Promoting religious believes, no worries about GDPR. Wrong assumption

May religious communities not worry about GDPR and personal data transfer?

It is not uncommon that religious communities send their members from door to door to promote their creed and to recruit new followers. During such promotional activities prospect followers’ personal information is usually collected and stored.

Hence, several questions, such as: Do religious communities need to worry about the GDPR’s requirements, when performing such data collection? Can the results of such collection be considered as a ‘filing system’ as defined Article 4/6 of the GDPR? Or could they benefit from the exemption set in Article 9/2. d with respect to the processing prohibition laid down in Article 9/1 (N.B. the exemption applies to“processing .. carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects”)?

In many countries where religion plays a significant role (e.g. Spain, Poland, Ireland, Italy, Germany, etc.) specialists reading and interpreting the GDPR felt that there had been an intention to offer entities pursuing a religious aim a way out from a compliance obligation with the GDPR’s provisions.

How the European Court of Justice feels about the issue.

The problem is not exactly new as it had been raised already under the general EU Privacy Directive (no. 46/95) and had landed before the Grand Chamber of the European Court of Justice (case no. C-25/17), which issued its decision on July 10, 2018. The case was submitted by the Finish Supreme Administrative Court, wondering whether a ban imposed by the Finish Data Protection Board with respect to the processing of personal information collected (through notes about persons unknown to the religious group) by the Jehovah’s Witnesses Community in the course of their members’ door-to-door preaching, was compliant with EU Law.

In its decision the EUCJ:

- found that“the collection of personal data by members of the Jehovah’s Witnesses Community in the course of door-to-door preaching is a religious procedure carried out by individuals” and “not an activity of the State authorities and cannot therefore be treated in the same way as the activities referred to in Article 3(2), first indent, of Directive 95/46”,

- considered that “door-to-door preaching, in the course of which personal data are collected by members of the Jehovah’s Witnesses Community, is, by its very nature, intended to spread the faith of the Jehovah’s Witnesses Community among people who .. do not belong to the faith of the members who engage in preaching. Therefore, that activity is directed outwards from the private setting of the members who engage in preaching” and that “some of the data collected by the members of that community who engage in preaching are sent by them to the congregations of that community which compile lists from that data of persons who no longer wish to receive visits from those members. Thus, in the course of their preaching, those members make at least some of the data collected accessible to a potentially unlimited number of persons”,

- hence, concluded that “the collection of personal data by members of a religious community in the course of door-to-door preaching and the subsequent processing of those data does not constitute either the processing of personal data for the purpose of activities referred to in Article 3(2), first indent,” (activities of a State) ”of that directive or the processing of personal data carried out by a natural person in the course of a purely personal or household activity, within the meaning of Article 3(2), second indent, thereof “,

- then went on to evaluate whether in the specific case the“data processed form part of or are intended to form part of a filing system” and – considering “that the personal data collected in the course of the door-to-door preaching … are structured according to criteria chosen in accordance with the objective pursued by that collection, which is to prepare for subsequent visits and to keep lists of persons who no longer wish to be contacted. Thus .. those criteria .. are chosen so that they enable data relating to specific persons to be easily retrieved”– felt that the practice performed resulted in a ‘filing system’ as it resulted in “a set of personal data collected in the course of door-to-door preaching, consisting of the names and addresses and other information concerning the persons contacted” and “structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use .. for such a set of data to fall within that concept, it is not necessary that they include data sheets, specific lists or other search methods”.

- finally, dealt with the problem of whether“a religious community may be regarded as a controller, jointly with its members who engage in preaching, with regard to the processing of personal data carried out by the latter in the context of door-to-door preaching organised, coordinated and encouraged by that community,” and of “whether it is necessary for that purpose for the community to have access to those data, or whether it must be established that the religious community has given its members written guidelines or instructions in relation to that processing”, and

- came to the conclusion that “a religious community is a controller, jointly with its members who engage in preaching, … organised, coordinated and encouraged by that community, without it being necessary that the community has access to those data, or to establish that that community has given its members written guidelines or instructions in relation to the data processing.”

Therefore, the EUCJ provided the referring Finish Court with the following three criteria for deciding the case:

- the “collection of personal data by members of a religious community in the course of door-to-door preaching and the subsequent processing of those data”could not be automatically considered as exempt from the requirements of the former general data protection directive,

- the definition of a ‘filing system’ as referred to in Article 2(c) of Directive 95/46 “covers a set of personal data collected in the course of door-to-door preaching, … if those data are structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use” and to “..fall within that concept, it is not necessary that they include data sheets, specific lists or other search methods,

- under Article 2(d) of Directive 95/46 “..a religious community is a controller, jointly with its members who engage in preaching, for the processing of personal data carried out by the latter in the context of door-to-door preaching organised, coordinated and encouraged by that community, without it being necessary that the community has access to those data, or to establish that that community has given its members written guidelines or instructions in relation to the data processing.”

Religious Communities are not exempt from GDPR compliance.

Though having been issued with respect to a different legal framework (i.e. the provisions of Directive no. 95/46), there are no reasons for not considering those criteria perfectly valid also under the GDPR regime. Hence religious communities need to assess the impact of the GDPR on their activities.