Next Article in Journal
Against Quasi-Fideism
Next Article in Special Issue
The Legal Status of Religious Freedom in Romania: Legal Provisions and Cross-Cutting Issues
Previous Article in Journal
Paul and Rhetoric Revisited: Reexamining Litfin’s Assumptions on Pauline Preaching in 1 Corinthians
Previous Article in Special Issue
“The Law of Christian Freedom in the Spirit”: New Impulses for Church Legislation
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Religions
Volume 16
Issue 3
10.3390/rel16030364
religions-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Data Protection and Religious Freedom in the EU in the Context of the Catholic Church in Poland

by
Piotr Kroczek
Faculty of Canon Law, The Pontifical University of John Paul II in Krakow, ul. Kanonicza 25, 31-002 Krakow, Poland
Religions 2025, 16(3), 364; https://doi.org/10.3390/rel16030364
Submission received: 28 January 2025 / Revised: 2 March 2025 / Accepted: 9 March 2025 / Published: 13 March 2025
(This article belongs to the Special Issue The Right to Freedom of Religion: Contributions)
Review Reports Versions Notes

Abstract

:
The protection of personal data and religious freedom represent two fundamental rights that can be potentially in conflict in the European Union legal framework. The purpose of this paper is to critically analyze Articles 91 and 17 of the General Data Protection Regulation (GDPR 2016) in order to examine their implications for the exercise of religious freedom in both the personal and the institutional realms. The research employs a comprehensive legal analysis, examining potential interpretations of the articles in the context of the Catholic Church and of Poland. The findings suggest that while Article 91 introduces data protection requirements for religious associations, it does not inherently threaten religious freedom. However, the study highlights significant risks arising from potential misinterpretations of Article 91, particularly regarding the concepts of “comprehensive rules” and “brought into line with” GDPR standards. The same applies to Article 17 and the “right to be forgotten”, whose absolute application can interfere with freedom of religion. The research concludes that careful, nuanced interpretation of the GDPR is crucial to maintaining both personal data protection and religious freedom. The paper ultimately argues that the articles of the GDPR can be understood as a mechanism for safeguarding religious freedom rather than constraining it, provided it is applied regarding the diverse doctrinal principles of different religious organizations.

1. Introduction

The protection of personal data is considered a fundamental human right. It is strongly emphasized in EU primary law, e.g., Article 16(1) of the Treaty on the Functioning of the European Union (TFUE 2012) stating that “Everyone has the right to the protection of personal data concerning them” and Article 8(1) of the Charter of Fundamental Rights of the European Union (Charter of Rights 2012)—“Everyone has the right to the protection of personal data concerning him or her”.
The implementation of this right in EU countries is currently regulated primarily by the General Data Protection Regulation 2016/679 (GDPR) and the national laws of the EU Member States. The title of this regulation points to its purpose. It is “on the protection of natural persons regarding the processing of personal data”. This objective is widely regarded as a legitimate and reasonable one. Its implementation appears to be an important element of the policy of each country, as well as of the whole EU. Large-scale machine processing of data, which can be combined with identification or profiling by artificial intelligence, can pose a real danger to the privacy of the individuals. In general, people are aware of this threat. We live in a world in which, as the truism says, “information gives power”, including power over people (Tricker 1993, p. 129). Information about an individual who is potentially a customer or voter can be particularly valuable for politicians or business (Katsh 1995, p. 111). Therefore, the GDPR addresses these risks and can provide protection against them. The regulation itself can have a positive impact on social life and the sense of security of the individuals. The so-called “GDPR-absurd” results rather from ignorance, misinterpretation, and misapplication of the GDPR, while “GDPR-panic” is rather unjustified (Ojczyk 2019).
In the context of the title of the paper, which concerns the protection of personal data and religious freedom, one should ask oneself: How can the protection of personal data do any harm to religious freedom or vice versa? Prima facie both these rights, i.e., (1) the right to the protection of personal data and (2) the right to religious freedom, extend the scope of human freedom. So why should their scopes conflict with each other?
This paper demonstrates that such a collision is possible. To prove this, the following issues of the GDPR will be critically examined: (1) the presence of Article 91 of the GDPR, (2) possible misinterpretations of the Article in question, (3) problem of religious associations or their rules arising after the entry of the GDPR into force, and (4) Article 17 of GDPR and right to the erasure of data processed by the religious associations.
The data protection law constitutes an element of legal systems within the European Union Member States. These states simultaneously maintain laws addressing religion generally and specific legislation governing religious associations. There exist both juridical similarities and significant differences between these regulations across countries, manifesting at both constitutional and sub-constitutional levels (Doe 2011, pp. 259–260).
Given the diverse legal landscapes concerning religious associations in relation to data protection across EU Member States, the following analysis will primarily focus on the legal framework of the Republic of Poland and the Catholic Church as a case study. Nevertheless, it is important to acknowledge that the arguments presented in this paper may be adapted, with appropriate contextual considerations, to apply to other jurisdictional settings throughout the European Union.

2. Article 91 of the GDPR and Religious Freedom

It is essential to begin by acknowledging that “The European Union (EU) has laws and other regulatory instruments on religion directed to both the EU institutions and its twenty-seven Member States” (Doe 2011, p. 1). However, EU law does not contain specialized legal frameworks often referred to as “ecclesiastical law” or “confessional law” that would regulate in detail the relationships between the EU and religious associations.
This absence of detailed regulation stems from the unique status religious associations hold within EU legal structures. This special position is explicitly established in Article 17(1) of the Treaty on the Functioning of the European Union (TFEU), which states: “The Union respects and does not prejudice the status under national law of churches and religious associations or communities in the Member States”.
This means that EU Member States can determine the position of religious associations in their national domestic laws law or international laws which have been incorporated into national law (Doe 2011, p. 14).
The EU does not have the competence to unify and build one model of relations across the EU (Krukowski 2015, p. 335). Nevertheless, as indicated in the literature on the subject, such a solution was only present in the initial phase of EU legislation. This resulted from the fact that, initially, European integration focused mainly on the economic aspects of interstate cooperation. As can be seen, state ecclesiastical law is currently attracting increasing interest from EU law (Łopatowska-Rynkowska 2012, art. 17). It can be assumed that this trend will intensify and strengthen as the legal ties between states and the progressive unification of law between them become stronger.
The evidence of this interest of the EU in religious matters is precisely Article 91 of the GDPR. The provisions in question refer to the existing data protection rules of churches and religious associations. For further consideration, these provisions should be cited: “1. Where in a Member State, churches and religious associations or communities apply, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of natural persons with regard to processing, such rules may continue to apply, provided that they are brought into line with this Regulation. 2. Churches and religious associations which apply comprehensive rules in accordance with paragraph 1 of this Article shall be subject to the supervision of an independent supervisory authority, which may be specific, provided that it fulfils the conditions laid down in Chapter VI of this Regulation”.
Some lawyers find the presence of this article surprising and consider it a violation of religious freedom. One of them recognized that “the competence to create standards of religious law and thus to interfere in the internal affairs of churches and religious associations is not an activity falling within the scope of the EU” (Zając 2018, p. 64). Consequently, pursuant to Article 2(2)(a) of the GDPR, which states that “This Regulation does not apply to the processing of personal data: in the course of an activity which falls outside the scope of European law”, they claim that assigning the regulatory role of the GDPR to religious associations under Article 91 of the GDPR constitutes a threat or even a violation of religious freedom. The presented opinion does not merit acceptance.
Firstly, the EU cannot be denied the right to enact law regulating the activities of religious associations as one of the categories of many entities which are subject to EU law. There is no reason why religious associations should fall completely out of the scope of the EU legislator, simply because they have the specific and unique status of a religious association. Such a situation could, moreover, give rise to allegations of discrimination against either religious associations or entities which are not religious associations.
It should be noted, however, that the activities of religious associations are already regulated, for example, by the fact that certain EU regulations apply to religious associations, not as such, but as entities in laws. The principle of equality in law must be always applied. Religious associations are, in principle, covered by EU law, just like other legal entities (Buttarelli 2018).
The above reasoning is without prejudice to recital (165) of the GDPR, which refers to Article 17 of the TFEU and states that the GDPR shall not prejudice the status granted to churches and religious associations or communities under the constitutional law in force in the EU Member States and shall not prejudice this status by data protection regulations. The expression “does not prejudice” does not mean, after all, that EU law does not affect in any way the functioning of religious associations (Łopatowska-Rynkowska 2012, art. 17).
The EU has the competence to legally determine the standards of data protection and data processing in the EU—even based on Article 16 of the TFEU, which states in Section 1 that “Everyone has the right to the protection of personal data concerning them”. These standards can be imposed on religious associations as operating within the EU.
Secondly, in the opinion referred to above, there is an unjustified alignment of the scope of the terms: (1) state ecclesiastical law and (2) the internal law of the religious association. State ecclesiastical law is a set of rules from many branches of law relating to the freedom of conscience and religion of the individuals and the legal status of religious associations in the national legal system (Mezglewski et al. 2011, p. XXI). The regulations are enacted by a competent secular legislative body, which is independent and usually does not interfere with the internal affairs of religious associations.
The internal law of a religious association, on the other hand, is usually an endogenous law regulating the ad intra and ad extra activity of the religious association. A religious association, however, does not operate in a legal vacuum, but it takes part in legal transactions under the secular law.
Thirdly, Article 91 of the GDPR includes the possibility of excluding religious associations from uniform protection of the GDPR after meeting the conditions set out in the Article in question, and thus highlights in EU law the principle of autonomy of religious associations also known from the Polish regulations. It is crucial to highlight that numerous religious associations have yet to fully utilize the opportunities offered by Article 91 of the GDPR. As a direct consequence, the complete regulatory framework of the GDPR applies to all their operational activities, including those specifically religious in nature. The situation in Poland serves as an illustrative example: among the 190 religious associations that are officially recognized by the state, merely 15 have formally notified the supervisory authority of their compliance with Article 91 requirements. It is noteworthy that in certain EU countries, such as France and Czechia, even religious institutions possessing extensive internal legislation, like the Catholic Church, have not yet fulfilled the requirements of the GDPR, resulting in their comprehensive subjection to the regulation.
It is true that there may be a collision between the internal (usually endogenic) law of religious associations and secular, that is, state regulations. However, unless secular law stipulates that religious doctrine or the law of a religious association directly related to this doctrine shall be violated, there shall be no unauthorized interference in the internal affairs of the religious association. Strategies exist for addressing potential collision scenarios, for example, in the law of the Catholic Church, by the legal institution of dispensation, i.e., loosening of the so-called purely ecclesiastical law in a particular case (Codex Iuris Canonici 1983, can. 87), or through other legal institutions that have a similar function or purpose of dispensation. These are as follows: tolerantia canonica, dissimulatio, epikia, permissio, and licentia (Kroczek 2017, pp. 234–245).
An irresolvable or irremovable conflict between norms would arise if personal data were subject to religious worship. This situation is not unthinkable, given the phenomenon of so-called “joke religions” (Nowicki 2011, pp. 57–90), or in the situation when the processing of a specific personal data is absolutely necessary to achieve the objectives of the religious association directed towards meeting the religious needs of the members or fulfilling the religious functions of the religious association.
It should be noted that, in general, the presence of Article 91 of the GDPR—i.e., a fundamental legal solution concerning the regulation of personal data protection processed by religious associations—should be considered a provision that does not interfere with religious freedom.

3. Threats to Religious Freedom in the Misinterpretation of Article 91 of the GDPR

However, the provisions of Article 91 of the GDPR may pose a threat to religious freedom in the event of misinterpretation. The results of the application of the norms derived from such defective interpretation can harm religious associations and religious freedom.
First, religious associations may be forced to fulfill obligations that the GDPR does not actually impose. Secondly, the internal activities of religious associations, that is, their statutory activities which are usually closely connected to religious doctrine, may be a subject to the GDPR. These two possible situations are already a serious violation of religious freedom, understood both individually and communally, as they disrespect the autonomy (self-governance) of religious associations.
Regarding the dangers of misinterpreting Article 91 of the GDPR, it should be noted that the GDPR, like any other EU law, uses legal expressions that are not always consistent with those typical of national laws in EU Member States. This can cause problems with interpreting them. There are several expressions in Article 91(1) of the GDPR which may cause some problems, and each of them can be called crux interpretum.

3.1. “Comprehensive Rules” of Religious Associations on the Protection of Natural Persons

The first of the problematic expressions is the phrase “comprehensive rules”. The phrase is connected with the first condition for excluding the religious association from the GDPR. The condition is that the religious association must have applied “comprehensive rules” for the protection of individuals regarding the processing of personal data at the time of the entry into force of the GDPR.
In the context of Polish legal system, the author of one of the commentaries on the GDPR, for example, stated that “In the current legal status, neither the Concordat nor the laws governing the relations between the state and churches, nor the Personal Data Protection Act of 1997 provide for alternative mechanisms for the protection of personal data by the churches and religious associations” (Zawadzka 2018, Art. 91). Consequently, the religious associations operating in Poland did not have and did not apply comprehensive rules relating to the protection of natural persons. This reasoning may be questionable, as it appears to be based on problematic assumptions.
First, the provision in question does not specify the source of the comprehensive rules at all. It may be exogenous, but it may be endogenous to a religious association. Consequently, it cannot be argued that there must be some state regulations in force, regarding religious associations, containing specific mechanisms for the protection of personal data. Such a requirement is not mentioned at all in the cited provision of the GDPR.
Secondly, the expression “rules” in the context of legal language or juridical language does not mean law or provisions building law. Rules are certain principles, metanorms, that is, upper norms, which are the basis of the legal system, particular directions of legal solutions or legal institutions. It is true that sometimes rules may be explicit in the legal text, but it is not necessarily conditio sine qua non.
It should be recognized that the expression “comprehensive rules” used in the commented provision does not mean that a religious association must have a uniform, complete set of internal regulations, e.g., one law, which regulates the issue of personal data protection (Fajgielski 2018, Art. 91). These regulations may be “compact or scattered rules on how to safeguard the processing of personal data in the interest of individuals” (Hucał 2017, p. 194). Furthermore, it must be mentioned that the rules in question may also come from customary law of religious organizations, as, for instance, is the case in the Catholic Church (Codex Iuris Canonici 1983, can. 23–28).
Consequently, it might be worth considering whether expecting religious associations to prove the application of data protection rules solely through printed and applied documentation dated before the entry into force of the GDPR (i.e., 24 May 2016) fully captures the complexity of religious organizational practices. Such an expectation towards the Catholic Church was expressed by representatives of the European Commission at the meeting with representatives of the Conference of Bishops from European Union countries appointed for the protection of personal data in Brussels on 21 May 2019.
It should be added that looking at the provision of Article 91(1) of the GDPR from a grammatical interpretation perspective, it should be assumed that the requirements of Article 91(1) of the GDPR will be satisfied by the presence of two rules governing the protection of personal data in each religious association (Łukańko 2018, p. 507).
An interesting question is whether these “comprehensive rules” can be derived directly from the religious-moral doctrine of a given religious association. It can be said that it is possible. It cannot be assumed that every religious association has some strictly legal normative regulations, and it cannot be preferred to those religious associations that have such regulations. Some religious associations have a reluctant attitude toward law as such—including their own—and may not pass internal normative acts at all or only to a minimal extent. Therefore, such religious associations may not have legal rules as such, and at the same time may have rules for the protection of natural persons in connection with processing, which will be an element of, e.g., their strictly ethical or moral system. If the possibility of exclusion were made conditional on strict legal rules, this could be qualified as an infringement of the equal treatment of religious associations and as discrimination in terms of religious doctrine.
The EU is also aware of the multitude of doctrinal solutions in religious associations, which is also reflected in the names used in the EU law. “Churches and other religious associations” are expressions from the Polish legal language (Konstytucja Rzeczypospolitej Polskiej 1997, art. 25 (1)). European law uses terms such as “churches”, “religious associations or communities”, or some other legal terms. Acknowledging this plurality also entails respecting religious freedom.

3.2. “Brought into Line with”—Alignment of the Religious Association Law with the GDPR

The second condition contained in Article 91(1) of the GDPR for the exclusion of a religious association from the GDPR is that the religious association’s comprehensive data protection rules must be “brought into line” with the GDPR. Misinterpretation of the expression “brought into line with” could be a threat to religious freedom.
It has been suggested by some lawyers commenting on the regulation that the phrase “brought into line with” may be interpreted as copying or repeating the provisions of the GDPR. This is a matter that may require further consideration. However, it should be emphasized that the GDPR does not order at all the literal acceptance by the religious association of the legal solutions contained in the GDPR. The expression “brought into line with” should rather be understood as adaptation or taking over the main objectives of the regulation, particularly as regards the rights of the data subjects, understood in this case as a model of regulation. After a thorough examination of the presented arguments, one should agree with the opinion that “not all the requirements of the new EU regulation relating to the rights of data subjects will have to be incorporated into the internal law of religious associations” (Mezglewski 2016, p. 50).
What speaks in favor of such a liberal interpretation of the expression in question is that religious associations must ultimately be guaranteed their autonomy, so that their internal (usually endogenic) law is in line with the religious doctrine of a given religious association. There is a forceful postulate of the orthodoxy of doctrine and law enacted by a legislative body of religious association. This is a specific element of the religious legislator’s rationality (Kroczek 2017, p. 131).
It would appear that, in principle, EU law might not be intended to interfere with the doctrinal affairs of the religious association, as is stated in Article 17(1) of the TFEU. There is no doubt that the rules on the protection of personal data should be adapted to a given religious association to avoid their contradiction with the principles of doctrine and the functioning of religious associations. In making internal rules, policies and practices of religious associations should follow the principle of proportionality in restricting the right to privacy of their members on the one hand, and the exercise of freedom of conscience and religion on the other (Hucał 2017, p. 216).
This position is in line with recital (4) of the GDPR, which states that the right to the protection of personal data is not an absolute right, and it must be seen in the context of its social function and balanced against other fundamental rights in accordance with the principle of proportionality. Consequently, the GDPR respects the fundamental rights, freedoms, and principles recognized by the Charter of Fundamental Rights—as enshrined in the Treaties—and in particular the right to freedom of conscience and religion and religious diversity. In practice, this may mean that if religious doctrine opposes certain regulations contained in the GDPR, then the religious association does not have to strictly transpose them into its internal law. It would be enough to adjust the regulations accordingly. The purpose of this correction is to guarantee the rights of natural persons to the maximum extent permitted by religious doctrine, in accordance with the standards of the GDPR.
To adapt its own rules of protection of natural persons to the GDPR, the Bishops’ Conference of the Catholic Church in Europe issued special laws (e.g., Konferencja Episkopatu Polski 2018; Conferenza Episcopale Italiana 2018; Österreichische Bischofskonferenz 2017). In these laws, numerous provisions are modelled on GDPR (Karsten 2021, p. 34). The legislative assumption, therefore, was literal fidelity to the provisions of the European regulation on the subject, with some exceptions (Kroczek and Skonieczny 2022, p. 42; Skonieczny 2018, pp. 71–73).

4. The Problem of Religious Associations and Their Rules Arising After the Entry of the GDPR into Force

The incorrect interpretation of Article 91(1) of the GDPR, which may lead to a violation of religious freedom, is also linked to the fact that the comprehensive rules had to be in place on the date of entry into force of the GDPR, i.e., 24 May 2016. The literal meaning of Article 91 of the GDPR suggests that the GDPR recognizes only those rules in question which existed on that date. Consequently, it is not possible to exclude from the GDPR those religious associations which (1) did not exist or (2) did not apply such rules on the date of the entry into force of the GDPR.
Such a legal solution might raise certain questions about its compliance with the principle of equal treatment of religious associations in the EU. The exclusion of these two groups of religious associations would be incompatible also with the Polish constitutional principles of equality of religious associations (see Article 25(1) Konstytucja Rzeczypospolitej Polskiej 1997). This in turn would be contrary to the recital (165) of the GDPR, which, with Article 17 of the TFEU, is intended to ensure that the status of these associations is respected in the national legal order.
Such an exclusion would also violate the principle of respect for religious diversity (Article 22 of the Charter of Fundamental Rights) and the principle of equality before the law (Article 20 of the Charter of Fundamental Rights). Some authors also rightly see the possibility of infringement by such a grammatical interpretation of Article 14 in conjunction with Article 9 of the European Convention on Human Rights (The Convention for the Protection of Human Rights and Fundamental Freedoms 1950), namely, the prohibition of discrimination on grounds of religion, as well as Article 9 of the European Convention on Human Rights, which provides for freedom of thought, conscience, and religion (Hucał 2017, p. 196).
There will probably be a dispute over this legal issue. The literal interpretation of the provision is clear, but it cannot be accepted. The outcome of the interpretation must be corrected by other methods of interpretation, such as, for example, teleological and functional interpretation. According to the literature, these two methods of interpretation of the EU enable the interpretation of EU legislation according to ratio legis, which is significant considering the dynamic nature of the EU (Helios and Jedlecka 2018, pp. 12–13; Koncewicz 2014, p. 222).
This tool presents a viable solution to the identified problem. The religious associations which did not exist until after 24 May 2016, or did not apply their comprehensive rules on the protection of personal data, can create and apply these rules. These rules must be implemented in accordance with the GDPR standard at the time of their application.
Correspondingly, for the coherence of the EU legal system, it should be assumed that the legislator’s order formulated in Article 91(1) of the GDPR is not a mistake, but it is intended as an obligation on the religious associations to adapt their regulations to the GDPR. Any different interpretation would require the Court of Justice to declare Article 91(1) of the GDPR incompatible with Article 17 of the TFEU and for the EU legislator to modify the provision accordingly.

5. The Problem of Article 17 of the GDPR in the Context of the Records of Religious Associations

Another problem that may arise in the application of the GDPR relates to the right to erasure (‘right to be forgotten’), as mentioned in Article 17 of the GDPR. The provisions of Item 1 of the Article in question state the following: “The data subject shall have the right to obtain from the controller the erasure of personal data (…) where one of the following grounds applies: (1) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (2) the data subject withdraws consent on which the processing is based according (…), and where there is no other legal ground for the processing; (3) the data subject objects to the processing pursuant (…), (4) the personal data have been unlawfully processed; (5) the personal data have to be erased for compliance with a legal obligation in Union or Member State law (…); (6) the personal data have been collected in relation to the offer of information society services (…).” These are the rationales for the removal of data.
Item 3 of Article 17 of the GDPR contains negative prerequisites, i.e., circumstances in which the deletion request shall not apply: “(1) for exercising the right of freedom of expression and information; (2) for compliance with a legal obligation (…) to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (3) for reasons of public interest in the area of public health (…), (4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (…), (5) for the establishment, exercise or defence of legal claims”.
Currently, in Poland and other EU countries such as the Netherlands, Belgium, Ireland, Slovenia, and France, the religious associations or communities, or their bodies, that are “controllers” as defined in Article 5 (7) of the GDPR are receiving the requests of data subjects. These individuals wish to exercise the right in question. They want to obtain the deletion of their personal data processed in records. These include, in the case of the Catholic Church, records of baptism, confirmation, and marriage maintained within church registries, mainly maintained by parishes.
The controllers mostly reject requests on many grounds and use various arguments. It appears that the reasoning they use varies depending on the legal situation of the Church in the country concerned. Article 17(1) of the TFEU talks about the EU’s respect for the status of religious associations “under national law” in the Member States.
This occurs, whether in discussions with those interested in deleting the data or later during administrative processes before the supervisory authority, within the meaning of Article 51 (1) of the GDPR.
In Poland, the President of the Personal Data Protection Office has asserted that data collected by the Catholic Church for its religious activities falls outside his jurisdictional authority. This position recognizes that the Catholic Church operates under its own endogenous legal framework regarding data protection and maintains its independent supervisory authority (Personal Data Protection Office 2019). This jurisdictional delineation means that Article 17 of the GDPR, which establishes the “right to be forgotten”, does not apply to data collected by the Church. Instead, the Church’s internal regulatory system, which has been specifically adapted to align with GDPR standards, takes precedence over EU law in these matters.
In the case of the right to erasure of personal data, it is not applicable to the Church if “the data relate to the sacraments given or otherwise to the canonical status of a person” (Konferencja Episkopatu Polski 2018, Article 14(4)). This solution fully complies with European law, including the TFEU and the GDPR. It has already been established in this paper that two key arguments support this position: first, the argument from the rationality of the legislator (as evidenced by the inclusion of Article 91 in the GDPR), and second, the argument from a semantic perspective (recognizing that the phrase “brought into line with” should not be interpreted as requiring exact replication of the GDPR provisions).
An additional argument merits consideration in this context. If state authorities or courts were granted decisive power over the processing of data deemed essential for the functioning of religious associations, this would effectively subordinate inherently religious activities to state law—activities such as joining a religious community, receiving sacraments, and participating in other practices that shape an individual’s status within the organization. Consequently, these fundamentally spiritual matters could be reframed as creating or terminating subjective legal rights based on, inter alia, declarations of intent under civil law. This approach would substantially undermine the special legal autonomy granted to religious organizations under constitutional frameworks, concordats, and relevant legislation of EU Member States. These considerations strengthen the conclusion that data related to religious matters should remain under the autonomous control of religious associations themselves, rather than subject to general data protection regimes.
In the case of the Catholic Church in Poland, religious freedom contributes to the free exercise of the Church’s mission, including the proclamation and practice of Catholic doctrinal teaching (cf. Codex Iuris Canonici 1983, can. 747 § 1), its jurisdiction, and its management of its affairs (cf. art. 5 of the Concordat). In all these matters, the processing of personal data is within the realm of church jurisdiction.
Each Member State must provide the possibility to exercise the right to an effective judicial remedy against a legally binding decision of a supervisory authority in accordance with Article 78(1) of the GDPR. This position of the Polish supervisory authority has been evaluated by administrative courts in the first and second instance (Provincial Administrative Court in Warsaw 2019; Supreme Administrative Court of Poland 2024). It has been determined by the courts that, in light of the legal regulations expressed in Article 91 of the RODO and in view of the legal regulations concerning the Catholic Church in Poland, the President of the Office for Personal Data Protection is not authorized to review a case concerning the processing of personal data in databases maintained within the structures of the Catholic Church, if the data concern the Church’s religious activities. The matter of erasure or other forms of processing data used for religious reasons remains a matter of church law.
The issue of a demand based on Article 17 of the GDPR has recently been resolved differently in Belgium and Ireland. The Catholic controllers rejected the requests from data subjects. An appeal against each of these decisions to the supervisory authority resulted in an order to delete the data (e.g., Belgian Data Protection Authority 2023; see also Ireland Data Protection Commission 2023). The Belgian supervisory authority’s ruling has been challenged in court. The court has referred the case to the European Court of Justice in Luxembourg by way of preliminary ruling before hearing the case on its merits. These questions concern the right to erasure of personal data from baptismal registers under Article 17 of the GDPR, specifically whether individuals who were baptized as minors have the right to have their data deleted when they wish to dissociate from the Roman Catholic Church as adults. The questions also explore whether factors such as religious freedom, historical archiving purposes, the physical nature of the registers, and alternative solutions like marginal annotations can affect the application of the right to erasure in this specific religious context.
These differences in the decisions of the supervisory authorities in Poland and Belgium may be due to the different situation of the Church in each country’s legal system.
It is important to note that even if religious associations are subject to the full scope of the GDPR, the right to request the deletion of personal data may be subject to certain limitations. This is due to other legitimate reasons for the continued processing of such data.
An example of this can be found in a 2020 case from Slovenia, where the right of erasure was not found to apply to personal data stored in the Baptismal Register, which is classified as archival material of outstanding national importance under state law. As a result, the erasure of any data contained within this register is not permitted (EDPB 2021). In this particular instance, the processing is deemed necessary for archiving purposes in the public interest, as outlined in Article 89(1) of the GDPR. Additionally, erasure can be denied if deleting the data is likely to render impossible or seriously impair the achievement of the objectives of that processing, as specified in Article 17(3)(d) of the GDPR. A similar ruling based on the same argument was made recently in France (Conseil d’État 2024).
In the context of this paper, it is important to note that the retention of personal data relating to an individual in the registers run by religious associations is an aspect of religious freedom in both individual and institutional dimensions. First, the mere retention of personal data does not compel the individual (data subject) to confront religious elements or to participate in the exercise of any religion. The data are the confirmation of facts that have taken place, such as admission to a given religious association, e.g., by a religious act such as a baptism. These facts were an individual realization of the right to religious freedom. Second, the data are necessary for the religious association to act in accordance with the requirements of religious doctrine, e.g., avoiding double baptism or otherwise taking care of internal public goods.
The European Court of Human Rights has dealt with these issues on several occasions. In its jurisprudence on freedom of religion and freedom of organization there is a connection between the individual and collective aspects in the existence of religious communities, with the well-established assumption of freedom of association and freedom of religion. Article 11 and Article 9 of the The Convention for the Protection of Human Rights and Fundamental Freedoms are closely related, and Article 9 of the Convention must be interpreted in the light of Article 11. This way of dealing with the issue safeguards associative life against unjustified State or UE interference. The autonomous existence of religious communities is an element of effective enjoyment of the right to freedom of religion by all its active members (European Court of Human Rights 2000, § 62).

6. Conclusions

The modern world poses great challenges to religious freedom in many, sometimes unexpected, ways. One of these challenges is paradoxically the protection of personal data in EU law.
Based on the foregoing discussion, it could be suggested that Article 91 of the GDPR might not necessarily pose a threat. In fact, the freedom is highlighted and strengthened by the Article in question. The provisions in question appear to allow religious associations to regulate data processing with their own endogenous regulations, which are in accordance with the religious doctrine of these associations and other of their own laws. However, misinterpretation of Article 91(1) of the GDPR may indeed be a threat to this fundamental freedom of every human being and religious institution.
The interpretation of the entire GDPR by the supervisory authorities competent in matters of data protection, the national courts, and the European Court of Justice should be conducted in a manner that safeguards religious freedom as comprehensively as possible, while giving due consideration to the specific legal status of religious organizations in each Member State. Such an interpretative approach would not only uphold fundamental rights enshrined in the constitutional traditions of Member States but also ensure a proper balance between the individual right to data protection and the collective right to religious autonomy that forms an essential part of Europe’s pluralistic democratic society.
After all, the protection of personal data must not become a legal instrument that paralyses (intentionally or not) the activities of religious associations in the EU.

Funding

This research received no external funding.

Data Availability Statement

Data from public domain resources.

Conflicts of Interest

The author declares no conflict of interest.

References

  1. Belgian Data Protection Authority. 2023. The Disputes Chamber of the Data Protection Authority, Chamber Decision on the merits 169/2023 of 19 December 2023. File Number: DOS-2021-01986. Brussels: Belgian Data Protection Authority. [Google Scholar]
  2. Buttarelli, Giovanni. 2018. Choose Humanity: Putting Dignity back into Digital. Paper presented at the Opening Speech of the 40th International Conference of Data Protection & Privacy Commissioners, Brussels, Belgium, October 24. [Google Scholar]
  3. Charter of Rights. 2012. Charter of Fundamental Rights of the European Union, 2012 O.J. C 326/391. Available online: https://www.europarl.europa.eu/charter/pdf/text_en.pdf (accessed on 7 March 2025).
  4. Codex Iuris Canonici. 1983. Washington: Canon Law Society of America. [CrossRef]
  5. Conferenza Episcopale Italiana. 2018. Decreto generale ’Disposizioni per la tutela del diritto alla buona fama e alla riservatezza. Notiziario della Conferenza Episcopale Italiana 10: 376–97. [Google Scholar]
  6. Conseil d’État 461093. 2024. Lecture du 2 février 2024, ECLI:FR:CECHR:2024:461093.20240202, Décision n° 461093. Available online: https://www.conseil-etat.fr/fr/arianeweb/CE/decision/2024-02-02/461093 (accessed on 7 March 2025).
  7. Doe, Norman. 2011. Law and Religion in Europe: A Comparative Introduction, 1st ed. Oxford: Oxford University Press. [Google Scholar] [CrossRef]
  8. EDPB. 2021. Slovenian Administrative Court Upholds the Decision of the Slovenian SA: The Right of Erasure Does Not Enable an Individual to Have His Personal Data Erased from Baptismal Register, 18 October 2021. Brussels: EDPB. [Google Scholar]
  9. European Court of Human Rights. 2000. Hasan and Chaush v. Bulgaria. Judgment of October 26, 2000. Application no. 30985/96. Strasbourg: European Court of Human Rights. [Google Scholar]
  10. Fajgielski, Paweł. 2018. Art. 91. In Ogólne rozporządzenie o ochronie danych. Ustawa o ochronie danych osobowych. Komentarz. Warszawa: Lex. [Google Scholar]
  11. Helios, Joanna, and Wioletta Jedlecka. 2018. Wykładnia prawa Unii Europejskiej ze stanowiska teorii prawa. Wrocław: E-Wydawnictwo. Prawnicza i Ekonomiczna Biblioteka Cyfrowa. [Google Scholar]
  12. Hucał, Michał. 2017. Ochrona danych osobowych w związkach wyznaniowych w świetle unijnego rozporządzenia nr 2016/679. Studia z Prawa Wyznaniowego 20: 185–222. [Google Scholar] [CrossRef]
  13. Ireland Data Protection Commission. 2023. Decision of the Data Protection Commission Made. Pursuant to Section 111 of the Data Protection Act 2018. Dublin: Ireland Data Protection Commission. [Google Scholar]
  14. Karsten, Kinga. 2021. Kilka uwag dotyczących zastosowania dekretu Konferencji Episkopatu Polski o ochronie danych osobowych z 2018 r. do spraw małżeńskich lub rodzinnych. Annales Canonici 17: 23–37. [Google Scholar] [CrossRef]
  15. Katsh, M. Ethan. 1995. Law in a Digital World. New York and Oxford: Oxford University Press. [Google Scholar]
  16. Koncewicz, Tomasz Tadeusz. 2014. Jak interpretować prawo europejskie? Palestra 5–6: 216–222. [Google Scholar]
  17. Konferencja Episkopatu Polski. 2018. Dekret ogólny w sprawie ochrony osób fizycznych w związku z przetwarzaniem danych osobowych w Kościele katolickim. Paper presented at Konferencja Episkopatu Polski, Warszawa, Poland, March 13. [Google Scholar]
  18. Konstytucja Rzeczypospolitej Polskiej. 1997. Konstytucja Rzeczypospolitej Polskiej z dnia 2 kwietnia. Dz.U. 1997 nr 78 poz. 483. Available online: https://isap.sejm.gov.pl/isap.nsf/download.xsp/WDU19970780483/U/D19970483Lj.pdf (accessed on 7 March 2025).
  19. Kroczek, Piotr. 2017. The Art of Legislation: The Principles of Lawgiving in the Church. Kraków: Wydawnictwo UNUM. [Google Scholar]
  20. Kroczek, Piotr, and Piotr Skonieczny. 2022. Ochrona danych osobowych w Kościele katolickim. Komentarz do Dekretu ogólnego Konferencji Episkopatu Polski w sprawie ochrony osób fizycznych w związku z przetwarzaniem danych osobowych w Kościele katolickim z 2018 roku. Tom 1, część 1: Kwestie wstępne, część 2: Preambuła. Seria: Annales Canonici. Monographiae, redakcja serii Jan Krzywda, nr 9; Kraków: Wydawnictwo Naukowe Uniwersytetu Papieskiego Jana Pawła II. ISBN 978-83-63241-29-2. [Google Scholar] [CrossRef]
  21. Krukowski, Józef. 2015. Kościół i państwo w prawie Unii Europejskiej. In Katolickie zasady relacji państwo-Kościół a prawo polskie. Edited by Józef Krukowski, Mirosław Sitarz and Henryk Stawniak. Lublin: Towarzystwo Naukowe KUL, pp. 289–335. [Google Scholar]
  22. Łopatowska-Rynkowska, Joanna. 2012. Art. 17. In Traktat o funkcjonowaniu Unii Europejskiej. Komentarz. Tom I (art. 1-89). Edited by Miąsik Dawid. Warszawa: Lex. [Google Scholar]
  23. Łukańko, Bernard. 2018. Prawo do ochrony danych osobowych w ramach kościołów i związków wyznaniowych—art. 91 rozporządzenia Parlamentu Europejskiego i Rady (UE) 2016/679. In Prawa człowieka i ich ochrona. Księga rocznicowa z okazji siedemdziesiątej rocznicy uchwalenia Powszechnej Deklaracji Praw Człowieka. Tom 2. Trwałość i modyfikacja. Edited by Błażej Kmieciak and Kamil Stępniak. Warszawa: Wydawnictwo Think & Make. [Google Scholar]
  24. Mezglewski, Artur. 2016. Perspektywa i zakres implementacji nowych przepisów Unii Europejskiej dotyczących przetwarzania danych osobowych przez związki wyznaniowe. In Ochrona danych osobowych w Kościele. Edited by Stanisław Dziekoński and Piotr Drobek. Warszawa: Wydawnictwo Uniwersytetu Kardynała Stefana Wyszyńskiego, pp. 35–52. [Google Scholar]
  25. Mezglewski, Artur, Henryk Misztal, and Piotr Stanisz. 2011. Prawo wyznaniowe. Warszawa: Wydawnictwo C.H. Beck. [Google Scholar]
  26. Nowicki, Maciej. 2011. Joke religions jako nowy model religijności współczesnej. Ex Nihilo 6: 57–90. [Google Scholar]
  27. Ojczyk, Joanna. 2019. Absurdy prawne nie pogrążą RODO. Prawo.pl, August 12. [Google Scholar]
  28. Österreichische Bischofskonferenz. 2017. Decretum Generale über den Datenschutz in der Katholischen Kirche in Österreich und ihren Einrichtungen (Kirchliche Datenschutzverordnung). November 6–9. Available online: https://www.bischofskonferenz.at/pages/glossary_list.siteswift?s=3804&t=91d310f66eb6c44f&ts=1741786352 (accessed on 1 March 2025).
  29. Personal Data Protection Office. 2019. Administrative decision of March 19, 2019. Warszawa: Personal Data Protection Office. [Google Scholar]
  30. Provincial Administrative Court in Warsaw. 2019. Judgment of 9, 2019. II SA/Wa 865/19. Warsaw: Provincial Administrative Court in Warsaw. [Google Scholar]
  31. Skonieczny, Piotr. 2018. Zakres podmiotowy dekretu ogólnego KEP z 13 marca 2018 r. w sprawie ochrony osób fizycznych w związku z przetwarzaniem danych osobowych w Kościele katolickim. Prawnoporównawczy punkt widzenia. Annales Canonici 14: 69–86. [Google Scholar] [CrossRef]
  32. Supreme Administrative Court of Poland. 2024. Judgment of September 3, 2024, III OSK 769/23. Warszawa: Supreme Administrative Court of Poland. [Google Scholar]
  33. TFUE. 2012. European Union. Consolidated Version of the Treaty on the Functioning of the European Union. 2012 O.J. C 326/47. Available online: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:12012E/TXT:en:PDF (accessed on 7 March 2025).
  34. The Convention for the Protection of Human Rights and Fundamental Freedoms (European Convention on Human Rights). 1950. Available online: https://www.echr.coe.int/documents/d/echr/convention_eng (accessed on 7 March 2025).
  35. Tricker, Robert Ian. 1993. Harnessing Information Power. Hong Kong: Hong Kong University Press. [Google Scholar]
  36. Zając, Paweł. 2018. RODO a Kościół Katolicki w Polsce. Określenie zakresu działalności Unii Europejskiej. Biuletyn Stowarzyszenia Kanonistów Polskich 31: 61–75. [Google Scholar] [CrossRef]
  37. Zawadzka, Natalia. 2018. Art. 91. In RODO. Ogólne rozporządzenie o ochronie danych. Komentarz. Edited by Edyta Bielak-Jomaa and Dominik Lubasz. Warszawa: Lex. [Google Scholar]
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Kroczek, P. Data Protection and Religious Freedom in the EU in the Context of the Catholic Church in Poland. Religions 2025, 16, 364. https://doi.org/10.3390/rel16030364

AMA Style

Kroczek P. Data Protection and Religious Freedom in the EU in the Context of the Catholic Church in Poland. Religions. 2025; 16(3):364. https://doi.org/10.3390/rel16030364

Chicago/Turabian Style

Kroczek, Piotr. 2025. "Data Protection and Religious Freedom in the EU in the Context of the Catholic Church in Poland" Religions 16, no. 3: 364. https://doi.org/10.3390/rel16030364

APA Style

Kroczek, P. (2025). Data Protection and Religious Freedom in the EU in the Context of the Catholic Church in Poland. Religions, 16(3), 364. https://doi.org/10.3390/rel16030364

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop