003.450 The Church in
the instance of that case study had offered to make a note in the data subject’s record of
baptism in circumstances where they wished for their baptism record to be deleted in that “the
person no longer wished to be associatedwith the Catholic church or to be classed as a Catholic”.
This approach was considered by my predecessor at the time to be “appropriate and
considerate”.
671. The Archbishop has also submitted that he could recommend to parish priests that it would be
permissible to adopt a practice whereby the Baptism Register is annotated, in circumstances
where individuals no longer consider themselves a member of the Catholic Church. The
annotation would read “No longer wishes to be identified as a Roman Catholic”.
672. This would, in effect act as a supplementary statement in circumstances where the personal
data and special category personal data is assessed to be incomplete with regard to the data
subject’s sacramental status within the Catholic Church. i.e., the failure to record a data
subject’s wish not to be recognised as amember of the Catholic Church. I wish to note however,
the Archbishop has not accepted that such a supplementary statement would be necessary to
rectify incomplete personal data and special category personal data in this context, only that it
might service to facilitate the concerns of data subjects in this regard.
673. From 1983 to 2010 in the Code of Canon law, a formal act of defection from the Catholic Church
was recognised. Up until 2009, it was possible to defect formally from the Catholic Church by
way of a notification to the Chancellery.
450 DPC Annual Report 2003, case study 8, page 37.
674. From 2010 onwards, following the issue of the document Omnium inMentem by Pope Benedict
XVI in 2009, formal defection was no longer possible. Individuals may still indicate to the
Archbishop that they do not wish to be considered members of the Catholic Church and that
they have defected from the Church in practice. In that instance, their details will be recorded
in the De Facto Defection Register, which is maintained by the Archdiocese of Dublin for this
purpose. No record of the individual’s de facto defection is recorded in the Baptism Registers.
675. This Decision considered the rights of data subjects vis-à-vis Article 10 of the Charter of
Fundamental Rights (right to freedom of thought, conscience and religion) and Article 9 of the
ECHR which considers the right to freedom of religion and the corollary of that right, the right
not to belong to a religion or practice it. Article 12 of the Charter also provides for the right to
freedom of association including the freedom to associate with religions associations. The
corollary of the right to associate is the right to dis-associate. As set out previously, the defection
from the Catholic Church is not a data protection matter, but examining the lawfulness of
processing of personal data is within the remit of the DPC, which includes the processing of
personal data of those who wish to leave or formally defect from the Catholic Church.
676. In this Decision, the DPC analysed the balancing test for the purposes of Article 6(1)(f) of the
GDPR, which concerns the lawfulness of processing by the Catholic Church for members and
former members. Article 1(2) of the GDPR states that “This Regulation protects fundamental
rights and freedoms of natural persons and in particular their right to the protection of personal
data” [emphasis added]. I am satisfied that the inclusion of a supplemental statement on the
Baptism Register supports the interests, rights and freedoms of those data subjects who no
longer wish to be associated with the Catholic Church.
677. Further, I am of the view, that the insertion of a supplemental statement enhances the
balancing exercise under Article 6(1)(f) of the GDPR insofar as it goes towards vindicating data
subjects’ rights vis-à-vis their status/sacramental status while simultaneously the supplemental
status does not impose on the legitimate interests of the Church.
678. This arises in particular in circumstances where the Archbishop has submitted that he could
recommend to parish priests that it would be permissible to adopt a practice whereby the
Baptism Register is annotated with “No longer wishes to be identified as a Roman Catholic”.
However, it is my view that in circumstances where a data subject no longer wishes to be a
member of the Catholic Church, the data subject does not have a right to have a supplementary
statement added to the entry in the Baptism Register. This follows as a logical conclusion from
the finding that the Baptism Register is held for the purpose of recording the event of a baptism
and is not processed as some form of a register of membership.
679. I consider the inclusion of a supplementary statement beneficial, but not a necessary element
of data accuracy, having regard to the purposes for which the personal data on that register is
processed. It is not necessary to insert supplemental statements into the records of baptisms
to vindicate the rights of data subjects who subsequently wish to leave the Catholic Church.
680. The Baptism Register is intended as a record of an individual’s sacramental status. The
Archbishop has described the Baptism Register as “of particular importance as it is considered
to be the “gateway” to all of the records of a person’s life within the Catholic Church”. The
Archbishop has submitted any further changes regarding the sacraments that a person has
received are to be annotated in the Baptism Register.
681. While I acknowledge that registration in the De Facto Defection Register does not change the
canonical status of a person, unlike registration in the formal defection register in the past, or
the sacramental status of a person (not being equivalent to undertaking a sacrament), it is my
view that being registered in the de facto defection register can be a record of a “person’s life
within the Catholic Church”. However, I do not see this De Facto Defection Register as forming
a necessary processing operation under the GDPR. The current entries on that De Facto
Defection Register were made with the consent of the data subjects affected, however the
Archbishop does not hold this register out to be a definitive list of all non-practising exmembers
of the Catholic Church.
682. I am of the view that in the circumstances where the recording and processing of the
sacramental status of a person in the Baptism Register is considered to be personal data and
special category data, and is within the material scope of the GDPR, the recording of the
sacramental status of the personmay be complete in relation to its purpose, even where it fails
to reflect the current status of the individual’s relationship to those sacraments.
683. The fact that that Baptism Register records fail to indicate the status and relationship of the
data subject vis-à-vis the Church does not amount to an infringement of the accuracy principle
set out in Article 5(1)(d) GDPR.
684. Therefore, while a supplemental statement could be a pragmatic solution to provide clarity as
to the factual position of an individual vis-à-vis their canonical status, it is not necessary as the
basic facts recorded remain accurate in and of themselves.
Issue 4 for Determination: whether, in circumstances where a right to rectification exists, the data
subjects’ rights may be restricted by the Archbishop, pursuant to Section 61(1) of the 2018 Act, where
the processing is for archiving purposes in the public interest, or by section 61(2) of the 2018 Act,where
the processing is for historical research purposes and the exercise of the right would be likely to render
impossible or seriously impair, the achievement of these purposes and the restriction is necessary for
the fulfilment of those purposes.
685. As set out under the section on Legal Bases, the DPC formed the view that there is no legal
underpinning for the Archbishop to rely upon Article 9(2)(j) of the GDPR as a lawful basis for the
processing (or further processing) of personal data for the purposes of archiving in the public
interest or for historical research purposes. Under those circumstances, I am of the view that it
is not necessary to consider the issue as set out in the preceding paragraph.
Findings
686. I find that:
a. Data subjects may exercise the right to request rectification, in accordance with Article
16, of the personal data contained in the Baptism Registers. The Archbishop must assess
each request on a case-by-case basis to assess on its own merit whether an inaccuracy
arises as to a matter of fact or whether the personal data is incomplete;
b. In circumstances where a data subject no longer wishes to be a member of the Catholic
Church, the personal data and special category personal data contained in the Baptism
Register is unlikely to be inaccurate, as it records a particular event, which occurred at a
point in time: the receiving of the sacrament of baptism. In such circumstances the
Archbishop will be required to undertake an individual assessment of the request for
rectification and must comply with his obligations under Article 12(3) and Article 12(4) in
order to facilitate the data subject’s rights under Articles 15 to 22 of the GDPR;
c. That Baptism Register does not reflect the data subject’s membership of the Church. The
ongoing processing of personal data in the Baptism Register does not infringe Article
5(1)(d) GDPR. In such circumstances,where a data subject notifies the Archbishop of their
wish to leave the Catholic Church, a supplementary statement may be added by the
Archbishop to the Baptism Register entry stating “No longer wishes to be identified as a
Roman Catholic”, however this is not necessary as a matter of data protection law.
d. Any amendment made to the hard copy authoritative Baptism Registers ought to be
reflected in any copymade of the Registers, whether in electronic form, indexed registers
or otherwise.
e) RIGHT OF ERASURE
Issues for determination
687. In relation to the Archbishop’s compliance with data subject rights under Article 17 of the GDPR,
the following issues arise for determination:
a) whether a data subject has the right to obtain from the Archbishop the erasure of
personal data concerning him or her, in circumstanceswhere one of the grounds listed
under Article 17(1)(a)-(f) of the GDPR applies;
b) whether data subjects who no longer consider themselves to be members of the
Catholic Church have the right to obtain erasure of their personal data in the Baptism
Registers under the grounds set out at Article 17(1)(a)-(f) of the GDPR; and
c) whether, a data subject’s right to erasure may be lawfully dis-applied by the
Archbishop to the extent that processing is necessary:
a. for exercising the right to freedom of expression and information, pursuant
to Article 17(3)(a) of the GDPR;
b. archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes in accordance with Article 89(1), pursuant to
Article 17(3)(d) of the GDPR; and
c. for exercising the right to freedom of religion.
Relevant Provisions
688. Article 17(1) of the GDPR states that data subjects “shall have the right to obtain from the
controller the erasure of personal data concerning him or her without undue delay and the
controller shall have the obligation to erase personal data without undue delay where one of
the following applies:
a) the personal data are no longer necessary in relation to the purposes for which they
were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based according to
point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal
ground for the processing;
c) the data subject objects to the processing pursuant to Article 21(1) and there are no
overriding legitimate grounds for the processing, or the data subject objects to the
processing pursuant to Article 21(2);
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or
Member State law to which the controller is subject;
f) the personal data have been collected in relation to the offer of information society
services referred to in Article 8(1).
689. The right to obtain erasure under one of these grounds shall not apply, according to Article 17(3)
of the GDPR, to the extent that processing is necessary:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member
State law to which the controller is subject or for the performance of a task carried out
in the public interest or in the exercise of official authority vested in the controller;
c) for reasons of public interest in the area of public health in accordance with points (h)
and (i) of Article 9(2) as well as Article 9(3);
d) for archiving purposes in the public interest, scientific or historical research purposes
or statistical purposes in accordance with Article 89(1) in so far as the right referred to
in paragraph 1 is likely to render impossible or seriously impair the achievement of the
objectives of that processing; or
e) for the establishment, exercise or defence of legal claims.
690. Article 19 of the GDPR requires that the
“controller shall communicate any rectification or erasure of personal data or restriction
of processing, carried out in accordance with Article 16, Article 17(1) and Article 18 to
each recipient to whom the personal data may have been disclosed, unless this proves
impossible or involves disproportionate effort”.
691. Article 21(1) provides:
“The data subject shall have the right to object, on grounds relating to his or her particular
situation, at any time to processing of personal data concerning him or her which is based
on point (e) or (f) of Article 6(1), including profiling based on those provisions. The
controller shall no longer process the personal data unless the controller demonstrates
compelling legitimate grounds for the processing which override the interests, rights and
freedoms of the data subject or for the establishment, exercise or defence of legal claims”.
692. Recital 65 states:
“In particular, a data subject should have the right to have his or her personal data erased
and no longer processed where the personal data are no longer necessary in relation to
the purposes for which they are collected or otherwise processed, where a data subject
has withdrawn his or her consent or objects to the processing of personal data concerning
him or her, or where the processing of his or her personal data does not otherwise comply
with this Regulation. That right is relevant in particular where the data subject has given
his or her consent as a child and is not fully aware of the risks involved by the processing,
and later wants to remove such personal data, especially on the internet. The data subject
should be able to exercise that right notwithstanding the fact that he or she is no longer
a child.”
693. Recital 69 requires that
“ personal data might lawfully be processed because processing is necessary for the
performance of a task carried out in the public interest or in the exercise of official
authority vested in the controller, or on grounds of the legitimate interests of a controller
or a third party, a data subject should, nevertheless, be entitled to object to the processing
of any personal data relating to his or her particular situation. It should be for the
controller to demonstrate that its compelling legitimate interest overrides the interests or
the fundamental rights and freedoms of the data subject.”
Relevant Background: Baptism Registers
694. The Baptism Registers contain a record of individuals who have undergone the sacrament of
baptism within the Catholic Church in Ireland, which is central to the administration of the
Church. Under canon 535 §1, the Baptism Registers (along with all parochial registers) are to be
“accurately inscribed and carefully preserved” by the parish priest.
695. The Guidelines, at Appendix 3, state that “[t]he handwritten registers are considered the only
authentic copy of sacramental records. […]The manual register must always be consulted when
issuing a certificate. The handwritten registersmust bemaintained and the registers themselves
are never to be destroyed or discarded”.451
696. Though this is an own-volition Inquiry, certain of the complaints received by the DPC from data
subjects prior to the commencement of this Inquiry stated that they wished to have their
personal data erased from Church records, including Baptism Registers, in circumstances where
they no longer consider themselves to be members of the Catholic Church. The DPC seeks to
ascertain whether a right to obtain erasure arises in this context.
697. It is noted that should the right to erasure be considered to exist within the context of the
Baptism Registers, the only data that could be erased would be the personal data of the
individual who made the request. The remainder of the data would not be erased under such a
request as that refers to the personal data of others for example, the names of parents or
godparents.
451 Submissions dated 15 October 2020, Schedule of Documents, Directives and Guidelines for Sacramental and Pastoral
Practice, Draft, The Chancellery, 2011, Appendix 3, (page 27 of the PDF submission).
Archbishop’s Submissions
698. In considering whether a right to obtain erasure arises with respect to the Baptism Registers,
the Archbishop submitted that the right to erasure only arises where one of six conditions or
grounds under Article 17(1) have been fulfilled. With respect to Article 17(1)(a) – (f), the
Archbishop submitted that these grounds do not apply for the reasons as set out hereunder:
• Article 17(1)(a) – the Archbishop submitted that this ground does not apply, as set out
in previous responses regarding the legal bases for processing, because the processing
continues to be necessary.452
• Article 17(1)(b) – the Archbishop submitted that he “does not rely on consent as basis
for processing personal data” in the Baptism Registers, and accordingly this ground
does not apply.453
• Article 17(1)(c) – the Archbishop submitted that this ground is “based on an invocation
of the right to object in Article 21 when processing is based on Article 6(1)(f).454
However, the Archbishop submits that compelling legitimate grounds for the
processing have been demonstrated which override the interests, rights and freedoms
of the data subject, with the result that Article 17(1)(c) is inapplicable”.455
699. In response to queries regarding the interests or fundamental rights and freedoms of data
subjects the Archbishop considered in this context, as against the compelling legitimate grounds
for the processing, and submitted that “[i]n respect of Parish baptismal registers, again, it is the
Archbishop’s submission that hard copy, unindexed baptismal registers fall outside the scope of
the GDPR. Insofar as any electronic or indexed hard copy registers are held by individual Parish
Priests, it would be a matter for that Parish Priest to carry out the balancing test in respect of
the individuals concerned”.456
700. The Archbishop further submitted that the retention of personal data by the parishes of church
records “is unlikely to cause a barrier to individuals accessing services or opportunities, physical
harm, financial loss, identity theft, fraud, or any other significant economic or social
disadvantage (such as discrimination, loss of confidentiality or reputational damage). The
Parishes do not derive any economic benefit from the retention of the personal data, nor is it
used for any other purpose; other than at some future point being relevant to historical or public
interest research”.457
452 Submissions dated 16 March 2020, page 49.
453 Submissions dated 16 March 2020, page 50.
454 Submissions dated 16 March 2020, page 50, footnote 72 states: “or Article 6(1)(e) which is not relevant in this context.”
455 Submissions dated 16 March 2020, page 50.
456 Submissions dated 15 October 2020, page 27.
457 Submissions dated 15 October 2020, page 27.
701. In respect of the rights of data subjects, which are to be considered in this context, the
Archbishop listed the following European Convention on Human Rights (the ‘ECHR’) and Charter
rights:
• Article 8 ECHR – Right to respect for private and family life;
• Article 9 ECHR/Article 10 Charter - Freedom of thought, conscience and religion; and
• Article 8 Charter – Protection of Personal Data.
702. With respect to the Adopted Persons Baptism Register, the Archbishop submitted, “this register
exists to protect the delicate balance between the legal obligation not to make traceable the
connection between an adopted person and their birth parents, the right to privacy of the birth
parents and the right of those persons to know more information about their family history. It is
submitted that this is a complex area, in which attempts have been made to legislate further
and to bring clarity to the position”.458
703. With respect to the compelling legitimate grounds for the processing considered by the
Archbishop, the Archbishop referred to his previous submissions. With respect to the factors
that were taken into account in deciding that the compelling legitimate interests pursued by
the data controller would override the interests or fundamental rights and freedoms of the data
subject, the Archbishop submitted that in relation to the parish Baptism Registers, “any
potential impacts appear to be minimal. The information concerned is stored confidentially, it is
not accessible to the public, it is not used for any profit-making purpose, but rather to record a
person’s status in respect of sacraments administered within the Church”.459
704. The Archbishop submitted that the Article 17(1)(d) ground does not apply, as set out in previous
responses regarding the legal bases for processing.460
705. The Archbishop submitted that Article 17(1)(e) and Article 17(1)(f) grounds are “not relevant
and do not apply in this context”.461
706. The Archbishop further submitted that, even where a request from a data subject to obtain
erasure is received “the processing of the personal data continues to be necessary for the
purposes for which it was collected” as it is “essential for the administration of the affairs of the
Catholic Church to maintain a register of all people who have been baptised in the Church. It is
a factual record of an event that happened”462 and noted again that this positionwas recognised
by the Data Protection Commissioner in his 2003 Annual Report.
458 Submissions dated 15 October 2020, page 28.
459 Submissions dated 15 October 2020, page 29.
460 Submissions dated 16 March 2020, page 50.
461 Submissions dated 16 March 2020, page 50.
462 Submissions dated 16 March 2020, page 50.
707. The Archbishop also noted that:
“Moreover, also relevant in this regard is the right of every religious denomination “to
manage its own affairs”, which has specific constitutional status under Art. 44.2.5°. It is
not accepted that it has been shown that the displacement of this important right would
be “necessitated by the obligations of membership of the European Union” for the
purposes of Article 29.4.6 of the Constitution”.463
708. The Archbishop again stated that although it is not accepted that any such action would be
necessary, it may be permissible for parishes to annotate the Baptism Registers with a
statement such as “No longer wishes to be identified as a Roman Catholic” to address any
concerns the DPC may have, as an alternative to erasure464. In this regard, the Archbishop also
referred to the European Court of Human Rights judgment ofWegrzynowski and Smolczewski v
Poland465, in particular paragraphs 65 and 66, and The EU General Data Protection Regulation
edited by Kuner et al466. The Archbishop also noted again that the Data Protection
Commissioner in Case Study 8 of his 2003 Annual Report also had regard to an offer of an
annotation made by a parish priest.
709. Finally, the Archbishop submitted that even if one of the grounds or conditions under Article
17(1) were met, an exemption to the right of erasure under Article 17(3) of the GDPR would
apply.
Article 17(3)
710. The Archbishop confirmed that he considered it necessary, pursuant to Article 17(3)(d), to
process church records held in church registers for archiving purposes in the public interest and
for historical research purposes.
711. With respect to processing for archiving purposes in the public interest, the Archbishop referred
to his previous responses in respect to Article 9(2)(j). The Archbishop submitted, “The Baptism
Registers record the historical fact of baptisms having taken place. Over time, these registers
assume a different importance becoming a unique archival and/or historic record of enduring
value. Baptismal records are often, for example, sought by those carrying out genealogical
research”.467
463 Submissions dated 16 March 2020, page 50.
464 Submissions dated 16 March 2020, page 50.
465 Application No. 33846/07, 16 July 2013.
466 Page 479 and pages 1260-61.
467 Submissions dated 16 March 2020, page 52.
712. With respect to processing for historical research purposes, the Archbishop noted that although
the meaning of the term historical research is not set out, is does include “both historical
research and research for genealogical purposes, as is clear from Recital 160”.468. The
Archbishop also noted, “Baptism Registers record the historical fact of baptisms having taken
place. Over time, these registers assume a different importance becoming a unique archival
and/or historic record of enduring value”.469
713. In respect of the safeguards in accordance with Article 89(1) that have been put in place in order
to safeguard the rights and freedoms of the data subject, the Archbishop submitted that the
“baptism registers are subject to strict confidentiality requirements”. In addition, the Archbishop
noted that if “a person wishes to leave the Church, and to have this fact acknowledged and
recorded, a register for those who wish their de facto defection from the Church to be recorded
is now maintained by the Chancellery Office on behalf of the Archbishop”.470
714. In response to why the Archbishop is of the view that granting the right to erasure would likely
render impossible or seriously impair the achievement of the objectives of that processing, the
Archbishop stated that:
“In order for historical research and/or archiving in the public interest to be properly
conducted it is necessary for records to be full and complete. Deletions of various of the
records would leave ‘gaps’ for the future historian or researcher, which would seriously
impair their research. The relevant archive would become known as being incomplete and
limited. Also important in this regard is the unique nature of a baptismal record. It
contains information that would not be replicated in State archives for example.
Moreover, as already noted, baptismal records are often consulted by genealogical
researchers”.471
715. The Archbishop also submitted that the exemption under Article 17(3)(a) applies, which refers
to processing which is necessary for exercising the right of freedom of expression and
information, in particular in relation to Church members in the Archdiocese. As submitted by
the Archbishop:
“in order to receive the sacraments of confirmation and marriage/Holy Orders,
reference is always made to the entries made in the baptism register to establish (1)
that the person has been baptised and (2) there is no impediment to receiving the
proposed sacrament […]
Erasure of records or of entries on records risks significantly undermining these
important considerations, e.g. if someone were to seek and obtain erasure of a
baptismal register which indicated that the person was married, and later, subsequent
to such erasure, sought receive the sacrament of Holy Orders, or conceivably even the
sacrament of marriage again.
468 Submissions dated 16 March 2020, page 52.
469 Submissions dated 16 March 2020, page 52.
470 Submissions dated 16 March 2020, page 53.
471 Submissions dated 16 March 2020, page 53.
In that respect, it is noted that certain case law has interpreted the concept of freedom
of expression as extending to expressive association, and thus it is submitted that the
concept of expression is capable to extending to protect the associative interest in
denominational rules and governance (quite apart from being this protected under Art.
44.2.5) Accordingly Art. 17(3)(a) is engaged”.472
Electronic Copies of the Baptism Registers and the Right to Obtain Erasure
716. The Archbishop has previously submitted that the “hard copy, bound volume is the only
authentic, authoritative register”.473 The manual Baptism Register must always be consulted
when issuing a baptismal certificate.474 The Archbishop has also submitted that certain
electronic records of registers may be kept within parishes, such as scanned copies of the
manual registers or information from the registers contained in electronic database systems.475
717. The Archbishop submitted that in relation to these electronic records “[f]rom a canon law
perspective, there is no difficulty with the permanent erasure of any electronically-held records
of baptism or other sacraments, as any electronically held version is not authoritative”.476
Legal Analysis
718. I havemade a finding above that the personal data and special category data held in the Baptism
Registers falls within thematerial scope of Article 2(1) of the GDPR; I have alsomade the finding
in this Decision that the Archbishop is the data controller in respect of all processing activities
of the personal data and special category data contained in the Baptism Registers, the subject
of this Inquiry.
719. It is also important for data subjects to note that their personal data is not just processed on
the legal basis of their consent. Article 6(1) of the GDPR provides that personal data can be
lawfully processed by data controllers on the basis of one of six grounds as set out under this
Article and the consent of the data subject is only one such basis. In addition, although Article
9 (1) of the GDPR prohibits the processing of special category personal data (such as religious
beliefs), Article 9(2) of the GDPR provides a list of exceptions to that prohibition and the explicit
consent of the data subject is only one such exception. As set out previously in this Decision, I
am satisfied that the Catholic Church lawfully processes the personal data and special category
data contained within the Baptism Registers under Article 6(1)(f) and Article 9(2)(d) of the
GDPR.
472 Submissions dated 16 March 2020, page 54.
473 Submissions dated 16 March 2020, page 31.
474 Submissions dated 16 March 2020, page 31.
475 Submissions dated 16 March 2020, page 12.
476 Submissions dated 16 March 2020, page 32.
720. In the normal course of events, data subjects first exercise their data protection rights as against
the data controller, with recourse to the DPC should an issue arise. Article 12(2) of the GDPR
states that the “controller shall facilitate the exercise of data subject rights under Articles 15 to
22”. Article 12(3) of the GDPR provides that the “controller shall provide information on action
taken on a request under Articles 15 to 22 to the data subject without undue delay and in any
event within one month of receipt of the request”. Provision is made for an extension of time
for up to two further months in limited circumstances and the data subject must be notified if
an extension of time is required prior to the expiry of the one-month time frame, setting out
the reasons for the delay.
721. In order for the right to erasure to apply, one of the conditions as set under Article 17(1) must
apply. In addition, under Article 17(3), data controllers can lawfully refuse an erasure request.
It is worth noting at this point that data protection rights are not absolute rights.
722. The personal data contained within the Baptism Registers is collected in the first instance to
record the fact that a baptism has taken place which is the first sacrament an individual receives
when entering into the Catholic faith. The Archbishop has submitted that the recording of this
event is necessary for the purposes of the administration of Church affairs and for the
administration of the sacraments, some of which can only be received once and none of which
can be received unless that individual is baptised in the first instance. The personal data
contained within the Baptism Registers is therefore the reference point for both. The
Archbishop has also submitted that the recording and processing of the personal data in the
Baptism Registers is necessary for the purposes of pursuing the Church’s legitimate interest and
there is no other less intrusive way in which the objectives of the Church can be achieved.
723. The DPC received complaints from numerous individuals who wish to exercise their right to
erasure and have their personal data removed from the Baptism Registers. A number of these
complainants also wish to defect from or leave the Catholic Church. As set out previously in this
Decision, the process of defection from the Catholic Church is not a matter with which the DPC
can assist; that is a matter between the Catholic Church and the individual complainants. The
DPC’s jurisdiction is limited in that its parameters in this Inquiry are defined, not by how an
individual can or should be permitted to defect from or leave an organisation such as the
Church, but by the lawfulness of the processing of personal data that is taking place and the
exercise of data subjects’ rights as set out in data protection law. Although the act of a defection
from the Catholic Church and the erasure of an individual’s personal data from the Baptism
Registers are somewhat interlinked, for the purposes of data protection law they are two
entirely different issues.
724. However, I note that certain data subjects who no longer wish to have their personal data
contained in the Baptism Registers may have subjective reasons in seeking to have it removed,
which stem from their personal relationship with the Catholic Church and the ongoing
processing may cause distress for such data subjects.
725. In relation to the Archbishop’s compliance with the data subject right under Article 17 of the
GDPR I need to consider whether a data subject has the right to obtain from the Archbishop the
erasure of personal data concerning him or her, in circumstances where one of the grounds
listed under Article 17(1)(a)-(f) of the GDPR applies.
726. Based on the foregoing, I will now proceed to consider each ground under Article 17(1) of the
GDPR and consider its applicability within the parameters of this Inquiry.
Article 17(1)(a)
727. Article 17(1)(a) provides that the data subject has the right to obtain the erasure of personal
data and the controller shall be obliged to erase the personal data where “the personal data
are no longer necessary in relation to the purposes for which they were collected or otherwise
processed”.
728. If an individual wishes to exercise their right to erasure under Article 17(1)(a) of the GDPR, on
the basis that the personal data is no longer necessary for the purposes for which it was
collected or otherwise processed, it will be incumbent at that stage for the data controller to
identify and demonstrate that the processing remains necessary, and that there is no
alternative option available to achieve the objective of the data controller.
729. Article 17(1)(a) of the GDPR does not state that a balancing exercisemust be undertaken similar
to that of Article 6(1)(f) of the GDPR, it simply states that the data must be erased unless the
processing of the data is still necessary. If it is still necessary to process the data, then there is
no erasure of the data.
730. The submissions of the Archbishop regarding the significance and importance of the Baptism
Registers in the administration of the Church have been set out above. The Guidelines establish
that these Registers are the only authentic copy of sacramental records, which must be always
maintained and never destroyed. This position has been elaborated upon in the Archbishop’s
submission, which have been referenced throughout this Decision. Under such circumstances,
the Archbishop submits that, in the furtherance of the administration of the Church and for the
correct administration of the sacraments, the processing continues to be necessary.
731. As set out previously in this Decision, the Archbishop submitted “[w]ithout a complete baptism
register the Catholic Church would be unable to operate a key tenet of its faith, the rule that a
person may only be baptised once.” This essentially means that the need for the processing of
the personal data for those who have been baptised into the Catholic faith will remain intact
for their lifetime simply because, at any stage in one’s life, a sacrament may be administered
(or an annulment may be permitted) and the Baptism Register will need to be noted
accordingly. There is essentially no expiry date for the administration of sacraments for the life
of an individual baptised into the Catholic faith.
732. If it is the case that the data controller is of the view that the processing of personal data
continues to be necessary, the data controller is obliged to inform the data subject as to how
this is so. The element of “necessity” must also be grounded on a lawful basis under Articles
6(1) and 9(2) of the GDPR, as there is a continuation of processing of personal data. At all times,
the processing of personal data must have a lawful basis.
733. I note that some complainants wish to leave or defect from the Catholic Church and want to
exercise their right to erasure of their personal data contained within the Baptism Registers. As
set out previously in this Decision, the act of leaving the Catholic Church and the exercise of the
right to erasure, while intertwined, are separate issues for the purposes of data protection law
and the DPC cannot make a finding or determination on an individual’s wish to defect from or
leave the Catholic Church and can only consider the processing of the personal data contained
within the Baptism Registers.
734. I note that in response to some of the complainants who wished to have their data erased from
the Baptism Registers, reliance was being placed on the fact that the registers are of archival
and historical value and therefore the data could not be erased as its ongoing processing was
necessary for such purposes. It has been set out above, that I have formed the view that the
Archbishop cannot rely on Article 9(2)(j) of the GDPR, as there is no legal basis underpinning
this processing as required.
735. As set out above, for the right to erasure to apply under Article 17(1)(a) of the GDPR, the
personal data must be no longer necessary in relation to the purposes for which they were
collected or otherwise processed. It is clear from the submissions of the Archbishop that once
a decision has beenmade to enter into the Catholic faith, the record and processing of personal
data surrounding that sacramental event remains necessary for the lifetime of that person, as
it is a necessary record for the administration of the Church and the administration of
subsequent sacraments.
736. It appears therefore to me that the absence or non-availability of this record would hinder the
Catholic Church in the furtherance of its objectives as set out. The retention of the personal
data and special category personal data remains necessary for the purposes for which it was
collected by the Catholic Church in terms of the administration of Church affairs, for the lifetime
of the data subject.
The determination vis-à-vis Article 17(1)(a)
737. Based on the foregoing, I am of the view that a data subject does not have the right under Article
17(1)(a) of the GDPR to obtain from the Archbishop the erasure of personal data concerning
him or her.
Article 17(1)(b)
738. Article 17(1)(b) provides that the data subject has the right to obtain the erasure of personal
data and the controller shall be obliged to erase the personal data where “the data subject
withdraws consent on which the processing is based according to point (a) of Article 6(1), or
point (a) of Article 9(2), and where there is no other legal ground for the processing”.
739. Article 17(1)(b) of the GDPR and the withdrawal of consent is contingent on the processing of
the personal data in question being processed in the first instance on the basis of consent under
Article 6(1)(a) and Article 9(2)(a) of the GDPR. As set out under the section on Legal Bases of
this Decision, the Archbishop is relying on Article 6(1)(f) and Article 9(2)(d) of the GDPR for the
processing of personal data contained within the Baptism Registers. Although further reliance
has been placed on Article 9(2)(j) of the GDPR by the Archbishop, I am of the view that the
Archbishop cannot rely on this provision for the processing of personal data contained within
the Baptism Registers.
The determination vis-à-vis Article 17(1)(b)
740. Based on the foregoing, I am of the view that the personal data contained within the Baptism
Registers was not and is not processed on the legal basis of consent under Article 6(1)(a) and
explicit consent under Article 9(2)(a) of the GDPR. Therefore, data subjects cannot rely on
withdrawal of consent pursuant to Article 17(1)(b) of the GDPR for the erasure of the personal
data processed in the Baptism Registers. This applies in circumstances where the individual is a
current member of the Catholic Church or whether they no longer consider themselves a
member of the Catholic Church.
Article 17(1)(c)
741. Article 17(1)(c) provides that the data subject has the right to obtain the erasure of personal
data and the controller shall be obliged to erase the personal data where:
“the data subject objects to the processing pursuant to Article 21(1) and there are no
overriding legitimate grounds for the processing, or the data subject objects to the
processing pursuant to Article 21(2)”.
742. Article 21(1) provides that:
“The data subject shall have the right to object, on the grounds relating to his or her
particular situation, at any time to processing of personal data concerning him or her
which is based on point (e) or (f) of Article 6(1), including profiling based on those
provisions. The controller shall no longer process the personal data unless the controller
demonstrates compelling legitimate grounds for the processing which override the
interests, rights and freedoms of the data subject or for the establishment, exercise or
defence of legal claims.”
743. The foregoing provisions identify that for Article 17(1)(c) of the GDPR to apply, Article 21 must
be invoked by an individual in the exercise of their right to erasure and that the processing of
the personal data by the data controller must be under either Article 6(1)(e) or 6(1)(f). The
Archbishop relies on Article 6(1)(f) of the GDPR for such processing so therefore, once Article
21 is invoked, the other component elements of Article 17(1)(c) and Article 21 must be
considered.
744. Of relevance are Recitals 65 and 69 of the GDPR. Recital 65 states that a “data subject should
have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’
where the retention of such data infringes this Regulation or Union or Member State law to
which the controller is subject.” In other words, it considers that the right to erasure arises
where the processing is unlawful. Recital 69 states, “[w]here personal data might lawfully be
processed because performance is necessary for the performance of a task carried out in the
public interest or in the exercise of official authority vested in the controller, or on grounds of
the legitimate interests of a controller or a third party, data subject should, nevertheless, be
entitled to object to the processing of any personal data relating to his or her particular
situation.” In other words, the processing is lawful in the first instance and there is an objection
to the processing that requires a balancing exercise.
745. Article 21(1) of the GDPR provides that the data controller must demonstrate “compelling
legitimate grounds” which override the rights and freedoms of the data subject, failure of which
requires the erasure of the data by the data controller. Therefore, not only does the data
controller need to identify that he has a legitimate interest, which overrides the rights and
freedoms of the data subject, he must demonstrate that the legitimate interest is one that is
“compelling”.
746. WP29 Guidelines on Automated individual decision-making and Profiling for the purposes of
Regulation 2016/67, adopted on 6 February 2018 and endorsed by the EDPB state:
“It is clear from the wording of Article 21 that the balancing test is different from that
found in Article 6(1)(f). In other words, it is not sufficient for a controller to just
demonstrate that their earlier legitimate interest analysis was correct. This balancing test
requires the legitimate interest to be compelling, implying a higher threshold for
overriding objections”.477 [Emphasis added]
747. The foregoing demonstrates that the burden is on the data controller to identify that not only
do they have a legitimate interest which overrides the fundamental interests and freedoms of
the data subjects, but that it is one that is compelling, with a higher standard than under Article
6(1)(f) of the GDPR and this should be made clear to any data subject who wishes to exercise
their right on these grounds.
748. The Archbishop states that:
“Article 17(1)(c) is based on an invocation of the right to object in Article 21 when
processing is based on Article 6(1)(f). However, the Archbishop submits that compelling
legitimate grounds for the processing have been demonstrated which override the
interests, rights and freedoms of the data subject, with the result that Article 17(1)(c) is
inapplicable”.478
477 WP29, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, last
revised and adopted on 6 February 2018, page 19; These Guidelines have been endorsed by the EDPB:
https://edpb.europa.eu/our-work-tools/general-guidance/endorsed-wp29-guidelines_en
478 Submissions dated the 16 March 2020, page 50
749. He further states that the processing of the personal data contained within the Baptism
Registers:
“is essential for the administration of the affairs of the Catholic Church to maintain a
register of all people who have been baptised in the Church. It is a factual record of an
event that happened. This position was recognised by the Irish Data Protection
Commissioner in 2003”.479
750. When specifically asked to identify “‘the compelling legitimate grounds for the processing
considered by the Archbishop”, the Archbishop referred the DPC to their previous
submissions.480 Those submissions relate to the elements of Article 6(1)(f) and Article 9. In that
regard the Archbishop sets out the legitimate interests for the processing of personal data in
the Baptism Registers which are, amongst other things, that Baptism Registers (and others)
consist of a record of the administration of certain sacraments in the Church; that baptism is
the first and basic sacrament of Christian initiation which can only be received once and
therefore it is essential that a record of same bemaintained; the Baptism Register is of particular
importance as it is the “gateway” to all the records of a person’s life within the Catholic Church;
the Register has space for the recording of other sacraments that can also only be administered
once; that the information contained within the Baptism Registers is “critical” in terms of certain
key beliefs in the Catholic faith; that the importance of the permanency of the record was
recognised by the Data Protection Commissioner in his Annual Report in 2003; that these
legitimate interests are underpinned by fundamental rights protections under the Irish
Constitution and the Charter of Fundamental Rights of the European Union; the Baptism
Registers are central to the management of the affairs of the Church. In relation to Article
9(2)(d) of the GDPR, the Archbishop submits that the personal data contained in the Baptism
Registers are processed in accordance with the legitimate activities of the Catholic Church.481
751. When specifically asked to identify the factors which led to the decision that the compelling
legitimate interests pursued by the Data Controller would override those interests or
fundamental rights and freedoms of the Data Subject, the Archbishop stated:
“it is noted that the collection and retention of information regarding individuals in the
Formal Defection register and de facto defection registers is at the request of the
individuals themselves. It is submitted that a request for retention is implicit in a request
for entry into the register. It is therefore considered that any impact on the interests or
fundamental rights and freedoms of those individuals is either minimal, or non-existent.
479 Submissions dated the 16 March 2020, page 50
480 Submissions dated the 15 October 2020, page 28.
481 Submissions dated 16 March 2020, pages 33- 42.
In relation to Parish baptismal registers, the Archbishop would also note that any
potential impacts appear to be minimal. The information concerned is stored
confidentially, is not accessible to the public, is not used for any profit-making purpose,
but rather to record a person’s status in respect of certain sacraments administeredwithin
the Church.”482
752. It is my view that any exercise of the right to erasure under Article 17(1)(c) of the GDPR must
be accompanied by the right to object under Article 21 of the GDPR where the burden of proof
regarding the compellability of the legitimate interests (under Article 21(1)) must be borne by
the data controller. Having regard to the analysis of the legitimate interests of the Archbishop
considered in the section analysing Article 6(1)(f) above, I am of the view that the legitimate
interests of the Archbishop when considered in the circumstances of these particular requests
collectively also constitute “compelling”’ legitimate grounds for the purposes of Article 21(1) of
the GDPR. In this regard, I have taken into account the higher threshold for “legitimate grounds”
as envisaged by the WP 2018 Guidelines (endorsed by the EDPB and referred to above). This
applies in circumstances where the individual is a current member of the Catholic Church or
whether they no longer consider themselves a member of the Catholic Church.
Article 17(1)(d)
753. Article 17(1)(d) provides that the data subject has the right to obtain the erasure of personal
data and the controller shall be obliged to erase the personal data where “the personal data
have been unlawfully processed”.
754. For an individual to exercise their right to erasure under Article 17(1)(d) of the GDPR, the
personal datamust have been unlawfully processed. A data controller unlawfully processes data
when it is processed in the absence of a legal basis under Article 6(1) of the GDPR and or fails
to fall one of the exceptions under Article 9(2) of the GDPR in the case of special category data.
755. Under the section on Legal Basis, this Decision analysed the lawful bases for the processing of
the personal data and special category data. Set out therein are my findings which are that the
processing of personal data containedwithin the Baptism Registers is lawful under Article 6(1)(f)
of the GDPR and Article 9(2)(d) of the GDPR. I alsomade a finding that the Archbishop could not
rely on Article 9(2)(j) of the GDPR for the purposes of processing or further processing the
personal data and special category data of those named in the Baptism Registers, the subject
of this Inquiry.
The determination vis-à-vis Article 17(1)(d)
756. Based on the foregoing, it is the view of the DPC that as the personal data contained within the
Baptism Register is lawfully processed, data subjects cannot rely on Article 17(1)(d) of the GDPR
for the erasure of the personal data processed in the Baptism Registers.
482 Submissions dated 15 October 2020, page 29.
757. As set out above, the processing/recording of personal data surrounding sacramental events is
a necessary record for the administration of the Church. It appears to me that the absence or
non-availability of this record would hinder the Catholic Church in the furtherance of its
objectives as set out. On that basis, this processing, which remains necessary, has a lawful basis
under Article 6(1)(f) and Article 9(2)(d) of the GDPR. Therefore, an individual who no longer
consider themselves a member of the Catholic Church cannot rely on Article 17(1)(d) of the
GDPR for the erasure of the personal data processed in Baptism Registers.
Article 17(1)(e)
758. Article 17(1)(e) provides that the data subject has the right to obtain the erasure of personal
data and the controller shall be obliged to erase the personal data where “the personal data
have to be erased for compliance with a legal obligation in Union or Member State law to which
the controller is subject”.
The determination vis-à-vis Article 17(1)(e)
759. In relation to the Archbishop’s compliance with the data subject right under Article 17 of the
GDPR, whether a data subject has the right to obtain from the Archbishop the erasure of
personal data concerning him or her, in circumstances where one of the grounds listed under
Article 17(1)(a)-(f) of the GDPR applies;
760. In relation to the Archbishop’s compliance with the data subject right under Article 17 of the
GDPR, whether data subjects who no longer consider themselves members of the Catholic
Church have the right to obtain erasure of their personal data in the Baptism Registers under
the grounds set out at Article 17(1) of the GDPR.
761. The Archbishop is not subject to any legal obligation in either Union or in Member State law,-
that requires the erasure, by him, of the personal data or special category data of any individual
whose data is processed and recorded within the Baptism Registers, the subject of this Inquiry.
On that basis, Article 17(1)(e) is not applicablewithin the facts and circumstances of this Inquiry.
Article 17(1)(f)
762. Article 17(1)(f) provides that the data subject has the right to obtain the erasure of personal
data and the controller shall be obliged to erase the personal data where “the personal data
have been collected in relation to the offer of information society services referred to in Article
8(1)”.
The determination vis-à-vis Article 17(1)(f)
763. The data controller is the Archbishop and does not offer information society services. On that
basis, Article 17(f) of the GDPR is not applicable within the facts and circumstances of this
Inquiry.
Restrictions on the Right to Erasure
764. For determination are the issues as to whether, a data subject’s right to erasuremay be lawfully
dis-applied by the Archbishop to the extent that processing is necessary:
• for exercising the right to freedom of expression and information, pursuant to
Article 17(3)(a) of the GDPR;
• archiving purposes in the public interest, scientific or historical research purposes or
statistical purposes in accordance with Article 89(1), pursuant to Article 17(3)(d) of
the GDPR; and
• for exercising the right to freedom of religion.
765. As the foregoing analysis demonstrates, the right to erasure of a data subject’s personal data
and special category data contained with the Baptism Registers under Article 17(1) of the GDPR
does not exist. Consequently, Article 17(3) of the GDPR does not apply. Under those
circumstances, it is not necessary to consider the applicability of any of the restrictions on the
exercise of an individual’s right to erasure as set out in the preceding paragraph as the point is
now moot.
Finding
766. Therefore, I find that:
a. A data subject has not got the right to obtain from the Archbishop the erasure of
personal data concerning him or her as none of the provisions under Article 17(1)(a)-
(f) of the GDPR apply;
b. Data subjects who no longer consider themselves to be members of the Catholic
Church do not have the right to obtain erasure of their personal data in the Baptism
Registers under the grounds set out at Article 17(1)(a)-(f) of the GDPR;
c. Under those circumstances, the provisions of Article 17(3) do not apply.
f) STORAGE LIMITATION
Issues for determination
767. In relation to the Archbishop’s compliance with the principle of storage limitation as contained
in Article 5(1)(e) of the GDPR, the following issues arise for determination:
a. whether the personal data and special category personal data contained in the
Baptism Registers are kept in a form which permits identification for no longer than is
necessary;
b. whether the personal data and special category personal data contained in the
Baptism Registers are processed solely for archiving purposes in the public interest,
scientific or historical research purposes or statistical purposes in accordance with
Article 89(1) of the GDPR, and are subject to the implementation of the appropriate
technical and organisational measures in order to safeguard the rights and freedoms
of the data subject;
c. whether, in circumstances where the personal data and special category personal
data is processed solely for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes, it may be stored for longer
periods.
Relevant Provisions
768. Article 5(1)(e) of the GDPR sets out the principle of storage limitation and requires that personal
data be:
“kept in a form which permits identification of data subjects for no longer than is
necessary for the purposes for which the personal data are processed; personal data may
be stored for longer periods insofar as the personal data will be processed solely for
archiving purposes in the public interest, scientific or historical research purposes or
statistical purposes in accordance with Article 89(1) subject to implementation of the
appropriate technical and organisational measures required by this Regulation in order
to safeguard the rights and freedoms of the data subject.”
Archbishop’s submissions
769. The Archbishop submitted that he is “satisfied that the requirements of Article 5(1)(e) are
met”.483
770. He further submitted that “it is essential for the administration of the sacraments of baptism,
confirmation, marriage and holy orders to be assured that these sacraments have been
administered once only in a person’s lifetime. De-identification of the record would undermine
the purpose for which the record is created andmaintained. Therefore the storage of these data
is necessary on a permanent basis, for the purposes for which the data are processed”.484
483 Submissions dated 16 March 2020, page 47.
484 Submissions dated 16 March 2020, page 47.
771. The Archbishop also noted that Articles 5(1)(e) “permits the storage of personal data for longer
periods if it is for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes and is subject to implementation of appropriate technical and
organisational measures in order to safeguard the rights and freedoms of the data subject”.485
The Archbishop referred to his previous submissions relating to the technical and organisational
measures which apply to the Baptism Registers “and which safeguard the rights and freedoms
of the data subject”.486
Legal Analysis
First Issue for Determination: Whether the personal data and special category personal data
contained in the Baptism Registers are kept in a form that permits identification for no longer than is
necessary
772. The importance of the recording and processing of personal data in the Baptism Registers vis-
à-vis the administration of Church affairs, per the Archbishop’s submissions, has been identified
throughout the course of this Decision. The Archbishop also indicated that de-identification of
the personal data and special category personal data in the Baptism Registers would
“undermine the purpose for which the record is created and maintained”.487
773. Article 5(1)(e) of the GDPR requires a controller to keep personal data “in a form which permits
identification of data subjects for no longer than is necessary for the purposes for which the
personal data are processed”. This means that a controller must delete or anonymise personal
data once it is no longer necessary for the purposes for which they were originally collected.
774. The Archbishop contends that it remains necessary to keep the personal data and special
category personal data contained in the Baptism Registers in a form, which permits
identification on a “permanent basis”, for the purposes of the administration of certain
sacraments of the Catholic Church.
775. With respect to whether it is necessary to retain the personal data and special category personal
data in a form, which permits identification to achieve the purposes of processing, the concept
of necessity is relevant. This conceptwas considered earlier in this Decision under legal bases.488
485 Submissions dated 16 March 2020, page 47.
486 Submissions dated 16 March 2020, pages 29-31.
487 Submissions dated 16 March 2020, page 47.
488 C-465/00, C-138/01 and C-139/01 Österreichischer Rundfunk ECLI:EU:C:2003:294, paragraph 88.
776. The Archbishop has stated that de-identification of the personal data and special category
personal data in the Baptism Registers would “undermine the purpose for which the record is
created and maintained”489 which is for the administration of certain sacraments and to ensure
such sacraments are not administered more than once in a person’s lifetime. As set out earlier,
there is no set timeframe in a person’s life vis-à-vis the administration of sacraments and on
that basis, the Baptism Registers remain live registers for the lifetime of that person. In respect
of the reasonableness and proportionality of retaining this personal data on a permanent basis,
it is difficult to ascertain how individuals who have been baptised could be otherwise identified
correctly, during their lifetime, for the purposes of administering further sacraments, without
the retention of a minimum amount of personal data and special category personal data such
as is contained in the Baptism Register. Such data includes:
“ 1. Christian name of person for baptism
2. Surname
3. Born/Day/Month
4. Name of Parent(s)/guardian(s)
5. Residing at Domicile
6. Duly Baptised – Day/Month
7. Celebrant of Baptism
8. Name(s) of Godparent(s)”490
777. Further sacraments administered are annotated in the Baptism Registers. As such, I am of the
view that the retention is reasonable and necessary to achieve the stated purposes.
778. In my view, no equally effective alternative to retaining a minimum amount of personal data
and special category personal data in a form, which permits identification, is apparent. In
circumstances where the personal data and special category personal data must permit
identification in order to achieve the purpose in question, retention of anonymised data would
not be a suitable equally effective alternative measure. Further, in circumstances where it is
conceivable that individuals who have undergone baptism in the Archdiocese may share the
same name, the same birth date or may have parents who share similar names, it is
proportionate for the Archdiocese to retain a minimum amount of personal data and special
category data. This should be limited to the personal data listed above in order to ensure that
the sacramental status of an individual may be sufficiently verified. The retention of less
personal data and special category personal data would likely be marginally less intrusive to
data subjects, however, itmay significantly lessen the effectiveness of themeasures in order to
achieve the stated purpose.
489 Submissions dated 16 March 2020, page 47.
490 Submissions dated 16 March 2020, page 25.
779. I am satisfied that keeping personal data and special category personal data in the Baptism
Registers in a form which permits identification remains necessary during the life time of the
data subjects in question who have undergone baptism in the Archdiocese. This is in order to
achieve the purpose of correctly administering certain sacraments thatmay only be undertaken
once in a person’s lifetime.
780. I also wish to note that the GDPR does not apply to the personal data and special category
personal data of deceased persons, further to Recital 27 of that Regulation. As such, the
Archbishop is not under an obligation to comply with the principle of storage limitation once
the lifetime of the data subjects in question ends.
Second Issue for Determination
781. The second issue for determination is whether the personal data and special category personal
data contained in the Baptism Registers are processed solely for archiving purposes in the public
interest, scientific or historical research purposes or statistical purposes in accordance with
Article 89(1) of the GDPR, and are subject to the implementation of the appropriate technical
and organisational measures in order to safeguard the rights and freedoms of the data subject
782. The Archbishop stated that the personal data and the special category personal data which is
contained in the Baptism Registers are “essential for the administration of the affairs of the
Catholic Church”,491 in particular to maintain a record of people who have been baptised and to
set out a “person’s status in respect of certain sacraments, which can be administered only once
in a person’s lifetime”492. The Archbishop stated that the purpose for which this personal data
and special category personal data was collected is also “to record the fact that a person
received the sacrament of baptism into the Roman Catholic Church on a particular date”493.
783. Further, in respect to archiving purposes in the public interest and historical research purposes,
the Archbishop stated, “The Baptism Registers record the historical fact of baptisms having
taken place. Over time, these registers assume a different importance becoming a unique
archival and/or historic record of enduring value. Baptismal records are often, for example,
sought by those carrying out genealogical research”.494
784. With respect to appropriate technical and organisational measures in place in order to
safeguard the rights and freedoms of the data subject, the Archbishop stated that the following
technical and organisational measures were in place:
• the Adopted Persons Baptism Registers and the Clonliffe College Registers are securely
stored in the Chancellery Offices;
• the parish Baptism Registers are normally “kept in safe rooms, fire-proofed, and are
accessible only by the pastor and authorised Parish personnel”495;
491 Submissions dated 16 March 2020, page 50.
492 Submissions dated 16 March 2020, page 48.
493 Submissions dated 16 March 2020, page 54.
494 Submissions dated 16 March 2020, page 52.
495 Submissions dated 16 March 2020, page 29.
• the parish priest is under an obligation “to take care that the baptism registers do not
fall into unauthorised hands. The Diocesan Bishop or his delegate is to inspect the archive
at the time of the visitation. Older parochial registers are also to be carefully
safeguarded, in accordance with the provisions of particular law”;496 and
• the Archbishop “organises data protection training days for Parish Priests and members
of the parish administrative teams. It is also open to Parish Priests to organise their own
training in respect of data protection matters”497.
785. I have previously considered whether the personal data and special category personal data
contained in the Baptism Registers may lawfully be processed relying on archiving purposes in
the public interest, scientific or historical research purposes or statistical purposes (Article
9(2)(j)) as the legal basis for processing. It is my view that the Archbishop may not rely on
archiving purposes in the public interest and historical research purposes as a legal basis for
processing for the reasons as previously set out.
786. As the central purpose for processing the data contained in the Baptism Registers is in order to
keep an accurate record of the sacramental status of individuals with such processing having a
lawful basis under Article 6(1)(f) and Article 9(2)(d) of the GDPR, it is not necessary to consider
the technical and organisational measures pursuant to Article 9(2)(j) and or Article 89(1) of the
GDPR.
Third Issue for Determination:
787. The third issue for determination is whether, in circumstances where the personal data and
special category personal data is processed solely for archiving purposes in the public interest,
scientific or historical research purposes or statistical purposes, it may be stored for longer
periods
788. As set out above, the central purpose for processing the data contained in the Baptism Registers
is for the purposes of maintaining an accurate record of the sacramental status of individuals.
Consequently as there is no limitation during the life of a person as to when sacraments can be
administered and the records can lawfully be maintained for the lifetime of an individual.
Therefore, any evaluation of storage data for ‘”longer periods” than one’s lifetime is moot.
Findings
789. I find that the Archbishop did not infringe the principle of storage limitation contained in Article
5(1)(e) of the GDPR. In particular, I make the following findings:
a. The personal data and the special category personal data contained in the Baptism
Registers are kept in a form that permits identification for no longer than is necessary
which is essentially for the lifetime of an individual. I am satisfied that this is necessary,
given the purpose for which the Baptism Registers aremaintained and it does not give
rise to an infringement by the Archbishop regarding the principle of storage limitation.
496 Submissions dated 16 March 2020, page 29.
497 Submissions dated 23 July 2021, page 7.
b. The personal data and the special category personal data contained in the Baptism
Registers are not processed solely for archiving purposes in the public interest,
scientific or historical research purposes or statistical purposes in accordance with
Article 89(1) of the GDPR.
c. As the personal data is lawfully processed under Article 6(1)(f) and Article 9(2)(d) of
the GDPR during the lifetime of the data subjects who are members and or former
members of the Catholic Church, the issue of longer storage periods under Article
9(2)(j) and or Article 89(1) of the GDPR does not arise.
g) SUMMARY OF FINDINGS
790. Having carefully considered the submissionsmade by the Archbishop I now summarisemymain
findings in this Decision, which are as follows:
a. Material Scope:
i. That hardcopy Baptism Registers form part of a filing system or are intended to form
part of a filing system, having regard to the definition of filing system under Article
4(6) of the GDPR;
ii. That no exemptions under Article 2(2) of the GDPR apply to the processing of the
personal data and special category data contained within the Baptism Registers.
b. Controllership:
i. That the Archbishop and Parish Priests are joint controllers of the personal data and
special category data contained in the Parish Baptism Registers with respect to the
processing activities of collection and recording of data only;
ii. That the Archbishop is the sole controller of the personal data and special category
data in the Parish Baptism records with respect to the processing activities of storage
and retention, standard and special annotation and alteration;
iii. That the Archbishop is the sole controller of the personal data and special category
data in the Clonliffe College Registers with respect to all processing activities;
iv. That the Archbishop is the sole controller of the personal data and special category
data contained in the Adopted Persons Baptism Register with respect to all processing
activities.
c. Legal Bases
i. That the Archbishop may lawfully rely on legitimate interests under Article 6(1)(f) of
the GDPR as a legal basis for the processing of personal data of data subjects which is
recorded in the Baptism Register, even in such instances where a data subject no
longer wishes to be associated with the Catholic Church;
ii. That subject to safeguards, the Archbishop’s interests in retaining the personal data
contained in the Baptism Registers are not overridden by the interests or fundamental
rights and freedoms of the data subjects;
iii. That the Archbishop may rely on the legal basis under Article 9(2)(d) of the GDPR for
the processing of data subjects’ special category data during the course of their
lifetime, being members or former members of a not-for-profit with a religious aim;
iv. That the Archbishop, in processing the special category personal data in accordance
with Article 9(2)(d) of the GDPR, has in place the required appropriate safeguards for
such processing under Article 9(2)(d);
v. That the Archbishop cannot lawfully rely upon Article 9(2)(j) of the GDPR for the
purposes of further processing the personal data and special category data of those
named in the Baptism Registers, the subject of this Inquiry.
d. Rectification
i. That data subjects may exercise the right to request rectification, in accordance with
Article 16, of the personal data contained in the Baptism Registers;
ii. That the Archbishop must comply with his obligations under Article 12(3) and Article
12(4) of the GDPR in order to facilitate requests in relation to data subject’s rights
under Articles 15 to 22 of the GDPR;
iii. That in circumstances where a data subject no longer wishes to be a member of the
Catholic Church a supplementary statement could be added by the Archbishop to the
Baptism Register entry stating “No longerwishes to be identified as a Roman Catholic”;
iv. Any amendment made to the hard copy authoritative Baptism Registers ought to be
reflected in any copy made of the Registers, whether in electronic form, indexed
registers or otherwise.
e. Erasure
i. That a data subject has not got the right to obtain from the Archbishop the erasure of
personal data concerning him or her as none of the provisions under Article 17(1)(a)-
(f) of the GDPR apply;
ii. That data subjects who no longer consider themselves to be members of the Catholic
Church do not have the right to obtain erasure of their personal data in the Baptism
Registers under the grounds set out at Article 17(1)(a)-(f) of the GDPR;
iii. In the circumstances where a ground under Article 17(1) have not been met the
provisions of Article 17(3) do not apply.
f. Storage Limitation
i. That the personal data and the special category personal data contained in the
Baptism Registers are kept in a form that permits identification for no longer than is
necessary which is essentially for the life time of an individual;
ii. That the personal data and the special category personal data contained in the
Baptism Registers are not processed solely for archiving purposes in the public
interest, scientific or historical research purposes or statistical purposes in accordance
with Article 89(1) of the GDPR;
iii. That as the personal data is lawfully processed under Article 6(1)(f) and Article 9(2)(d)
of the GDPR during the lifetime of the data subjects who are members and or former
members of the Catholic Church, the issue of longer storage periods under Article
9(2)(j) and or Article 89(1) of the GDPR does not arise.
Recommendations
791. One of the issues for determination in this Decision was the issue of controllership. This arises
in circumstanceswhere the Archbishop is of the view that hewas not and is not a data controller
of the relevant Parish Baptism Registers and that the Parish Priest was and is in fact the data
controller. On that basis the Archbishop submitted “[I]t is a matter for individual Parishes to
address the transparency principle in respect of registers held by them and which are subject to
the GDPR. However, in relation to the register of baptisms of persons who are adopted, the
Parish of baptism will direct adopted persons applying for baptismal certificates to the
Chancellery”.498
792. The imposition of obligations and duties under the GDPR flow from controllership and one of
those obligations is transparency of processing which is provided for under Article 5(1)(a) of the
GDPR. In light of the findings of this Decision, that the Archbishop is the joint controller along
with the parish priests for collection and recording and sole controller of the relevant Baptism
Registers with respect to the processing activities of storage and retention, standard and special
annotation and alteration, certain obligations and duties fall to him to fulfil, including his
obligations and duties in relation to transparency under Article 5(1)(a) of the GDPR.
793. I am of the view that it is necessary and proportionate for the purpose of ensuring compliance
with the GDPR that I make the following orders to the Archbishop as controller
i. update the Privacy Policy of the Archdiocese to identify that the Archbishop is the data
controller for the processing of personal data and special category data held in all
Baptism Registers within his Archdiocese;
ii. set out in the Privacy Policy the lawful basis of such processing together with the
retention periods for such personal data;
iii. set out in their Privacy Policy that the subsequent administration of certain
sacraments to an individual are annotated in the Baptism Register, explaining why this
is so;
iv. ensure that the parishes within the Archdiocese make the relevant notice accessible
and available to those undertaking sacraments.
498 Submissions 15 October 2020 page 33
G. Finding Regarding Article 5(2)
794. The scope of this inquiry included an analysis of compliance with Article 5(1)(e) GDPR and the
associated ability to demonstrate that compliance. In the circumstances, the personal data was
retained for a purpose that was to document that certain baptisms occurred on specific dates.
I do not find any infringement of Article 5(2) GDPR in relation to demonstrating this principle of
storage limitation in relation to the original entries in the Baptismal Registers. Therefore, I find
that the Archbishop did not infringe Article 5(2) GDPR.
H. Decision on Corrective Powers
795. I have set out above, pursuant to section 111(1)(a) of the 2018 Act, my decision to the effect
that the Archbishop has infringed Article 5(1)(a) of the GDPR. This finding was made in
paragraph 622.
796. Under section 111(2) of the 2018 Act, where the DPCmakes a decision (under section 111(1)(a)),
it must, in addition, make a decision as to whether a corrective power should be exercised in
respect of the controller or processor concerned and, if so, the corrective power to be exercised.
The remaining question for determination in this Decision is whether or not that infringement
merits the exercise of any of the corrective powers set out in Article 58(2) GDPR and, if so, which
corrective powers.
797. Article 58(2) GDPR sets out the corrective powers that supervisory authorities may exercise in
respect of non-compliance by a controller or processor. In deciding whether to exercise those
powers, Recital 129 provides guidance as follows:
…each measure should be appropriate, necessary and proportionate in view of ensuring
compliance with this Regulation, taking into account the circumstances of each individual
case…
798. Having carefully considered the infringement identified in this Decision, I have decided to
exercise a certain corrective power in accordance with section 115 of the 2018 Act and Article
58(2) GDPR. In summary, the corrective power that I have decided is appropriate to address the
infringement in the particular circumstances is:
An order to the Archbishop to update the Privacy Notice in the manner outlined in
paragraph 793.
I. Order to amend the Privacy Policy
799. Under Article 58(2)(d) GDPR, supervisory authorities have the power “to order the controller or
processor to bring processing operations into compliance with the provisions of this Regulation,
where appropriate, in a specified manner and within a specified period.”
800. Vindication of the rights available to data subjects pursuant to Chapter III of the GDPR depends
upon, inter alia, the clear identification of the controller.
801. In light of the identified infringement of Article 5(1)(a) GDPR, I order the Archbishop to make
the updates to the Privacy Policy specified in paragraph 793 by one month from the date of the
Final Decision in this Inquiry.
J. Right of appeal
802. This Decision is issued in accordance with section 111 of the 2018 Act. Pursuant to section
150(5) of the 2018 Act, the Archbishop has the right to appeal against this decision within 28
days from the date on which notice of the Decision is received by it.
Appendix 1: LIST OF ABBREVIATIONS/ RELEVANT TERMS
the 2018 Act
the Archbishop/Archdiocese
Canon Law
the Chancellor
the Chancellery
Data Protection Act 2018
the Archbishop of Dublin/Archdiocese of
Dublin
Canon Law is the internal law of the Roman
Catholic Church
assists the Archbishop in the governance of
the Archdiocese
is an office of the Archdiocese which assists the
Chancellor in the discharge of his functions
within the diocesan curia of the Archdiocese
the Charter Charter of Fundamental Rights of the
European Union
the CJEU Court of Justice of the European Union
the Decision the Decision of the Data Protection
Commission delivered in the context of an
own-volition inquiry
the DPC Data Protection Commission (previously the
Data Protection Commissioner prior to the
entry into application of the Data Protection
Act 2018)
the Commissioner Data Protection Commissioner established
pursuant to the Data Protection Acts 1988–
2003
the Complaints Complaints received in the DPC pursuant to
Article 77 of the GDPR
the Complainants Natural persons who lodged the complaints
the Directive Directive 95/46/EC of the European Parliament
and of the Council of 24 October 1995 on the
protection of individuals with regard to the
processing of personal data and on the free
movement of such data
EDPB European Data Protection Board
GDPR Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April 2016
on the protection of natural persons with
regard to the processing of personal data and
on the free movement of such data, and
repealing Directive 95/46/EC
the Inquiry The inquiry commenced pursuant to Section
110 of the 2018 Act