Article 91

Existing data protection rules of churches and religious associations

General Data Protection Regulation · UE 2016/679

Existing data protection rules of churches and religious associations

1.   Where in a Member State, churches and religious associations or communities apply, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of natural persons with regard to processing, such rules may continue to apply, provided that they are brought into line with this Regulation.

2.   Churches and religious associations which apply comprehensive rules in accordance with paragraph 1 of this Article shall be subject to the supervision of an independent supervisory authority, which may be specific, provided that it fulfils the conditions laid down in Chapter VI of this Regulation.

Luxembourg specificity
loi luxembourgeoise du 1er aout 2018 portant organisation de la Commission nationale pour la protection des donnees et mise en oeuvre du RGPD

In Luxembourg, no specific religious supervisory authority has been established: the CNPD remains fully competent over churches, communities and religious associations, in line with the law of 1 August 2018 organising the CNPD and implementing the GDPR. Agreements between the State and recognised faiths do not create a derogatory data protection regime; the GDPR and national law apply in full.

Luxgap practice: never assume a local derogation; document your article 9 basis and keep a record enforceable before the CNPD, since it, not any internal body, will supervise your processing.