Le Autorizzazioni Generali al trattamento dei dati sensibili da parte delle confessioni religiose. Osservazioni alla luce delle recenti riforme in materia di privacy

The Regulation (EU) 2016/679 – so-called GDPR - has resulted in a significant reform of the Italian system for the protection of personal data and crystallized in Legislative Decree no. 196 of 30 June 2003. The GDPR, which focuses on principle of accountability and the concepts of privacy by design and privacy by default, has rethought, in particular, the category of data in which those of a religious nature were inserted basing their discipline on a general prohibition of treatment and provided that churches, associations or religious communities can dictate and apply their own internal legislation in this field, provided that it complies with the community provisions of the regulation. Before entry into force of the GDPR, the processing of religious data was mainly linked to the provision by the Guarantor Authority for the protection of personal data of a General Authorization - No. 3 - which allowed religious confessions to process the data of their members. This system has been questioned in part by the GDPR and then re-read by Legislative Decree no. 101/2018, which confirmed the value of the General Authorization n.3 in the framework of a peculiar system of guarantees.