Background information
- Date of final decision: 19 December 2023
- Cross-border case or national case: national case
- Controller: the diocese of Ghent (joint controller)
Legal Reference(s): Article 17 (Right to erasure (‘right to be forgotten’)), Article 6 (Lawfulness of processing), Article 9 (Processing of special categories of personal data), Article 16 (Right to rectification), Article 21 (Right to object). - Decision: Compliance order, Erasure order
- Key words: Right to erasure, Sensitive data, Exercise of data subject rights, Lawfulness of processing, Right to be informed
Summary of the Decision
Origin of the case
A baptized person applied to the diocese of Ghent to be deleted from all Church files, including the baptismal register. However, the Roman Catholic Church does not delete the data from the baptismal registers, but rather adds an annotation reflecting the person's wish to leave the Church in the margin of the register.
The right to data deletion, enshrined in the GDPR, is not absolute and can only be exercised under certain conditions. The Roman Catholic Church considers that it has a legitimate interest in retaining the data contained in the baptism register, as such retention is necessary for the purpose of data processing, and that the conditions applicable to a request for deletion are therefore not met in this type of case. It also invoked the archival value of this data, which would prevent its deletion.
The unsuccessful party then lodged a complaint with the Belgian Data Protection Authority.
Key Findings
The Church's legal basis for keeping baptism data is its legitimate interest in preventing possible (identity) fraud, since, according to Catholic doctrine, a sacrament can only take place once. The BE Belgian Supervisory Authority (SA) recognises this legitimate interest.
However, this legitimate interest can only be validly invoked as a basis for data processing if the processing is necessary to achieve this objective, and if the interest of the data subject does not override the interest of the controller.
In the present case, the Belgian SA finds that these two conditions are not met: on the one hand data processing as it is carried out today does not in fact prevent a person from receiving the same sacrament twice, and is therefore not a priori appropriate for achieving the desired purpose.
On the other hand, the lifetime retention of all the complainant's data is disproportionate from the moment the complainant expressly states that he wishes to distance himself from the Roman Catholic Church. In this case, the interests of the complainant override those of the Church.
Consequently, the complainant can exercise his right to have the data deleted.
Decision
For the Belgian SA, from a data protection point of view, the lifelong processing of data, moreover of a sensitive nature, of a person who has asked to leave the Roman Catholic Church cannot therefore be justified if such processing is neither proportional nor strictly necessary to the admittedly legitimate interests of the Roman Catholic Church. These conditions were not met in this case.
For this reason, the Belgian SA decided to order the diocese of Ghent to comply with the complainant's request to object to the processing of his data, and with the request to erase his data.
The decision is still subject to appeal.
For further information: decision in national language (NL)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.