With the issuing of Decree no. DCLVII of 30 April 2024, the Pontifical Commission for the Vatican City Statepromulgated the General Regulation on the protection of personal data for the Vatican City State "ad experimentum"for a three-year period.

This is the first normative intervention aimed at organically regulating the processing of personal data carried out by the Governorate of the Vatican City State, both in the territory of the Vatican City State and in the extraterritorial areas referred to in articles 15 and 16 of the Lateran Treaty, in accordance with the Law on the Government of the Vatican City State No. CCLXXIV of 25 November 2018 and the Fundamental Law of the Vatican City State of 13 May 2023 (art. 2, paragraph 1).

The General Regulation presents significant specific profiles with respect to the provisions of the European Regulation for the Protection of Personal Data 2016/679.

First of all, it’s different the function attributed to the Controllers, identified by the General Secretary of the Governorate, as Processor, within the apical roles of the Government Bodies. Controllers are called upon to directly implement the General Regulation on the protection of Personal Data for the Vatican City State in compliance with the principles set out in the articles 4 and 5 and designate, with a written document, the respective “Referenti”, a figure not provided for by the European Regulation and which indicates the natural persons responsible for keeping and updating the processing registers. The function of Data Protection Officer is instead attributed to the General Councilor of the Vatican City State who guarantees "in full independence" the correct application of the General Regulation also by deciding on complaints lodged by interested parties.

The art. 1 of the General Regulation also makes express reference, alongside the rights and freedoms of the person, to respect for human dignity as the first parameter - not provided for by the art. 1 of the European Regulation - which must inform the application of the new regulatory body. Nonetheless, the subsequent art. 6, paragraph 1 of the General Regulation, while confirming the general prohibition on the processing of "special categories of personal data", does not include data relating to the sexual life or sexual orientation of the person (art. 9, paragraph 1 of the European Regulation), opting for a more generic reference to data relating to "other situations connected to the person's private life".

Although more in conformity with the canonical concept of intimatas - and, in this regard, the General Regulation reiterates that "Vatican law is characterized by recognizing canon law as a normative source and irreplaceable interpretative criterion" - the provision can determine a notable expansion of the "special categories of personal data".

The consequent increase in the cases in which the general prohibition on the processing of such information can operate is partly mitigated by the greater breadth recognized to the scope of application of the exception referred to in the art. 6, paragraph 2, lett. d) of the General Regulation, which allows, in the absence of the data subjects’ consent, the processing of these categories of data by foundations, associations or other non-profit bodies/organisations in the pursuit of "purposes of institutional interest", and not only in carrying out "political, philosophical, religious or trade union purposes", as prescribed by the art. 9, paragraph 2, lett. d) of the European Regulation.

The prohibition on the processing of "special categories of personal data" in the absence of the data subject’s consent is further derogated when their acquisition is carried out for the purposes of prevention, investigation, detection or prosecution of crimes or execution of criminal sanctions, including protection against threats to public safety and their prevention - art. 6, paragraph 2, lett. i) – and, above all, when it is necessary for the execution of a task of institutional interest or connected to the exercise of institutional functions with which the Controller is invested (art. 6, paragraph 2, lett. j).

The exceptions contemplated by the art. 6, paragraph 2, lett. d), i) and j) lead, indeed, to a substantial limitation of the operation of the legal basis of consent also in the processing of these special categories of data.

Also worthy of mention is the provision in art. 8 of the General Regulation, that imposes to provide the data subject with information on the processing of personal data at the moment in which the same are collected or within a reasonable period, in any case not exceeding thirty working days from the date of collection or from the first communication.

The General Regulation, similarly to the European Regulation, disciplines in detail the right of access, the right to rectification, cancellation, portability of the data of the natural person and his or her right to object and limit the data, as well as the right to lodge a complaint with a supervisory authority, called to ensure that all processing of personal data takes place in compliance with the principles of lawfulness, correctness, transparency, good faith and proportionality and in respect of human dignity and the rights and freedoms of the person. In any case, the right of the data subject to appeal to the judicial authority of the Vatican City State is reserved (art. 25).

The supervisory authority is identified by the General Regulation in the General Councilor of the Vatican City State who, as Data Protection Officer (art. 10, paragraph 2), «acts in full independence in carrying out his duties and in 'exercise of one's powers' (art. 10, paragraph 3). However, beyond the circumstance that the General Councilor is appointed for a five-year period directly by the Supreme Pontiff (art. 12 of the Fundamental Law of the Vatican City State of 13 May 2023), in the General Regulations there are no provisions aimed at guaranteeing its "full independence". The General Regulation, in fact, does not reproduce any of those necessary provisions through which the art. 52 of the European Regulation ensures the effective independence of the supervisory authority.

Fabio Balsamo