Article

GDPR and Canon Law—The Impact of European Union Law on the Canonical Systems for the Protection of the Right to Good Reputation and Privacy

Department of Law, University of Naples “Federico II”, 80138 Naples, Italy
Religions 2025, 16(4), 425; https://doi.org/10.3390/rel16040425
Submission received: 1 March 2025 / Revised: 22 March 2025 / Accepted: 24 March 2025 / Published: 27 March 2025

Abstract
The paper examines the impact of GDPR on the canonical regulations established by the National Episcopates of EU Member States in accordance with Article 91, paragraph 1 GDPR. It also focuses on the canonical models of protection for the right to good reputation and privacy introduced in compliance with GDPR principles, which, in some cases, do not always give proper value to the provisions and instruments, such as the hierarchical recourse, outlined in universal canon law.

1. Introduction

Article 91, paragraph 1 of the European General Data Protection Regulation (GDPR), as is well known, has urged all “churches and religious associations or communities” to promptly adopt “comprehensive rules relating to the protection of natural persons with regard to processing”. The development of complete religious regulatory solutions, consistent with the principles of the GDPR, has, therefore, led to the general inapplicability of civil regulations for governing the processing of personal data within religious communities.
This opportunity, together with the additional possibility of identifying specific independent supervisory authorities (Article 91, paragraph 2 GDPR), was first seized by the Catholic Church through the enactment of canonical rules aimed at protecting the faithful’s right to good reputation and privacy in the processing of personal data necessary for carrying out the Church’s institutional activities.
The need to integrate the provisions of universal law with the enactment of regulations compatible with the privacy protection systems established by state legal frameworks following the entry into force of the GDPR directly involved national episcopates (Rhode 2019, p. 51 ff.; Schouppe 2019, p. 405 ff.). Firstly, this has occurred in legal systems where relations with the Catholic Church are governed by concordatarian agreements. Consider, for instance, the accords concluded between the Holy See and the German Länder, in which—as exemplified by Article 20 of the Agreement signed in 1998 between the Land of Saxony and the Holy See—the Catholic Church has explicitly committed to protecting the personal data of the faithful transmitted by civil registry authorities, including for the purpose of fulfilling obligations arising from the Kirchensteuer system (Rhode 2019, pp. 50–51).
National episcopates had to establish, first of all, the type of legal source to be adopted. Specifically, while the Italian, Spanish and Polish Episcopal Conferences made use of the instrument of the general decree pursuant to can. 455 of the Code of Canon Law (CIC), in Austria, Germany, Malta, Luxembourg, the Netherlands, and Slovakia, the respective episcopates, after drafting and agreeing on a common text, entrusted individual bishops with the issuance of a diocesan general decree with identical content for all dioceses [1].
Beyond the different types of legal sources formally used, the main distinctions emerged primarily in relation to the originality of normative solutions adopted by the episcopates to implement, within the religious sphere, the principles set out in the GDPR.
In some cases, rather than enhancing the provisions and tools established by the Codex Iuris Canonici, the canonical rules appeared overly aligned with the GDPR’s provisions, resulting in its substantial reproduction. This approach risked a “trivialization” of the regulatory autonomy expressly recognized for religious denominations under Article 91, paragraph 1 GDPR.
Hence, the need to assess, on the one hand, the impact of the GDPR provisions on the evolution of canonical protection of the right to good reputation and privacy, and on the other, the influence of secular legal systems (Tedeschi 2013, p. 66 ff.)—specifically, European Union law—on the introduction of specific protection models that go beyond the principles and institutions expressly provided for by the Codex Iuris Canonici.
Nonetheless, it should be noted that some Episcopal Conferences have opted not to designate a specific independent supervisory authority. As a result, they remain subject to the corrective, investigative, and sanctioning powers of the competent state authorities, thereby facing the risk of significant external interference in their organizational autonomy (Ceserani 2019, p. 468).

2. Valorization of Canonical Specificities and Compliance with the GDPR Principles in the General Decree of the Polish Episcopal Conference—The Hierarchical Recourse as a Primary Tool for Protecting the Right to Good Reputation and Privacy

Although Directive 95/46/EC had already encouraged the adoption of specific canonical regulations capable of serving as “adequate safeguards” for the processing of sensitive data (Boni 2001, p. 1687 ff.; Arrieta 2002, p. 29 ff.; Milani 2015, p. 447 ff.; Fabbri 2019, pp. 554 ff.; Mazzoni 2020, pp. 68–74), it was only with Article 91, paragraph 1 of the GDPR that the law of a religious association was recognized as lex specialis to the GDPR for the processing of personal data, including sensitive data, of the faithful, former members, and other individuals who come into contact with the organization (Ganarin 2018, p. 15 ff.; Gianfreda 2019, p. 349; Balsamo 2021, p. 128).
Through the enactment of specific regulations aimed at effectively implementing the right to a good reputation and privacy, as established in can. 220 CIC [2] (Dalla Torre 1985; Cenalmor 1996, pp. 141–42; Tarantino 2017, p. 609), the episcopates of many EU Member States have thus contributed to the practical application of the Catholic Church’s “native right” to collect, retain, and use the data necessary for carrying out its institutional activities of religion and worship.
Among the various regulatory measures adopted, the General Decree issued on 13 March 2018, by the Plenary Assembly of the Polish Episcopal Conference, undoubtedly strikes a good balance between reinforcing religious autonomy and ensuring compliance with the principles set out in the GDPR (Rozkrut 2019, p. 499 ff.), despite the difficulties posed by Article 4, which restricts its scope of application to public ecclesiastical legal entities only (Skonieczny 2018, p. 69 ff.).
The Preamble of the “General Decree on the Protection of Personal Data of Natural Persons” asserts that the protection of personal data is one of the essential tools for safeguarding “the inviolable dignity of the human person”. According to the Polish Bishops, Canon Law itself can provide protection without requiring intervention from civil legal systems, at least regarding the regulation of intra-confessional data processing of the faithful. It is, therefore, unsurprising that, consistent with this premise, the Preamble of the General Decree makes no reference to Polish data protection legislation or to Article 91 GDPR. Instead, the Decree solely cites universal ecclesiastical and particular ecclesiastical laws.
The asserted self-sufficiency of Canon Law in regulating the protection of personal data is evident, first and foremost, in the mechanisms established by the Polish Episcopal Conference to ensure the effective protection for the right to good reputation and privacy.
In this regard, Article 41 of the General Decree, in line with Article 77 GDPR, explicitly recognizes the data subject’s right to file a complaint with the Ecclesiastical Inspector for the Protection of Personal Data. Legally binding decisions issued by this authority may then be appealed by proposing a hierarchical recourse to the competent dicasteries in accordance with cann. 1732–1739 CIC.
This provision also appears to indirectly confirm the possibility for the data subject to seek further judicial protection by challenging, before the Supreme Tribunal of the Apostolic Signatura, the final administrative acts issued by the dicasteries handling hierarchical recourses (Labandeira 1991, p. 271 ff.; Valdrini 1987).
The most significant aspect of the General Decree issued by the Polish episcopate lies in the regulation, according to Article 91, paragraph 2 GDPR, of the specific and independent supervisory authority, identified as the Ecclesiastical Inspector for the Protection of Personal Data. The General Decree devotes a detailed set of provisions to this authority in Articles 35–40. Article 35 of the Decree establishes a series of safeguards to ensure the independence of the Ecclesiastical Inspector. It shall not be subject to external instructions but must also refrain from any activity or action incompatible with its function. Another safeguard ensuring the authority’s independence is its immovability, which prevents the Episcopal Conference from removing the Inspector, except in cases of serious misconduct in the performance of his duties and responsibilities. Article 36 of the Decree also provides that the Inspector shall be elected by the Plenary Assembly of the Episcopal Conference from among experts possessing adequate knowledge and expertise in the field of personal data protection (Rozkrut 2019, p. 499 ff.).
The Inspector, in accordance with Article 58 of the GDPR, is granted significant investigative and supervisory powers. In addition to deciding on individual complaints submitted by data subjects, the Inspector has the duty to adopt the most appropriate measures to restore compliance in data processing and may even propose legal provisions or regulatory changes to the Episcopal Conference (Article 37, No. 9).
The recognition of these prerogatives, as highlighted in Article 40, does not affect the supervisory activities carried out by the Diocesan Ordinary or by Superiors in institutes of consecrated life and societies of apostolic life. Therefore, even through the exercise of the right of visitation, the Diocesan Ordinary (as well as the Superior) may verify the concrete ways in which the public juridical persons under their authority comply with the provisions of the General Decree in the collection, storage and processing of personal data of individuals.
Ultimately, the General Decree of the Polish Episcopal Conference, while clearly affirming the full regulatory autonomy of the Catholic Church, appears to strike a balanced compromise between the enhancement of canonical specificities and consistency with the principles of the GDPR. The resulting set of rules adequately protects the right to informational self-determination of the faithful, former members, and individuals in contact with the Catholic Church, without renouncing the application of the provisions and institutions provided for by universal canon law.

3. The Tendential “Duplication” of GDPR Provisions in the General Decrees Issued by the Italian Episcopal Conference and the Spanish Episcopal Conference

The General Decrees issued by the Italian Episcopal Conference and the Spanish Episcopal Conference appear to be more closely aligned with a mere “duplication” of the provisions and principles of the GDPR.
The General Decree of the Italian Episcopal Conference dated 24 May 2018 “Provisions for the Protection of the Right to a Good Reputation and Privacy” presents some noteworthy elements of originality, despite a general overlap with the provisions of the GDPR.
The first noteworthy element lies in the choice, enshrined in Article 1 of the General Decree and also shared by the General Decree of the Spanish Episcopal Conference, to include not only natural persons but also ecclesiastical entities and ecclesial associations within its scope of application. This option clearly diverges from the provision of Article 4, paragraph 1, letter (a) GDPR, which unambiguously defines the concept of “data subject” exclusively as an “identified or identifiable natural person”. From this perspective, Article 1 of the General Decree could, therefore, be considered not entirely consistent with the principles of the GDPR, which, on the contrary, establishes a system of protection explicitly aimed at safeguarding the right to personal data protection solely for natural persons. However, this misalignment in the process of “adapting” to the European regulatory framework appears justifiable in light of what is stated in the Preamble of the General Decree, where it is reiterated that the Catholic Church “has the native and inherent right to acquire, store, and use data related to the persons of the faithful, ecclesiastical entities, and ecclesial associations for its institutional purposes”.
This ius nativum, by its very nature, therefore, also pertains to the processing of data concerning ecclesiastical entities and ecclesial associations, despite the more restricted scope defined by the GDPR. In this way, the delimitation of the original scope of intra-confessional data processing is entrusted to the Church’s own autonomy, in accordance with Article 91, paragraph 1 GDPR. This provision grants specific significance to the organizational autonomy of religious denominations, in line with the guarantees provided to “churches and religious associations” within the European Union Law.
A second aspect affirming regulatory autonomy lies in the decision to issue the General Decree independently of the Italian legal system’s adaptation to the European Regulation, which in fact only materialized later, on 10 August 2018, with the Legislative Decree No. 101 of 2018. It is evident that such an initiative, no longer tied to the national legislator’s adaptation process, further underscores the assertion of confessional autonomy, even on a distinctly regulatory level.
Beyond these considerations, the 2018 Decree ensures that data subjects are granted most of the rights recognized by the GDPR, with some adaptations. These include the right to access and rectify data, the right to restriction and objection to processing, as well as the right to lodge a complaint with the supervisory authority. Additionally, the right to request data erasure is guaranteed, although a true right to be forgotten or de-indexing is not explicitly provided.
The legal basis for the processing of personal data is typically represented by the provision of the data subject’s informed consent, which the data controller must be able to demonstrate at any time. Alternatively, processing may be considered lawful only in the additional cases specified in Article 4, §1, letters (b)–(g) of the 2018 General Decree, although its practical application is not always easy to define. Consider, for example, the interpretative difficulties posed by letter (c), which, while partially reproducing the Considerandum No. 55 GDPR, introduces concepts—such as public authority, constitutional law, and public international law—that are not immediately reconcilable with the categories of Canon Law (Mosconi 2020, p. 149).
Regarding the possibility of designating a specific supervisory authority, Article 22 of the General Decree merely reproduces the text of Article 91, paragraph 2 GDPR, without taking a clear stance on such a complex provision. The caution expressed by the Italian Episcopal Conference has been positively received in early doctrinal commentary (Marano 2019, p. 33). However, the failure to designate an independent supervisory authority results in the subjection of the Italian Catholic Church to the corrective, investigative, and sanctioning powers of the Italian Data Protection Authority, as also occurred under the previous Directive 95/46/CE (Ventrella 2010, pp. 254–60). This situation carries the risk of significant interference with the Church’s organizational autonomy, particularly given the potentially high financial penalties that could be imposed (Balsamo 2021, p. 270).
In April 2018, the Spanish Episcopal Conference also promulgated, pursuant to Canon 455 CIC, a Decreto General en materia de Protección de Datos, establishing its entry into force on 25 May 2018. The regulation, preceded by a Preamble, consists of forty-six articles and is particularly extensive, although early doctrinal commentary has deemed it verbose and, in several parts, cumbersome (Otaduy 2019, p. 471 ff.).
In fact, many of the numerous provisions of the Decreto General merely replicate the provisions of the GDPR without achieving sufficient standards of completeness. Despite its breadth, the decree lacks proper regulation concerning two crucial aspects of the GDPR: the supervisory authority and the sanctioning system. Indeed, as demonstrated by the General Decree of the Polish Episcopate, focusing on these aspects of the GDPR would have been essential for adopting regulatory solutions that, in addition to ensuring compliance with GDPR principles, would also provide a specific safeguard for the personal data while respecting pre-existing canonical institutions and provisions.
Regarding the establishment of a specific supervisory authority, the Conferencia Episcopal Española in Article 42, §1 of the Decreto General reserves the right to create a special supervisory authority in the future. However, it implies in Article 4, §24 that such an authority should be identified as the Agencia Española de Protección de Datos. In doing so, the Spanish Episcopate has renounced the possibility—offered by Article 91, paragraph 2 GDPR to “churches and religious associations”—to designate a special supervisory authority as an alternative to the state authority. Likewise, no reference is made to the possibility of imposing canonical sanctions or providing, pursuant to Canon 128 CIC, for the reparation of damages (d’Arienzo 2013, p. 91 ff.) caused to the data subject due to the unlawful processing of their personal data.
Finally, the excessive duplication of GDPR provisions also leads to certain practical and interpretative issues, as seen in the regulation of the responsable del tratamiento, whose definition, modeled after the European Regulation, appears difficult to align with Canon Law (Otaduy 2019, p. 471 ff.). A striking example is the provisions concerning the delegados de protección de datos. The designation criteria set forth in the Decreto General do not seem to meet the requirements of Articles 37–39 GDPR, as Article 36, §5, rather than emphasizing the independence guarantees of the data protection officer, appears to favor the appointment of internal individuals already holding ecclesiastical offices or, at least in the case of the delegate of the Conferencia Episcopal Española, personnel of the Conference “con independencia del tipo de relación laboral”. To understand the uniqueness of such a provision, it is useful to compare it with Article 18, §1 of the General Decree of the Italian Episcopal Conference, which instead allows for the employment of an external qualified figure.
Ultimately, the General Decree of the Spanish Episcopate appears to suffer from an excessively formalistic and bureaucratic approach, which ends up stifling the promotion of confessional autonomy invoked by Article 91, paragraphs 1 and 2 GDPR. As a result, the adopted regulatory text is repetitive of the GDPR provisions and lacks substance precisely in those areas where a dedicated effort to seek autonomous confessional regulatory solutions would have been feasible.
Indeed, as highlighted in doctrine, satisfying the requirement of “completeness” in confessional regulations does not necessitate a verbatim replication of the GDPR framework. Rather, it is sufficient that such regulations be systematic and include all provisions that, according to GDPR, appear necessary concerning the specific nature of data processing carried out by Churches (Marano 2019, p. 28; Durisotto 2020, p. 15). Likewise, from the same perspective, the obligation for religious regulations to conform to the European Regulation should not be understood as mandating a substantial duplication of civil law provisions within the religious sphere. Instead, this requirement can be sufficiently met by issuing regulatory solutions that are consistent with the fundamental principles of the GDPR while also being capable of safeguarding the specificities of religiously qualified entities (Ganarin 2018, pp. 15–17).

4. The Establishment of Specialized Tribunal for the Protection of Personal Data—The Canonical Translation of the Articles 77–78 GDPR in the Law on the Protection of Ecclesial Data Issued by the German Bishops

Oscillating between a duplication of the GDPR provisions and the development of autonomous confessional regulatory solutions capable of implementing the principles developed by the GDPR with extreme completeness, stands the Law on the protection of ecclesial data (Gesetz über den Kirchlichen Datenschutz) developed by the German Bishops. Comprising as many as fifty-eight paragraphs, this regulation formally takes the form of a diocesan law, promulgated in the same text by all individual bishops based on a prior unanimous agreement (Montini 2020, p. 214 ff.; Konrad 2019, p. 449 ff.).
The particular law aims to protect the right of individuals to the protection of their personal data in the context of processing carried out by dioceses, ecclesiastical associations and foundations, church communities, the German Caritas and diocesan Caritas organizations, as well as other ecclesiastical corporations, regardless of their legal form.
With regard to the rights granted to data subjects, the regulation essentially refers to the GDPR provisions, with certain adaptations, the most notable being the right to the erasure of data. This right is downgraded to a mere right to restriction of processing whenever the effort required to carry out the erasure is disproportionate to the protective purpose (Konrad 2019, pp. 458–59).
One of the most significant aspects is the designation of a specific supervisory authority, in accordance with Article 91, paragraph 2 GDPR. This authority consists of five interdiocesan data protection officers, each overseeing multiple dioceses to monitor the activities of all twenty-seven German archdioceses.
The officer is appointed for a maximum term of eight years (with a minimum term of four years) by the individual bishops and may only be selected from among Catholic individuals qualified as judges under German federal law. In this way, the German episcopate aimed to ensure the effective independence of these bodies, in compliance with the requirements set out in Articles 51–59 GDPR.
In line with Article 83 GDPR, § 47(6) of the German canonical regulation grants the data protection supervisory authority the power to impose specific administrative fines on data controllers. However, § 51(5) subsequently limits these fines to a maximum amount of five hundred thousand euros. It is important to note that such administrative sanctions cannot be imposed on ecclesiastical offices that are institutions of public law, except in cases where they participate as enterprises in tenders and competitions.
Another aspect of great interest is the introduction of a specific canonical judicial system for the protection of individuals’ personal data rights. § 48(1) of the Ecclesiastical Data Protection Act, in accordance with Article 77 GDPR, expressly granted data subjects the right to file a complaint, in the form of an appeal, with the territorially competent supervisory authority. This right was guaranteed to every data subject, without prejudice to the possibility of pursuing “any other remedy”, including the judicial remedy provided for in § 49(1).
Moreover, through the Kirchliche Datenschutzgerichtsordnung (Ecclesiastical Data Protection Judicial Regulation), an Interdiocesan First-Instance Court for Data Protection was established according to can. 1423, § 1 CIC, based in Cologne and with jurisdiction exclusively limited to personal data protection matters. Additionally, a Second-Instance Data Protection Court, based in Bonn, was instituted according to can. 1439, § 1 CIC, by the German Bishops’ Conference (Montini 2020, pp. 214–15) [3].
According to § 8 of the Ecclesiastical Judicial Regulation, the data subject may bring a case before the Interdiocesan Court for Data Protection either directly or against the decision of the supervisory authority, as well as, similarly to Article 78 GDPR, if the supervisory authority has not responded to the request within three months.
The canonical regulations developed by the German episcopate thus allow for the immediate filing of a judicial appeal before the special administrative Tribunals on data protection matters, regardless of whether a prior complaint has been submitted to the five interdiocesan data protection officers.
The introduction of first-instance and second-instance administrative courts specialized in data protection undoubtedly provides a broad range of options for data subjects to safeguard their right to informational self-determination, even within the ecclesiastical sphere. However, at the same time, it marks a clear reduction in the pre-existing system of administrative and contentious protection of the rights of the faithful provided for by the Code of Canon Law. In fact, the possibility of filing a complaint before the supervisory authority or the first-instance court serves as an alternative to submitting a hierarchical appeal before the competent ecclesiastical authority, up to the competent Dicastery of the Roman Curia.
The separation of the system of hierarchical recourses from the system of complaints/appeals to specialized administrative Tribunals would, therefore, also seem to preclude the possibility of a judicial appeal to the Tribunal of Apostolic Signatura against second instance rulings of the Court of the German Bishops’ Conference for the Protection of Personal Data.

5. Conclusions

From an overall examination of the canonical regulations issued on the basis of Article 91, paragraphs 1 and 2 GDPR, it emerges that the implementation of the principles laid down by the GDPR has not always been achieved through an adequate valorization of the instruments of protection already provided for by the Code of Canon Law, above all the hierarchical recourse. Indeed, only the intervention of the Polish Bishops’ Conference has proved capable of fully integrating the remedy of the hierarchical appeal into the personal data protection system outlined by the GDPR, by providing, in Article 41 of the General Decree, the right of the data subject to lodge a complaint with the Ecclesiastical Inspector for the Protection of Personal Data, and then a subsequent appeal to the competent Dicastery of the Holy See in accordance with the rules of the Code of Canon Law. Thus, by framing the decisions of the supervisory authority as singular administrative acts, the hierarchical appeal to the competent Dicastery is permitted, as well as the subsequent potential filing of a contentious appeal before the Supreme Tribunal of the Apostolic Signatura.
The enhancement of canonical administrative and jurisdictional remedies also in the field of personal data protection, moreover, could also lead to a better protection of the rights granted to data subjects. At times, an overly rigid interpretation of the European Regulation may result in rights being safeguarded only in cases of “unlawful” data processing, rather than also considering instances where processing is merely “burdensome” or “unfavorable”. Moreover, Canon Law scholars have repeatedly emphasized that singular administrative acts—regardless of their unlawfulness or illegitimacy in relation to the law—can, depending on the specific circumstances of the recipient, be classified not only as “indifferent” or “burdensome” but also as “favorable” or “unfavorable” (Gherri 2015, p. 345).
Moreover, especially in the context of personal data processing, it is common to encounter cases where data processing has a legitimate legal basis under the GDPR or specific canonical regulations but is nevertheless objectively detrimental to the data subjects. In such cases, rather than prioritizing the removal of the legal effects of a valid act, the primary concern may instead be the need for its modification or, at the very least, its suspension or non-execution (Gherri 2015, p. 339 ff.).
The system of remedies provided by universal law, in other words, allows the data subject to access protective measures capable of mitigating the adverse effects associated with the execution of singular administrative acts, even when such acts result from a lawful and legitimate exercise of governing authority.
The adoption of judicial protection models in the field of personal data protection that mirror those outlined in civil regulations ultimately leads to the partial disregard of certain universal canonical law provisions and legal instruments. These mechanisms are designed, in accordance with the general principles of Canon Law, to ensure that the exercise of rights and duties within the Church unfolds “in a spirit of communion rather than contention”, the same perspective in which the exercise of authority should be understood as a service to the faithful (Ortiz 1999, p. 717).
So, the divergence from canonical models occurs precisely in the field of personal data processing, an area that would seem to offer clear opportunities for the immediate and effective application of provisions on hierarchical recourses. Among these provisions, the preliminary mediation process outlined in can. 1733 CIC holds particular importance.
Beyond substantive protection, even from a formal perspective, the system of hierarchical recourses appears well-suited to ensuring the effectiveness of the right to personal data protection within the canonical framework, without diminishing the standards of protection established by the GDPR; consider the striking similarity between the GDPR provisions designed to protect data subjects from the inaction of the supervisory authority and can. 57, § 1 CIC. Both provisions set a three-month deadline within which the authority must issue a decision on the complaint or hierarchical recourse. Once this period expires, both frameworks grant the complainant access to judicial protection.
The circumstance that the hierarchical recourse ends up in the administrative jurisdiction of the Tribunal of Apostolic Signatura (Montini 2014) confirms the substantial compatibility of the canonical system of the protection of the rights of the faithful—and, therefore, also of the right to the protection of personal data as a declination of the right to good reputation and privacy referred to in can. 220 CIC—with the model outlined in the art. 78 GDPR, which ensures the right to bring an effective judicial remedy (to the judicial bodies of the Member States) against the legally binding decisions of the supervisory authority.
Ultimately, the administrative and jurisdictional remedies contemplated by universal canon law appear fully suitable to offer, with minimal adaptations, effective safeguarding to the right to the protection of personal data in intra-confessional processing of the Catholic Church according to high standards and in any case compliant with GDPR principles.
For this reason, the regulatory solutions developed by some European episcopates appear, on the contrary, excessively focused on a mechanical transposition of civil law into the canonical sphere. In contrast, a preferable approach would have been one that, far from disregarding the numerous applicable codified provisions, would have better valued the regulatory autonomy recognized by the GDPR through the introduction of protection systems centered on those same canonical legal instruments responsible for protecting the rights of the faithful, including the right to their own informational self-determination.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

No new data were created or analyzed in this study.

Conflicts of Interest

The author declares no conflicts of interest.

Notes

1
The Portuguese Episcopal Conference adopted a specific Instruction pursuant to can. 34, § 1 CIC, also issued after the entry into force of the GDPR. The approach of the Belgian episcopate was different again, limiting itself to disseminating an “explanatory document” of the European Regulation, which was undoubtedly provisional in nature. Moreover, the Slovenian Episcopal Conference, after having also released an explanatory document, subsequently dictated an autonomous legal discipline through the promulgation of a specific Regulation for religious activities dated 5 February 2019, which seems to take the form of a unanimous resolution of the Episcopal Conference subsequently implemented by the individual Bishops within their respective Dioceses (Rhode 2019, p. 51 ff.).
2
Just like the right to good reputation, the right to privacy also takes on a particularly ecclesial nature from the canonical perspective, being aimed at protecting the individual private sphere of the person, that is her or his internal world naturally oriented towards spirituality and transcendence. Therefore, regarding the peculiar juridical position of the christifideles, the right to the protection of one’s own intimacy, as stated in doctrine, can translate into the right of the faithful to live their relationship with Christ without suffering undue interference from other faithful or ecclesiastical authority (Cenalmor 1996, pp. 141–42).
3
The ecclesiastical Tribunal for data protection constitutes the second German administrative ecclesiastical court, after the creation, in 2005, of ecclesiastical tribunals in matters of labor law. See (Montini 2020, p. 213). The introduction of data protection courts has required, in addition to the adoption of some amendments, the recognitio of the Supreme Tribunal of the Apostolic Signatura (Montini 2020, p. 214).

References

  1. Arrieta, Juan Ignacio. 2002. Le conferenze episcopali europee e la legislazione sul diritto alla propria intimità e la protezione dei dati personali. Folia Canonica 5: 29–50.
  2. Balsamo, Fabio. 2021. La protezione dei dati personali di natura religiosa. Cosenza: Luigi Pellegrini Editore.
  3. Boni, Geraldina. 2001. Tutela rispetto al trattamento dei dati personali tra sovranità dello Stato e sovranità della Chiesa cattolica. Il Diritto di Famiglia e Delle Persone 30: 1687–768.
  4. Cenalmor, Daniel. 1996. Comentario al can. 220. In Comentario exegético al código de derecho canónico. Edited by Angel Marzoa, Jorge Miras and Rafael Rodríguez-Ocaña. Pamplona: EUNSA, vol. II.
  5. Ceserani, Alessandro. 2019. Il dato religioso nel sistema europeo di tutela della privacy. In Manuale di diritto alla protezione dei dati personali. Edited by Marco Maglio, Miriam Polini and Nicola Tilli. Sant’Arcangelo di Romagna: Maggioli.
  6. Dalla Torre, Giuseppe. 1985. Sub can. 220. In Commento al Codice di Diritto Canonico. Roma: Pontificia Università Urbaniana.
  7. d’Arienzo, Maria. 2013. L’obbligo di riparazione del danno in diritto canonico. Cosenza: Pellegrini.
  8. Durisotto, David. 2020. Diritti degli individui e diritti delle organizzazioni religiose nel Regolamento (UE) 2016/679. I “corpus completi di norme” e le “autorità di controllo indipendenti”. Federalismi.it, October 7.
  9. Fabbri, Alberto. 2019. I dati personali di natura religiosa, tra scelte individuali e trattamento confessionale collettivo. In Innovazione tecnologica e valore della persona. Il diritto alla protezione dei dati personali nel Regolamento UE 2016/679. Edited by Licia Califano and Carlo Colapietro. Napoli: Editoriale Scientifica.
  10. Ganarin, Manuel. 2018. Salvaguardia dei dati sensibili di natura religiosa e autonomia confessionale. Spunti per un’interpretazione secundum Constitutionem del regolamento europeo n. 2016/679. Stato, Chiese e Pluralismo Confessionale.
  11. Gherri, Paolo. 2015. Petitio, remonstratio, exceptio: Cenni esplorativi sui modi di non-esecuzione degli atti amministrativi singolari. Ius Ecclesiae 27: 339–56.
  12. Gianfreda, Anna. 2019. Autonomia confessionale e sistema delle fonti del diritto ecclesiastico. Riforma del Terzo Settore e tutela della Privacy: Un banco di prova per la produzione normativa confessionale. In Costituzione, religione e cambiamenti nel diritto e nella società. Edited by Pierluigi Consorti. Pisa: Pisa University Press.
  13. Konrad, Sabine. 2019. La protezione dei dati personali nella Chiesa tedesca. Ius Ecclesiae 31: 449–70.
  14. Labandeira, Eduardo. 1991. La defensa de los administrados en el Derecho Canónico. Ius Canonicum 31: 271–88.
  15. Marano, Venerando. 2019. Impatto del Regolamento Europeo di protezione dei dati personali per la Chiesa. Prime soluzioni nei Decreti generali delle Conferenze Episcopali: L’esperienza italiana. In Chiesa e protezione dei dati personali. Sfere giuridiche e comunicative alla luce del Regolamento Europeo per la protezione dei dati. Edited by Jordi Puyol. Roma: EDUSC.
  16. Mazzoni, Giulia. 2020. Le Autorizzazioni Generali al trattamento dei dati sensibili da parte delle confessioni religiose. Osservazioni alla luce delle recenti riforme in materia di privacy. Stato, Chiese e Pluralismo Confessionale 2020: 66–90.
  17. Milani, Daniela. 2015. La tutela dei dati di natura religiosa. In Nozioni di diritto ecclesiastico. Edited by Giuseppe Casuscelli. Torino: Giappichelli.
  18. Montini, Gian Paolo. 2014. I ricorsi amministrativi presso il Supremo Tribunale della Segnatura Apostolica. In Il diritto nel mistero della Chiesa, Tomo IV, Prassi amministrativa e procedure speciali. Edited by Gruppo Italiano Docenti di Diritto Canonico. Vatican City State: Lateran University Press.
  19. Montini, Gian Paolo. 2020. I tribunali ecclesiastici competenti in materia di privacy in Germania. Quaderni Di Diritto Ecclesiale 33: 205–24.
  20. Mosconi, Marino. 2020. La normativa della Chiesa in Italia sulla tutela della buona fama e della riservatezza: Dal decreto generale del 20 ottobre 1999 al decreto generale del 24 maggio 2018. Quaderni Di Diritto Ecclesiale 33: 136–66.
  21. Ortiz, Miguel Angel. 1999. I ricorsi gerarchici. Ius Ecclesiae 11: 683–737.
  22. Otaduy, Jorge. 2019. El Decreto general de la Conferencia Episcopal Española en materia de protección de datos personales. Primeras consideraciones. Ius Ecclesiae 31: 471–97.
  23. Rhode, Ulrich. 2019. La Chiesa e il rispetto della privacy: La prassi amministrativa e il governo della Chiesa. In Chiesa e protezione dei dati personali. Sfere giuridiche e comunicative alla luce del Regolamento Europeo per la protezione dei dati. Edited by Jordi Puyol. Roma: EDUSC.
  24. Rozkrut, Tomasz. 2019. Decreto generale della Conferenza Episcopale Polacca relativo alla questione della protezione dei dati personali delle persone fisiche con riguardo al trattamento dei dati personali nella Chiesa cattolica. Ius Ecclesiae 31: 499–513.
  25. Schouppe, Jean Pierre. 2019. Les droits à la bonne réputation, à l’intimité et au respect des données à caractère personnel en droit canonique: Avant et après l’entrée en vigueur du règlement UE 2016/679. Ius Ecclesiae 31: 403–25.
  26. Skonieczny, Piotr OP. 2018. Zakres podmiotowy Dekretu ogólnego KEP z 13 marca 2018 roku w sprawie ochrony osób fizycznych w związku z przetwarzaniem danych osobowych w Kościele katolickim. Prawnoporównawczy punkt widzenia. Annales Canonici 14: 69–86.
  27. Tarantino, Daniela. 2017. The protection of the faithful’s privacy in the Codex Iuris Canonici: An evolving right? Il Diritto Ecclesiastico 3–4: 607–18.
  28. Tedeschi, Mario. 2013. La canonizzazione delle norme civili. Diritto e Religioni 1: 666–73.
  29. Valdrini, Patrick. 1987. Conflits et recours dans l’Eglise. Strasbourg: Cerdic.
  30. Ventrella, Carmela. 2010. Diritto alle “identità” e profili interordinamentali: Cambiamenti di status e certificazioni religiose. Diritto e Religioni 1: 249–78.