Data Protection

Data Protection Regulations

of EBM INTERNATIONAL, a corporation under public law

These data protection regulations were agreed by the Executive Committee of EBM INTERNATIONAL on February 24, 2018 and by the Mission Council of EBM INTERNATIONAL on May 03, 2018, and came into force on May 03, 2018.

Contents

PART ONE: GENERAL PROVISIONS
§ 1. Objectives, Targets and Scope of Application
§ 2. Responsibility for Implementing Data Protection
§ 3. Definitions
§ 4. Legality of Processing
§ 5. Conditions for Consent
§ 6. Transfer of Data to Member Unions of EBM INTERNATIONAL and Public Agencies
§ 7. Processing Special Data

PART TWO: RIGHTS OF THE DATA SUBJECT
§ 8. Transparent Information, Communication
§ 9. Information Requirements for Data Collection
§ 10. Right to Information of the Data Subject
§ 11. Right to Correction
§ 12. Right to Deletion
§ 13. Right to Restrictions on Processing
§ 14. Information Requirements for Correction, Deletion or Restrictions on Processing
§ 15. Right to Object

PART THREE: OBLIGATIONS OF THE RESPONSIBLE AGENCIES AND PROCESSORS
§ 16. Data Confidentiality and Secrecy
§ 17. Technical and Organisational Measures
§ 18. Contracting Out Processing of Personal Data
§ 19. List of Processing Activities
§ 20. Notification of Breaches of Personal Data Protection
§ 21. Notification of the Person Affected by a Breach of Personal Data Protection
§ 22. Data Protection Impact Assessment

PART FOUR: OVERSIGHT COMMITTEE AND RESPONSIBILITY FOR DATA PROTECTION
§ 23. Appointment and Status of Data Protection Agents for EBM INTERNATIONAL
§ 24. Duties and Powers of Data Protection Agents for EBM INTERNATIONAL
§ 25. Oversight Committee
§ 26. Financial Penalties
§ 27. Right to Complain
§ 28. Compensation by Responsible Agencies

PART FIVE: RULES FOR SPECIAL PROCESSING SITUATIONS
§ 29. Handling of Personal Data in Service and Employment Relationships
§ 30. Handling of Personal Data for Journalistic Purposes
§ 31. Activities of EBM International

PART SIX: FINAL PROVISIONS
§ 32. Supplementary Provisions
§ 33. Entry into Force, Abrogation

§ 1. Objectives, Targets and Scope of Application

  1. These data protection regulations apply to the EBM INTERNATIONAL religious community, a corporation under public law (hereafter EBM INTERNATIONAL), and its management.
  2. These regulations contain provisions for the protection of natural persons during the handling of personal data. They serve to protect the basic rights and freedoms of natural persons, in particular their right to the protection of their personal data.
  3. These regulations apply to wholly or partially automated, as well as non-automated, handling of personal data which is stored in a file system or is intended to be stored. Files and collections of files are only considered as a file system if they are ordered by certain criteria.
  4. These regulations apply to the handling of personal data by non-EBMI staff or processors, if the handling of the data is for EBM INTERNATIONAL purposes.
  5. These regulations are not applied to the processing of personal data by natural persons in sole connection with personal or family activities.
  6. These regulations are based on the provisions of article 91 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2017 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EG (General Data Protection Regulation).

§ 2. Responsibility for Implementing Data Protection

  1. The Executive Committee of EBM INTERNATIONAL ensures compliance with data protection in accordance with these regulations. The Executive Committee may delegate this function to the Management Board.

§ 3. Definitions

For the purposes of these regulations, the following terms are defined:

  1. “Personal Data” - All information which refers to an identified or identifiable natural person (“Data Subject” in the following); a natural person is considered to be identifiable if they can be directly or indirectly identified by association with an identifier such as a name, an identification number, location data, an on-line identifier or one or more special characteristics which are expressions of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  2. “Specific Data” - Personal data which express racial and ethnic origin, political opinions or trade union affiliation, as well as health data and genetic and biometric data for the specific identification of a natural person;
  3. “Processing” - Any operation, or any such sequence of operations, performed with or without the aid of automated procedures, in connection with personal data, such as collecting, recording, organisation, sorting, storing, amending or modifying, reading, querying, usage, disclosure by transfer, dissemination or any other form of provision, matching or association, reduction, erasure or deletion;
  4. “Recipient” - A natural or legal person, public authority, body or other agency to which personal data are disclosed, regardless of whether or not it is a third party;
  5. “Responsible Person” - A position at EBM INTERNATIONAL that either alone or together with others decides on the purposes and means of processing personal data;
  6. “Data Controller” - See “Responsible Person”;
  7. “Processor” - A natural or legal person or, if the data controller belongs to another legal entity, a body of EBM INTERNATIONAL, that processes data on behalf of the data controller;
  8. “Third Party” - A natural or legal person or public authority other than the data subject, the responsible agencies, the processor and the persons authorized under the direct responsibility of the controller or processor to process the personal data;
  9. “Anonymisation” - Processing of personal data such that the personal data can no longer be attributed to a specific data subject, or can only be attributed to an identified or identifiable person with great expenditure of time, financial resources and manpower;
  10. “Pseudonymisation” - Processing personal data in such a way that the personal data can no longer be attributed to a specific data subject without additional information, provided that this additional information is kept separate and subject to technical and organisational measures which ensure that the personal data cannot be attributed to an identified or identifiable natural person;
  11. “File System” - Any structured collection of personal data accessible by specific criteria, regardless of whether this collection is centralised, decentralised or organised by functional or geographic criteria;
  12. “Oversight Committee” - An independent body of EBM INTERNATIONAL which monitors compliance with the data protection regulations;
  13. “Data Protection Officer” - The data protection officer appointed by the Executive Committee of EBM INTERNATIONAL;
  14. “Restriction of Processing” - The marking of stored personal data in order to limit its future processing;
  15. “Consent” - An expression of will, voluntarily and in an informed and unambiguous manner, in the form of a statement or other explicit affirmative act, by which the data subject indicates that he / she agrees to the processing of his / her personal data, for the particular case.

§ 4. Legality of Processing

  1. Processing is only permitted if
     a) the rules of EBM INTERNATIONAL or an overriding state law allow or order the processing of personal data;
     b) the data subject has given his / her consent to the processing of his / her personal data for one or more particular purposes;
     c) the processing is necessary to carry out the duties of the responsible body;
     d) the processing is necessary to carry out a legal obligation;
     e) the processing is necessary to protect the vital interests of the data subject or another natural person;
     f) the processing is necessary to safeguard the legitimate interests of the responsible person or a third party, so long as the interests or fundamental rights and freedoms of the data subject requiring personal data protection prevail, particularly if the data subject is a child; or
     g) it is done for journalistic or editorial purposes of EBM INTERNATIONAL.
  2. The purpose of the data processing and the cohort of data subjects must be fixed or recognisable.
  3. Processing for another purpose than that for which the personal data was originally collected (change of purpose) is only permitted if the possibility of pseudonymisation has been examined and
     a) the data subject has consented;
     b) it is obvious that it is in the interest of the data subject, and there is no reason to believe that, knowing the other purpose, he / she would refuse to consent;
     c) the data may be extracted from generally accessible sources or the data controller is allowed to disclose them, unless the legitimate interest of the data subject in excluding the change of purpose obviously outweighs it;
     d) there is reason to assume that otherwise the fulfilment of the church’s mission would be endangered;
     e) it is necessary to prevent serious harm to the rights of another person; or
     f) it is necessary for statistical purposes to fulfil the mission of the church.
  4. Processing for other purposes is permitted, if it serves EBM INTERNATIONAL’s purpose of visitation, supervision and control, auditing, review or carrying out organizational investigations for the responsible body.

 

§ 5. Conditions for Consent

  1. If the processing is based on consent, the responsible person must be able to prove that the data subject has given their consent to the processing of their personal data.
  2. If the data subject's consent is provided by a written declaration which also relates to other matters, the request for consent must be made in an understandable and readily accessible manner, in clear and simple language, so that it is clearly distinguishable from the other matters.
  3. The data subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the legality of any processing which has already been performed on the basis of that consent up until its withdrawal.
  4. If data concerning a child is to be processed, consent may be obtained only from the bearer of parental responsibility for the child, if the child has not yet reached the age of 14. Otherwise, consent is given by the child together with the bearer of parental responsibility.

§ 6. Transfer of Data to Member Unions of EBM INTERNATIONAL and Public Agencies

  1. The transfer of personal data to Member Unions of EBM INTERNATIONAL is permitted if
     a) it is necessary for the fulfilment of the duties for which the transferring or receiving body is responsible, and
     b) it satisfies the conditions of admissibility of § 5.
  2. The responsible person bears the responsibility for the admissibility of the transfer. If the transfer is in response to a request from the receiving body, the responsible person also bears this responsibility. In these cases, the transferring body shall only check whether the request for transfer lies within the remit of the body receiving the data, unless there are specific grounds to consider the permissibility of the transfer.
  3. The body receiving the data may process or use the transferred data for the purpose for which the data were transferred to it. Processing or use for other purposes is only permitted under the conditions of § 4 paragraph 2.
  4. If further personal data of the person concerned or of another person are connected with personal data which is permitted to be transferred in accordance with paragraph 1 in such a way that separation is not possible, or only possible with unreasonable effort, the transmission of these data is also permitted, insofar as the legitimate interest of the data subject or another person in maintaining their secrecy does not obviously prevail; use of this data is prohibited.
  5. Personal data may be transferred to bodies of other public-law religious communities, if this is necessary for the fulfilment of the duties of the responsible person, provided that it is ensured that sufficient data protection measures are taken at the receiving body and that it does not harm the legitimate interests of the data subject.
  6. Personal data may be transferred to governmental and municipal bodies, if legal provisions permit this and it does not harm the legitimate interests of the data subject.

§ 7. Processing Special Data

  1. Processing of special data is prohibited.
  2. Paragraph 1 does not apply in the following cases:
     a) The data subject has expressly consented to the processing of the personal data for one or more specified purposes,
     b) The processing is necessary for the protection of the vital interests of the data subject or another natural person, and the data subject is physically or legally unable to give their consent,
     c) The processing refers to personal data which the data subject has clearly made public,
     d) The processing is necessary for the establishment, exercise or defence of legal claims,
     e) The processing is necessary on grounds of considerable public interest and the responsible person has taken reasonable and specific measures to protect the basic rights and interests of the data subject,
     f) The processing is necessary for health provision or occupational health purposes or the evaluation of an employee’s ability to work and subject to the conditions and guarantees in paragraph 3, or
     g) The processing is necessary for the purposes of archiving, or scholarly or historical research in the interests of EBM INTERNATIONAL and the responsible person has taken reasonable and specific measures to protect the basic rights and interests of the data subject.
  3. The personal data referred to in paragraph 1 may be processed for the purposes stated in paragraph 2(f), if these data are processed by or under the responsibility of qualified staff and these qualified staff are subject to professional secrecy under the laws of the European Union, or the law of a member state or the rules of a responsible national body.
  4. The processing of personal data on criminal convictions and offences or related security measures is permitted under the conditions of §6, if allowed under church or state law.

PART TWO: RIGHTS OF THE PERSON CONCERNED

§ 8. Transparent Information, Communication

  1. The data controller shall take appropriate measures to communicate to the data subject all information required to be provided under these regulations regarding the processing, in a precise, transparent, understandable and easily accessible form.
  2. The data controller shall make information about the measures taken in accordance with §§ 12 to 15 available to the data subject within three months from receipt of the request. This period can be extended by two months if necessary, taking into account the complexity and the number of requests. The data controller shall inform the data subject of any extension of the period within three months of receipt, together with the reasons for the delay.
  3. If the data controller does not act on the data subject’s request, he / she shall inform the data subject without delay, and no later than three months after receipt of the request, of the reasons for this and of the option to raise a complaint with the data protection committee.
  4. Information is to be made available free of charge. In the case of evidently unfounded or, in particular in the case of frequent repetition, excessive requests from a data subject, the data controller may refuse to act on the request, or charge a reasonable fee.
  5. If the responsible person has reasonable doubts about the identity of the natural person making a request in accordance with §§ 11 to 15, he / she may request any additional information necessary to confirm the identity of the data subject.

§ 9. Information Requirements for Data Collection

  1. The state Data Protection Officer makes the following information about data collection publicly available:
     • The existence of the rights of access, correction, deletion, limitation of processing, data portability, as well as the right to object to data processing;
     • The existence of the right to withdraw any previously given consent;
     • The existence of the right to raise a complaint with the data protection committee.
  2. If personal data are collected from the data subject, the data controller shall, upon request, communicate the following to the data subject:
     • The name and contact details of the data controller;
     • If applicable, the contact details of the responsible Data Protection Officer;
     • The purpose for which the personal data will be processed;
     • The legal basis for the processing;
     • If applicable, the recipient of the personal data.
  3. If personal data are not collected from the data subject, the data controller shall, upon request, communicate the following to the data subject:
     • The data stored about that person;
     • The origin of the data;
     • The recipient of the data.
     The data controller is exempted from this obligation insofar as the data or the fact of its storage must be kept secret due to a special legal provision or because of the legitimate interests of third parties, and the interests of the data subject in the disclosure of information must be overruled, or if the disclosure would harm the image of the church’s mission.
  4. If the data controller intends to process the data further for another purpose than that for which the personal data was collected, he / she must provide the data subject with information about this other purpose and, if applicable, the recipient of the personal data, prior to such further processing. This duty to inform does not apply in the case of §10 paragraph 2.

 

§ 10. Right to Information of the Person Concerned

  1. The data subject is to be given information about the personal data stored about him / her, upon his / her request. The disclosure must include the following information:
     • The purpose of the processing;
     • The categories of personal data;
     • The recipients to whom the personal data have been disclosed;
     • Wherever possible, the intended period for which the personal data will be stored or, if this is not possible, the criteria for determining this period;
     • The existence of the right to correct or delete the personal data relating to him / her, or to a restriction of processing by the data controller or a right to object to this processing;
     • The existence of the right to raise a complaint with the data protection committee;
     • Information about the origin of the data.
  2. Information need not be provided if the data or the fact of its storage must be kept secret due to a special legal provision or because of the legitimate interests of third parties, and the interests of the data subject in the disclosure of information must be overruled, or if the disclosure would harm the image of EBM INTERNATIONAL.
  3. This disclosure is free of charge.
  4. Paragraph 1 does not apply if the disclosure would require a disproportionate effort.

 

§ 11. Right to Correction

  1. Incorrect personal data are to be corrected immediately. This especially applies at the request of the data subject.
  2. In consideration of the purpose of the processing, the data subject has the right to request the completion of incomplete personal data.
  3. No right to correction exists if the personal data is to be processed for archiving purposes in the church’s interests. If the data subject disputes the accuracy of the personal data, he / she has the option to submit a counter statement. The responsible archive is obliged to append the counter statement to the documents.

§ 12. Right to Deletion

  1. The data subject has the right to demand that the data controller immediately deletes any personal data regarding him / her, and the data controller is obliged to immediately delete these personal data, insofar as the following reasons apply:
     a) The personal data are no longer necessary for the purpose for which they were collected or otherwise processed.
     b) The data subject revokes his / her consent on which the processing was based, and no other legal basis exists for the processing.
     c) The data subject objects to the processing in accordance with §15 and there exist no legitimate reasons for the processing.
     d) The personal data has been processed unlawfully.
  2. If the data controller has made the personal data public and he is obliged to delete them in accordance with paragraph 1, he shall aim to ensure the deletion of all links to these personal data or copies or replicates of these data, taking into account the available technology and the cost of implementing appropriate measures.
  3. Paragraphs 1 and 2 shall not apply insofar as the processing is necessary
     • in order to ensure the exercise of the right to freedom of expression and information;
     • in order to fulfil a legal obligation that requires the processing under the state or church law to which the data controller is subject;
     • to carry out a duty due to a major interest of EBM INTERNATIONAL;
     • for purposes of archiving or academic and historical research in the interest of EBM INTERNATIONAL, insofar as the right referred to in paragraph 1 is expected to render impossible or seriously impair the achievement of the purpose of this processing, or
     • for the establishment, exercise or defence of legal claims.
  4. If deletion is not possible, or only possible at disproportionately high cost, the right to restriction of processing according to § 13 will take the place of the right to deletion.

 

§ 13. Right to Restrictions on Processing

  1. The data subject has the right to demand that the responsible person restricts the processing, if one of the following conditions is met:
     a) The accuracy of the personal data is disputed by the data subject and the examination of its accuracy by the data controller has not yet been completed.
     b) The responsible person no longer requires the personal data for the purpose of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims.
     c) The data subject has filed an objection to the processing according to §15 and it is still not clear whether the legitimate reasons of the responsible person prevail over those of the data subject.
  2. If the processing has been restricted according to paragraph 1, processing of this personal data (except for storage) may only take place either with the consent of the data subject or for the establishment, exercise or defence of legal claims or to protect the rights of another natural or legal person, or due to a major interest of EBM INTERNATIONAL.
  3. A data subject who has obtained a restriction of processing according to paragraph 1 shall be informed by the data controller before the restriction is lifted.

 

§ 14. Information Requirements for Correction, Deletion or Restrictions on Processing

The data controller shall notify the data subject of any correction or deletion of personal data or any restriction of processing, unless this proves impossible or would require a disproportionate effort. If the data subject so requests, the data controller shall inform the data subject of the recipient of the data.

§ 15. Right to Object

  1. The data subject has the right to object to the processing of personal data relating to him / her, for reasons related to his / her specific situation, in accordance with § 4 paragraphs 1 (f) and (g).
  2. This objection obliges the data controller to cease processing of the data, unless there exists a compelling interest of the Church in the processing of the data, the interests of a third party prevail, or there is an obligation to process the data under state law.

 

PART THREE: OBLIGATIONS OF THE RESPONSIBLE AGENCIES AND PROCESSORS

§ 16. Data Confidentiality and Secrecy

The persons entrusted with the handling of personal data are prohibited from processing personal data without authorization (data secrecy). This applies in particular to the disclosure of such data. These persons are to commit themselves in writing to data secrecy upon taking up their duties. Data secrecy persists after their work has been concluded.

§ 17. Technical and Organisational Measures

  1. The data controller and, if applicable, the processor, taking into account the state of the technology, the cost of implementation, the type, scope, circumstances and the purposes of the processing, as well as the associated risks to the rights and freedoms of natural persons, shall implement and document specific technical and organizational measures to ensure a level of security appropriate to the risk.
  2. These measures include, among other things, the following aspects:
     • The pseudonymisation, anonymisation and encryption of personal data;
     • The ability to permanently guarantee the security (confidentiality, integrity, availability and capacity) of the data processing systems and services;
     • The ability to restore without delay the access to and availability of personal data after a physical or technical incident;
     • A procedure for regular review and evaluation of the effectiveness of the technical and organisational measures to ensure the security of the processing.
  3. In the assessment of the appropriate level of security, the particular risks associated with processing personal data are to be taken into account, especially the risks of deletion, loss, alteration, unauthorised disclosure or unauthorised access.
  4. The data controller and, where applicable, the processor shall implement suitable technical and organisational measures to ensure only the personal data which is necessary for the respective specific processing purpose is processed. This obligation applies to the volume of collected personal data, the extent of their processing, their storage period and their accessibility. Such measures must in particular ensure that personal data is not made accessible to an indefinite number of natural persons by default without the intervention of the data controller.
  5. These measures are only necessary if the effort involved is appropriate in relation to the targeted level of security.
  6. Compliance with a procedure recognised under EU law to assess the security of personal data may be used as an indication of the fulfilment of the obligations referred to in paragraphs 1 to 4.
  7. The data controller and the processor shall take steps to ensure that natural persons under their direction who have access to personal data only process these in accordance with the instructions of the responsible person.

§ 18. Contracting Out Processing of Personal Data

  1. If personal data is to be processed by other bodies or persons under contract, the contracting body of EBM INTERNATIONAL is responsible for ensuring compliance with the conditions of these regulations and other applicable conditions concerning data protection. The rights referred to in PART TWO may also be claimed against them. The data protection committee is responsible for overseeing this.
  2. If a natural or legal person is based, or has a place of business which is necessary for the processing in the contract, in a third country, the data controller is only permitted to contract them to process personal data if the EU Commission has decided that this country provides an appropriate level of data protection.
  3. Only processors who provide sufficient guarantees that suitable technical and organisational measures will be followed, such that the processing will be performed in accordance with the requirements of these regulations and the rights of the data subject are protected, may process data on behalf of the responsible person.
  4. If a processor outside of EBM INTERNATIONAL is commissioned, the choice of this processor shall be justified in writing and kept available.
  5. The processor shall be obliged not to make use of any further processors without prior separate or general written permission from the responsible person. In particular, one condition for the responsible person’s approval is the obligation of the processor to ensure that further processors accept identical conditions in accordance with §19 and § 20.
  6. The contract shall be made in writing. The contract shall stipulate, in particular, that the processor
     a) only processes the personal data according to the instructions of the responsible person;
     b) ensures that the processors of the personal data of the data subject have committed themselves to data secrecy in accordance with §16 or are bound by another reasonable obligation of confidentiality;
     c) takes all measures necessary for the processor pursuant to §17;
     d) complies with the conditions for the use of the services of another processor according to paragraph 5;
     e) shall, in view of the type of the processing, support the responsible person as far as possible with suitable technical and organisational measures to comply with his / her obligations to reply to applications concerning the rights of the data subject referred to in PART TWO;
     f) shall, according to the decision of the data controller, either delete or return all personal data after conclusion of the provision of the processing services;
     g) provides the controller with all information necessary to demonstrate compliance with the obligations set out in this article and to facilitate and contribute to audits, including inspections, carried out by the responsible person or another auditor appointed by the latter;
     h) informs the responsible person without delay, if he / she believes that an instruction of the data controller breaches these regulations or any other applicable data protection provisions.
  7. The data controller shall ensure compliance with the terms of the contract according to paragraph 6 before data processing commences, and at scheduled intervals. The result is to be documented. Expertise and resources must also be evaluated. Compliance with a process recognised by EU law to establish the security of personal data held by the processor is permitted as a justification for facilitated monitoring prior to concluding the contract or during the contractual relationship.
  8. In the case of a printing task performed by EBM INTERNATIONAL itself, the data controller need not act in accordance with paragraph 7.

 

§ 19. List of Processing Activities

  1. EBM INTERNATIONAL maintains a list of all processing activities carried out under its authority. This list contains the following information:
     • The name and contact details of the data controller and, if applicable, those of the processor and of the decentralised representatives;
     • The purpose of the processing;
     • A description of the categories of data subjects and the categories of the personal data, as well as
     • The categories of recipients to which the personal data has been disclosed or is to be disclosed, including recipients in third countries.
  2. Processors not subject to these regulations are obliged to comply with EU Regulation 2016/679.
  3. Data controllers and processors shall provide the list to the data protection committee upon request.

 

§ 20. Notification of Breaches of Personal Data Protection

  1. In the event of a breach of personal data protection that is likely to pose a non-negligible risk to the rights of a natural person, the data controller shall inform the data protection committee immediately.
  2. If the processor becomes aware of a breach of personal data protection, he / she shall immediately inform the data controller.
  3. The notification according to paragraph 1 shall in particular include a description of the nature of the breach of personal data protection and the probable consequences of the breach of protection.
  4. The data controller shall document all breaches of personal data protection and any corrective measures taken.

 

§ 21. Notification of the Person Affected by a Breach of Personal Data Protection

  1. If the breach of personal data protection is expected to pose a high risk to the personal rights of a natural person, the data controller shall notify the data subject immediately of the breach.
  2. The notification of the data subject must be in clear and simple language.
  3. The duty to notify the data subject may be waived if
  • The data controller has ensured through subsequent measures that the high risk to the rights of the data subject in accordance with paragraph 1 in all likelihood no longer exists, or
  • The notification would require disproportionate effort. In this case, a public notice or a similar measure shall be effected in its place, through which the data subject will be informed with similar effectiveness.

§ 22. Data Protection Impact Assessment

  1. If a form of processing, in particular the use of new technologies, poses a high risk to the rights and freedoms of natural persons due to the nature, the scope, the circumstances and the purpose of the processing, the responsible person shall carry out a prior assessment of the impact of the intended processing operations on the protection of personal data. For the examination of various similar processing methods carrying similar degrees of risk, a single assessment may be carried out.
  2. The impact assessment shall include in particular:
  • A systematic description of the planned processing operations and the purpose of the processing, including where applicable the legitimate interests pursued by the data controller;
  • An assessment of the necessity and proportionality of the processing operations in relation to the purpose;
  • An assessment of the risks to the rights and freedoms of the data subject; and
  • The planned corrective measures for dealing with the risks, including guarantees, safeguards and procedures which ensure the protection of personal data and provide evidence of compliance with the laws pertaining to data protection.

PART FOUR: OVERSIGHT COMMITTEE AND RESPONSIBILITY FOR DATA PROTECTION

§ 23. Appointment and Status of Data Protection Agents for EBM INTERNATIONAL

  1. The Executive Committee of EBM INTERNATIONAL shall appoint by resolution a representative for data protection.
  2. The appointment is usually limited to five years. Re-appointment is permitted.
  3. The data protection officer is appointed on the basis of his / her professional qualifications and, in particular, expertise in the field of data protection law and data protection practice, as well as on the basis of his / her ability to fulfil the duties referred to in § 24.
  4. The data protection officer may be an employee of EBM INTERNATIONAL or perform his / her duties on the basis of a service contract.
  5. The management of EBM INTERNATIONAL shall support the data protection officer, in particular by providing the resources necessary to perform these duties and to maintain his / her technical expertise.
  6. The data protection officer shall report to the data protection committee.
  7. The data protection officer shall be entitled to bring matters before the Executive Committee of EBM INTERNATIONAL at any time.
  8. Data subjects may consult the data protection officer on any matter related to the processing of their personal data and the exercise of their rights under these regulations.
  9. The data protection officer is bound by the protection of data secrecy and confidentiality in the performance of his / her duties.
  10. Representation is to be regulated.
  11. Dismissal of the data protection officer is only permitted with the approval of the Mission Council of EBM INTERNATIONAL. A provisional suspension by the Executive Committee of EBM INTERNATIONAL on serious grounds is possible.

§ 24. Duties and Powers of the Data Protection Officer

  1. The data protection officer shall sensitise, inform and advise the data controllers and internal processors on questions and significant developments in data protection as well as on risk mitigation.
  2. He / she shall inform data subjects upon request about their personal rights under these regulations.
  3. He / she shall take complaints from data subjects and from EBM INTERNATIONAL employees and pass them on to the data protection committee for handling.
  4. Audits by the data protection officer will be carried out under the following conditions:
  • The officer shall be supported in the performance of his / her duties by the data controller involved. Upon request, he / she shall be provided with information and access to all documents and files concerning the processing of personal data, and all data stored in this regard must be made available.
  • The officer shall report the outcomes of his / her audit to the data controller involved and to the data protection committee. This may be accompanied by proposals to improve data protection, in particular the elimination of identified faults in the processing of personal data, and by a request for statements.
  • Records referred to in § 4 as well as personal data covered by medical secrecy are not subject to audit by the data protection officer.

§ 25. Oversight Committee

  1. An independent oversight committee for data protection (data protection committee) shall oversee compliance with these regulations.
  2. The data protection committee is headed by and represented by the data protection officer.
  3. The Executive Committee of EBM INTERNATIONAL shall choose the members of the data protection committee, taking into account their expertise, reliability and experience. The data protection committee shall consist of at least two members. Members are appointed for at least two years. Participation in the data protection committee shall usually be on a voluntary basis.
  4. The data protection committee shall be completely independent in the performance of its duties and the exercise of its powers. It shall be subject to neither direct nor indirect external influence and does not receive instructions.
  5. The data protection committee shall generally prepare an activity report once per year. The activity report will be submitted to the Executive Committee of EBM INTERNATIONAL. It may contain a list of the types of breaches reported and the types of measures taken.
  6. The data protection committee may delegate administrative tasks to the management of EBM INTERNATIONAL.
  7. If the data protection committee becomes aware of breaches of data protection provisions or other failures during the processing of personal data, it shall raise this complaint with the data controller or the processor and request a statement within a specified period of time. A complaint may be disregarded if it concerns negligible failures or those that have been eliminated in the meantime. The request for statements may be accompanied by suggestions to correct failures or other improvements in data protection. The statement should contain an account of the measures which have been taken as a result of the notification by the data protection committee.
  8. The data protection committee is empowered, if necessary, to order:
  • That processing operations be brought into compliance with these regulations in a certain way;
  • That data processing operations be temporarily or permanently restricted or ceased;
  • That personal data be corrected, locked or deleted;
  • That the data subject affected by a breach of personal data protection be notified.
  9. The members are bound by the protection of data secrecy and confidentiality in the performance of their duties. This does not apply to communication between members. Former members may not comment on matters subject to secrecy which arose during their membership without the permission of the data protection committee.
  10. The representation of the management is to be regulated.

§ 26. Financial Penalties

  1. If a data controller or processor of EBM INTERNATIONAL intentionally or negligently breaches the provisions of these regulations, the data protection committee may propose that the Executive Committee of EBM INTERNATIONAL impose fines.
  2. The data protection committee shall ensure that the imposition of fines is proportionate and dissuasive.
  3. Fines are imposed depending on the circumstances of each individual case. When deciding on the imposition of a fine and its amount, the following will be duly considered for each case:
  • The nature, severity and duration of the infringement, taking into account the nature, the circumstances and the purpose of the processing concerned, as well as the number of data subjects affected by the processing and the extent of the harm suffered by them;
  • Whether the infringement arose out of intent or negligence;
  • Any measures taken by the data controller or the processor to reduce the harm caused to the data subjects;
  • Any relevant previous infringements by the data controller or the processor;
  • Willingness to work with the oversight committee to correct the infringement and to reduce its potential adverse effects;
  • The categories of personal data affected by the infringement;
  • The manner in which the infringement became known to the oversight committee;
  • Any other aggravating or mitigating circumstances in each case.
  4. In the event of a breach in accordance with paragraph 3, fines of up to 10,000 Euro may be imposed.
  5. If applicable, the collected funds will be made available to be spent for the Mission or for social welfare work, at the discretion of the data protection committee.

§ 27. Right to Complain

  1. Any person who believes that their rights have been violated by the processing of their personal data may, without prejudice to other remedies, raise a complaint with the data protection committee.
  2. The data protection committee shall inform the data subject about the status and outcome of the complaint.
  3. No one may be reprimanded or penalised for communicating details which are likely to raise suspicion that these regulations or other applicable legal provisions concerning data protection have been violated. Employees do not have to follow official channels for communications with the data protection committee.

§ 28. Compensation by Responsible Agencies

  1. Any person who suffers damage due to an infringement of the provisions of these regulations has a claim for damages against the data controller. The data subject may demand compensation of an appropriate cash amount for non-pecuniary damages.
  2. A data controller is freed from the liability referred to in paragraph 1 if he / she can prove that he / she is not responsible for the loss incurred.
  3. Section 254 of the German Civil Code and the statute of limitations for unauthorised acts under the German Civil Code apply accordingly to contributory negligence on the part of the person concerned.
  4. Several persons liable to pay compensation shall be held jointly and severally liable within the meaning of the German Civil Code.
  5. Provisions whereby persons are liable to a greater extent than under these regulations, or whereby others are responsible for the damages, remain unaffected.
  6. If an affected party claims damages, the church tribunal of the Union of Evangelical Free Churches in Germany (Bund Evangelisch-Freikirchlicher Gemeinden in Deutschland K.d.ö.R.) should first hold a hearing.

PART FIVE: RULES FOR SPECIAL PROCESSING SITUATIONS

§ 29. Handling of Personal Data in Service and Employment Relationships

  1. Data regarding employees may only be processed to the extent necessary to establish, implement, terminate or complete the employment relationship or to implement organisational, staffing and social measures, in particular for the purpose of personnel planning and the deployment of personnel, or where a legal provision, contract or service agreement provides for this.
  2. In connection with suspected criminal offences and violations of official duty committed by employees, the personal data of employees may be processed, especially to protect potential victims, in accordance with the principle of proportionality, insofar as the suspicion has not been dispelled and it is necessary for the interests of potential victims.
  3. Disclosure of data about employees to law enforcement authorities is permitted if it appears to be necessary for the detection of a criminal offence or violation of official duty or to protect potential victims.
  4. Disclosure to a future employer is only permitted with the consent of the data subject.
  5. If the data controller requests medical or psychological examinations and tests necessary to determine the suitability of the candidate in the context of an employment relationship, then the data controller may demand the disclosure of the result of the assessment.
  6. Personal data collected prior to the establishment of an employment relationship are to be deleted within one year of the decision being taken that such a relationship will not come about. This does not apply insofar as the prevailing legitimate interests of the data controller prevent the deletion, or the data subject consents to further storage.
  7. The processing of social data in accordance with Book X of the Social Security Code (SGB X) shall be governed by the provisions of that Code.
  8. After termination of an employment relationship, personal data are to be deleted if such data are no longer needed.


§ 30. Handling of Personal Data for Journalistic Purposes

  1. If processing according to § 5 paragraph 1(h) leads to the publication of statements by the data subject, these statements are to be attached to the stored data and preserved for the same length of time as the data itself.
  2. If someone's personal rights are adversely affected by reporting in accordance with § 5 paragraph 1(h), he / she may request information about the data underlying this report and stored about him / her. The information may be refused if it would allow conclusions to be drawn about the people reporting or submitting, or about the sources of contributions, documents and notices for the editorial section.


§ 31. Activities of EBM INTERNATIONAL

  1. The recording or transmission of religious services or other public events by audio-visual media and the publication of these data is permitted, if those taking part are informed through suitable measures about the nature and scope of the recording or transmission.
  2. Those affected may object in accordance with § 16, if the protection-worthy interests of the affected prevail over the interests of the responsible person.

PART SIX: FINAL PROVISIONS

§ 32. Supplementary Provisions

  1. The Executive Committee of EBM INTERNATIONAL may, with the agreement of the data protection committee, approve supplementary provisions for data protection. These may not contradict these regulations.
  2. Insofar as personal data are disclosed by social service authorities, the state provisions will apply in addition to protect these data.


§ 33. Coming into Force

These Data Protection Regulations of EBM INTERNATIONAL were agreed by the Executive Committee of EBM INTERNATIONAL on February 24, 2018 and enter into force on May 3, 2018 by the decision of the Mission Council of EBM INTERNATIONAL in Gandia, Spain.

The German-language version is legally binding.