This text was published in UNITAS 2021, the internal journal of the Order of the Knights of the Holy Sepulchre of Jerusalem (Order abbreviation OESSH) and is reprinted here in a modified and updated form.
Data protection of church associations
Ecclesiastical associations in canon law and secular law are also affected by data protection issues. According to the Codex Iuris Canonici (CIC) of 1983, such an association of believers is understood by canon law as the possibility of forming associations of persons within the Roman Catholic Church. As ecclesiastically recognised associations, these can also acquire ecclesiastical legal capacity. Catholic canon law is the self-imposed law of the Church. A synonym for Catholic canon law is canon law. The counter term to canon law is the respective state law as so-called secular law.
The faithful are free to form and direct associations for purposes of charity or piety or for the promotion of the Christian vocation in the world, and to hold meetings to pursue these purposes together.
All church associations in Switzerland are covered by the 1992 Data Protection Act (DPA), which is still in force. The totally revised DPA was passed by the Swiss Parliament on 25 September 2020. However, since the corresponding ordinance still has to be drafted, it cannot be assumed that the new law will enter into force before 2022. Nevertheless, the most important questions regarding data protection in the church association will be briefly explained.
Transparency, proportionality and purpose limitation continue to apply as principles of the current FADP. In addition, the European General Data Protection Regulation (GDPR) can already apply to church associations in Switzerland. This is the case if one processes personal data of persons in Europe (EU and EFTA without Switzerland) even without a European branch. According to the GDPR, it does not matter where the actual data processing takes place. For example, association members from Liechtenstein (EEA/EFTA) already have a connection to the European GDPR and must therefore be taken into account accordingly. For this reason, a corresponding DSGVO-compliant notice must be attached to the website of the church association and a data protection declaration must be created.
The association’s management usually collects and processes personal data to fulfil the purpose of the association in order to be able to comprehensively perform the tasks set out in the statutes. Ideally, the association’s management only requests personal data from members that is directly related to the association’s purpose. This must be checked and recorded. Personal data is usually made available to association members in the form of membership directories. It is therefore advisable for every church association in Switzerland to think about the structuring and organisation of personal data. It is also advisable to appoint a member of the association or a third party to be responsible for data protection.
References to the topic
Schneider, Christoph F. (2020): Der kirchliche Verein im kanonischen und weltlichen Recht; Vorgaben des kirchlichen Rechts, des zivilen Vereinsrechts und des Gemeinnützigkeitsrechts an Rechtsformwahl, Betätigung und Vermögensverwaltung kirchlicher Vereine. Schulthess: Zurich.
Loretan, Adrian (2015): Kirche und Staat in der Schweiz, in: Handbuch des katholischen Kirchenrechts, Regensburg: Verlag Friedrich Pustet, 1888-1913