President of the Polish SA met with data protection officers of church institutions

The intersection of state and church law, the independence of data protection officers - these were some of the issues raised during another meeting between the President of the Personal Data Protection Office (PUODO) and data protection officers (DPOs), this time representing church institutions such as dioceses, monastic congregations, social welfare homes run by church entities, Caritas and others.

The meeting was a continuation of a series of meetings between Mirosław Wróblewski, President of the Polish SA, and data protection officers representing various groups. During this meeting, problems arising from the specific nature of the work of DPOs performing their functions in church institutions, which they face every day, were discussed.

The role of the DPO in church institutions is complicated, because those carrying out these positions are navigating in two legal systems. As a general rule, cases that come down to the Church DPOs have to be considered under the GDPR as well as under the church regulations. Depending on the situation, compliance with data protection law in the Catholic Church is supervised by the Church Data Protection Officer or the President of the DPA.

During the discussions, it was pointed out that it is important for data protection that the church's regulations are essentially adapted to the GDPR.

"I care about supporting the position of personal data protection inspectors, including inspectors conducting their activities in such specific institutions as churches and other religious associations. This is extremely important to strengthen the importance of the data protection system in this area," said Mirosław Wroblewski, President of the DPA.

During the meeting, the issue of DPOs independence in religious associations was raised. Prof. Piotr Kroczek, Church Data Protection Officer, pointed out that the independence of the DPO is a very important issue which, despite the potential difficulties arising from the parallel obligation to maintain canonical obedience, is feasible.

"It is possible for the DPO to be independent, even though the person holding this position belongs to the religious congregation, is a member of it. This is because two types of authority interact here - the authority of power, i.e. the religious superior, and the authority of knowledge, i.e. the DPO," - said Prof. Piotr Kroczek.

The inspectors attending the meeting compared their experiences in the field of state and church law. It was noted that in church institutions, data controllers are very aware of the role of the DPO. It was also emphasised that in religious entities the independence of DPOs is respected and that controllers do not force their actions and positions.

During the discussions, the issue of the interface between state law and intra-church law was raised. The inspectors pointed out that it is ultimately up to the controller to decide which law applies in a given situation. There are cases where both the regulations of the GDPR and the General Decree on the protection of individuals with regard to the processing of personal data in the Catholic Church apply. Participants at the meeting agreed that from a data protection point of view, this does not pose a practical problem, as the Decree is basically a copy of the GDPR.

The President of the Personal Data Protection Office, Mirosław Wróblewski, encouraged the assembled DPOs to get involved in the consultations carried out as part of the ongoing update of the DPA's handbooks and also provided examples of the actions taken and planned to strengthen the position of DPOs.