This text was originally prepared as part of an individual written assignment for the course LAW5072 – Data Protection Law, in the LL.M. in Cybersecurity & Data Privacy programme at Maastricht University. It analyses Case C-12/25 (Bisdom Gent), which is still pending a ruling by the Court of Justice of the European Union (CJEU), and presents my personal academic reflection on the questions referred, with a focus on the right to erasure under the GDPR.
Introduction
This case concerns an individual who was baptised as a child by the Roman Catholic Church (“Church”) in the Diocese of Ghent. On 22 March 2021, the individual formally requested the erasure of all references to him from the diocese’s physical and digital records.
In April, the Church annotated the individual’s wish to leave in the margin of the baptismal register but did not erase his personal data. The individual, dissatisfied with this response, submitted a complaint to the Dispute Resolution Chamber of the Belgian Data Protection Authority. The Chamber subsequently ordered the Bishopric of Ghent to honour the objection to data processing and comply with the erasure request.
The Diocese, contesting this outcome, appealed to the Brussels Court of Appeal. In December 2024, the court issued an interim judgment and referred the following questions to the Court of Justice of the European Union (CJEU):
1) Does an individual who was baptised as a child and later wishes to dissociate from the Roman Catholic Church as an adult have the right to have his personal data erased from the baptismal register?
2) Can the fundamental right to religious freedom of the controller and the Church community override an individual’s right to object to data processing under Article 17(1)(c) of the GDPR1Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [2016] OJ L119/1., thereby preventing the right to erase data in the baptismal record?
3) Does the fact that the baptismal register is a physical book rather than a digital record, with entries of multiple data subjects on the same pages, affect this analysis?
4) Given that the baptismal record is a historical artefact and a unique record of historical facts that are not recorded anywhere else, can the exception to erasure under Article 17(3)(d)2GDPR, art 17(3)(d). apply?
5) Considering that there is a right to erasure under Article 17(1)3GDPR, art 17(1). and that the above exception was not applied, is it satisfied by the notation made by the church in the margin of the baptismal record?
Question 3
Considering that baptismal records contain personal data of the individual—such as year of baptism, surname, first name, parish name, and the surnames of the godmother and godfather—and that, although they may be maintained manually in physical books4Beslissing ten gronde 169/2023 [67], they are nonetheless structured in an organized manner based on specific criteria5Code of Canon Law 1983, c 535., they qualify as a filing system within the meaning of Article 4(6)6GDPR, art 4(6).. Accordingly, it can be inferred that the aforementioned processing of personal data carried out by the Church falls within the scope of the GDPR, pursuant to Article 2(1)7GDPR, art 2(1)..
Consequently, the fact that the register constitutes a physical book rather than a digital record, containing entries of multiple data subjects on the same pages, does not exclude it from the scope of GDPR and, accordingly, does not influence this analysis.
Question 4
The data contained within the baptism register is sensitive, as it discloses an individual’s religious beliefs, in accordance with Article 9(1)8GDPR, art 9(1).. In light of this, such processing must always be justified by a legal basis pursuant to Article 69GDPR, art 6. and must comply with one of the conditions specified in Article 9(2)10Ludmila Georgieva and Christopher Kuner, ‘Article 9. Processing of Special Categories of Personal Data’ in Christopher Kuner, Lee A Bygrave and Christopher Docksey (eds), The EU General Data Protection Regulation (GDPR): A Commentary (OUP 2020) 376..
Therefore, the Church’s legal basis for collecting, registering, storing, and maintaining the baptism register is the legitimate interest11Beslissing ten gronde 169/2023 [102], with the purpose of ensuring proper sacramental administration and preventing repetition, avoiding fraud or duplication12Beslissing ten gronde 169/2023 [113]. This is based on Articles 6(1)(f) and 9(2)(d) and (j)13Beslissing ten gronde 169/2023 [102]; GDPR, arts 6(1)(f), 9(2)(d), (j)..
Regarding data retention, the justification for storing data after an individual’s withdrawal was based on archiving for public interest and historical research, pursuant to Articles 6(1)(f), 9(2)(j), and 89(1)14Beslissing ten gronde 169/2023 [157]; GDPR, arts 6(1)(f), 9(2)(j), and 89(1).. Furthermore, the Church refused the individual’s data deletion request by citing the exception in Article 17(3)(d)15GDPR, art 17(3)(d).. This article states that the right to data erasure does not apply to the extent that processing is necessary for archiving purposes in the public interest, scientific research, historical research, or statistical purposes.
Considering this, the Belgian DPA concluded that although the initial interest in preventing fraud is legitimate, the lifelong retention of all personal data of a former member is disproportionate16Beslissing ten gronde 169/2023 [136],[193]. Continuous retention, therefore, fails the necessity test and violates the data minimisation principle (Article 5(1)(b) and (c))17Beslissing ten gronde 169/2023 [127]; GDPR art 5(1)(b),(c)..
Justifying lifelong retention of an individual who explicitly wishes to leave the Church under Article 17(3)(d)18GDPR art 17(3)(d). requires strict, cumulative scrutiny. Specifically, it must be shown that:
(i) the processing genuinely qualifies as archiving in the public interest on a basis of Union or Member-State law (Article 9(2)(j))19GDPR art 9(2)(j).;
(ii) the Article 89(1)20GDPR art 89(1). safeguards are demonstrably in place (proportionality, data minimisation and, where possible, pseudonymisation); and
(iii) in the concrete case, erasure would be likely to render impossible or seriously impair the achievement of those archiving purposes.
The doctrine regarding Article 89(1)21GDPR art 89(1); Christian Wiese Svanberg, ‘Article 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes’ in Christopher Kuner, Lee A Bygrave and Christopher Docksey (eds), The EU General Data Protection Regulation (GDPR): A Commentary (OUP 2020) 1247. reinforces that not every archive qualifies for inclusion under this regime. Instead, only those records that, according to Union or Member State law, are required to be acquired, preserved, described, disclosed, and made accessible due to their long-term value and public interest are eligible. Therefore, Member States can define, through national legislation, what constitutes a historically significant public interest archive. Furthermore, safeguards such as data minimization and pseudonymization must be effectively implemented in practice.
Analysing the DPA’s decision reveals, in a somewhat obscure footnote22Beslissing ten gronde 169/2023 [159], that baptism records are transferred to the Belgian state archive after one hundred years. This practice is not based on a legal obligation but rather on an agreement between the Belgian state and the Church.
In conclusion, the answer to the fourth question is that this arrangement alone does not justify the diocesan retention of these records as processing “based on Union or Member-State law” for public interest archiving (Article 9(2)(j))23GDPR art 9(2)(j).. This is because there is no specific legislative basis considering these records as part of a public-interest archive, making the derogation under Article 17(3)(d)24GDPR art 17(3)(d). inapplicable.
Questions 1, 2 & 5
Based on the conclusion of response number four above, it can be affirmed that the data subject’s request must be analyzed in accordance with the general regime of the GDPR, considering the balance between objection and erasure. Article 17(1)(c) guarantees erasure when the data subject objects to the processing under the terms of Article 21(1)25GDPR arts 17(1)(c), 21(1); Herke Kranenborg, ‘Article 17. Right to erasure (“right to be forgotten”)’ in Christopher Kuner, Lee A Bygrave and Christopher Docksey (eds), The EU General Data Protection Regulation (GDPR): A Commentary (OUP 2020) 481.. This objection right applies only to treatments based on Article 6(1)(e) or (f)26GDPR art 6(1)(e), (f).. Based on the conclusion reached in response four, Article 6(1)(e)27GDPR art 6(1)(e) is excluded because no specific legal basis was identified to qualify the baptism record under that provision. Therefore, only Article 6(1)(f)28GDPR art 6(1)(f) remains, which requires an analysis of necessity and proportionality29GDPR, recital 47..
In this analysis, one must consider that
(i) the Belgian Constitution, which guarantees freedom of worship (Article 19)30Constitution of Belgium (Belgian House of Representatives 2021) art 19. and the freedom not to profess a religion (Article 20)31Constitution of Belgium, art 20., dimensions that are connected to the right to private life (Article 22)32Constitution of Belgium, art 22. of the individual who wishes to dissociate and;
(ii) recital 433GDPR, recital 4., which imposes a balance between data protection and other fundamental rights, such as religious freedom.
These elements support the analysis of Article 6(1)(f)34GDPR, art 6(1)(f). under three cumulative conditions: legitimate interest, strict necessity, and the precedence of the rights and freedoms of the data subject35Case C-40/17 Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV EU:C:2019:629, paras 93–97.. The purpose indicated by the Church, that is, to prevent the repetition of the sacrament, is legitimate36Beslissing ten gronde 169/2023 [136],[193], however, necessity requires demonstrating that only the strictly indispensable elements are maintained and for the minimal time.
In terms of proportionality, consideration is given to
(i) the fact that the data collection took place during childhood;
(ii) the impact on identity due to continued association against the data subject’s will;
(iii) the reasonable expectations of the data subject; and
(iv) the availability of less intrusive alternatives that achieve the same purpose.
Understanding that the exception in Article 17(3)(d)37GDPR art 17(3)(d). does not apply to the marginal annotation that maintains the record intact, this does not satisfy what is provided in Article 17(1)(c)38GDPR 17(1)(c).. In the face of a valid objection (art. 21(1)39GDPR 21(1).) and the lack of concrete proof of strict necessity and prevalence, the objection must prevail and the erasure is imperative.
Therefore, it is concluded that in question one, the individual has the right to erasure: the exception of public archiving being dismissed, the case returns to the general regime and, if there is an objection (Article 21(1))40GDPR 21(1)., without sufficient demonstration of necessity and proportionality of a treatment based on Art. 6(1)(f)41GDPR 6(1)(f)., Article 17(1)(c)42GDPR 17(1)(c). is imposed.
Regarding question two, religious freedom may be considered, however, it does not automatically negate the objection. It would be necessary to demonstrate, in the specific case, that the continuation of the treatment is essential and that no less intrusive alternatives exist, which has not been established.
Regarding question five, recognizing the right to erasure and the inapplicability of Article 17(3)(d)43GDPR 17(3)(d)., a marginal note does not satisfy Article 17(1)44GDPR 17(1).: maintaining the entry with a mere note does not replace removal.