Church Data Protection Law: New Training Requirements in 2026

by mark.thompson business editor

A significant shift in data protection practices is on the horizon for Germany’s Catholic Church. As of March 1, 2026, revised versions of the Gesetz über den Kirchlichen Datenschutz (KDG) – the Law on Church Data Protection – and its implementing ordinance, the Durchführungsverordnung zum Gesetz über den Kirchlichen Datenschutz (KDG-DVO), will come into effect. These changes represent a move towards aligning church data protection standards with broader European regulations, particularly the General Data Protection Regulation (GDPR), while addressing specific needs within the church’s operations. One of the most impactful updates centers on mandatory training requirements for personnel and expanded data secrecy obligations.

The revisions introduce two key changes regarding training. First, § 2 Abs. 7 KDG-DVO now explicitly mandates training for employees. Previously, data protection awareness was primarily achieved through data secrecy commitments for full-time staff. Second, § 3 KDG-DVO extends the obligation to maintain data secrecy to individuals serving in volunteer roles. Importantly, provisions allowing previously issued data secrecy declarations under the 2018 KDO regulations to remain valid have been removed, necessitating updates for long-serving personnel.

These changes reflect a broader trend of strengthening data protection within the church, aiming to enhance security and compliance in an increasingly digital world. The new regulations are designed to address evolving challenges, including the handling of sensitive data related to abuse investigations, the streaming of religious services, and the management of church records. Understanding the implications of these changes is crucial for all those involved in church administration and operations.

What Does the New § 2 Abs. 7 KDG-DVO Regulate?

The core of the new regulation lies in the explicit requirement for institutions to provide regular training to their employees. This aims to foster a continuous awareness of data protection principles and best practices. Previously, this sensitization was largely achieved through the commitment to data secrecy required of full-time employees. The updated rule emphasizes proactive, ongoing education rather than relying solely on initial agreements.

The removal of the reference to § 4 KDO – within the data secrecy regulations – means that employees who previously made commitments under the older rules will likely need to reaffirm their obligations under the updated framework. To ensure legal certainty, it is recommended that active employees hired before 2019 be re-committed to data secrecy. Volunteer personnel, if not already covered, should also be required to adhere to data secrecy protocols.

How Does This Compare to Secular Data Protection Law?

The specifics of how this training requirement will be implemented remain open to interpretation. The regulation itself doesn’t detail the content or frequency of training. However, a look at how data protection training is handled in the secular world provides valuable context. The GDPR itself doesn’t mandate explicit training, but it’s implied through several provisions, including:

  • Art. 39 GDPR: Assigns the responsibility for raising awareness and training staff to the Data Protection Officer (DPO).
  • Art. 5 Abs. 2 GDPR: Requires demonstrating compliance with data processing principles, which is difficult to achieve without a trained workforce.
  • Art. 32 GDPR: Mandates appropriate organizational measures to ensure data security, with training recognized as a standard minimum requirement.

The Bundesdatenschutzgesetz (BDSG), Germany’s federal data protection law, goes even further, explicitly requiring sensitization and training through Data Protection Officers (§ 7 Abs. 1 Nr. 2 BDSG). This demonstrates that the new church training requirement aligns with established expectations in the broader data protection landscape.

What Does This Mean for Church Institutions?

Church institutions must now critically evaluate their existing data protection measures and expand them where necessary. Developing a structured training concept is paramount. While the law doesn’t prescribe a specific approach, best practices in the secular sector suggest regular, documented training sessions – perhaps every one to two years – as a starting point. Other methods, such as frequent “data protection refreshers” focusing on specific topics, could also be effective. The key is to ensure all personnel receive consistent and ongoing data protection awareness.

The implementation of these changes will require investment in resources and planning. Institutions will need to determine the appropriate training content, delivery methods, and documentation procedures. Collaboration with data protection experts and the development of tailored training materials will be essential to ensure compliance and effectiveness.

Looking Ahead

The introduction of a formal training requirement in the KDG-DVO is a logical step towards modernizing data protection standards within the church. It bridges the gap between church and state data protection laws and strengthens data security in everyday church operations. Regular training will help minimize risks stemming from a lack of knowledge, ensure legal compliance, and promote responsible handling of personal data.

Given that employees are often unintentionally the cause of data protection breaches, the mandatory training requirement will become a central component of church data protection compliance in the future. The revisions provide a clear legal basis for this, while still allowing responsible authorities sufficient leeway in its implementation. The next key date for institutions to prepare for is March 1, 2026, when the new regulations officially take effect, requiring immediate assessment and planning for compliance.
