Privacy statement

No. 2311/2018

DATA PROTECTION REGULATION OF THE ROMAN CATHOLIC DIOCESE OF ORADEA

Chapter I: GENERAL PROVISIONS

Article 1 – Purpose and Scope of Application

(1) This regulation ensures the protection of the fundamental rights and freedoms of individuals by establishing rules regarding the protection of individuals in relation to the processing of personal data and the free movement of such data.

(2) This regulation has been developed in accordance with the principles introduced by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation) — hereinafter referred to as the Regulation — on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC. It also takes into account the principles and role of the Universal Catholic Church.

(3) This regulation applies to all entities operating within the framework of the Roman Catholic Diocese of Oradea. Its purpose is to ensure respect for the rights recognized in the regulation during the fully or partially automated processing of personal data, as well as during the non-automated processing of personal data that are part of, or are intended to be part of, a structured filing system.

Article 2 – Legal Definitions

For the purposes of this regulation, the following terms shall have the following meanings:

  1. “Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
  2. “Controller” means the entity within the Roman Catholic Diocese of Oradea that, alone or jointly with others, determines the purposes and means of the processing of personal data;
  3. “Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller;
  4. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
  5. “Supervisory Authority” means the ANSPDCP – National Authority for the Supervision of Personal Data Processing in Romania, which is the independent authority established under Article 51 of the Regulation;
  6. “Restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future;
  7. “Filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis;
  8. “Third party” means a natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
  9. “Data subject’s consent” means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Article 3 – Principles

The following fundamental principles shall be observed in the processing of personal data:

  1. Lawfulness of processing – We make every effort to obtain the data subject’s consent whenever possible, in accordance with applicable laws and this regulation. Exceptionally, if such consent cannot be obtained for non-personal and objective reasons, we may rely on public interest and/or legitimate interest as legal grounds;
  2. Transparency of activities – The controller shall inform the data subject about the processing activities related to the stored data, as well as the rights the data subjects have in accordance with the applicable legislation;
  3. Purpose limitation – Data collection is carried out solely in the interest of the Roman Catholic Diocese of Oradea and, more generally, the Catholic Church, and/or for specific record-keeping purposes;
  4. Data minimization – The data processed shall be limited strictly to what is necessary, relevant, and appropriate for specific records within the Catholic Church;
  5. Accuracy and updating – We ensure that the collected and processed data are kept up to date in accordance with the legal requirements;
  6. Integrity and confidentiality – Data processing shall be carried out in a way that preserves the integrity of the data, and we shall ensure that such data remain confidential;
  7. Storage limitation – Personal data shall be stored in a manner that allows the identification of data subjects only for as long as is necessary for the purposes for which they were collected. It is important to note that data stored in parish records may have particular significance for research, statistics, and as historical documents;
  8. Accountability – The processor, as well as any other individuals or organizations involved in the processing as defined by law and this regulation, must understand and assume full responsibility for the protection of personal data collected, processed, and stored during the performance of designated activities.

Chapter II: Rights of the Data Subject

Article 4 – Right to Information

  1. When the controller collects data from the data subject, the controller shall provide the data subject with all necessary information regarding the identity of the controller, the purpose of the data collection, and, where applicable, information about the processing and storage of the data, the intention (if any) to transfer data to third parties, and the duration of data storage. The specifics of the activity and the nature of records kept at the parish level must be emphasized. The data subject shall also be informed of their rights to request access to personal data, or to request the rectification, restriction, or erasure of such data.
  2. The right to information shall also be preserved when personal data are collected from someone other than the data subject, in accordance with the law.
  3. The exact form and conditions of providing this information shall be determined based on the specific circumstances and as outlined in the Regulation and in the applicable national and/or European legislation and methodologies for implementation.

Article 5 – Right of Access to Personal Data

  1. The data subject has the right to obtain access from the controller to the personal data held and processed by the controller. Additionally, data subjects have the right to receive a variety of information related to the processing of their data, including the right to lodge a complaint regarding the protection of their personal data.
  2. The concrete procedures for exercising this right of access are set forth in the Regulation and in the applicable national and/or European legislation and methodologies for implementation.

Article 6 – Right to Update Personal Data

The data subject has the right to request the controller to update and/or complete their personal data in the event of any changes, taking into account the purpose of data processing and storage.

Article 7 – Right to Restrict Processing

  1. The data subject has the right to request the controller to restrict the processing of personal data under any of the following circumstances:

– the data subject contests the accuracy of the personal data;

– the processing is unlawful, and the data subject opposes the erasure of the data and requests restriction of its use instead;

– the controller no longer needs the personal data for processing purposes, but the data subject requires them for the establishment, exercise, or defense of legal claims;

– the data subject has objected to the processing of the data and the controller is considering whether the controller’s legitimate grounds override those of the data subject; in such cases, data processing may be restricted until the proportionality of interests is resolved.

  2. If the data subject exercises the right to restriction of processing, no further processing operations may be carried out except with the data subject’s explicit consent, unless provided otherwise by law and/or related to the nature and purpose of the records managed by the controller. However, data storage activities remain unaffected by the exercise of this right.
  3. The specific procedures for enforcing the general and particular rules related to the right to restrict processing shall be outlined in the Regulation and in the applicable national and/or European legislation and methodologies for implementation.

Article 8 – Right to Erasure

  1. The data subject has the right to request the erasure of their personal data without undue delay, and the controller is obliged to erase such data without undue delay where one of the following grounds applies:

– the personal data are no longer necessary for the purpose for which they were collected or otherwise processed. It must be considered that certain parish-level records may hold significant scientific and statistical value;

– the data subject withdraws the consent on which the processing is based, and there is no other legal ground for the processing;

– the data subject objects to the processing, and there are no overriding legitimate grounds for the processing;

– the personal data have been unlawfully processed;

– the personal data must be erased to comply with a legal obligation incumbent on the controller.

  2. When the data subject requests the erasure of their personal data, the specific nature of parish records must be taken into account, especially their historical, scientific, and statistical relevance. In such cases, the procedure shall always include documentation of the request for erasure.
  3. The specific procedures for implementing the general and particular rules regarding the right to erasure shall be developed in accordance with the Regulation and the applicable national and/or European legislation and implementation methodologies.

Article 9 – Right to Data Portability

  1. Where the processing of data is carried out by automated means and is based on the data subject’s consent, the data subject has the right to transmit those data to another controller or to request the original controller to transfer such data automatically.
  2. The exercise of this right shall not adversely affect the rights and interests of the processor, provided that the controller’s legitimate interests serve a public interest or the fulfillment of a legitimate interest.
  3. The specific procedures for implementing the general and particular rules on the exercise of the right to data portability shall be developed in accordance with the Regulation and with national and/or European legislation adopted pursuant to the Regulation.

Article 10 – Right to Object

Depending on the specific situation, the data subject may object to the processing of their personal data by the controller. Such objection may be exercised only if the data subject invokes specific and individual reasons justifying the objection, and only if the controller’s legitimate interest no longer outweighs the data subject’s objection.

Article 11 – Consent

(1) In most cases, the collection, processing, and storage of personal data must be based on the consent of the data subject.

(2) Where the processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of their personal data.

(3) For the consent to be valid, the following conditions must be met:

– a freely given declaration of intent by which the data subject clearly expresses their consent;

– the collection, processing, and storage of personal data must be necessary for a specific purpose;

– the consent must be given in an explicit form;

– the controller must not have influenced the giving of consent;

– the consent must be clear and concise;

– the declaration of intent must be expressed by means of a personal statement or by an unambiguous action.

(4) The data subject has the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The data subject must be informed, before giving consent, that they have the option to withdraw it.

(5) It must also be taken into account that within the framework of the Roman Catholic Diocese of Oradea, and more generally within the Catholic Church, the collection, processing, and storage of personal data may be carried out not only based on the data subject’s consent but also on legitimate interest.

(6) Specific provisions regarding other conditions necessary for consent, as well as related rules and developments, are contained in the Regulation and the methodology for implementing current national and/or European legislation.

Chapter III: Internal Departments of the Roman Catholic Diocese of Oradea Ensuring the Protection of Personal Data Collection, Processing, and Storage

Article 12 – Coordination Committee for the Protection of Personal Data

(1) At the level of the Roman Catholic Diocese of Oradea, a committee responsible for coordinating activities related to the protection of personal data (hereinafter: the “Committee”) is established.

(2) The Committee acts on behalf of the Roman Catholic Diocese of Oradea in matters of personal data protection, based on its own statutes.

(3) To effectively carry out its work, the Committee may establish a working organization.

(4) The Committee consists of 3 members, who are nominated and appointed from within the organizational structure of the Roman Catholic Diocese of Oradea.

(5) The head of the Committee is the Chairperson, who represents the Committee in relations with authorities, organizations, third parties, as well as any other natural or legal persons.

(6) In case of a vacancy in the Committee, a new member shall be nominated and appointed within at most 6 months from the date the vacancy arose.

(7) If the transfer of personal data to third parties arises, it may only take place after verifying that the person(s) responsible for the protection of personal data have fulfilled the necessary legal conditions.

Article 13 – Data Protection Officer

(1) The Roman Catholic Diocese of Oradea shall appoint a person responsible for data protection (hereinafter: the Officer).

(2) The Officer must possess the necessary competencies both regarding data protection activities related to personal data processing and the specific activities of the Catholic Church in Romania.

(3) The Officer acts on behalf of and in the interest of the Roman Catholic Diocese of Oradea, for the benefit of the Catholic Church in Romania, and serves as the contact person with the national supervisory authority in matters of personal data protection.

(4) The Officer shall perform their duties ensuring full confidentiality, for which they are accountable. They are required to remain independent in their work and activities, respecting the applicable standards, and must avoid any conflicts of interest in carrying out their tasks.

(5) The Officer shall have at least the following responsibilities:

a) Providing information and advice to all data controllers and their agents, as well as to employees who process personal data in the course of their activities;

b) Monitoring compliance with the European Regulation, national laws, the Regulation, and all regulations and policies related to the implementation of the Regulation and national and European legislation;

c) Assigning specific tasks among data controllers and their agents regarding compliance with and implementation of the European Regulation, national laws, the Regulation, and all regulations and policies related to the Regulation and national and European legislation;

d) Assessing specific or general risks related to the collection, processing, and storage of personal data and, with the approval of the Committee, adopting measures necessary to reduce or eliminate such risks;

e) Conducting specialized training on personal data collection, processing, and storage for those who handle personal data in their activities;

f) Maintaining contact with the national supervisory authority;

g) Providing advice to any body upon request.

(6) The Officer is directly accountable to the Episcopal Conference for the activities performed.

(7) In carrying out their duties, the central Officer may delegate part of their tasks to subordinate leaders, who may be appointed at the level of data controllers or data controller groups. Accordingly, at least three data controller groups shall be established, each under the leadership of an authorized Officer subordinate to the central Officer. The three authorized Officers subordinate to the central Officer shall provide services to the three data controller groups, which are grouped according to common characteristics. The authorized Officers are directly responsible to the data controllers they serve, but also to the central Officer who delegated tasks and responsibilities to them.

(8) The manner of establishing data controller groups, the limits within which the central Officer may delegate tasks to authorized Officers, the appointment and operation of authorized Officers, and other related matters shall be detailed in the methodology for implementing the Regulation and the current national and/or European legislation.

Article 14 – Data Controllers and Their Representatives

(1) Each parish within the Roman Catholic Diocese of Oradea must have the status of a personal data controller, carrying out various activities in this regard, both related to ecclesiastical activities and employee recruitment.

(2) The representatives of these subunits shall be the parishes belonging to the diocese.

(3) Each representative keeps records of the collection, processing, and storage of personal data at the parish level. The receipt, processing, and storage of personal data related to employment relationships shall be conducted in accordance with the Regulation.

(4) The aforementioned records are maintained in writing as well as in electronic form, and are made available to the central director, appointed persons, and the supervisory authority upon request.

(5) The specific manner of implementing the general and particular rules related to personal data collection, processing, and storage by data controllers and their representatives shall be developed in the content of the methodology for the implementation of the Regulation, as well as national law and/or current legislation.

Article 15 – Transmission of Personal Data to Third Parties

(1) The transmission of personal data to third parties shall be carried out with due regard to the appropriate level of protection of the transmitted personal data, in compliance with the requirements set out by national and European legislation, this Regulation, and the standards issued for its implementation.

(2) At the level of the Roman Catholic Diocese of Oradea, the committee established ensures data transfer based on the documentation prepared by the central Officer.

(3) The specific manner of implementing the general and particular rules regarding the transmission of personal data shall be developed in the methodology for the implementation of the Regulation, as well as the current national and/or European legislation.

Chapter IV: Final Provisions

Article 16 – Methodology for the Implementation of the Regulation and National and/or European Law

(1) For the implementation of the Regulation as well as national and European legislation concerning the protection of personal data, the Committee, through the mediation of the central Officer, shall take all necessary measures to establish the required structures and adopt rules for their operation. It shall also take all measures to ensure the lawful, proper, and fair application of all provisions related to the collection, processing, and storage of personal data, including respecting the rights of data subjects and regulations concerning the transfer of personal data. Other considerations related to the processing of special data or specific categories of data processing (for example, the processing of photographs) may also be incorporated into this Regulation.

(2) The methodology shall be communicated by the central Officer and appointed leaders to all data processors within the Roman Catholic Diocese of Oradea, as well as their authorized representatives — that is, all parishes and other structural units working with confidential data.

Article 17 – Entry into Force of the Regulation

This Regulation shall enter into force upon its publication on the website of the Roman Catholic Diocese of Oradea and shall take effect from the date of publication.