Processing of personal data by ecclesiastical entities
In the course of their activities, religious congregations are likely to collect and process personal data regarding their members, employees and faithful or third parties. This activity could be subject to Italian law.
The Italian Privacy Code sets forth the rules and requirements regarding the processing of personal data, sets sanctions for violations of such rules and provides for different regulations depending on the type of data processed.
In case of sensitive data (i.e., data pertaining to, e.g., racial or ethnic origin, political opinions, membership in parties, trade unions, associations, health etc.), the written consent of the data subject and the prior authorization by the Data Protection Authority are required.
The Italian Civil Code provides for certain exceptions in case of Religious Congregations having legal personality in Italy (i.e., civilly recognized ecclesiastical entities):
1) CIVILLY RECOGNIZED ECCLESIASTICAL ENTITIES NOT SUBJECT TO THE ITALIAN PRIVACY LEGISLATION
Civilly recognized ecclesiastical entities which meet both of the following requirements are not subject to the Italian Privacy Code:
- sensitive data are processed solely for institutional religious and worship-related purposes (worship and care of souls, education of the clergy and the religious, missionary purposes, catechesis, Christian education) or for exclusively religious purposes;
- such data are not disclosed or communicated to third parties.
With regards to the data processed for their institutional religious and worship-related purposes which are not disclosed to third parties, civilly recognized ecclesiastical entities are subject to the General decree of the Italian Episcopal Conference of October 20, 1999 (an Italian version of the decree may be found here).
2) CIVILLY RECOGNIZED ECCLESIASTICAL ENTITIES SUBJECT TO THE ITALIAN PRIVACY LEGISLATION
Civilly recognized ecclesiastical entities are subject to the Italian Privacy Code in the following cases:
- when they process sensitive data for purposes other than religious or worship-related: assistance and charity, schooling, education and culture and, in any case, in case of commercial or for-profit activities;
- when the sensitive data processed for religious and worship-related purposes are disclosed or communicated to third parties.