Can you use GDPR law to delete your church records? This was the question I asked in 2018 shortly after GDPR (General Data Protection Regulation) launched in May of that year. You can catch up on my efforts to use GDPR to leave the Catholic Church which even featured in national press. You can also read my frustrations with how long it things were taking.
There’s a large chapter in this story I haven’t documented; the final chapter. A bittersweet end to a very long story. It came early in 2023. So my apologies for being very late with this final update.
Taking the DPC to the High Court
The story picks up at years of inaction from the Data Protection Commission (DPC). My complaint was submitted back in 2018, requesting that the Church delete my baptismal records as they were now inaccurate. I’m not Catholic, so why should they hold a record stating I am.
By 2022, nothing had happened. I was getting no closer to a decision being made. What started out with a simple goal, a new challenge, had entered the fray. To reach a conclusion, I would have to shift my focus from the Church, to the DPC itself.
So I brought in a legal team, a sentence which I still enjoy saying. I was now represented by William McLoughlin Bl instructed by Gibson and Associates solicitors. I was now taking the DPC itself to the High Court, as the DPC was failing to complete the investigation into my complaint and that was unlawful.
This went through a lot of small updates. Brief mentions and general updates I really don’t know a lot about, even being through the process. This is why you get a legal team.
All the updates don’t really matter, because I never did get my day in court. I’m sure, purely by coincidence, the DPC started to move on making a decision with my complaint. This deemed my request for a judicial review was no longer needed, and so my case was dropped.
Now the focus was the DPC’s decision and that decision finally came in February 2023.
DPC Rules Catholic Church Can Process Data Against Individuals Request
The key finding of the DPC’s decision which was published on 27 February 2023 was that the Archbishop, and effectively the Church, could continue to retain erroneous records even if individuals do not want the Church to retain them.
The DPC deemed that GDPR contained a mechanism called “legitimate interests” and that this was sufficient for the Church to continue “processing” or retaining personal data like my baptismal record. “Legitimate interest” is an unfortunately vague element of GDPR. Simply put, if an organisation states that it requires your data to operate, it can retain your data.
Important sidenote here. My personal complaint against the Church was not the only one. Several others, it turned out, had done the same thing both before and after me. This meant that the DPC’s investigation and final decision was made against the Archbishop of Dublin, setting the precedent which I could assume in my own complaint which was against the Diocese of Ossory.
The Archbishop of Dublin made an argument on behalf of the Church with several points. This included the rather pedantic point that baptismal records are not a filing system because they are in chronological order and so not easy to find individuals. He also argued the records are a matter of historical fact and not solely about Church membership.
What really annoyed me was any mention of Canon Law. He mentioned that Canon Law requires permanent retention of these records. Canon Law is the church’s own internal law system which, in my eyes, doesn’t matter and shouldn’t even have been in consideration for the DPC.
To be fair to the DPC they did acknowledge the importance of Canon Law to the Church but also clarified it would not overwrite the requirements of GDPR. However, the DPC unfortunately did maintain that baptismal records are subject to GDPR but you don’t have a right to delete your records. Because the Church has legitimate interest to retain that data to operate.
So, what does options does this leave you with if you no longer want to be Catholic?
Leaving the Catholic Church with GDPR
The short answer to my opening question is that GDPR nor the Church itself offer a clear route to leave the Catholic Church. Which has left me with many other questions as deep and meaningful as “what is leaving the Catholic Church” and what does that even mean.
Simply because the Church has retained a document saying they believe something, doesn’t make it true. They continue to claim I’m Catholic in their eyes, but apparently do not use baptismal records to determine numbers in the Church. So I wasn’t being counted as Catholic, wasn’t practising as a Catholic and therefore I’m not Catholic.
But throughout all of this I did have one massive victory.
The Catholic Church Now Updates Baptismal Records on Request
When I initially made my complaint, the Bishop of Ossory said he would update a supplementary record in the Diocese of Ossory files that stated I no-longer want to be considered Catholic.
I wasn’t happy with this. I’ve studied history in college and know that one record can easily give the wrong context. By updating a supplementary record and not the original document, someone could view just my baptismal record and assume I’m Catholic.
After the DPC’s decision, I submitted a Data Access request to the Diocese of Ossory, because I wanted to know what they actually had containing my personal data. I got back a lot of stuff, including the letter that Dermot Farrell sent me back in 2018, communications between the DPC and the Diocese of Ossory and a supplementary file which documented my request to no longer be considered Catholic.
To say I was underwhelmed.
But this was the only record provided which stated I am no longer Catholic and was not in line with the process the DPC had outlined in its ruling.
The DPC stated that the original baptismal document could have been annotated, which was a suggestion from the Archbishop of Dublin himself. This was not done and only uncovered by myself after requesting my data through a Data Access request.
Seeing this original document updated was a great moment for me. It gave me the satisfaction that I had reached a point I was happy enough with. It answered that earlier question of “what is leaving the Catholic Church”, because this was enough for me.
But a really important point here is that if you want to do the same as I do, you should first request it be actioned, and then follow up with a Data Access request to ensure it has been actioned appropriately.
Is This The End?
Six years on from when I started this journey, it’s at an end. Or at least it’s at an end for now.
GDPR hasn’t gone through any major changes since 2018, but the understanding of the law and how it’s applied is constantly evolving. The interpretation of “legitimate interest” could change or GDPR could be completely overhauled at some stage in the future, opening the door to a new complaint.
Could I have achieved what I achieved with my baptismal records without GDPR? Possibly, yes. But I believe the pressure of having the DPC looking into things likely made the Church act upon updating documents. The Archbishop of Dublin likely offered up adding comments to baptismal records to show cooperation and provide an easy option for the DPC to find satisfactory, while the Church got to retain its records.
But for now, the DPC has decided that the Church can retain my data based on “legitimate interests” outlined in GDPR. Do I agree with this? No. I absolutely don’t. There were avenues to take this back into a new legal process, but I decided it was time to call it a day, at least for now unless some new precedence emerges that gives my complaint new life.
But, what I’ve learned over these six years is that whatever the Church wants to believe or document about me, doesn’t really matter, at least not to me. I was challenging a document that I believed was incorrect. I accept it’s a factually correct document in terms of stating I was in a church getting my head wet one day, but utterly disagree with anything that suggests I’m at all Catholic.
I’m not. And I’m not because I say I’m not. The Church has absolutely not right, legal or moral, to tell anyone what to do or what to believe. I respect if you’re opting into that of free will and find it pretty poor form they don’t show the same respect for letting people back out again. But that’s their problem not mine.
I’m happy to know that if my grandchildren ever stumble upon my baptismal records (I’ve no idea how that might happen), they will clearly show that I am not Catholic, and that’s what I set out to achieve (in a roundabout way).
If you were baptised and no longer consider yourself Catholic, I do recommend doing this.
- Email your local dioceses and request they amend your records
- I also recommend not baptising out of habit. The term I coined at the start of this was “passive Catholicism”. The Catholic Church does do good. I would never deny that. But I couldn’t remain a member of any organisation riddled with child abuse, coverups and utter hypocrisy. If I ever have kids, they won’t be baptised nor will they be attending any school overseen by the Church.
What Does the DPC Do?
One final note I have to add is the Data Protection Commission’s mission being unclear to me.
It’s difficult to not draw conclusions from the DPC kicking into action after a legal challenge was made in the High Court. In the aftermath of the DPC’s decision and finding that the Diocese of Ossory had not updated the original document outlined in the final decision, I asked the DPC if this should be highlighted to ensure all similar requests are handled properly.
The response from the DPC, honestly, left my jaw on the ground.
The DPC stated, “as an independent Office, it is not within the remit of the Data Protection Commission to examine an organisation’s policies and procedures regarding compliance with data protection laws”.
This was greeted with an audible “huh?” from me.
My understanding here is that the DPC doesn’t look at how organisations are handling data prior to the large scale investigation as that might compromise the DPC in such an investigation.
To me, it’s a missed opportunity to truly support the spirit of data protection and focus on prevention rather than penalising. Given the rather large fines the DPC has issued to tech companies in recent times, the incentive really isn’t to shift towards protecting data. Instead, it’s to punish poor data protection.
Thank You
Yep. That’s it. For now, at least. I want to thank everyone who’s been involved in this. From the support my my other half, family, friends, my legal team (love saying that) and the massive number of people who’ve dropped into my DMs and inbox asking for updates and how they can follow suit. I’m glad that this story has given you the blueprint for the paperwork side of disassocation with the Church.
Thanks to you all.
 on using GDPR to leave the Catholic Church by erasing baptismal records. A mixed bag of a story.){kind=link}