Pontifical Commission of Vatican City State Promulgates General Regulation on the Protection of Personal Data
Responsibility and transparency for the protection of people
Perhaps not everyone knows that in the Vatican too, personal data is protected by law. On 30 April 2024, with Decree No. DCLVII, the Pontifical Commission of Vatican City State promulgated its first General Regulation on the protection of personal data.
The legislative regulation fulfils the legal need to respond to the needs and challenges of our times, especially after the start of the digital era. The new Regulation, not only protects physical persons, but also brings the Vatican on the same footing as countries that have made significant steps towards responsibility and transparency in managing personal data.
The normative basis of the Regulation stems from several articles that are part of the Fundamental Law of Vatican City State of 13 May 2023. In particular, Article 7 which states: “The legislative function, except in cases that the Supreme Pontiff intends to reserve for himself, is exercised by the Pontifical Commission of Vatican City State”. And Article 15, paragraph 1-2 states: “The President of the Pontifical Commission is the President of the Governorate and exercises the executive function in accordance with the laws and other normative provisions”, and is assisted by the Governorate “whose governing bodies and organizations contribute to the exercise of the executive function of the State, which is exercised in the areas mentioned in art. 4”.
The new Regulation is inspired by European norms regarding the protection of personal data, especially by the European Union’s General Data Protection Regulation (GDPR) , adopted on 27 April 2016 and in effect since 25 May 2018, but with significant differences in relation to the institutional structure of Vatican City State and its service to the Petrine Ministry.
What prompted the new Vatican Legislator towards the Regulation was a willingness to protect the rights and freedom of physical persons, and in particular, the right to personal data protection, as stated in Article 1 of the Regulation which establishes “rules on the protection of physical persons with regards to the treatment of personal data, and norms related to the free movement of such data, respecting human dignity and fundamental freedoms”.
The implementation of the Regulation is the responsibility of the Governorate, “within the limits of the territory of Vatican City State, or for activities carried out by the Governorate in the zones mentioned in Article 15 and 16 of the Lateran Treaty, in accordance with Law No. CCLXXIV on the Governance of Vatican City State of 25 November 2018 and the Fundamental Law of Vatican City State of 13 May 2023” (Article 2, paragraph 1). The Vatican Legislator also included a provision for the exclusion of its implementation in cases of personal data treatment made by physical persons for exclusively personal reasons, as long as, “they are not destined for systemic circulation”, and the treatment of personal data “made clearly public by the Interested party”, or in cases of anonymous data” (Article 2, paragraph 2).
Article 11, paragraph 1, of the new Regulation identifies the Data Controller in the Governorate of Vatican City State, represented by the General Secretary, who makes decisions on the purposes and methods of data treatment. This also gives those responsible for the treatment the possibility of “identifying organizational technical measures (security measures) that are suitable to guaranteeing personal data protection”. (Article 11, paragraph 2), in accordance with the Regulation. Article 12 identifies those who are responsible for the treatment. It is up to the data Controller, that is, the General Secretary, to choose from within its organization “in its senior roles of the Bodies of the Governorate, those who are responsible for treatment and have the task of implementing the present Regulation and to work in accordance with the principles mentioned in Articles 4 and 5, by appointing Representatives when provided by the present Regulation” (Article 12, paragraph 1). The Data Controller and each person responsible for the treatment designates one or more Representatives from within its organization, with a written document, and establishes the duration of the service, the content, the duties and responsibilities (Article 13, paragraph 1). The Representatives are physical persons who are authorized to put security measures into action in accordance with the Regulation and are identified in the Register of treatment activities (Article 13, paragraph 2).
Furthermore, the Regulation provides specific procedures that allow the Interested party to exercise the right to access, change, cancel, exercise the right to data portability and to limit the treatment. They can do so by sending a written or electronic request to the Data Controller.
If the Interested party feels that the data treatment violates the Regulation, “with the exception of cases which involve the judicial authority of Vatican City State” (Article 25), he has the right to make a written complaint to the Data Protection Officer (DPO) whose functions are the responsibility “of the General Councillor of Vatican City State” (Article 10, paragraph 2), who carries out the responsibility and exercises power (Article 10, paragraph 3) independently and autonomously, and is a fundamental part of the overall procedural process, which along with the preliminary involvement of the Data Controller and a possible recourse to Vatican judicial authorities, has the aim of guaranteeing the greatest protection to the rights of the Interested party.
In light of the nature of the object of the Regulation, Decree No. DCLVII, was promulgated ad experimentum by the Pontifical Commission of Vatican City State, for a three year period.
Historical journey between privacy and data protection
In order to understand how the Legislator came to draft the Regulation, we have to think back in space and time, precisely to the end of the 19th century in the United States of America. We can trace the early mention of privacy as a right back to that time. The first to deal with the issue were two lawyers from Boston, the most European city in the United States. They were Samuel Warren and Louis Brandeis. On 15 December 1890, the two lawyers published an article in the Harvard Law Review, titled, The right to privacy. They called for the recognition of the “legal value of sensations” and “the right to be let alone”. At that time, newspapers were the chief means of communication, and they dedicated much space to photographs. What led the two lawyers to write the article was the intrusiveness of the photographs printed on many newspapers, depicting mundane events attended by members of the upper middle class and politicians.
There was still no mention of the intrusiveness of technology and the potential for social communication because there were only cameras and newspapers. However, it was enough to spread details of images of people an intrude into their private lives. Decades passed and at the end of World War II, awareness of privacy and the protection of privacy also reached Europe, but with a difference with respect to the United States of America. The goal was no longer to stop the intrusion to private citizens, from newspapers and businesses, but to be protected from the intrusion of the State. With the memory of the collapse of some totalitarian regimes and the continued existence of some, still very much alive, the Legislator’s priority was to protect private individuals. This led to the drafting of Article 8 of the 1950 European Convention on Human Rights, which established the right to protection of private life. As times changed, with the arrival of computers and their ever-growing popularity, in 1981 the Council of Europe came up with Convention 108 , known also as the Strasbourg Convention. It is one of the most important legal instruments for
the protection of individuals with respect to the automated treatment of personal data. A further step was taken with Directive 95/46 of the Parliament and of the Council of Europe, with the aim of putting together norms to guarantee personal data protection and a “free flow” of data, and to promote a higher level of protection of basic rights of citizens. This directive was undoubtedly the fundamental legal instrument of the European Union for the protection of data until the 2018 General Data Protection Regulation (GDPR).