Privacy Regulations

The subject of "Privacy" is regulated for ecclesiastical bodies as follows:

- canonical legislation with the recent General Decree of the CEI "Provisions for the protection of the right to good reputation and confidentiality", approved by the CEI General Assembly of 21-24 May 2018

According to the premises of the Decree, in fact, “... the Catholic Church, an independent and autonomous legal system in its own order, has the native and proper right to acquire, store and use for its institutional purposes the data relating to the persons of the faithful, ecclesiastical entities and ecclesial aggregations”, by virtue of a recognized autonomy and independence related to the exercise of its mission.

- civil legislation with the new EC Regulation 679/16, as applicable.

The "processing" of personal data, as understood in the Regulation and in the CEI Decree, concerns any operation applied to personal data or to sets of personal data, carried out with or without the help of automated processes, such as collection, registration, storage, use, communication by transmission, dissemination or any other form of making available.

All or almost all the activities usually carried out in the context of Parishes and/or Dioceses are included (e.g. registers, lists, etc. from which the name, physical identity, etc.; art. 1, § 2 and art. 2 of the Decree, and art. 2, par. 2 and art. 4 of the Regulation).

Data processing must be carried out according to the methods and conditions set out in art. 3 and 4, § 1, of the same Decree.

The most usual condition is the informed consent of the interested party, which must be expressed and unequivocal (and revocable) and must be preceded by adequate information from the data controller himself (Article 6 of the Decree; Article 13 and Article 14 of the Regulation).

The legislation provides for the appointment of a "data controller" who establishes the purposes and means of the processing (Article 2 of the Decree; Article 4 of the Regulation). Said subject should coincide with the apical subject of the Body (Bishop, Parish Priest, Superior, etc.), but it could also be a different subject or a juridical person (Diocese, parish, Confraternity). Generally, it is suggested to appoint the Entity itself as the owner, in the person of its pro tempore legal representative.

The data controller, in turn, can appoint, in written and legally valid form, a "data processor", who will handle the processing of personal data on behalf of the data controller (art. 2 and art. 15 of the Decree; art. 4 and art. 28 of the Regulation), without however relieving the data controller from any liability.

There is an obligation to keep a "register of processing activities", also in electronic format, paying particular attention to the inviolability of the archives, under penalty of sanctions.

As part of the activities of the Confraternity, therefore, it is appropriate, for example, to deliver the information (CEI Decree, art. 6, "Information to the interested party") and to acquire the relative consent also from the aspiring confreres at the time of their admission to the novitiate period, according to the provisions of the aforementioned regulatory framework.

In this regard, both the CEI Decree and the EU Regulation provide that:

- the responsibility for the delivery of the information lies with the Data Controller
- the ordinary form is written, including through electronic media
- the content of the information must be concise, transparent, intelligible and easily accessible, with simple and clear language.