Article 91 of the GDPR: Existing rules of churches and religious associations
Article 91 of the GDPR allows churches and religious associations to keep their own internal data protection rules, provided that they comply with the GDPR and are applied systematically.
Article 91 of the GDPR explained
More precisely:
- Churches and religious organizations can continue to apply their internal data processing rules, if these existed before May 2018;
- These rules must be compatible with the GDPR, particularly in terms of personal rights, security and governance;
- Each religious authority can designate its own internal supervisory authority, provided that it complies with GDPR requirements for independence and efficiency.
Why is this article important for your GDPR compliance?
It recognizes pre-existing canon law or religious rules while ensuring alignment with the GDPR. The organizations concerned must therefore make their historical practices coexist with modern compliance obligations.
How to comply with Article 91 of the GDPR?
- Check if your organization falls under a recognized religious framework before 2018;
- Document your internal rules for protecting personal data;
- Establish an autonomous and independent supervisory authority, or collaborate with the CNIL if necessary;
- Train data controllers in the obligations arising from the GDPR.
Examples of application of Article 91 of the GDPR
- A Catholic Church applies its confidentiality rules in the processing of parish registers;
- A religious community maintains a membership file with very strict access restrictions;
- A diocese establishes an ecclesiastical supervisory authority to oversee local processing operations.