Personal Data Storage of Jehovah's Witnesses Questioned -

In four separate letters, each affecting a particular individual, the Data Protection Authority require that the Jehovah’s Witnesses in Norway reveal what personal data they store on members, what laws they comply with and whether or not the individuals in question are informed of the collection and storage of their data. Each letter is dated May 10, 2021.

We have translated two of the letters from the Data Commissioner to Jehovah’s Witnesses. The letters are similar in content but the request for information is quite tedious as the Jehovah’s Witnesses use every means possible not to share the data they have with the data subject.

Letter One:

Statement of Requirement – Storage of Personal Data – Jehovah’s Witnesses

We refer to letters from Jehovah’s Witnesses, org. No. 879 492 742 (hereinafter only Jehovah’s Witnesses), to the Norwegian Data Protection Authority dated 4 March 2021. In the letter, Jehovah’s Witnesses explain who is responsible for the processing of personal data about members and former members living in Norway, including the associated judicial committee.

Jehovah’s Witnesses state in the letter that Jehovah’s Witnesses and local congregations are individually responsible for the processing of personal data about members and former members, depending on the purpose of the processing of personal data and the categories of personal data involved. Although the branch office of Jehovah’s Witnesses in Scandinavia, located in Denmark, provides religious guidance to the individual congregations of Jehovah’s Witnesses in Norway, it is Jehovah’s Witnesses who provide information to the individual congregations on how personal information is to be handled and processed at a congregation level. The individual congregations are also independent religious legal entities, and their activities are subject to the religious community’s internal rules and procedures that are followed in the individual congregations.

Case Background

The Data Protection Agency has received a complaint against Jehovah’s Witnesses [REDACTED]. The background for the complaint is the processing of his personal data [REDACTED].

Furthermore, complainants have stated that according to Jehovah’s Witnesses guidelines, all notes should be burned by a judging panel. A message is then sent to the branch office in Holbæk in Denmark in a blue envelope, stating the reason for any expulsion using a code system.

Complainant first require access to all personal information recorded about him by Jehovah’s Witnesses, including handwritten notes. He then wants confirmation that all personal information about him has been deleted or destroyed. He states that his claims have not been granted.

For your information, we have also sent a letter with a request for an explanation to [redacted] in the case.

Legal Background

We refer here to the Data Commissioner’s review of legal background in our letter to Jehovah’s Witnesses of 10 February 2021. In addition, we would like to emphasize the following:

The scope of the Personal Data Act and the Privacy Regulation

The rules in the law and the regulation apply to fully or partially automated processing of personal data. The rules also apply to non-automated processing of personal data that is included in or is to be included in a register, cf. the Personal Data Act § 2 and the Privacy Regulation Article 2.

The initial condition for the regulation to apply is that personal data is processed. It follows from Article 4 (1) of the Privacy Regulation that personal data are:

“any information about an identified or identifiable natural person (” the data subject “); an identifiable natural person is a person who can be directly or indirectly identified, in particular by means of an identifier, e.g. a name, identification number, location information, a network identifier or one or more elements specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

Personal information includes all information and assessments that, due to their content, purpose or effect, can be linked to a specific person.¹

Special categories of personal information

The processing of special categories of personal data, such as personal data on a person’s religion or sexual relations, is in principle prohibited, cf. Article 9 (1) of the Privacy Regulation. This includes not only data that directly concerns one of the listed categories of data, but also indicators that can indirectly derive them, for example through the use of passwords. In order to be able to process such personal data, one of the exceptions in Article 9 (2) of the Regulation must apply, and this requirement is in addition to the requirement of a legal basis under Article 6.

Requirements for internal control

The data controller has a duty to implement appropriate technical and organic measures to ensure and demonstrate that the processing of personal data is in accordance with the Privacy Regulation, cf. Article 24.

We ask for answers to the following:

Regarding the processing of the complainant’s personal information

Explain all personal information you process about complainant.
For what purpose(s) do you process the complainant’s personal data?
What legal basis under Article 6 (1) of the Privacy Regulation do you have for processing personal data on complainant? Explain what assessments you have made here.
Do you process information that directly or indirectly deals with the complainant’s sexual relations, [redacted]?
If the answer to question 4 is yes, which of the exceptions in Article 9 (2) are met for this processing of personal data? Explain what assessments you have made.
How did you inform complainant about the processing of his personal data? Submit documentation.
Has the complainant’s personal information been disclosed to anyone else, and if so, to whom? This includes other parts of Jehovah’s Witnesses, such as local congregations, the Scandinavian branch office, or the United States headquarters.
If the complainant’s personal data has been disclosed to others, what basis do you have for Article 6 (1) and Article 9 (2) for this disclosure? Explain what assessments you have made.
Explain what assessments you have made in connection with the complainant’s request for access to all his personal data, cf. Article 15. If you believe that you have not previously received such a request, we ask you to assess such a request now and explain the assessment.
Explain what assessments you have made in connection with the complainant’s claim for deletion of his personal data, cf. Article 17. If you believe that you have not previously received such a claim, we ask you to assess such a claim now and explain the assessment.

Routines for the processing of personal data by Jehovah’s Witnesses
Explain the procedures (internal control) of Jehovah’s Witnesses for the processing of personal data related to the Judgment Committee / Judgment Committee, and provide documentation on this as follows from the elders’ manual and any other written documents. This includes, among other things, the routines you have linked to the judicial committee for:
- What personal information is processed and in what way.
- Assessment of the legal basis pursuant to Article 6 (1).
- Assessment of Article 9 (2) for specific categories of personal data.
- Storage time, both for members and for people who leave or have been expelled.
- Who has access to the personal information.
- Disclosure of personal information to other parts of Jehovah’s Witnesses, such as local congregations, the Scandinavian branch office, or the United States headquarters.
- The information provided to data subjects about the processing of their personal data.
- Protection of the data subjects’ rights, including the right of access and deletion.
Do Jehovah’s Witnesses have a confidential archive that stores information about members or former members that is not disclosed or accessible to the registered persons?
If the answer to question 12 is yes, what possible exceptions from the right to information and access to the privacy regulations are this based on? Explain what assessments you have made.

Further progress

You must answer our questions by June 4, 2021.

Legal basis

Pursuant to Article 58 (1) of the Privacy Regulation, we have the authority to require the information necessary for us to be able to carry out our tasks.

Protection against self-incrimination

In accordance with the Public Administration Act § 48, we draw your attention to the fact that there may be a right not to answer questions or hand over documents when the answer or handing over may expose you to an infringement fee.

Right of appeal

You can complain about the order to give us information. Any complaint must be sent to us within three days after this letter has been received (cf. the Public Administration Act § 14). If we uphold our decision, we will forward the case to the Privacy Board for appeal.

Publicity, transparency and duty of confidentiality

We must inform you that all the documents are in principle public, cf. the Public Access to Information Act § 3. If you believe there is a basis for exempting all or parts of the document from public access, we ask you to justify this.

The Norwegian Data Protection Authority has a duty of confidentiality regarding who has complained to us, and about the complainant’s personal circumstances. The duty of confidentiality follows, among other things, from the Personal Data Act § 24 and the Public Administration Act § 13. As a party to the case, you may nevertheless be made aware of such information by the Data Commissioner, cf. the Public Administration Act § 13 b first paragraph no. , cf. the Public Administration Act § 18.

We point out that you have a duty of confidentiality regarding information you receive from the Data Commissioner about the complainant’s identity, personal circumstances and other identifying information, and that you can only use this information to the extent necessary to safeguard your interests in this case, cf. the Public Administration Act § 13 b second paragraph. We also point out that breaches of this duty of confidentiality can be punished according to the Penal Code § 209.

More information about privacy, internal control and information security can be found on our website, www.datatilsynet.no.

With Best Regards

Bjorn Erik Thon
Director

¹ Case of the European Court of Justice C-434/16 Nowak section 35

Letter Two:

Statement of Requirement – Storage of Personal Data – Jehovah’s Witnesses

Case Background

The Data Inspectorate has received a complaint from [redacted] Complainant writes that Jehovah’s Witnesses and the congregation [redacted] have registered information about him [redacted].

Complainant writes that he has previously signed a consent form (S-290-N) that Jehovah’s Witnesses process his personal data in accordance with his religious interests, in order to be able to participate in certain religious activities and to receive spiritual support. The consent statement further states that the personal data can be sent to other countries that have a lower level of protection for personal data, and that the personal data can be used in line with “with later adjustments in the text that may be made”. The statement of consent also refers to the information on privacy available on the website www.jw.org. Complainant has written that he felt pressure to sign this declaration of consent, as he had to sign for spiritual help and guidance, and to be able to participate in certain activities.

Complainants sent letters to Jehovah’s Witnesses [redacted] 2019, in which he withdrew all consent he had given to Jehovah’s Witnesses regarding the processing of his personal data.

In response to a request for access to complaintant [redacted] 2020, Jehovah’s Witnesses have written that the religous organization of Jehovah’s Witnesses keep information about [redacted].

Complainant has demanded that this personal information be deleted, and in the alternative that it be corrected. In a letter to complainant from Jehovah’s Witnesses of [redacted] 2020, the complainant’s request for deletion and rectification is rejected.

The processing of personal data by Jehovah’s Witnesses

On the website https://www.jw.org/no/personvernpolicy/bruk-av-personopplysninger/bruk-av-personopplysninger-norge Jehovah’s Witnesses provide information on how the religious community processes the personal information of their members in Norway. Here it follows, among other things, that:

“In accordance with this Privacy Act, publishers agree that their personal information is used for religious purposes by Jehovah’s Witnesses (…)

“The personal data will be stored indefinitely, as long as it is necessary to fulfill the purposes mentioned above, and other legitimate purposes. If a publisher chooses not to sign the Personal Data Statement of Consent, Jehovah’s Witnesses may not be able to assess whether he or she is fit to perform certain roles in the congregation or to participate in certain religious activities (…)

“A publisher may at any time withdraw his consent to certain forms of future use of his personal information. If a publisher withdraws his or her consent to the use of personal data, Jehovah’s Witnesses may still have the right to continue to use certain personal data without consent, based on the legitimate religious purposes associated with keeping track of global membership information or other legitimate reasons such as the Privacy Act allows for.”

Legal background

We refer here to the Data Commissioner’s review of the legal background in our letter to Jehovah’s Witnesses of 10 February 2021. In addition, we would like to emphasize the following:

The Personal Data Act and the scope of the Privacy Regulation

The initial condition for the regulation to apply is that personal data is processed. It follows from Article 4 (1) of the Privacy Regulation that personal data are:

Personal information includes all information and assessments that, due to their content, purpose or effect, can be linked to a specific person.¹

If the personal data is only processed through handwritten notes, the personal data regulations nevertheless apply as long as the information that is included or is later to be included in a register. By register, it is meant that the information is structured in such a way that makes the personal information in the material retrievable.

Right to correction of personal data

It follows from Article 5 (1) (1) of the Privacy Regulation that personal data must be correct and, if necessary, updated. Every reasonable measure must be taken to ensure that personal data which are incorrect as to the purposes for which they are processed, are deleted or corrected without delay.

The data subject shall have the right to have personal data about himself corrected by the data controller without undue delay, cf. Article 16. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data supplemented, including by submitting a supplementary statement.

We ask for answers to the following:

Regarding the processing of the complainant’s personal data

For which purpose (s) do you process personal information about the complainant [redacted]?
How long it is necessary to store personal information about the complainant [redacted] for the purpose for which the personal data is processed?
What legal basis do you have under Article 6 (1) of the Privacy Regulation for processing personal data on appeal [redacted]? Explain what assessments you have made here.
How have you informed complainant about the processing of his personal data? Submit documentation.
Has the complainant’s personal information been disclosed to anyone else, and if so, who? This includes other parts of Jehovah’s Witnesses, such as local congregations, the Scandinavian branch office, or the United States headquarters.
If the complainant’s personal data has been disclosed to others, what basis do you have for this disclosure in Article 6 (1)? Explain what assessments you have made.
Explain what assessments you have made in connection with the complainant’s claim for deletion of the personal data about him [redacted] cf. article 17.
Explain what assessments you have made in connection with the complainant’s claim for correction of the data about him [redacted] cf. Article 16.

Routines for the processing of personal data by Jehovah’s Witnesses
Explain what procedures (internal control) Jehovah’s Witnesses have for obtaining consent for the processing of personal data about their members, and what assessments have you made in connection with fulfilling the requirements for a valid consent in the Privacy Regulation 4 No. 11 and Article 7? Submit documentation of the routines as they follow from the elders’ manual or any other written documents.
Is consent form S-290-N still used as presented in the appendix to this letter? If the answer is no, please present the current version.