According to the BE DPA, a baptized person has the right to be deleted from the baptismal register
The DPA today ordered the diocese of Ghent to comply with the request of a baptized person to be deleted from the baptismal register of his parish. For the DPA, the Catholic Church has a legitimate interest in recording baptisms in a register, but this interest cannot always be invoked once the person expressly states his or her wish to leave the Church and have his or her baptismal data erased.
Background of the case
A baptized person applied to the diocese of Ghent to be deleted from all Catholic Church files, including the baptismal register. However, the Church does not delete the data from the baptismal registers, but rather adds an annotation reflecting the person's wish to leave the Church in the margin of the register.
The right to data deletion, enshrined in the General Data Protection Regulation (GDPR), is not absolute and can only be exercised under certain conditions. The Catholic Church considers that it has a legitimate interest in retaining the data contained in the baptism register, as such retention is necessary for the purpose of data processing, and that the conditions applicable to a request for deletion are therefore not met in this type of case. It also invoked the archival value of this data, which would prevent its deletion.
The unsuccessful party then lodged a complaint with the Data Protection Authority.
The Church's interest and the data subject's interest
The Church's legal basis for processing baptism data is its legitimate interest in preventing possible (identity) fraud, since, according to Catholic doctrine, a baptism can only take place once. It is therefore necessary to keep a record of it.
For the DPA, this is indeed a legitimate interest on the part of the Church.
However, this legitimate interest can only be validly invoked as a basis for data processing if the processing is necessary to achieve this objective, and if the interest of the data subject (here: the complainant) does not override the interest of the organization processing the data (here: the diocese of Ghent).
In the present case, the DPA finds that these two conditions are not met:
- On the one hand, since the register is only kept in paper form within a single parish (that of the baptism), it is not always possible to verify whether or not the baptism took place. Data processing as it is carried out today does not in fact prevent a person from receiving the same sacrament twice, and is therefore not a priori appropriate for achieving the desired purpose.
- On the other hand, the lifetime retention of all the complainant's data - including data not strictly necessary to determine whether a person has already been baptized - is disproportionate from the moment the complainant expressly states that he or she wishes to distance himself or herself from the Catholic Church. In this case, the interests of the complainant override those of the Church.
Consequently, the data processing in question is deemed unlawful, which means that the complainant can exercise his right to have the data deleted. Moreover, data must also be deleted when a legitimate objection to data processing is raised, which is therefore the case here.
Furthermore, the DPA considers that the information provided by the Church regarding the processing of baptismal data is not sufficient, in particular because it does not include any indication to the person (or his/her parents) as to how long the data will be kept.
Order to comply with erasure request
For this reason, the DPA decided to order the Bishopric of Ghent to comply with the complainant's request to object to the processing of his data, and with the request to erase his data.
Hielke Hijmans, Chairman of the Litigation Chamber of the Belgian Data Protection Authority: "In this case, several fundamental rights are at stake. In our decision, we only express ourselves on the application of the GDPR to the data processing carried out by the diocese of Ghent, as is our role. From a data protection point of view, the lifelong processing of data, moreover of a sensitive nature, of a person who has asked to leave the Church cannot be justified if such processing is neither proportional nor strictly necessary to the admittedly legitimate interests of the Church. These conditions were not met in this case".
Parties affected by the decision have 30 days in which to lodge an appeal.
Important note: several cases concerning the data protection aspects of the de-baptization procedure are currently before the Litigation Chamber of the Belgian Data Protection Authority. The decision summarized in this press release concerns only one of these cases.