Existing data protection rules of churches and religious associations
General Data Protection Regulation · UE 2016/679
Existing data protection rules of churches and religious associations
1. Where in a Member State, churches and religious associations or communities apply, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of natural persons with regard to processing, such rules may continue to apply, provided that they are brought into line with this Regulation.
2. Churches and religious associations which apply comprehensive rules in accordance with paragraph 1 of this Article shall be subject to the supervision of an independent supervisory authority, which may be specific, provided that it fulfils the conditions laid down in Chapter VI of this Regulation.
In Luxembourg, no specific religious supervisory authority has been established: the CNPD remains fully competent over churches, communities and religious associations, in line with the law of 1 August 2018 organising the CNPD and implementing the GDPR. Agreements between the State and recognised faiths do not create a derogatory data protection regime; the GDPR and national law apply in full.
Luxgap practice: never assume a local derogation; document your article 9 basis and keep a record enforceable before the CNPD, since it, not any internal body, will supervise your processing.