The use of Micro­soft 365 by church agencies

Three important tips for data-protection-compliant use

The Catho­lic Data Pro­tec­tion Cen­ter Frank­furt con­siders data-protection-compliant ope­ra­ti­on of Micro­soft 365 to be pos­si­ble only in excep­tio­nal cases. The Con­fe­rence of Ger­man Dio­ce­san Data Pro­tec­tion Offi­cers of the Catho­lic Church has not yet pas­sed a nati­on­wi­de reso­lu­ti­on. The Data Pro­tec­tion Com­mis­sio­ner of the Evan­ge­li­cal Church in Ger­ma­ny (EKD) is skep­ti­cal to say the least. Secu­lar data pro­tec­tion super­vi­so­ry aut­ho­ri­ties have recent­ly issued an even more nega­ti­ve assess­ment. Con­tra­ry to the­se con­cerns, howe­ver, our expe­ri­ence in num­e­rous imple­men­ta­ti­on pro­jects and in exch­an­ges with the data pro­tec­tion super­vi­so­ry aut­ho­ri­ties and Micro­soft has shown that it is pos­si­ble for church bodies to use Micro­soft 365 in a way that com­pli­es with data pro­tec­tion requi­re­ments.
Howe­ver, when church agen­ci­es use Micro­soft 365, the fol­lo­wing spe­cial fea­tures must be taken into account in particular:

1. Churches and reli­gious asso­cia­ti­ons may app­ly their own data pro­tec­tion laws
   Via Artic­le 91 GDPR, churches or reli­gious asso­cia­ti­ons are gran­ted the right to con­ti­nue to app­ly their own rules for the pro­tec­tion of per­so­nal data that were alre­a­dy in force befo­re the intro­duc­tion of the GDPR. The spe­cial posi­ti­on fol­lows from the churches’ con­sti­tu­tio­nal right to self-governance. The Roman Catho­lic Church, for exam­p­le, has made use of this with the Church Data Pro­tec­tion Act (KDG), and the Pro­tes­tant Church with the Church Data Pro­tec­tion Act of the Pro­tes­tant Church in Ger­ma­ny (DSG-EKD). Howe­ver, the respec­ti­ve data pro­tec­tion rules must be “in line” with the GDPR.
2. Church data pro­tec­tion laws some­ti­mes con­tain dif­fe­rent or sup­ple­men­ta­ry legal bases
   Accor­ding to the KDG and the DSG-EKD, data may be pro­ces­sed if the rele­vant church data pro­tec­tion law per­mits it or if the pro­ces­sing is neces­sa­ry for the per­for­mance of a task that is in the inte­rest of the church. At the same time, for exam­p­le, accor­ding to the KDG, the invo­ca­ti­on of a legi­ti­ma­te inte­rest – par­al­lel to Artic­le 6(1), Sen­tence 2 GDPR – is not pos­si­ble for church bodies orga­nis­ed under public law in the per­for­mance of their tasks. With regard to the legal bases, the legal bases under church law up to and inclu­ding church law con­sti­tu­ti­ons, such as the Catho­lic Codex Iuris Cano­ni­ci or the Basic Order of the Pro­tes­tant Church in Ger­ma­ny, must also be taken into account.
3. Churches and reli­gious asso­cia­ti­ons have their own data pro­tec­tion super­vi­so­ry aut­ho­ri­ties
   This pos­si­bi­li­ty also fol­lows from the churches’ con­sti­tu­tio­nal­ly gua­ran­teed right to self-governance and is enshri­ned in Artic­le 91(2) GDPR. The Roman Catho­lic Church and the Pro­tes­tant Church in Ger­ma­ny, among others, have made use of this. In addi­ti­on to the views of the sta­te data pro­tec­tion super­vi­so­ry aut­ho­ri­ties – with whom the church data pro­tec­tion super­vi­so­ry aut­ho­ri­ties are in con­stant exch­an­ge – the legal assess­ments of the respec­ti­ve church data pro­tec­tion super­vi­so­ry aut­ho­ri­ties in par­ti­cu­lar must the­r­e­fo­re be taken into account when using Micro­soft 365.

Con­clu­si­on

When it comes to the legal­ly com­pli­ant use of Micro­soft 365 by church bodies, the­re are many spe­cial data pro­tec­tion fea­tures that need to be taken into account. In our expe­ri­ence, the best way for church bodies to meet the chal­lenges this pres­ents is to con­duct a data pro­tec­tion impact assess­ment. For more infor­ma­ti­on, see our one-page report on privacy-compliant use of Micro­soft 365.