photo
02.06.2026

A New Guide for Church Entities Operating in the Field of Social Assistance

The Church Data Protection Officer, in cooperation with the Personal Data Protection Office, has developed a guide titled “Practical Guidelines for Church Entities Operating in the Field of Social Assistance.” This guide is a valuable source of information for all entities providing social assistance.

The publication was developed with church-run social welfare homes and other church entities operating in the field of social welfare in mind. Its purpose is to support these entities in the proper application of personal data protection regulations, both those arising from the GDPR and from the General Decree on the Protection of Natural Persons in Connection with the Processing of Personal Data in the Catholic Church. The guide is practical in nature and was prepared based on applicable regulations, experiences drawn from the supervisory activities of the Personal Data Protection Office and the Church Data Protection Officer, as well as the most common issues arising in the day-to-day operations of social welfare homes.

The publication discusses in detail issues related to determining the status of the personal data controller in church-run social welfare facilities and the scope of responsibility of individual entities. It also explains which categories of data are most frequently processed by these facilities, including data on residents, family members and legal guardians, employees, volunteers, donors, and users of websites and social media. Particular attention is given to the processing of special categories of data, such as data concerning health or disability.

A significant portion of the guide is devoted to the practical obligations of data controllers. Among other things, the guide outlines the principles for conducting risk assessments, implementing appropriate technical and organisational measures, developing data protection policies, and maintaining the required documentation, including a record of processing activities. The authors also explain how to properly organise access to personal data, grant authorisations to employees, and collaborate with data processors under data processing agreements.

The guide also discusses in detail the obligation to provide information to residents, employees, volunteers, and other individuals whose data is processed. It emphasises the need to clearly identify the data controller, precisely specify the recipients of the data, and use transparent and understandable information notices. The guide also includes guidance on data retention periods, responding to data breaches, and organising training sessions to raise staff awareness of security issues.

A separate chapter is devoted to the most frequently asked practical questions. The answers address, among other things, who is the data controller at a church-run nursing home, on what grounds residents’ medical data may be processed, whether and to what extent information may be disclosed to a resident’s family, when there is an obligation to appoint a data protection officer, and how long specific documentation must be retained. The chapter also addresses issues related to video surveillance and residents’ right to request the deletion of their personal data.

The publication also includes sample document templates that can be adapted to the needs of specific institutions. These include, among others, templates for privacy notices for residents and employees, a template for a consent form for the processing of personal data, and the basic elements of a data processing agreement.

The guide is intended to support church entities operating in the field of social assistance in establishing consistent, transparent, and secure rules for the processing of personal data, while respecting the dignity, privacy, and rights of individuals receiving social assistance.

This publication is yet another example of cooperation between the President of the Personal Data Protection Office and the Church Data Protection Officer in raising awareness about personal data protection and supporting data controllers in the proper application of the regulations. This cooperation included, among other things, educational activities, the exchange of experiences, and the preparation of supporting materials on the practical application of personal data protection regulations in the activities of church entities.

The guide is publicly available and can be downloaded from the Office’s website.