Three important tips for data-protection-compliant use
The Catholic Data Protection Center Frankfurt considers data-protection-compliant operation of Microsoft 365 to be possible only in exceptional cases. The Conference of German Diocesan Data Protection Officers of the Catholic Church has not yet passed a nationwide resolution. The Data Protection Commissioner of the Evangelical Church in Germany (EKD) is skeptical to say the least. Secular data protection supervisory authorities have recently issued an even more negative assessment. Contrary to these concerns, however, our experience in numerous implementation projects and in exchanges with the data protection supervisory authorities and Microsoft has shown that it is possible for church bodies to use Microsoft 365 in a way that complies with data protection requirements.
However, when church agencies use Microsoft 365, the following special features must be taken into account in particular:
- Churches and religious associations may apply their own data protection laws

Under Article 91 GDPR, churches or religious associations are granted the right to continue to apply their own rules for the protection of personal data that were already in force before the introduction of the GDPR. This special position follows from the churches’ constitutional right to self-governance. The Roman Catholic Church, for example, has made use of this with the Church Data Protection Act (KDG), and the Protestant Church with the Church Data Protection Act of the Protestant Church in Germany (DSG-EKD). However, the respective data protection rules must be “in line” with the GDPR.

- Church data protection laws sometimes contain different or supplementary legal bases

According to the KDG and the DSG-EKD, data may be processed if the relevant church data protection law permits it or if the processing is necessary for the performance of a task that is in the interest of the church. At the same time, under the KDG, for example, church bodies organised under public law cannot invoke a legitimate interest in the performance of their tasks – parallel to Article 6(1), Sentence 2 GDPR. With regard to the legal bases, the legal bases under church law, up to and including church constitutions such as the Catholic Codex Iuris Canonici or the Basic Order of the Protestant Church in Germany, must also be taken into account.

- Churches and religious associations have their own data protection supervisory authorities

This possibility also follows from the churches’ constitutionally guaranteed right to self-governance and is enshrined in Article 91(2) GDPR. The Roman Catholic Church and the Protestant Church in Germany, among others, have made use of this. In addition to the views of the state data protection supervisory authorities – with whom the church data protection supervisory authorities are in constant exchange – the legal assessments of the respective church data protection supervisory authorities in particular must therefore be taken into account when using Microsoft 365.
Conclusion
When it comes to the legally compliant use of Microsoft 365 by church bodies, there are many special data protection features that need to be taken into account. In our experience, the best way for church bodies to meet the challenges this presents is to conduct a data protection impact assessment. For more information, see our one-page report on privacy-compliant use of Microsoft 365.