The use of Microsoft 365 by church agencies

Three important tips for data-protection-compliant use

The Catholic Data Protection Center Frankfurt considers data-protection-compliant operation of Microsoft 365 to be possible only in exceptional cases. The Conference of German Diocesan Data Protection Officers of the Catholic Church has not yet passed a nationwide resolution. The Data Protection Commissioner of the Evangelical Church in Germany (EKD) is skeptical, to say the least. Secular data protection supervisory authorities have recently issued an even more negative assessment. Contrary to these concerns, however, our experience in numerous implementation projects and in exchanges with the data protection supervisory authorities and Microsoft has shown that it is possible for church bodies to use Microsoft 365 in a way that complies with data protection requirements.
However, when church agencies use Microsoft 365, the following special features in particular must be taken into account:

  1. Churches and religious associations may apply their own data protection laws
    Article 91 GDPR grants churches and religious associations the right to continue to apply their own rules for the protection of personal data that were already in force before the introduction of the GDPR. This special position follows from the churches’ constitutional right to self-governance. The Roman Catholic Church, for example, has made use of this with the Church Data Protection Act (KDG), and the Protestant Church with the Church Data Protection Act of the Protestant Church in Germany (DSG-EKD). However, the respective data protection rules must be “in line” with the GDPR.
  2. Church data protection laws sometimes contain different or supplementary legal bases
    According to the KDG and the DSG-EKD, data may be processed if the relevant church data protection law permits it or if the processing is necessary for the performance of a task that is in the interest of the church. At the same time, for example, according to the KDG, the invocation of a legitimate interest – parallel to Article 6(1), Sentence 2 GDPR – is not possible for church bodies organised under public law in the performance of their tasks. The legal bases under church law, up to and including church law constitutions such as the Catholic Codex Iuris Canonici or the Basic Order of the Protestant Church in Germany, must also be taken into account.
  3. Churches and religious associations have their own data protection supervisory authorities
    This possibility also follows from the churches’ constitutionally guaranteed right to self-governance and is enshrined in Article 91(2) GDPR. The Roman Catholic Church and the Protestant Church in Germany, among others, have made use of this. In addition to the views of the state data protection supervisory authorities – with whom the church data protection supervisory authorities are in constant exchange – the legal assessments of the respective church data protection supervisory authorities in particular must therefore be taken into account when using Microsoft 365.


When it comes to the legally compliant use of Microsoft 365 by church bodies, there are many special data protection features that need to be taken into account. In our experience, the best way for church bodies to meet the challenges this presents is to conduct a data protection impact assessment. For more information, see our one-page report on privacy-compliant use of Microsoft 365.

