Article 91: Existing data protection rules of churches and religious associations

Article 91 allows churches and religious associations that already had comprehensive data protection rules in place when the GDPR took effect to keep using those internal rules, but only if the rules are brought into line with the GDPR (Regulation (EU) 2016/679, Article 91). Operationally, you must confirm whether this carve-out applies, map your existing church rules to GDPR requirements, close gaps, and retain evidence that your rules and oversight mechanisms align with GDPR.

Key takeaways:

  • Confirm applicability first: Article 91 only matters if your church/community had comprehensive rules at GDPR entry into force (Regulation (EU) 2016/679, Article 91).
  • Keep the rules, but align them: perform a documented gap assessment and remediation to “bring into line” with GDPR (Regulation (EU) 2016/679, Article 91).
  • Evidence wins audits and examinations: maintain a role-and-scope register, an operating procedure, and recurring evidence packets for audits and inquiries (Regulation (EU) 2016/679, Article 91).

A lot of church and religious-association privacy programs have two overlapping regimes: internal church data protection rules and the GDPR. Article 91 is the bridge between them. It does not exempt you from GDPR outcomes; it permits continuity of existing, “comprehensive” church rules that were already applied when the GDPR entered into force, as long as those rules are brought into line with the GDPR (Regulation (EU) 2016/679, Article 91).

For a Compliance Officer, CCO, or GRC lead, the operational goal is simple: decide whether your organization legitimately relies on Article 91, then make that reliance defensible. That means (1) documenting the historical and jurisdictional basis for using church rules, (2) mapping those rules to GDPR obligations to prove alignment, (3) updating procedures, templates, training, and third-party contracting to remove gaps, and (4) maintaining an audit-ready evidence pack that shows the rules are actively used, not just archived.

This page is requirement-level guidance focused on execution. You can hand it to your privacy lead, internal audit, and your church governance stakeholders to get aligned quickly and produce evidence that holds up in diligence.

Regulatory text

Text (excerpt): “Where in a Member State, churches and religious associations or communities apply, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of natural persons with regard to processing, such rules may continue to apply, provided that they are brought into line with this Regulation.” (Regulation (EU) 2016/679, Article 91)

Operator interpretation: You may keep using existing church/religious association privacy rules only if:

  1. you were applying those rules when GDPR entered into force,
  2. the rules were “comprehensive” for personal data processing, and
  3. you can demonstrate they are aligned to GDPR requirements in practice, not just on paper (Regulation (EU) 2016/679, Article 91).

This requirement is less about drafting new policy and more about governance, mapping, and proof.

Plain-English interpretation of the requirement

Article 91 is a continuity clause. If your church or religious community already had its own end-to-end privacy rulebook in place when the GDPR entered into force, you can keep running that rulebook. The tradeoff: you must update it so it matches GDPR expectations (lawful basis concepts, data subject rights, security, accountability, etc.) and you must be able to show that alignment (Regulation (EU) 2016/679, Article 91).

A practical way to think about it:

  • Article 91 does not mean “churches are exempt.”
  • Article 91 means “existing church rules can be your operating framework, if they reach GDPR-equivalent outcomes and controls” (Regulation (EU) 2016/679, Article 91).

Who it applies to

In-scope entities

  • Churches.
  • Religious associations or communities.
  • Church-affiliated legal entities that process personal data under the church’s internal privacy rules (for example, dioceses, parishes, orders, affiliated charities, schools, health or social service arms), if they are within the organizational scope of those rules (Regulation (EU) 2016/679, Article 91).

In-scope operational contexts

You should treat Article 91 as relevant when any of the following are true:

  • You reference “church law,” “ecclesiastical privacy rules,” or a church data protection ordinance in your policies or notices.
  • You have a church-appointed privacy authority or internal supervisory structure.
  • Your programs handle sensitive categories of data typical in religious contexts (membership/pastoral records, sacraments, counseling notes, donations tied to individuals, volunteer screening), and you believe church rules govern the processing.

Out-of-scope (common misunderstandings)

  • Organizations with no pre-existing, comprehensive church privacy rules at the time GDPR entered into force cannot “elect” Article 91 later as a shortcut (Regulation (EU) 2016/679, Article 91).
  • A single privacy policy document is usually not “comprehensive rules” by itself; you need a rule set that covers the lifecycle of processing (collection through deletion) (Regulation (EU) 2016/679, Article 91).

What you actually need to do (step-by-step)

Step 1: Make an applicability decision (document it)

Create a short decision record that answers:

  • Are we a church/religious association/community in an EU Member State context?
  • Did we apply comprehensive internal data protection rules when the GDPR entered into force?
  • What is the name/version of those rules, and where are they published internally?
  • Which legal entities and processing activities do those rules cover?

Tie the decision explicitly to Article 91 (Regulation (EU) 2016/679, Article 91).

Output: Article 91 Applicability Memo (approved by Legal/CCO).

Step 2: Build a role-and-scope register (controller/processor + systems)

Operationalize scope before you touch policy language:

  • List each legal entity and decide if it acts as controller, joint controller, or processor for key processing activities.
  • Map data categories (member data, employee data, donor data, safeguarding, pastoral care).
  • Map systems (case management, parish management, HRIS, donation platform, email, cloud storage).

This register is the anchor artifact auditors ask for because it forces clarity on “who does what” (Regulation (EU) 2016/679, Article 91).

Tip: In Daydream, track this as a register with owners, last review date, and linked evidence so scope decisions do not live in email.

Step 3: Perform a “brought into line with GDPR” gap assessment

Use a structured matrix that maps your church rules to GDPR-aligned control outcomes. Keep it practical:

  • Governance/accountability: assigned privacy leadership, escalation, internal oversight.
  • Data subject rights: intake, identity verification, response workflows, logging.
  • Third parties: contracting, instructions, security requirements, onward transfers.
  • Security: access control, incident response, backups, logging.
  • Retention and deletion: retention schedule, legal holds, disposal.
  • Transparency: notices, internal communications, consent where needed.

You do not need to claim perfect textual equivalence; you need to show that your rule set and operating controls deliver GDPR-consistent protections (Regulation (EU) 2016/679, Article 91).

Output: Article 91 Alignment Matrix with gaps, owners, and remediation tickets.

Step 4: Update policies and procedures, then wire them into workflows

Turn the gap list into operational changes:

  • Update church rule text (if you own it) or publish addenda/implementation standards that bring practice into line with GDPR (Regulation (EU) 2016/679, Article 91).
  • Publish a requirement-specific operating procedure: triggers, owners, approvals, and evidence to retain.
  • Update templates: privacy notices, rights request forms, incident intake, third-party clauses.
  • Train the teams who actually touch data (parish admins, HR, safeguarding teams, IT, finance).

Output: Approved SOP + training completion evidence.

Step 5: Implement recurring evidence packets (so you can prove it later)

Set a recurring cadence to collect:

  • register snapshots (role-and-scope),
  • rights request logs and sample case files,
  • third-party contract checks,
  • retention/deletion evidence,
  • incident drills or incident records,
  • exceptions and risk acceptances with approvals.

This converts “we follow church rules aligned to GDPR” into verifiable, time-stamped proof (Regulation (EU) 2016/679, Article 91).

Required evidence and artifacts to retain

Minimum defensible set:

  1. Article 91 applicability memo referencing the internal rules and their historical application (Regulation (EU) 2016/679, Article 91).
  2. Role-and-scope register (entity, controller/processor role, data categories, systems).
  3. Article 91 alignment matrix showing mapping of church rules to GDPR-aligned requirements, gaps, and remediation status (Regulation (EU) 2016/679, Article 91).
  4. Operating procedure (SOP) for how the rules are applied day-to-day, including approvals and escalation paths.
  5. Control evidence: rights request logs, third-party agreements, retention schedule, deletion logs, security/incident artifacts.
  6. Exception register with documented rationale and approvals (time-bound where possible).

Common exam/audit questions and hangups

Auditors, DPAs, and enterprise customers tend to press on:

  • “Show me the rule set that existed when GDPR entered into force and proof it was applied then.” (Regulation (EU) 2016/679, Article 91)
  • “Where is the documented mapping that demonstrates the rules are brought into line with GDPR?” (Regulation (EU) 2016/679, Article 91)
  • “Which legal entities and systems fall under the church rules versus standard GDPR governance?”
  • “How do you handle third-party processors and cloud tools under the church rule framework?”
  • “Show recent evidence: rights requests handled, retention actions, incidents, training.”

Hangup to expect: teams over-focus on theology or governance formality and under-produce operational evidence. Your goal is boring, repeatable records.

Frequent implementation mistakes (and how to avoid them)

  1. Assuming Article 91 is an exemption.
    Avoid it by writing the applicability memo in plain language: you keep church rules only if aligned to GDPR outcomes (Regulation (EU) 2016/679, Article 91).

  2. No clear scope boundary.
    Fix it with a role-and-scope register that is owned, reviewed, and tied to your system inventory.

  3. Policy-only compliance.
    Close the loop with SOPs, workflow tooling, and evidence packets. If parish offices process data, build rights request intake and retention into their daily tools.

  4. Third-party blind spots.
    Treat every external software provider, payroll provider, donation processor, and safeguarding hotline as a third party that must fit your rule framework. Update contracting playbooks and onboarding checklists.

  5. Unowned remediation.
    Each gap needs an owner, target date, and acceptance path if you cannot remediate quickly. Daydream can track these remediation items alongside evidence so your audit story stays coherent.

Enforcement context and risk implications

No public enforcement cases for this requirement were provided in the source catalog, but do not assume regulators ignore it. The practical risk is indirect: if you claim reliance on church rules but cannot show they are aligned and operating, you invite findings under broader GDPR accountability expectations (Regulation (EU) 2016/679, Article 91). Customers and grantors may also treat this as a due diligence red flag if your governance looks bespoke but unverifiable.

A practical 30/60/90-day execution plan

Use phases rather than fixed durations if your governance cycles are slow.

First 30 days (triage and scope)

  • Draft and approve the Article 91 applicability memo (Regulation (EU) 2016/679, Article 91).
  • Build the role-and-scope register for top entities, key processing activities, and critical systems.
  • Inventory the current church rules and all related procedures/templates actually in use.

Days 31–60 (alignment and remediation design)

  • Complete the Article 91 alignment matrix and prioritize gaps by risk (rights handling, third parties, security, retention).
  • Write or update the requirement-specific SOP with owners and triggers.
  • Open remediation work items with accountable owners (policy updates, workflow changes, contract addenda).

Days 61–90 (operate and prove)

  • Roll out updated workflows (rights request intake, retention actions, third-party onboarding checks).
  • Run a mini internal audit: sample rights cases, third-party contracts, and deletion evidence.
  • Establish recurring evidence packets and an exception register; centralize them in Daydream for audit-ready retrieval.

Frequently Asked Questions

Does Article 91 mean churches are exempt from the GDPR?

Article 91 permits continued use of existing church or religious community data protection rules, but only if those rules are brought into line with the GDPR (Regulation (EU) 2016/679, Article 91). You still need GDPR-consistent outcomes and proof.

What does “comprehensive rules” mean in practice?

Treat it as a rule set that covers the full processing lifecycle and governance, not a single policy page (Regulation (EU) 2016/679, Article 91). Your best proof is a mapped control framework plus operating procedures and evidence.

We have church rules today, but they were adopted after GDPR. Can we rely on Article 91?

Article 91 is tied to rules applied “at the time of entry into force” of the GDPR (Regulation (EU) 2016/679, Article 91). If your rules were adopted later, document that and run a standard GDPR alignment approach without claiming Article 91 continuity.

How do we prove our church rules are “brought into line” with GDPR?

Maintain an alignment matrix that maps each church rule area to GDPR-aligned operational controls, shows gaps, and tracks remediation to closure (Regulation (EU) 2016/679, Article 91). Pair it with evidence packets from real operations (rights logs, contracts, retention actions).

What should we do about third-party software used by parishes or ministries?

Bring third-party onboarding and contracting under the same governance: identify the processing role, require appropriate data protection terms, and retain contract and security evidence. Auditors will look for consistency between your stated rules and how third parties handle church data.

Where does Daydream fit without turning this into a tooling project?

Use Daydream as the system of record for the Article 91 applicability memo, role-and-scope register, alignment matrix, and recurring evidence packets. That keeps decisions, remediation, and proof linked so you can answer audits and customer diligence quickly.