German Church Data Overhaul: Volunteers Must Sign Secrecy Pledges, Fax Machines Outlawed From March 1
27.06.2026 - 04:03:08 | boerse-global.de
For the first time, churches and affiliated institutions across Germany must formally bind their volunteers to data secrecy under a reformed data-protection law that took effect on March 1, 2026. The requirement, laid out in the revised Gesetz ĂĽber den Kirchlichen Datenschutz (KDG), shifts responsibility onto thousands of parish councils, youth-group leaders, and charity workers. Local communities now face significantly higher administrative loads simply to comply.
The mandate is explicit: every volunteer handling personal data must sign a confidentiality obligation under § 5 Abs. 2 KDG. Previously, such pledges were mostly directed at employees. The threshold for appointing a dedicated data-protection officer has also been lowered. Any organization with at least 20 employees – rather than the earlier, higher bar – now needs one (§ 36 Abs. 2a KDG).
Fax Ban and Multi-Factor Security
Technically, the biggest changes target outdated hardware. Fax machines can no longer be used to transmit personal data; the church regulator deems the transmission method no longer permissible. At the same time, all sensitive databases must be protected by multi-factor authentication. Private IT equipment – laptops, phones, storage devices – is banned from official use. The reform forces a strict separation between personal and professional infrastructure.
There are trade-offs. The requirement for a hand-written signature on digital consent forms has been dropped (§ 8 Abs. 2 KDG), easing electronic authorization. Two entirely new sections were added: § 52a KDG governs the recording of church services, while § 54a KDG covers data processing during abuse investigations.
Penalties Jump to Seven Figures
Fines are rising sharply. Violations of the KDG can now be punished with up to €1 million or four percent of the worldwide annual turnover of the offending institution – whichever is higher – with a hard cap of €3 million (§ 51 Abs. 4 KDG). That places church bodies on a similar penalty footing to secular companies under the GDPR.
New Federal Commissioner Steps In
On June 25, 2026, the Bundestag elected Moritz Hennemann as the new Federal Commissioner for Data Protection and Freedom of Information. The Freiburg law professor will take over from Louisa Specht-Riemenschneider, who remains in office until the end of September 2026. Hennemann is known as a critic of bureaucratic excess in the GDPR and has argued for looser rules to encourage innovation. His stance could reshape how state and church supervisory authorities coordinate going forward.
The wider legal environment is shifting, too. Earlier in 2026, the European Court of Justice ruled that dismissing an employee solely because they left the church is generally disproportionate. In response, German dioceses have already revised the Grundordnung des kirchlichen Dienstes – the foundational employment code – to reduce potential discrimination.
Shrinking Church Estates Need Data Care
The KDG reform coincides with ongoing structural decline. The Nordkirche (Northern Evangelical Lutheran Church) has deconsecrated 45 churches since 2015. On June 28, 2026, the Zachäus Church in Hamburg-Langenhorn is scheduled to be deconsecrated. When former church buildings are turned into day-care centers, museums, or other community uses, the new data-protection requirements demand that personal data from prior operations be handled carefully from the planning stage onward.
