fbevnts Data protection and the Catholic Church. Notes on the Italian experience six years after the definitive application of the GDPR

Data protection and the Catholic Church. Notes on the Italian experience six years after the definitive application of the GDPR

News > Papers
26.06.2024

Beatrice Serra*

 

Data protection and the Catholic Church. Notes on the Italian experience six years after the definitive application of the GDPR**

DOI: 10.26350/18277942_000171

 

Summary: 1. Introductory coordinates. 2. The prohibition, of European origin, to process data revealing religious beliefs. a) Reason for this prohibition. 3. (continues) b) effects of this prohibition on the structure of relations between the Italian State and religious denominations. 4. The adaptation of national legislation to the European Regulation. 5. The art. 91 of the GDPR. 6. The reaction of the Catholic Church in Italy. 7. The test bench of the coexistence between the effectiveness of the right to the protection of personal data and the inviolability of confessional autonomy: the control system pursuant to art. 91, par. 2 GDPR and its multiple interpretations. 8. (continues) The (lack) definition of the specific supervisory authority pursuant to art. 91, par. 2 GDPR by the particular canonical legislator and the national legislator in Italy. The (persistent) state jurisdiction on the intra-religious affairs of the right to the protection of personal data: foundation and limits. On the principle of collaboration.

 

  1. Introductory coordinates

 

The issue of the protection of personal data of religious nature possesses at least three characteristics: it is topical, fundamental, and complex.

Why topical?

The issue of personal data protection, especially when read in the prism of the interactions between the state order and the confessional order, belongs to the present time for two reasons.

Firstly, and immediately, because the whole matter has been rearranged by EU Regulation 2016/679 (henceforth GDPR or European Regulation) concerning the protection of natural persons with regard to the processing of personal data and to the free movement of such data. The Regulation, repealing Directive 95/46/EC, became definitively and directly applicable in the member states of the European Union on 25 May 2018[1].

It is therefore a question of a new discipline which, as such, needs careful hermeneutical scrutiny.

Secondly, the topicality of the subject emerges, indirectly,from the fact that the problem of the meaning of legal categories similar or overlapping with that of data protection,such as secrecy and confidentiality, recur recently in relations between Church and States. I refer to state attempts to ignore the ecclesial discipline of the confessional seal and ministerial secrecy to prevent or repress sexual abuse of minors, as well as to requests for access to confidential canonical documents presented by civil judges to confessional authorities[2].

There is, therefore, an objective need to define the inter-ordinal declinations of figures that share a direct or indirect affiliation to the semantic area of confidentiality.

This appears even more evident or understandable if we look at the second characteristic of the data protection theme: fundamentality.

To tell the truth, in the legal system of the European Union the protection of personal data is the object of a right. Right established, respectively, by art. 8 of the Charter of Nice, by art. 16 of the Treaty on the Functioning of the European Union and by art. 1 of the GDPR which, in addition to reaffirming the right of every person to the protection of personal data concerning him or her, explicitly qualifies this right as fundamental[3].

This gives rise to two logical corollaries: the undisputed obligation for the Member States of the Union to guarantee individuals the protection of their personal data; the need to achieve this protection in a proportional manner, i.e. reconciling the data protection with other equally fundamental rights- including the right to religious freedom- as moreover sanctioned by the GDPR itself in the "Recital" no. 4[4].

Again, the subject of personal data, especially when related to the religious phenomenon, is structurally complex and not easy to interpret and apply. And this, first, because its juridical structure derives from a multiplicity of sources: European law, national laws, confessional rules and, therefore, from the peculiar power relations amongthese sources and from their evolution.

Now, having set these very general coordinates, this contribution intends to define the subject of data protection from a specific perspective, looking at the Italian experience with particular reference to the action of the Catholic Church and the declination of data protection within the peculiar dynamics of coexistence between canonical and state regulations.

The aim is to offer a reconstructive framework from which to draw elements of reflection for a partial evaluation of the GDPR six years after its definitive and direct applicability in the countries of the European Union.

 

2. The prohibition, of European origin, to process data revealing religious beliefs. a) Reason for this prohibition

 

But, without prejudice to these very general coordinates, what is meant by data of a personal nature of a religious nature and what exactly does their protection consist of?

Pursuant to art. 4 of the GDPR (definitions) is personal data any information concerning an identified or identifiable natural person (interested) and, therefore, any information (name, location data, online identifiers, characteristic elements of the physical and psychic, physiological and genetic, economic, cultural and social identity) which leads to an individual, allowing, even indirectly, to identify him.

Among this information, the art. 9 of the GDPR (processing of particular categories of personal data) distinguishes, as a subset of personal data, the category of particular data; a category within which all news that reveal religious beliefs are explicitly included.

That said, while "simple" personal data can be collected and used when certain conditions set forth in art. 6 GDPR (lawfulness of processing), particular data must never be processed, except for exceptional and specific cases[5].

What are the reasons for this more intense protection?

The answer can be found in the GDPR itself, in the "Recital" no. 51, where it is stated that those data which, by their nature, are particularly sensitive in terms of fundamental rights and freedoms deserve specific protection, so that the context of their treatment could create significant risks for these rights and freedoms.

The qualification of information of a religious nature as particular or sensitive data therefore finds its root in the need to prevent the use of this information from harming the individual right to religious freedom, understood as the freedom not to manifest one's faith, confessional affiliation or attitude towards the religious dimension[6].

But not only.

The rigorous regime of the religious data intrinsically achieves two further objectives,rooted in Italian and European legal culture: to prevent information from being used by public or private subjects to discriminate against the data subject (principle of equality and non-discrimination) - given that, historically, religious beliefs have led and still lead to distinctions and formal and substantial inequalities -[7]; to allow everyone to be themselves in relations with others (right to personal identity) by representing themselves also from a religious point of view and, therefore, controlling both the processing of the related data - through powers of access, rectification, cancellation - and the fact that the data themself are responsive to one's current feeling[8].

It is no coincidence that Directive 95/46/EC in art. 8 included information revealing religious beliefs among the particular categories of data whose treatment should be prohibited by the Member States, thus recognizing that an uncontrolled circulation of such information has a greater capacity to affect the identity and freedom of the person[9].

 

3. (continues) b) effects of this prohibition on the structure of relations between the Italian State and religious denominations.

 

Now, why and how does the European legal system's constant attention to the protection of news of a religious nature affect the relationship between the order of the Italian state and the order of the Catholic Church?

In the first place, due to the very characteristics of the right to religious freedom.

If it is true that the protection of religious data strengthens the right of the individual not to reveal what he believes in, it is equally true that associations, churches and religious denominations are also holders of the right to religious freedom. The protection of religious data on the basis of the negative profile of individual religious freedom is accompanied by the positive freedom of religious associations to act and operate in order to live their own beliefs by treating the data of the faithful[10].

Secondly, data protection affects the relations between the State and the Catholic Church because, in the case of the latter, the acquisition, storage and use of personal data is a corollary of the independence and sovereignty that art. 7 first paragraph of the Italian Constitution recognizes this religious denomination in its order. Even further, the arrangement - necessarily contractual pursuant to art. 7 second paragraph of the Constitution - of the relations between the State and the Church and, precisely, the art. 2 of the 1984 Agreement (law 25 March 1985 n. 121) assures the Catholic Church specific freedoms for carrying out its mission (organisation, exercise of the magisterium and spiritual ministry, jurisdiction in ecclesiastical matters, communication, diffusion and publication of deeds and documents) involving the processing of personal data.

It follows from this that, in itself, the prohibition of dealing with information of a religious nature conflicts with the right - guaranteed at the constitutional level - of the Catholic Church to use such information in the exercise of its institutional functions.

Therefore, it is no coincidence that the possibility of this contrast was envisaged and resolved by the European legislation itself, first with the aforementioned art. 8, par. 2, lit. d) of Directive 95/46/EC and, subsequently, with the current art. 9, par. 2, lit. d) of the GDPR.

In particular, the art. 8, par. 2, lit. d) of Directive 95/46/EC authorized all non-profit organizations, including those of a religious nature, to process - for their own purposes and only internally - particular data of the members or persons having regular relations with the organization in reason of its nature, provided that adequate guarantees are ensured and the consent of the interested parties for the possible communication of the data to third parties.

The art. 9, par. 2, lit. d) of the GDPR confirms the authorization structure already provided for by art. 8, par. 2, lit. d) of Directive 95/46/EC[11].

Well, to what extent has this dogmatic composition between the right to the protection of particular data, collective religious freedom and confessional autonomy responded and does it respond to the Italian reality?

In this regard, it is useful to give a concise account of the methods of implementation of Directive 95/46/EC implemented by the national legislator. This directive was implemented with the law no. 675/1996 entitled Protection of persons and other subjects regarding the processing of personal data, whose art. 22 - sensitive data - in paragraph 1, sanctioning a more rigorous structure than the European one, made the processing of data suitable for revealing religious beliefs and/or membership of associations or organizations of a religious nature subject to the presence of two requirements: prior authorization from the Guarantor of privacy and written consent of the interested party[12].

It was a rule which - as immediately highlighted in the doctrine - made the use of information objectively difficult (also) by religious aggregations and harmed the sovereignty of the Catholic Church, subjecting its action to the request and obtaining of the concession provision of an independent state authority[13].

From this, the recourse to two successive corrective measures: a) the General Authorization no. 3/1997, which allowed confessions and religious communities to process sensitive data, but always with the written consent of the interested party and observing the rules established by the Data Protection Authority; b) the art. 5 of Legislative Decree no. 135 /1999 which - by introducing the art. 22 paragraph 1- bis to the law no675/1996- excluded the application of the ordinary regime (subject to authorization by the Guarantor and written consent) for data of the faithful or of subjects having regular contact with religious denominations who had entered into agreements or understandings with the State pursuant to articles 7 and 8 of the Constitution and determined suitable guarantees for the treatments carried out. Such guarantees were promptly prepared - for the declared purpose of protecting its native right to use the data of the faithful, ecclesiastical bodies and ecclesial aggregations -, by the Catholic Church alone with the General Decree of the Italian Episcopal Conference Provisions for the protection of the right to good reputation and privacy, of 20 October 1999[14].

The reorganization of the entire matter, through the elaboration of a Code regarding the protection of personal data (legislative decree no. 196/2003), codified in art. 26 (guarantees for sensitive data), paragraph 3 lett. a) and 4, lett. a), a distinction between all religious confessions - whose civilly recognized bodies or entities were authorized to process the sensitive data of the faithful or subjects in regular contact with the confession with suitable guarantees, elaborated by observing the principles indicated with authorization from the Guarantor -, and organizations of a religious nature, which could process the same sensitive data without the consent of the interested party, but with the prior authorization of the Guarantor and in compliance with the conditions duly indicated[15]. At the same time, the art. 181 paragraph 6 (other transitional provisions) of the Code specified that the religious confessions which, before the adoption of the Code itself, had established in their legal system the appropriate guarantees pursuant to art. 26 paragraph 3, lett. a) could continue the processing activity in compliance with the same.

With which, moreover, in the absence of the issuing of a contextual authorization from the Guarantor Authority, it was not clear whether the Catholic Church was exempt from the bond, objectively more restrictive and not foreseen by art. 22 paragraph 1-bis of law 675/1996, to conform the system of protection already set up to the principles indicated in the authorization of the Guarantor[16].

In any case, the choices of the Italian legislator prior to the GDPR allow an immediate consideration: if, at first, the desire to emphasize data protection led to not giving specific attention to religious data, the reasons for its treatment and the freedom of action of the Catholic Church, this position has been progressively diluted, considering who uses the information, the purposes and ways of using them and giving space, although not uncontrolled, to the power of self-regulation and discipline of all religious denominations in harmony with the position recognized to them by the constitutional provision.

Not only.

The Italian system, although elaborated later than other countries of the Union and for successive approximations[17], presented interesting profiles of originality with respect to the European indications: the use of the formula, not present in the art. 8 of Directive 95/46/EC, "sensitive data", which best expresses their particular relevance to the most intimate sphere of the person; the (initial) extension of the protection to subjects other than natural persons[18]; the inclusion among sensitive data of information suitable for revealing membership in associations or organizations of a religious nature[19]; a difference in the regime between the treatment carried out by religious denominations and the treatment carried out by non-profit associations, bodies or organizations, even if not recognized, of a religious nature. All characteristics which, on closer inspection, consider and value the different facets of the community and institutional dimension of the experience of faith in a way not dissimilar from what happens in the reality of the Catholic Church. Indeed, under this specific aspect, the reciprocal influence between the civil order and the canonical order is attested by the fact that the CEI Decree of 1999 expressly guaranteed the protection of the data of ecclesiastical bodies and ecclesial aggregations, using a civil notion, that of ecclesiastical body, and echoing the art. 1 of law 675/1996 which, likewise, protected legal persons and any other body or association.

Significantly, moreover, in the period between the law no. 675/1996 and the GDPR, the appeals to the Privacy Guarantor for the processing of data by the Catholic Church concerned exclusively requests for cancellation from the baptismal registers.

These requests - made on the basis of the right to have data processed unlawfully or no longer necessary for the purposes for which they were collected and of the aspiration to see one's image correctly represented - have been rejected by both the Guarantor and the judicial authority. And this because the registration of the baptism - indelible historical fact - is lawful, exact and complete, while it is possible to update this data - corresponding to the current wish of the person concerned not to be considered Catholic - with a note in the margin of the register of the sacraments[20].

In other words: the exercise, under certain conditions, of the right to erasure of data does not indiscriminately affect the Church's power to document, since it is a legitimate power, pertinent to the specific nature of the religious confession and concerning true information which, in as such, while not corresponding to the image that the subject has of himself, it does not harm his personal identity, nor, concretely, the faculty of estranging himself from the ecclesial community as a corollary of the right to religious freedom[21]. On the contrary, the cancellation of the news of the baptism, hypothetically imposed by provision of the Guarantor or of the judicial authority, would violate the sovereignty and identity of the Church.

In addition to the information suitable for revealing religious convictions and in relation to the freedom of ecclesial jurisdiction, a question of the use of sensitive data then arose with reference to the conduct of the canonical process of matrimonial nullity when, for preliminary reasons, the parties asked to public administrations the viewing and copying of documents containing particular data. Question defined, according to a prevailing address in administrative jurisprudence, considering that the treatment of sensitive information is admissible to ascertain the truth about one's religious marriage as a right of equal rank to the right to the protection of personal data[22].

 

  1. The adaptation of national legislation to the European Regulation

 

Given this, has the GDPR, by directly dictating the rules that govern data protection, changed this equilibrium achieved in the interactions between the Italian legal system and the canonical order?

Certainly, by repealing Directive 95/46/EC, the GDPR required an adaptation of the individual national legislations that had transposed its content. Adaptation was made in Italy with the legislative decree no. 101/2018 laying down Provisions for the adaptation of national legislation to the provisions of regulation (EU) 2016/679which, in revising the Code for the protection of personal data in order to implement and complete the provisions of the GDPR, eliminated the articles on religious data which until then constituted the reference system[23].

To be immediately and entirely applicable to the Italian reality is, therefore, now first of all the art. 9, par. 2, lit. d) of the GDPR, albeit with any additions required by respect for the status enjoyed by churches, associations or religious communities in Italy by virtue of national law. Pursuant to art. 17, par. 1 of the Treaty on the Functioning of the European Union - appropriately referred to by Recital n. 165 of the GDPR-, the different systems of relationship between the State and religious confessions (and the models of definition of the State with respect to religious experience) present in the countries of the Union cannot, in fact, be prejudiced or called into question by the regulatory provisions of the European order[24].

In other words, due to the so-called "safeguard clause" of the statuses, the European competence on personal data does not directly change national ecclesiastical law.

Without prejudice to this constraint, in exceptionally authorizing the processing of particular data how does art. 9, par. 2, lit. d) of GDPR affects the position recognized to the Catholic Church in Italy?

In truth, this regulatory provision, repeating the substance of Directive 95/46/EC, does not restrict the margin of action of any confession or religious grouping.

On the contrary.

There are at least two profiles, not present or different from the previous Italian discipline, which could strengthen the freedom of organization of the Church.

First, the fact that the art. 9, par. 2, lit. d) GDPR authorizes non-profit organizations that pursue purposes of a religious nature to process, within the scope of their legitimate purposes and with adequate guarantees, not only the particular data of their members and of persons having regular relations with the institution, but also the particular data of the former members. This is probably a novelty introduced also in consideration of the requests for cancellation from the baptismal registers made in Italy and in other States as corollaries of data protection[25].

Certainly, this novelty in itself confirms and strengthens the power recognized to the canonical authority to note and preserve information on the occurred celebration of the sacraments or pertaining to participation in the ecclesial community of those who have since declared that they no longer consider themselves Catholic faithful. More specifically, if in its first provision on the subject the Italian Privacy Guarantor claimed that, after the request for cancellation of the news of baptism, this data could no longer be used in Ecclesia not even for statistical purposes[26], this limit seems to have been exceeded by the current European rule.

Moreover, from the combined provisions of articles 17 par. 3 and 21 par. 1 of the GDPR - concerning, respectively, the cases in which the right to erasure of data cannot be invoked (right to be forgotten) and the right of the data controller to demonstrate that the same is due to binding legitimate reasons -, the request for cancellation from the baptismal register can be rejected, understanding the exercise of the institutional functions of the canonical authority as a legitimate reason, which prevails over the request itself[27].

The second aspect of the European precept that can reflect on the autonomy of the Catholic Church is that, unlike art. 26, paragraph 3 lett. a) and 4, lett. a) of Legislative Decree no. 196/2003, the regulatory standard does not distinguish between the processing of particular data operated by bodies or entities of a religious denomination and the processing of the same data carried out by a foundation, association and other non-profit organization, even if not recognized, which pursues religious purposes. And this in continuity with Directive 95/46/EC.

The absence of this distinction and the consequent possibility for non-profit organizations of a religious nature other than confessions to process data in Italy without prior authorization from the Guarantor[28], is susceptible to two interpretations.

It can be assumed that the non-explicit mention of religious confessions is due to the need to use a flexible formula, suitable for including, without specification, all the forms assumed by the collective dimension of the religious phenomenon in the various countries of the Union.

On the contrary, it is also possible to attribute the absence of an explicit reference to religious confessions to the desire to subtract these institutional realities from the regime sanctioned by art. 9 par. 2, lit. d) GDPR[29]. Which for the Italian Church could mean continuing to process particular data by applying the system of guarantees already in place.

 

  1. The art. 91 of the GDPR

 

In reality, the position of the Catholic Church after the GDPR finds its most immediate and certain point of reference in another provision of the European Regulation: art. 91 (Data protection regulations in force in Churches and religious associations) inserted in chapter IX, Provisions relating to specific treatment situations.

Pursuant to art. 91 par. 1, if in a Member State there are Churches and religious associations or communities which, at the time of entry into force of the Regulation, apply complete corpusof rules for the protection of natural persons with regard to the processing of personal data, these rules may continue to be used provided that they are made compliantwith the regulation itself.

The same provision in par. 2 establishes that the Churches and religious associations that apply their own discipline are subject to the supervision of an independent Authority which can be specific, provided that it satisfies the conditions set out in Chapter VI of the European Regulation concerning the independent Supervisory Authorities.

The art. 91 - which has no precedents in the European framework on data protection - is structured on three elements: a) a distinct consideration of the Churches and their faculty of self-regulation; b) a conditional acknowledgment of the binding efficacy of the confessional rules, which replace the GDPR only if they comply with the same, complete and already applied when the Regulation comes into force; c) the submission of religious confessions or associations that regulate themselves in terms of data protection to the control of an Authority [30].

This is an arrangement that is not entirely extraneous to the Italian experience from a double point of view: because it appears homogeneous with the normative autonomy proper to religious confessions pursuant to articles 7, first paragraph and art. 8, second paragraph of the Constitution, fulfilling the so-called statussafeguard clause; because some aspects of the art. 91 GDPR find their precedent in the repealed art. 181, par. 6 of the Privacy Codewhich, as mentioned, affirmed the persistent applicability of confessional guarantees if in force before the adoption of the Code and respectful of the principles indicated by the Guarantor.

Nonetheless, the previous obligation of compliance with the principles contained in the Guarantor's authorization - intended as a minimum standard, which could also be respected through documents of an informative nature without the need for strictly legal acts - was susceptible to less stringent applications than the current parameter of completeness and compliance with the entire GDPR[31].

Moreover, in the case of the Catholic Church, the compliance of the CEI Decree with the principles of the Guarantor was assumed.

Above all, however, the national discipline did not envisage subjecting the action of religious confessions to the specific control of an independent Authority[32]. Nor, moreover, was this control contemplated in Directive 95/46/EC.

In reality, read in the light of the new approach to data protection pursued with the GDPR, the entire structure of the art. 91 can be understood due to a basic choice of the European legislator: to entrust the person who processes the data (so-called data controller) with the task of preparing - in advance and in consideration of the nature, scope of application, context and purpose of the treatment - all the necessary measures to avoid or minimize the risk of damage to the interested party and, especially, the risk of damage to his fundamental rights and freedoms (so-called accountability principle)[33].

At the same time, the data controller must be able to demonstrate that the measures he uses comply with the GDPR which punctually defines both the rights of the data subject (see articles 15-22), and the duties and responsibilities of the data controller and of the data controller (see articles 24-43).

Well, applied to Churches, associations and religious communities in a context of broader attention to the "religion" factor[34], the principle of accountability has had two consequences.

The first is the need to recognize confessional norms as tools for effectively declining the preventive protection structure envisaged in the European system within the religious order without "caging" the activities of the community of believers from the outside. From this point of view, indeed, even the provision of a time limit for the recognition of confessional rules (the date of entry into force of the GDPR) can be read as a way to encourage the responsible elaboration of a (also) religious corpus of matrix guarantees[35].

The second consequence that derives from the application of the principle of accountability to intra-confessional data processing is the need to monitor, in specific ways, the outcome of the application of confessional rules.

And this on a precise assumption, clarified by the Court of Justice: the duty of every person to respect European law on protection of personal data does not in itself violate the organizational autonomy of religious confessions[36].

 

  1. The reaction of the Catholic Church in Italy

 

Now, in the face of this specific orientation and the new structure of Union law on data protection, while the national legislator by adapting the 2003 Privacy Code to the GDPR has not made additions to the regime sanctioned by art. 91, the Italian Episcopal Conference has instead taken steps to update its rules in good time, making them compliant with the Regulation through the General Decree Provisions for the protection of the right to good reputation and privacy of 25 May 2018[37].

The transition from the 2003 Privacy Code to the GDPR has therefore not changed the reaction of the Church in Italy.

Leveraging, ad extra, on the position recognized by the Constitution and by the contractual framework and, ad intra,on the truth of its nature and mission and on the possession of an original and rooted legal instrument, the Italian Episcopal Conference has (again) chosen to avail itself of the possibility of processing personal data with its own rules, avoiding the (direct) application of the GDPR[38].

From this point of view, indeed, the new general decree of the CEI is a concrete form of acceptance of the principle of accountability , given that the particular canonical legislator - assuming exclusively the GDPR as a point of reference and regardless of the adaptation choices of the Italian privacy codeto the Regulations - has assumed the responsibility of minimizing the risk of illegitimate treatment, regulating it in advance in relation to the confessional reality. Likewise, the provisions of the CEI on data protection can be read as balancing formulas between the position of the interested party and the position of the person who processes the data; formulas necessary today in every regulatory context - given the relational structure on which the discipline of data protection is based - but elaborated in the canonical order always according to its peculiar logic[39].

Considered as a whole, the CEI General Decree of 25 May 2018 appears, in fact, neither as a mere reception of the content of the Regulation, nor as an act that cannot be traced back to the autonomous exercise of the normative power of the Church.

Rather, the rules set by the Italian Episcopal Conference tend to implement the GDPR criteria without denying the specific methods and purposes of the processing dictated by the confessional nature of the owner. And this also thanks to profiles which, although belonging to canonical juridical law, find their correspondence in the European system.

In this regard, without analytically retracing the individual provisions of the Decree or the innovations it has brought with respect to the 1999 discipline[40], it is sufficient to dwell on two different but connected aspects.

The first is the purpose, explicitly indicated in the Preamble, which is aimed at in the Decree: to give a more articulated regulation to the right to a good reputation and privacy recognized to every person by canons 220 CIC and 23 CCEO.

With which the entire provision is immediately traced back to a confessional reason: the affirmation of a natural right (of which the data protection is manifestation) already explicitly enshrined in the juridical order of the Church before Directive 95/46/EC and its implementation at national level.

But not only. Regardless of the punctual and specific declinations of the right to defend one's privacy in the relational dynamics of the ecclesial community[41], it is certain that by representing the CEI legislation as the explanation of the faculties proper to each person, the dignity of the latter is identified as the foundation of data protection. A foundation in itself common to the ecclesial system and the European one which allows us to consider the adaptation of particular canon law to the GDPR not as an act required by “external” interests, but as a legal instrument with which the Italian Church pursues an objective which it is intrinsic to it. In this regard, consider the outcome of the wide range of faculties that the CEI Decree in Chapter III - Rights of the interested party - recognizes to the person to whom the information refers. These faculties merely define, with reference to the Italian Church, the subjective dimension of the canon right to intimitas and place the person concerned in the position of actively contributing to the protection of his or her position in Ecclesia. Moreover, even if the presence in the canonical legislation of a Chapter intended for the rights of the interested party clearly derives from the structure of the GDPR, the Italian Episcopal Conference, unlike the Regulation, continues to consider ecclesiastical bodies and ecclesial aggregations as interested.

The second aspect that highlights an affinity between the European order and the canonical order, facilitating the compliance of the confessional rules with the GDPR - and, therefore, relating the interests of which the European Union is the bearer of to the specific interests of the Church - is the aforementioned principle of accountability.

On closer inspection, indeed, the criterion of making those who handle information responsible already belongs to the ecclesial juridical system.

Proof of this is the universal canonical discipline on the keeping, conservation and access of diocesan and parish books and archives. A discipline entirely built on an arrangement of duties incumbent on whoever collects and keeps the information (cf. cann . 486-491, 535 CIC; 256-261, 296 CCEO) which, not by chance, is punctually referred to in the preamble of the CEI Decree and respected in its essential lines in Chapter IV - tools for collecting personal data - of the same Decree.

In summary: in Italy the choice to accord particular canon law to the GDPR did not mean the assumption of paradigms detached from the idea of justice that innervates the ius Ecclesiae.

Rather, by placing itself in a position to process data by applying its own rules, the Catholic Church: a) can exercise with less risk of interference the prerogatives that derive from the collective right to freedom of religion and from its independence and sovereignty; b) contributes - collaborating with the civil authorities, but according to its own idea of the dignity of the person - to stem the new forms of damage to data protection which - as highlighted by the "Recital" n. 6 of the GDPR - derive from the rapidity of technological evolution and globalization and which can also occur within religious confessions whenever their activity involves the use of the web or other IT and telematic tools[42].

 

  1. The test bench of the coexistence between the effectiveness of the right to the protection of personal data and the inviolability of confessional autonomy: the control system pursuant to art. 91, par. 2 GDPR and its multiple interpretations

 

Having said that, the real problem is, or may be, the control system that art. 91 GDPR provides (also) for the action of the Catholic Church.

The effective coexistence between respect for the right to the protection of personal data sanctioned by the European order and the safeguarding of the independence and sovereignty of the Italian Church depends on the concrete implementation of this system, on the methods of its application and interpretation.

The question arises, first of all, on the hermeneutic level.

The two requirements, completeness and compliance, required by art. 91 par. 1 GDPR for the application of confessional legislation, when can they be satisfied?

More explicitly: does religious legislation replace the GDPR only if it slavishly repeats all the provisions of the latter or is it sufficient that the canonical system establishes mechanisms to prevent a macroscopic violation of the essential goods indicated by the European order?

It is evident that the first option - actually followed by some episcopates as in the case of the diocese of Luxembourg[43]- reduces the confessional norm to a mere explanatory vehicle of the European provisions; while the second offers the canonical legislator the necessary margins to keep in place the aspects which, ex parte Ecclesiae, are indispensable in the treatment of data.

In this regard, it may indeed be significant that the European Data Protection Supervisor has suggested “... greater self-remain on the part of the Supervisory Authorities who are called to be less prescriptive and to avoid entering into certain details”[44] towards the religious denominations which, by inverting the principle of accountability,have developed their own regulation compliant with the GDPR.

But, if so, how should the new figure of the Authority be defined and understood which, pursuant to art. 91 par. 2 GDPR, is called to supervise the work of the Italian Church on data protection?

On this point, the GDPR provides only one reference: the Authority that controls religious confessions can also be specific, but must possess all the requisites that guarantee its independence and act with competence and exercising the tasks established in chapter VI of the same Regulation[45].

It is an indication susceptible of different interpretations, according to the meaning that is attributed to the requirement of “specificity” and independence.

Thus, it can be considered that religious confessions, in adapting their body of rules to the GDPR, must or can establish the Supervisory Authority.

In this perspective, that is, the obligation to make the structure of religious rules complete and compliant with the GDPR would include the establishment of an Authority that would be "specific" because it is denominationally appointed. Which, also given the significant authoritative, corrective, investigation and sanctioning powers that Chapter VI of the GDPR attributes to the Supervisory Authorities, would undoubtedly go to protect the autonomy of the religious confession[46].

It remains, however, that the establishment of a "specific" Authority is possible, but not required, while art. 91 par. 2 GDPR does not explicitly recognize to religious groups the power to appoint such an Authority in place of the Member States.

Therefore, nothing excludes that it is the State that designates the subject who has the task of supervising religious confessions or that this task is carried out by the ordinary supervisory authorities and therefore, in Italy, by the Guarantor for the protection of personal data.

Conversely, if it is believed that the independence that the Authority must necessarily possess cannot exist if the controlling entity is chosen by the controlled entity, the supervision of compliance with the GDPR by religious denominations belongs only to a state body or at most, as it has been suggested by many, to a specific body made up of representatives of the state and representatives of religious confessions[47]. This, however, means assuming a fundamental contrast between civil interests and confessional interests in terms of data protectionwhich postulates, where possible due to the state regulation of the religious phenomenon, a settlement with bilateral instruments.

 

8.(continues) The (lack) definition of the specific supervisory authority pursuant to art. 91, par. 2 GDPR by the particular canonical legislator and the national legislator in Italy. The (persistent) state jurisdiction on the intra-religious affairs of the right to the protection of personal data: foundation and limits. On the principle of collaboration

 

Well, how was the figure of the Supervisory Authority with respect to the Catholic Church defined in Italy?

In this regard, while Legislative Decree no. 101/2018 does not contain any specification of the Regulation, the art. 22 of the current CEI General Decree Provisions for the protection of the right to good reputation and privacy limits itself to reiterating that the processing of data is subject to the supervision of the authority established by art. 91 par. 2 of the GDPR. And this unlike other particular Churches, such as the Polish or German ones, which have understood the reference to “specificity” as the possibility of establishing a supervisory authority internally and have proceeded in this direction[48].

In drafting a Decree which burdens the data controller with precise obligations (see art. 3 § 2, 13 § 2), it provides for the designation of a data protection officer (see art. 18), the establishment of a consultancy service (cf. art. 25), the duty of vigilance of the Ordinary (cf. art. 21) and reiterates the canonical tools for reacting to the violation of data protection ( cf. art . 23), the Italian Bishops' Conference has preferred not to immediately introduce an additional supervisory body using, however, an open formula, which does not exclude the establishment of such a body in the future. In other words, this choice does not mean the automatic delegation of the surveillance function on the intra-denominational processing of data to the Privacy Guarantor or to another state public entity set up for this purpose.

However, it is necessary to ask whether the surveillance activity, if carried out by a state body and focusing, first of all, on the formulas and application of the CEI General Decree, can take place in harmony with the sovereignty and independence of the Italian Catholic Church in its own order.

Above all, it remains to be clarified whether, following the GDPR, confessional acts concerning data protection can be reviewed by a court or other civil body.

These are questions that represent two sides of the same coin.

Certainly the Regulation - without prejudice to any other administrative or extrajudicial appeal - gives the interested party three rights: to lodge a complaint with the Supervisory Authority; appeal against a decision of this Authority before the courts of the State where the Authority is established; present an effective judicial remedy against the data controller or processor before the courts of the Member State where the parties to the dispute are located (see articles 77, 78, 79).

It can be deduced from this that, even if the Supervisory Authority is established by the religious denomination and even if this denomination, as it happens for the Catholic Church, has its own and articulated procedural system, the instruments of protection of the interested party provided by the religious group do not replace the state ones.

In other words, it seems unlikely that the complete corpus of rules prepared by a Church - even if compliant with European indications and including supervisory bodies and various dispute settlement tools - means the establishment of a reserve of exclusive jurisdiction in favor of the Church itself which precludes the interested party from the possibility of turning to the State against confessional measures. And this in harmony with what has been sanctioned by the EU Court of Justice, according to which an effective judicial protection of the rights guaranteed by the European system passes through the independent review of national judges[49].

Even further, and with specific reference to the Italian legal order, the state jurisdiction over the intra-religious affairs of the right to the protection of personal data rests on the well-known principle, affirmed by the Constitutional Court, according to which the confessional autonomy referred to in articles 7 and 8 of the Constitution finds its limit in the need to guarantee inviolable rights even within religious confessions, qualified as social formations where the personality of man takes place pursuant to art. 2 Const.[50]. This argument was duly used by the Court of Padua in the ruling on the cancellation of personal data from the baptismal register[51], while since 1999 the Privacy Guarantor has constantly intervened on the subject, syndicating the action of parish priests and Bishops and intervening on their work with decisions of a corrective, tax or compensatory nature[52].

In summary: it is evident both that the processing of personal data, despite being the subject of a native law of the Church, is a mixed matter, on which a canonical and civil competence concurs[53], and that the relations between the two jurisdictions cannot be defined with the prevention criterion[54]. Rather, since pursuant to the GDPR (see art. 78, paragraph 2) in order to appeal to the state judge against the provision of the Supervisory Authority, this provision must be in place or that after three months from the complaint nothing has been communicated to the interested party, if the Italian Episcopal Conference constituted a specific confessional authority, the latter's decision could, at most, be considered challengeable before the civil court only after all the canonical appeals have been exhausted[55].

Moreover, when the Italian Bishops' Conference decided to avail itself of the effects that art. 91 GDPR recognizes to the confessional rules in the European order, coordinating the particular canon law to this order, it has also implicitly accepted that its data processing activities are susceptible to an external supervisory action.

In other words: in the light of the GDPR, there seems to be no room for acceptance of the thesis, albeit supported authoritatively and with various arguments, according to which the processing of data carried out within the Catholic Church is always extraneous to civil law and jurisdiction[56].

Now, given that ecclesial subjects could be called to answer for their work on data protection before state administrative and judicial bodies, the question is that of the modalities and limits of this union.

With respect to this question, in the light of art. 7, 1st paragraph of the Constitution, of the art. 2 of the Agreement of 18 February 1984 (law 25 March 1985 no. 121 ) and of the supreme principle of secularism - as the cornerstone of the attitude of the Italian State with respect to the religious phenomenon which precludes interference in the sphere of religious aggregations[57] - some fixed points must be drawn.

A preventive and abstract check of completeness and conformity to GDPR of CEI Decree Dispositions for the protection of the right to good reputation and privacy of 2018 seemsto be excluded. In other words, an appeal against the canonical norms is not admissible, since a check on the legislation of the Church or on the interpretation and application of ecclesial rules carried out by religious authority is constantly recognized, in jurisprudence, as an act which unequivocally invades confessional autonomy[58].

The state body, therefore, only intervenes following a complaint or appeal by the interested party and to ascertain, in the concrete case, whether there has been a violation of the right to data protection as defined by the Regulation, by evaluating incidentally the canonical norm and its respect.

As for the conduct of such a union, the general criteria that govern the jurisdictional relations between the order of the Italian state and the order of the Church should apply and therefore: a) the examination of the appeal can only concern effects and aspects that involve state values and interests, since it is not admissible to enter into the religious merit of the provision, nor to reform it or declare it null and void within the confessional system; b) the verification of the infringement of the right to data protection can be followed by the assessment of the unjust damage that has arisen and the imposition of consequent compensation measures[59].

Furthermore, if it is true that the GDPR gives anyone the right to compensation for material or immaterial damage caused by a violation of the Regulation (see art. 82), it is also true that the reference, present in the CEI Decree, to the canonical obligation to repair the damage (cf. art. 23), could be used in an interpretative way to understand this right either as a confessional faculty, which the faithful can claim exclusively within the canonical order, or as a faculty that can be exercised in the civil forum only on a subsidiary and residual basis.

Certainly, the hermeneutical and evaluation scheme to which the administrative or judicial state body will refer is of decisive importance, not only to establish whether its competence exists, but, above all, to ascertain a violation of the position of the interested party.

In this regard, since the General Decree of the CEI has implemented the guarantee mechanisms provided for by the GDPR, it would be difficult to highlight substantial formal gaps of protection in the canonical order or conflicts with the principles of the Regulation. Rather, in considering the appellant's request, the state judge and the Supervisory Authority - called to take appropriate, necessary and proportionate measures (see “Recital” no. 129 GDPR) - should, first of all, start from the non-absolute nature of the right to the protection of personal data and to read it, also, in the light of the confessional context in which this right is exercised and the meaning it assumes in it. The objective is to avoid two risks of opposite sign: the risk that, due to the sovereignty of the Church, an indeterminate free zone is established, with respect to which the State is precluded from any intervention even in the face of macroscopic violations of fundamental rights; the danger that, in the name of these rights, and even further, of a state idea of the dignity of the person as the root of the rights themselves, the freedom of action and organization which belongs to the Church in Italy could be de facto emptied[60].

These are two intrinsic risks to any act of definition of the relationship between personal rights and confessional autonomy which now, following the qualification of data protection as a fundamental right operated by the Euro-unitary system, are re-proposed for a specific sector.

On this point, however, one observation is necessary.

Certainly, today's information technology tools involve a concrete and current danger of injury to the person through the processing of his data. Surely it was necessary to react with legal instruments above all at a supranational level, through an articulated system of rules which aims to prevent the aforementioned danger, and which also involves religious denominations.

Having said that, if we look at the activity of the Italian Privacy Guarantorfrom 2018 to today, no complaint or appeal has been proposed with reference to the treatment carried out by the Catholic Church[61]. Moreover, even considering the canonical juridical experience it does not seem that the claim of data protectionis the cause of a consistent number of administrative or jurisdictional appeals. The small number of cases examined by the special ecclesiastical courts for data protection established by the German Church is exemplary in this sense[62].

It can be deduced that the legal framework defined by the GDPR and, consequently, by the Church, at the moment effectively prevents conflicts or, also, that in the reality of intra-ecclesial relationships the sensitivity of citizens/faithful for the treatment of their data is not, then, so accentuated, so that the right to data protectionis qualified as fundamental, but is not considered as such by its holders within the dynamics of the community of believers.

It will, therefore, above all the future practice to bring out any and effective critical issues posed by the application of the GDPR in the relationship between the order of the Church and the order of the State.

Then, it will be with respect to these tangible problems that it will be possible to resort to agreements between the two parties for their solution. The Italian legislator would execute such agreements by exercising its power to adapt the European dictates to the national reality. And this (always) by leveraging the principle of collaboration that structures the relations between the State and the Church in Italy and between the European Union and religious confessions[63].

In any case, so that the different and possible forms of collaboration are not reduced to the search for a fragile compromise in which each of the interlocutors loses something of themselves, but are truly profitable, it is necessary that the two parties to the relationship do not enter into as distant and different centers of power, for the sole purpose of establishing who must yield more to the other, but as two entities which, through dialogue, identify the need for justice inherent in the human person and his sociality in the religious dimension and in the civil one. Only in this perspective, which tends to structure the relations between the State and the Church on a juridical order of an objective nature, in which both can recognize each other, it is possible to set up these relations in terms of service to the person, juridically grounding this service in the rights of the person himself, including the right to data protection.

 

 

Abstract (ENG):This contribution intends to define the subject of data protection from a specific perspective, looking at the Italian experience with particular reference to the action of the Catholic Church and the declination of data protection within the peculiar dynamics of coexistence between canonical and state regulations.

Keywords (ENG):personal data protection, personal data of a religious nature, Catholic Church, Italian State, GDPR


* Università degli Studi di Roma “La Sapienza” (beatrice.serra@uniroma1.it).

** The article underwent a double blind peer review. Itupdates and expands the text of a lecture given at the Lateran Apostolic Palace on 27 april 2022.

[1] For an analysis of the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, see The EU for all. General Data Protection Regulation (GDPR). A Commentary, edited by C. Kuner, L.A. Bygrave, C. Docksey, Oxford University Press, New York, 2020.

For a summary view, see also V. Cuffaro, Il diritto europeo sul trattamento dei dati personali, in Contratto ed impresa, 3 (2018), pp. 1098-1119.

The text of the Regulation can be found at the address: http://eur-lex.europa.eu (last access on May 7th, 2024).

[2] On state initiatives that have called into question the inviolability of the confessional seal and ministerial secrecy and on the requests for the transmission of reserved canonical acts of civil judicial bodies, see for an overview: R. Palomino Lozano , Sigilode confesión y abusio de menores , in Ius canonicum, 59 (2019), pp. 767-809; G. Boni , Sigillo sacramentale, segreto ministeriale e obblighi di denuncia-segnalazione: le ragioni della tutela della riservatezza tra diritto canonico e diritto secolare, in particolare italiano,in Jus Online, 3 (2019), spec. pp. 32-112; M. Visioli, Confidenzialità e segreto pontificio , in Periodica, 109 (2020), pp. 478-479 .

[3]For a synthetic framework of the right to the protection of personal data considered in relation to similar figures and within the various generations of human rights, see E. Brugiotti, La privacy attraverso le “generazioni dei diritti”. Dalla tutela della riservatezza alla protezione dei dati personali fino alla tutela del corpo elettronico, in www.dirittifondamentali.it, 2 (2013), pp. 1-30.

[4] The Recital n. 4 of the GDPR clarifies that the right to the protection of personal data is not an absolute prerogative and therefore must be protected in the light of its social function and in relation to other fundamental rights. The statement is important because the recitals are the tool through which the European legislator explains the reasons for the GDPR rules, its structural and evolutionary lines. On this specific aspect, see V. Cuffaro, Il diritto europeo sul trattamento dei dati personali, cit., p. 1107.

[5] Pursuant to art. 4 of the GDPR means treatmentany operation or set of operations, performed with or without the aid of automated processes and applied to personal data or sets of personal data, such as the collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of making available, comparison or interconnection, limitation, cancellation or destruction .

[6]On this point, see the "Recital" no. 4 of the GDPR which in binding the regulation of the processing of personal data to the service of man, specifies that this service implies respect for freedom of thought, conscience and religion and cultural and religious diversity.

The historical and conceptual link between religious freedom and confidentiality is tangible in the affairs of US privacy, given that the first recognitions of the right to conceal one's religious feelings in the United States occurred in relation to the First Amendment of the US Constitution, which guarantees the impartiality of the law with respect to the cult of religion and its free exercise. On this point cfr. A. Cerri, Riservatezza (diritto alla). II) Diritto comparato e straniero, in Enciclopedia Giuridica Treccani, Istituto della Enciclopedia Italiana, Roma, 1991, vol. XXVII, pp. 3-6.

[7] It is significant, in this regard, that the "Recital" no. 71 of the GDPR establishes the obligation to adopt adequate technical and organizational measures in order to prevent forms of automated processing of personal data, which lead to decisions on the interested party, producing discriminatory effects on the basis of the religion of the subject to whom the data refer.

As for the principle of equality and non-discrimination, see usefully V. Salvatore, I principi di uguaglianza e non discriminazione, una prospettiva di diritto comparato. Unione Europea, EPRS, Bruxelles, 2021; M. Luciani, I principi di uguaglianza e non discriminazione, una prospettiva di diritto comparato. Italia, EPRS, Bruxelles, 2020.

[8] From jurisprudential matrix, the right to personal identity - defined by the Court of Cassation as the interest of the subject to be represented in his life of relationship with his true identity (cfr. Court of Cassation, Section I, 22 June 1985, no. 3769, in Il Foro italiano, I (1985), cc. 2211-2218) - is often considered a corollary of the right to the protection of personal data, given that its first regulatory recognition dates back precisely to art. 1, 1 paragraph, of the law 675/1996. However, it should be pointed out that while the right to personal identity entails negative control over one's social image, with the consequent faculty of opposing any damage to this image, the right to the protection of personal data, while functional to first, it is a positive right to control over data. In this regard, see for all G. Finocchiaro, Identità personale (diritto alla), in Digesto della Discipline Privatistiche. Sezione Civile, Aggiornamento, Utet, Torino, 2010, pp. 722-731.

[9] Before Directive 95/46/EC, art. 6 of law 21 February 1989 no. 98, of ratification and execution of the Convention of the Council of Europe n. 108 of 28 January 1981 (so-called Strasbourg Convention), concerning the protection of individuals with regard to the automated processing of personal data, placed religious convictions or other beliefs among the special categories of data.

[10] On the characteristics of religious freedom as collective freedom cf. ex multis G. Casuscelli, Diritto e religione nell’ordinamento italiano, ovvero cosa è il “diritto ecclesiastico, in S. Berlingò - G. Casuscelli, Diritto ecclesiastico italiano. I fondamenti. Legge e religione nell’ordinamento e nella società d’oggi, Giappichelli, Torino, 2020, pp. 17-20.

[11]The art. 9 of the GDPR also provides for other hypotheses of derogation from the prohibition of processing particular data that may concern religious data and the action of religious confessions: a) when the interested party explicitly consents, even if not necessarily in writing, to the processing with regard the pursuit of one or more specific purposes; b) when it comes to particular data that the interested party has already made public in a manifest manner; c) when one falls into one of the cases listed in the same article 9 under letters bj, in which with reference to heterogeneous fields (work, public health, social security and protection, judicial protection, scientific or historical research) the prohibition of treatment is waived of the particular data for the needs of the interested party or of the data controller. The cause of derogation provided for by art. 9, par. 2, lit. g): reasons of significant public interest, as specified in Italy by art. 2 sexies , paragraph 2, lett. r of Legislative Decree no. 101/2018, pursuant to which institutional relations with religious bodies, religious confessions and religious communities fall within the tasks of public interest or connected to the exercise of public powers which authorize the processing of particular data without the consent of the interested party.

Furthermore, it is necessary to highlight the EU Directive 2016/680 of the European Parliament and of the Council of 27 April 2016- relating to the protection of personal data of natural persons with regard to the processing of data by the competent authorities for the purposes of prevention, investigation, assessment and prosecution of crimes or execution of criminal sanctions, as well as to the free movement of such data - Article 10 of which sets strict limits for the processing of data revealing religious beliefs.

Finally, the "Recital" no. 51 of the GDPR provides that it is possible to derogate from the general prohibition of processing particular categories of personal data if the same is performed in the course of legitimate activities of associations or foundations whose purpose is to allow the exercise of fundamental freedoms, while the "Recital" n . 55 of the same GDPR establishes that the processing of personal data carried out by public authorities for the purpose of achieving purposes, envisaged by constitutional law or by public international law, of officially recognized religious associations, is carried out for reasons of public interest.

[12] In particular, the art. 22 of the law no. 675/1996 distinguished between the processing of sensitive data carried out by public subjects, possible only if authorized by prior provision of the law, and the processing of sensitive data carried out by private subjects, possible only with the prior authorization of the Guarantor and written consent of the interested party. Non-profit organizations of a religious nature were included among private entities.

[13]The authorization was in fact a singular and concrete act issued by the Guarantor after a specific request from the data controller. The authorization of the Guarantor had to arrive within thirty days of the request, after which the latter was to be considered rejected.

On the non-correspondence of this discipline with the confessional autonomy guaranteed by the Italian Constitution, see for all A.G. Chizzoniti, Prime considerazioni sulla legge 675 del 1996 «Tutela delle persone e di altri soggetti rispetto al trattamento dei dati personali», in Quaderni di diritto e politica ecclesiastica, 2 (1997), pp. 379-383.

[14] See Italian Episcopal Conference, General Decree “Disposizioni per la tutela del diritto alla buona fama e alla riservatezza”, in Notiziario della Conferenza Episcopale Italiana, 10 (1999), pp. 375-397. For a comment on this Decree, see ex multis C. Redaelli, Il decreto generale della CEI sulla privacy, in Quaderni di diritto ecclesiale, 14 (2001), pp. 175-202. Regarding the cause-and-effect relationship between Legislative Decree no. 135 /1999 and the Italian Episcopal Conference Decree, it has been argued in doctrine that the chronology of the elaboration of the rules of the Italian Church on personal data leads to the conclusion that these rules are prior to the legislative decree no. 135/1999 and that therefore the CEI Decree does not find its origin in the need to adapt to civil legislation (cf. in this sense V. Resta, Il trattamento dei dati sensibili di natura confessionale: questioni ancora aperte dopo l’emanazione del Codice in materia di protezione dei dati personali, in Il diritto ecclesiastico, I (2005), pp. 573- 574, nota 12). In this regard, however, what has been highlighted by G. Buttarelli, Nuovo paradigma sulla privacy in Internet: le sfide che si pongono per istituzioni come la Chiesa, in Chiesa e protezione dei dati personali, cit., p. 10, which underlines both the precedence of Legislative Decree no. 135/1999 with respect to the CEI Decree and that this Decree was elaborated after Cardinal Ruini had the certainty that the legislative decrees that were being elaborated in implementation of l. 675/1996 would also have been applied to the Catholic Church.

[15] This distinction implemented and extended what had already been established with Legislative Decree 467/2001 - containing corrective and supplementary provisions of the legislation on the protection of personal data, pursuant to art. 1 of the law of 24 March 2001, n. 127 - whose article 8, modifying the letter a) of paragraph 4 of the art. 22 of the law 675/1996, established that sensitive data could be processed with the sole authorization of the Guarantor if the processing was carried out by non-profit associations, bodies and organizations, even if not recognized, of a religious nature, including religious confessions, for the pursuit of lawful purposes, in relation to the personal data of the members or of the subjects who for this purpose had regular contact with the non-profit organization, provided that this had set up suitable guarantees and that the data were not communicated or disclosed outside.

This change was induced by the desire to overcome a specific critical profile of the system outlined by law 675/1996 and subsequent amendments and, that is, the attribution of the right to escape the double constraint of the written consent of the interested party and the authorization of the Guarantor only to religious confessions with agreement, excluding from this benefit both religious confessions without agreement and other non-profit organizations. And this against the provisions of Directive 95/46/EC which, under certain conditions, authorized the entire non-profit sector to process sensitive data. On these aspects, conducted for examination by the ordinary judiciary, the Constitutional Court and the Guarantor for privacy, see ex multis: N. Colaianni, Tutela della personalità e diritti della coscienza, Cacucci, Bari, 2000, pp. 214-225; M. Massimi, La tutela dei dati sensibili nel rapporto con i principi di libertà religiosa e di autonomia confessionale, in Corriere giuridico, 11 (2002), pp. 1445-1450; D. Milani, Dati sensibili e tutela della riservatezza: le novità introdotte dal D. Lgs. N. 467 del 2001, in Quaderni di diritto e politica ecclesiastica, 2 (2004), pp. 453-464.

[16] The CEI intervened on the point with the Nota Privacy, protezione dei dati personali ed enti della Chiesa cattolica: prime indicazioni alla luce del “Codice in materia di protezione dei dati personali” (cfr. inwww.chiesacattolica.it.), in which it was stated that, in the light of the combined provisions of articles 26, paragraph 3, lett. a), and 181, paragraph 6, of the Privacy Code, the bodies of the Catholic Church and the civilly recognized ecclesiastical bodies that processed the data for exclusively religious purposes and only within them applied the general CEI Decree of 1999, while in all other cases also for ecclesiastical bodies and for their activity the Italian law was fully applied.

[17] The same art. 1 of law 676/1999 provided for the delegation to issue legislative decrees containing supplementary provisions of the legislation on the subject of protection of the person and of other subjects with respect to the processing of personal data. On the delay of the Italian legislator in terms of data protection and its effects cf. R. Pardolesi, Dalla riservatezza alla protezione dei dati personali: una storia di evoluzione e discontinuità,in Diritto alla riservatezza e circolazione dei dati personali, a cura di R. Pardolesi, Giuffrè, Milano, 2003, pp. 40-42.

[18] Pursuant to art. 40, paragraph 2, lett. a), of Legislative Decree 6 December 2011, converted into Law 2014/2011, the protection was limited to the natural person only in order to reduce the burden on privacy.

For a reconstruction of the privacy protection of subjects other than natural persons in the Italian system before the aforementioned novella, see V. Pignedoli, Privacy e libertà religiosa, Giuffrè, Milano, 2001, pp. 153-196.

[19] With respect to the formula of art. 8 of Directive 95/46/EC, the Italian legislator considered sensitive not only the data that directly reveal religious convictions, but also those capable of revealing these convictions, realizing a wider protection of individual religious freedom.

[20] The first provision of the Privacy Guarantor on the subject of cancellation from the baptismal records is the provision of 13 September 1999 (see web doc. n. 1019502, in www.garanteprivacy.it), which was followed by others with the same outcome against this provision, the interested party lodged an objection to the Court of Padua, which rejected the appeal, reaffirming the decision of the Guarantor: cfr.TribunalediPadova, decr. 29 maggio 2000, in Giustizia civile, 51 (2001), pp. 235-241, nt. G. Dalla Torre, Registro dei battesimi e tutela dei dati personali: luci ed ombre di una decisione. Sulla questione, ampiamente analizzata in dottrina, si veda altresì S. Berlingò, Si può essere più garantisti del Garante? A proposito delle pretese di «tutela» dai registri del battesimo, in Quaderni di diritto e politica ecclesiastica, 1 (2000), pp. 295-328.

[21] In this regard, it is useful to consider that the universal canonical discipline of the registers of the sacraments already provides for custody obligations and rigorous access limits (see cann. 482-491, 535 CIC) which make it objectively unlikely that the communication and dissemination of data could damage or affect the social identity of the interested party understood as a consideration of a subject within a group. In other words, the registration of the baptism that took place and the conservation of this data is a fact internal to the reality of the confessional which does not produce effects in the order of the State. As for the reasons for which the Catholic Church processes data on the occurred celebration of the sacraments, see for all B. Marro, Tutela della privacy e registri ecclesiastici, in Sovranità della Chiesa e giurisdizione dello Stato, a cura di G. Dalla Torre - P. Lillo - Giappichelli, Torino, 2008, pp. 412-413.

[22] As an indication, see in this sense Cons. Stato, Sez. V, 14 novembre 2006, n. 6681, in Il diritto di famiglia e delle persone, 36 (2007), pp. 1579-1612, nt. P. Morozzo della Rocca, Invalidità del vincolo coniugale e diritto di accesso alla cartella clinica del coniuge: i dati riguardanti la salute e la disciplina dell’accesso and nt. M. Canonico, Tutela della riservatezza e diritto alla difesa: un difficile equilibrio nel rapporto tra ordinamento statale ed ordinamento canonico; Cons. Stato, Sez. V, 28 settembre 2010, n. 7166, in Famiglia e diritto, 5 (2011), pp. 500-506, nt. J. Long, Accesso a dati sensibili e annullamento del matrimonio: il diritto alla prova prevale sulla tutela della riservatezza. For a different orientation see, instead, Cons. Stato, Sez. V, 3 July 2003, n. 4002/3, on www.giustizia-amministrativa.it(last access on May 7th, 2024).

 [23] D.lgs. n. 101/2018 joined the legislative decree n. 51/2018 issued in implementation of the aforementioned EU Directive 2016/680. For a critical comment on the methods of adapting the Italian Privacy Code to the GDPR, see V. Cuffaro, Quel che resta di un codice: il D.Lgs. 10 agosto 2019, n. 101 detta le disposizioni di adeguamento del codice della privacy al regolamento sulla protezione dei dati, in Il Corriere giuridico, 10 (2018), pp. 1181-1185.

[24] On art. 17 of the TFEU and its interpretative results cf. ex multis: A. Licastro, Unione europea e «status» delle confessioni religiose. Fra tutela dei diritti umani fondamentali e salvaguardia delle identità costituzionali, Giuffrè, Milano, 2014, spec. pp. 121 - 228; M. Lugato, L’Unione europea e le Chiese: l’art. 17 TFUE nella prospettiva del principio di attribuzione, del rispetto delle identità nazionali e della libertà religiosa, in Quaderni di diritto e politica ecclesiastica, 2 (2014), pp. 305-321; V. Marano, L’art. 17 TFUE e il ruolo delle Chiese in Europa, in Ephemerides Iuris Canonici, 55 (2015), pp. 21-37.

[25] On this point cf. with reference to the different national realities: P. Billaud, A propos d’une pratique de la commission nationale de l’informatique et des libertés: le droit individuel de radiation des registres paroissiaux de baptêmes, in L’Année canonique, 35 (1992), pp. 255-258; A. Carblanc, La protection des données en France et les Eglises, in Quaderni di diritto e politica ecclesiastica, 1 (1994), pp. 15-20; M. Arenas Ramiro, Sentencia del Tribunal Supremo de 19 de septiembre de 2008, sobre cancelación de datos personales en los libros de bautismo, in Quaderni di diritto e politica ecclesiastica, 3 (2009), pp. 969-977; ID., Protección de datos personales y apostasía : la sentencia de Tribunal Supremo de 19 septiembre de 2008, in Anuario de Derecho Eclesiástico del Estado, 26 (2010), pp. 683-702; F. Pérez-Madrid, Protección de datos y autonomía de las confesiones: consideraciones acerca del auto 20/2011 del Tribunal constitucional español, in Il diritto ecclesiastico, I-II (2011), pp. 265-298; A. Fuccillo, Giustizia e religione, I, Giappichelli, Torino, 2011, pp. 146- 147; M. Gas Aixendri, Apostasía y tratamineto jurídico de los datos de carácter personal. La experiencia jurídica europea, in Ius Ecclesiae, 25 (2013), pp. 363-386.

As for the meaning to be attributed to the formula "members, former members and subjects who have regular relations with the religious group due to its purpose", a recent ruling by the EU Court of Justice is relevant, issued before the entry into force of the GDPR, in which, with reference to the "door-to-door" proselytism carried out by Jehovah's Witnesses, it is clarified that the collection of data of people who do not want to be contacted or who were absent during the visit of the preachers, if carried out in the name of the religious confession is admissible, since it concerns information relating to subjects unrelated to the confession itself: cf. European Court of Justice (Grand Section), 10 July 2018, C- 25/17,  in Responsabilità civile e previdenza, 1 (2019), pp. 89-111, nt. R. Panetta, F. Sartore, Proselitismo religioso e protezione dei dati personali: tra esigenze di tutela e particolarità della fattispecie.

For further commentary on this pronunciation see J. Salinas Mengual, Protección de datos: entre el derecho a la intimidad y la autonomia de las confesiones religiosas. El caso finlandés y el español (a propósito de la Sentencia Jehovan Todistajat del TJUE), in Ius Canonicum, 58 (2018), pp. 671-708.

[26] See Guarantor for the protection of personal data, provision of 13 September 1999, cit.

 [27]For an analysis of the right to be forgotten in the GDPR, see usefully A. Thiene, Segretezza e riappropriazione di informazioni di carattere personale: riserbo e oblio nel nuovo Regolamento europeo, in Nuove leggi civili commentate, 2 (2017), pp. 411-444.

As for the jurisprudential pronouncements and the decisions of the national privacy authorities that have anticipated such a definition of the right to be forgotten, see A. Ceserani, Il dato religioso nel sistema europeo di tutela della privacy, in Manuale di diritto alla protezione dei dati personali. II. Edizione. Privacy e GDPR, Maggioli editore, Santarcangelo di Romagna, 2019, p. 472, note 52 e 53.

[28] In reality, with provision n. 146 of 5 June 2019, the Privacy Guarantor, implementing the provisions of art. 21, paragraph 1 of Legislative Decree no. 101/2018, clarified which provisions contained in the general authorizations already adopted are compatible with Community legislation. These specifically include the provisions relating to particular categories of data by associations, foundations, churches and religious associations or communities referred to in Authorization no. 3/2016: see www.garanteprivacy.it(last access on May 7th, 2024). On this point, see usefully G.  Mazzoni, Le Autorizzazioni Generali al trattamento dei dati sensibili da parte delle confessioni religiose. Osservazioni alla luce delle recenti riforme in materia di privacy, in Stato, Chiese e pluralismo confessionale. Rivista telematica (www.statoechiese.it), 7 (2020), pp. 66-90.

[29] M. Ganarin hypothesizes an interpretation in this sense in Salvaguardia dei dati sensibili di natura religiosa e autonomia confessionale. Spunti per un’interpretazione secundum Constitutionem del regolamento europeo n. 2016/679,in Stato, Chiese e pluralismo confessionale, Rivista telematica (www.statoechiese.it), 11 (2018), p. 11.

 

[30] While at par. 1 the art. 91 GDPR takes into consideration the rules for the protection of personal data in force in Churches, associations or religious communities, the same article in par. 2 in providing for the control of the Authority mentions only the Churches and associations. It is probable that this is an editorial choice due to the equivalence of associations to religious communities, so that the reference to the former contained in par. 2 also implies the reference to the latter. Moreover, also in the title of the art. 91 only mentions Churches and religious associations.

On the other hand, it seems less probable to believe that religious communities are not subject to control because they are unable to organize themselves with juridical rules or to express institutional structures. This inability, in fact, would also preclude the elaboration of a complete and compliant corpusof rules to be applied internally instead of the GDPR pursuant to art. 91 par. 1.

On various doctrinal interpretations of this profile of art. 91 see also F. Balsamo, La protezione dei dati personali di natura religiosa, Luigi Pellegrini Editore, Cosenza, 2021, pp. 139-141.

[31]For a positive assessment of the obligation of religious confessions to comply with the principles indicated in the authorization of the Guarantor, see R. Acciai, Privacy e fenomeno religioso: le novità del Codice in materia di protezione dei dati personali, in Quaderni di diritto e politica ecclesiastica, 2 (2004), pp. 357- 358,  note 46, who believes that these principles constitute a certain and generalized point of reference which allows the Guarantor himself to legitimately and objectively assess the adequacy of the guarantees provided by individual religious confessions and places the latter in a position to oppose to an arbitrary evaluation.

[32] Significantly see in this regard the Prolusion, given on the occasion of the inauguration of the 72nd judicial year of the Piedmonts’ Regional Ecclesiastical Court, by F. Pizzetti, La protezione dei dati personali e i rapporti tra Stato e Chiesa, del 19 febbraio 2011, p. 17, in www.tribunaleecclesiasticopiemontese.it(last access on May 7th, 2024), in which the then Privacy Guarantor highlighted that the obligation to adopt suitable guarantees, envisaged for religious confessions that wanted to process sensitive data without the consent of the interested party, was not accompanied an obligation to communicate these guarantees to the Guarantor.

[33] The principle of accountability, as a feature of the GDPR (see  recital no. 78 and art. 25 GDPR) which shifts the axis of the protection system from the rights of the data subject to the obligations of the person who processes the data, implies both that the data controller adopts technical and organizational measures aimed at complying with EU and national rules (privacy by design), and that only the data indispensable for the activity to be carried out and for the strictly necessary time are processed (privacy by default). On this point, see R. Celella, Il principio di responsabilizzazione: la vera novità del GDPR, in Ciberspazio e diritto, 19 (2018), pp. 211-224. For applications of the principle of accountability see instead B. Borrillo, La tutela della privacy e le nuove tecnologie: il principio di accountability e le sanzioni inflitte dalle Autorità di controllo dell’Unione europea dopo l’entrata in vigore del GDPR, in Dirittifondamentali.it, 2 (2020), pp. 326-356.

[34] In the text of the GDPR there are eleven references to the religious factor, while in Directive 95/46/EC there were three references.

[35] The indication of a time limit should be understood as an organizational criterion, aimed at avoiding the risk of an uncertain overlap between confessional norms and European norms for an indefinite time. Therefore, it does not seem plausible to attribute discriminatory effects to this limit, as has also been hypothesized in doctrine (cfr. in this sense U. Rhode, La Chiesa e il rispetto della privacy: la prassi amministrativa e il governo della Chiesa, in Chiesa e protezione dei dati personali, a cura di J. Pujol, Edusc, Roma, 2019,p. 52, note 13)since the same possibility (developing one's own discipline within a certain time) has been attributed to the same subjects (religious denominations and associations or communities). Any disadvantageous situation in which religious confessions or associations that have not drawn up their own legislation could find themselves would therefore result from their choice of freedom rather than from a non-compliance with the principle of equality of art. 91 GDPR.

[36] See European Court of Justice (Grand Section), 10 July 2018, C-25/17, cit., p. 100; European Court of Justice (Grand Chamber), 17 April 2018, C-414/16, in Il diritto ecclesiastico, I-II (2018), pp. 352-362.

[37] See Italian Episcopal Conference, Decreto generale sulle Disposizioni per la tutela del diritto alla buona fama e alla riservatezza, 25 maggio 2018, in Notiziario della Conferenza episcopale italiana, n. 2 (31 maggio 2018), pp. 1-40.

[38] In this regard, it should be highlighted that the common validity of the GDPR in all the member countries of the Union has not led to a common reaction of the particular Churches given that if to date there are at least eleven national episcopates that have acted to adapt to the provisions of the European Regulation, the modalities and concrete contents of this adaptation are different. The general decrees adopted pursuant to can. 455 § 2 CIC are in fact accompanied by episcopal laws, instructions or simple explanatory documents of the GDPR; likewise, the corpus of purely canonical norms is accompanied by acts which consist in a mere reproduction of the European rules. A collection of particular canon law norms on the protection of personal data can be found at the address https://www.iuscangreg.it/protezione_dati.php?lang=EN(last access on May 7th, 2024).For a comparative analysis of these rules see ex multis: J. A. Rodríguez García, Autonomía de las confesiones y derecho comunitario: la protección de los datos personales en este contexto, in Revista General de Derecho Canonico y Derecho Eclesiastico, 49 (2019), pp. 26-40; M. J. Roca, La aplicación del Reglamento Europeo de Protección de Datos por las Conferencias Episcopales Europeas, in El derecho de libertad religiosa en el entorno digital. Actas del IX Simposio Internacional de Derecho Concordatario, Madrid, 5 al 7 Junio de 2019, J. M.A. Vázquez García-Peñuela - I. Cano Ruiz, (eds.), Editoral Comares, Granada, 2020, pp. 471-497.

[39] In this sense, the art. 4 § 1 of the CEI Decree for which the treatment carried out for reasons of ecclesial public interest must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to protect the fundamental rights and the interests of the 'interested.

[40] On the contents of the 2018 Decree, in which, alongside specifically canonical norms, all the structural aspects of the GDPR are present, see: M. Mosconi, La normativa della Chiesa in Italia sulla tutela della buona fama e della riservatezza: dal decreto generale del 20 ottobre 1999 al decreto generale del 24 maggio 2018, in Quaderni di diritto ecclesiale, 33 (2020), pp. 136-166.

A quick survey of the effective implementation of the Decree by the Italian dioceses, conducted through a mapping of the diocesan and parish sites, can be found in F. Gravino, La tutela del diritto alla buona fama e alla riservatezza. Passi compiuti e passi da compiere tra GDPR e Decreto della Conferenza episcopale italiana del 24 maggio 2018, in Protezione dei dati personali e nuove tecnologie. Ricerca interdisciplinare sulle tecniche di profilazione e sulle loro conseguenze giuridiche, a cura di A. Adinolfi e A. Simoncini, Edizioni Scientifiche italiane, Napoli, 2022, pp. 203-230.

[41] On the meaning assumed by the concept of confidentiality and the right to defend one's privacy in the legal order of the Catholic Church, I take the liberty of referring to B. Serra, Intimum, privatum, secretum. Sul concetto di riservatezza nel diritto canonico, Mucchi Editore, Modena, 2022, spec. pp. 101-161.

[42] On the use by religious confessions or in relation to the religious factor of IT tools and on the risks of this use for the right to the protection of personal data, see P. Perri, La tutela dei dati personali nei social networks e nelle app religiose, in Jus Online, 3 (2020), pp. 82-97; J. Pujol, La Chiesa e il rispetto per la privacy: aspetti di comunicazione istituzionale, in Chiesa e protezione dei dati personali, cit., pp. 65-82.

For an analysis that highlights the greater danger for the protection of particular data that derives from the use of the Internet, see A. Busacca, Le “categorie particolari di dati” ex art. 9 GDPR. Divieti, eccezioni e limiti alle attività di trattamento, in Ordine internazionale e diritti umani, I (2018), pp. 36-40.

[43] The regulations of the diocese of Luxembourg on data protection are structured entirely on the GDPR and explain it: cfr. Standards internes de L'Archevêché de Luxembourg en matierè de protection des donnés, in https://www.iuscangreg.it/protezione_dati.php?lang=EN (last access on May 7th, 2024).

[44] G. Buttarelli, Nuovo paradigma sulla privacy in Internet: le sfide che si pongono per istituzioni come la Chiesa, in Chiesa e protezione dei dati personali, cit., p. 13.

[45] In particular, the GDPR explains both how the independent supervisory authorities must be constituted and the characteristics they must possess (see articles 52 pars. 1-5, 53-54), and the investigative, corrective and authorization powers that these Authority have in order to effectively supervise the application of the Regulation (cf. articles 51, paragraph 1, 57-58).

[46] On this point, it is sufficient to consider two powers of the Supervisory Authority which could interfere with the freedom of action and organization of a religious denomination: access to all premises, means and tools of the data controller and of the data processor in accordance with Union law and the procedural law of the Member States, impose a temporary or definitive limitation of the processing itself (cf. articles 58 paragraph 1 letter f and paragraph 2 letter f GDPR).

For the interpretation of the art. 91, par. 2 of the GDPR as a rule that authorizes the confessional constitution of the Supervisory Authority see M. Ganarin, Specificità canonistiche e implicazioni ecclesiasticistiche del nuovo Decreto generale della Conferenza Episcopale Italiana sulla tutela del diritto alla buona fama e alla riservatezza, in Quaderni di diritto e politica ecclesiastica, 2 (2018), p. 610, M. Ganarin, who believes that the reference, contained in the art. 91. para. 2 of the GDPR, to the discipline of the Supervisory Authority contained in Chapter VI of the same regulation, makes sense only as a tool to direct the establishment of the same Authority by religious denominations. In indirect support of this argument see, moreover, A. Fabbri, I dati personali di natura religiosa, tra scelte individuali e trattamento confessionale collettivo, in Innovazione tecnologica e valore della persona. Il diritto alla protezione dei dati personali nel Regolamento UE 2016/ 679, edited by L. Califano - C. Colapietro, Editoriale scientifica, Napoli, 2017, p. 562, note 55, which considers compliance with the requirements indicated in Chapter VI of the GDPR a sufficient guarantee of independence even if the Supervisory Authority is constituted by the religious denomination.

[47] In this sense, see D. Durisotto, Diritti degli individui e diritti delle organizzazioni religiose nel Regolamento (UE) 2016/679. I “corpus completi di norme” e le “autorità di controllo indipendenti”, in federalismi.it, 27 (2020), p. 59; M. Parisi, Trattamento dei dati sensibili, tutela dei diritti individuali e salvaguardia dell’autonomia confessionale. A proposito del Regolamento europeo n. 2016/ 679 e della sua applicazione nell’ordinamento italiano, in Diritto e società, 4 (2020), p. 772; V. Marano, Impatto del Regolamento Europeo di protezione dei dati personali per la Chiesa. Prime soluzioni nei Decreti generali delle Conferenze episcopali: l’esperienza italiana, in Chiesa e protezione dei dati personali, cit., pp. 28-30.

[48] In Poland a single and specific supervisory body has been established for the whole country, the ecclesiastical Inspector for the protection of personal data, while in Germany five persons in charge of interdiocesan data protection have been set up to supervise the twenty-seven German archdioceses. On this point, see usefully T. Rozkrut, Decreto generale della Conferenza Episcopale polacca relativo alla questione della protezione delle persone fisiche con riguardo al trattamento dei dati personali nella Chiesa cattolica, in Ius Ecclesiae,31 (201)9, pp. 499-514; S. Konrad, La protezione dei dati personali nella Chiesa tedesca, ivi, pp. 449-470.

 

[49] On this orientation of the EU Court of Justice applied to disputes concerning the religious factor, see for all P. Floris, Organizzazioni di tendenza religiosa tra Direttiva europea, diritti nazionali e Corte di Giustizia UE, in Stato, Chiese e pluralismo confessionale. Rivista telematica (www.statoechiese.it),12 (2019), spec. pp. 12-13.

[50] See Constitutional Court, 30 July 1984, n. 239, in Il Foro italiano, 107 (1984), cc. 2397-2404, nt. N. Colaianni, L’appartenenza «di diritto» alle comunità israelitiche tra legge, intesa e statuto confessionale.

With reference to the Catholic Church, the principle sanctioned by the Constitutional Court finds confirmation and support in art. 2 letter c of the Additional Protocol to the Agreement of 18 February 1984 (law 25 March 1985 n. 121) pursuant to which the civil effects of the sentences and provisions issued by the ecclesiastical authority against clergymen and religious in spiritual or disciplinary material they must be understood in harmony with the rights constitutionally guaranteed to Italian citizens.

[51]See Tribunale di Padova, decree 29 May 2000, cit., p. 235.

[52] For information, see among the most recent provisions: Privacy Guarantor, provision of 13 December 2012, doc. web. no. 23338014; provision of 20 September 2012, doc. web. no. 2099418; provision of 21 April 2011, doc. web. no. 1816392 inwww.garanteprivacy.it .

For earlier decisions, see C. Ventrella Mancini, Diritto alle “identità” e profili interordinamentali: cambiamenti di status e certificazioni religiose, in Diritto e Religioni, 5 (2010), pp. 255-256.

[53] For the thesis, dating back, according to which in the matters that the confessional normative model includes in the autonomy of the Church, there are no rights based on state norms, see instead O. Giacchi, La giurisdizione ecclesiastica nel diritto italiano, Giuffrè, Milano, 1970, pp. 385-387.

[54] On the possibility of extending the criterion of prevention, indicated by the Court of Cassation with reference to the concurrent competence alternatively of the State and the Church in the matter of remuneration of the clergy in the service of the diocese, to other topics, see G. P. Montini, Il ricorso della autorità giudiziaria civile nei processi matrimoniali canonici. Una valutazione giudiziaria a partire dalle disposizioni concordatarie italiane, in Quaderni di diritto ecclesiale, 16 (2003), pp. 142-143.

[55] In this sense, with reference to the reality of the Catholic Church in Germany, cfr. S. Konrad, La protezione dei dati personali nella Chiesa tedesca, cit., pp. 468-469.

[56] In this sense, see S. Berlingò, Si può essere più garantisti del Garante? A proposito delle pretese di «tutela» dai registri del battesimo, pp. 308-309; G. Dalla Torre, Registro dei battesimi e tutela dei dati personali: luci ed ombre di una decisione, cit., pp. 239-240; V. Marano, Libertà religiosa e autonomia confessionale nella società dell’informazione. Nodi problematici e prospettive di evoluzione alla luce del “Codice in materia di protezione dei dati personali, in Iustitia, 2-3 (2004), pp. 341-343.

[57] See Corte costituzionale, 12 April 1989, n. 203 in Il Foro italiano, I (1989), cc. 1333-1346 nt. N. Colaianni, Il principio supremo di laicità dello Stato e l’insegnamento della religione cattolica.

[58] On this specific point I take the liberty of referring to B. Serra, Sulla responsabilità civile del giudice canonico. Profili giurisdizionali, in Ius Ecclesiae, 24 (2012), pp. 252-253.

[59] On the cornerstones that govern the relationship between state jurisdiction and confessional jurisdiction by reason of the secular nature of the state, see for all C. Cardia, Principi di diritto ecclesiastico. Tradizione europea legislazione italiana, Giappichelli, Torino, 2010, pp. 276-282.

As for the issue of compensation for damages, it is worth remembering that the United Sections of the Court of Cassation have ruled that only the infringement of a right guaranteed by the state legal system and determined by the effects in the civil court of a measure or action by the confessional authority configures the unjust damage: Cass. Civ., Sez. Un., 13 June 1989, n. 2853, in Quaderni di diritto e politica ecclesiastica, 1 (1990), pp. 402-409.

[60] For considerations aimed at highlighting the dignity of the person as a value whose protection requires overcoming the principle of separation between the order of the State and the order of the Church, see for all N. Colaianni, Tutela della personalità e diritti della coscienza, Cacucci Editore, Bari, 2000, pp 54-59.

[61] In this regard, see the Annual Reports of the Privacy Guarantorof 2018, 2019, 2020, 2021, at www.garanteprivacy.it(last access on May 7th, 2024). In this period of time the only question of data processing by religious denominations has arisen with reference to the Christian Congregation of Jehovah's Witnesses: cfr. Guarantor for the protection of personal data, provision of 25 February 2021, doc. web 9574136, at www.garanteprivacy.it (last access on May 7th, 2024).

[62] On this point, see G.P. Montini, I tribunali ecclesiastici competenti in materia di privacy in Germania, in Quaderni di diritto ecclesiale, 33 (2020), p. 223.

[63] See articles 1 and 13, para. 2 of the Agreement of February 18, 1984 (law March 25, 1985 n. 121); art. 17, paragraph 3 of the Treaty on the functioning of the European Union.

Serra Beatrice



Guarda tutti gli articoli scritti da Serra Beatrice


Download:
SERRA_2_2024_Final.pdf
 

Array
(
    [acquista_oltre_giacenza] => 1
    [can_checkout_only_logged] => 0
    [codice_fiscale_obbligatorio] => 1
    [coming_soon] => 0
    [disabilita_inserimento_ordini_backend] => 0
    [fattura_obbligatoria] => 1
    [fuori_servizio] => 0
    [has_login] => 1
    [has_messaggi_ordine] => 1
    [has_registrazione] => 1
    [homepage_genere] => 0
    [homepage_keyword] => 0
    [insert_partecipanti_corso] => 0
    [is_login_obbligatoria] => 0
    [is_ordine_modificabile] => 1
    [libro_sospeso] => 0
    [moderazione_commenti] => 0
    [mostra_commenti_articoli] => 0
    [mostra_commenti_libri] => 0
    [multispedizione] => 0
    [pagamento_disattivo] => 0
    [reminder_carrello] => 0
    [sconto_tipologia_utente] => carrello
    [scontrino] => 0
    [seleziona_metodo_pagamento] => 1
    [seleziona_metodo_spedizione] => 1
)

Vai alla categoria Papers
 

Consulta l'archivio

Articoli Open Access

Colant omnes quemque. Tornare all’essenziale dopo il ddl Zan

Ultimi 3 numeri

JUS - 2025 - 1
JUS - 2024 - 3
JUS - 2024 - 2

Annate disponibili online

2025202420232022202120202019201820172016201520142013201220112010200920082007200620052004200320022001200019991998199719961995199419931992199119901989198819871986198519841983198219811980197919781977197619751974196919681967196619651964196319621961196019591958195719561955195419531952195119501943194219411940

Fascicoli anno 2025

[1]

Inserire il codice per attivare il servizio.

Chiudi