Impact of GDPR on WT HQ and EU branches?

by respectful_observer 34 Replies latest watchtower beliefs

  • respectful_observer
    respectful_observer

    Hi all,

    Curious if any of our EU-based members (especially those still in) have heard anything from official WT channels on how the Organisation plans to be in compliance with GDPR ("General Data Protection Regulations") by May 2018?

    It's my understanding that religious organisations must comply, and that religious data is treated a "protected" and therefore subject to some enhance requirements.

    Specifically, how will they comply with the following requirements:

    1. You must disclose to the individual: what data you collect on them, why, and what you do with the data (including what other parties receive the data and what they do with it)
    2. The individual must provide their written explicit consent that they agree to have the entity retain their data in the manner disclosed. Any changes to the terms require new consent from the individual
    3. Data collection must be proportional (i.e., only necessary data may be collected and can only be used for what you've previously disclosed to the individual)
    4. You can only keep the data as long as absolutely necessary, and must delete afterward. (e.g., even if a person demands deletion of their data, the organisation may be required to retain certain data points such as financial/tax data attached to a contribution)
    5. The individual must have: rights of access to all their data, the ability to correct it, and object to it
    6. The individual must have the "Right to be Forgotten" (i.e., they must be able to dictate that all their data be permanently erased

    Congregations keep Publisher Cards and Judicial files forever; COs review publisher info; Judicial findings on specific individuals are reported to the Branch (and WT HQ in USA?)

    What if the individual demand the "Right to be Forgotten" and all written evidence of them ever being a member wiped from congregation and WT files?

  • poopie
    poopie

    Vedi interesting

  • sir82
    sir82

    You must disclose to the individual: what data you collect on them, why, and what you do with the data

    LOL - can you imagine the (truthful) JW version of this?

    "We collect your field service reports so we can judge how spiritual you seem to be. These numbers you give us help us determine your worth as a human being. If the numbers are too low we will directly or indirectly communicate to the rest of the congregation that you are not good association and they should avoid you as much as possible."

  • Phoebe
    Phoebe

    This is going to affect every single place where data is collected and there are no excuses. I know because it will impact my business too (I am in online retail sales) A person will have the right to have their data deleted and request proof that you have done that. Physical data kept for tax reasons etc must be kept in a secure place. Policies will need to be in place including what processes are in place for a breach of security. It's very involved.

    I struggle to see how JWs will comply. As mentioned above, a lot of info is kept on file in congregations.

    I kind of want to request that all my data is deleted from the congregation even tho I am not DA/DF.

    Even when the UK leave the EU the govt will still have the GDPR because it is necessary to protect people.

    Failure to comply will carry some heavy penalties.

  • respectful_observer
    respectful_observer

    It would be interesting if some EU-based journalist who's had some experience with J-dub policies and records in the past (most likely child abuse) decided to do a story on this and make official press inquiries of the WT.

    I doubt most PIMI JWs ever think about how much more personal data the Org really keeps and circulates on members than the average religion.

    I'm assuming most faiths might track name of members, what parish/congregation they attend, maybe baptism/wedding dates if the church is involved. Probably not much more than that, unless there are tax issues related to contributions.

    Compare that with the JWs: DOB, baptism dates, letters of introduction if moving between congregations, JC notes, notification of judicial action to the Branch, monthly service report data, applications for and letters of recommendation for LDC, Bethel, etc., letters of appointment, emergency contacts, copies of Blood Cards, records/notes on elders who are convention/assembly speakers, etc., etc....

    If the WT does have to disclose in writing to each publisher what records they actually keep, why they keep them, and who sees them, that might be rather eye opening to many.

  • sillygirlforgotpassword
    sillygirlforgotpassword

    Good point raised respectfulobserver. I cannot wait to see how this evolves.

    Deadline for compliance is May 25 this year. Stiff penalties and fines are in the face of those that do not comply after that date (20million EUR or 4 per cent of global annual turnover, whichever is higher). Firms like facebook/ Google will be most affected. They are literally making money from nothing by selling our freely supplied data to targeted advertising companies at their interest. Also, GDPR breaches must be reported within 72 hours of an incident.

    Ok I just ran a search and apparently the Org has already got their legal team to come up with this: https://www.jw.org/en/data-protection-policy/

    Can you believe among other things THIS is said:

    ""The organization of Jehovah’s Witnesses has a longstanding history of respecting privacy rights and maintaining confidentiality, even before the enactment of such data protection laws.""

    *EYEROLL*

    No mention that I noticed on how they treat data collected during door to door service.
    A lawsuit has already been launched in Finland on this subject: http://www.dw.com/en/jehovahs-witness-note-taking-challenged-at-eus-top-court/a-42408206
    https://pdpecho.com/2017/03/21/door-to-door-gathering-of-data-by-religious-group-goes-to-the-cjeu/

    An interesting reddit discussion where some exjw's have tried to address this : https://www.reddit.com/r/exjw/comments/6auxcu/gdpr_and_the_databases_of_the_witnesses/

  • Drearyweather
    Drearyweather
    What if the individual demand the "Right to be Forgotten" and all written evidence of them ever being a member wiped from congregation and WT files?

    Interesting.

    The first two points under article 17 says that the data should be erased unless,

    1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

    2. the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

    the Data protection policy on jw.org says under point 7:

    Personal data will not be transferred between branches unless necessary to accomplish the religious or charitable purposes of the organization of Jehovah’s Witnesses, to which all Jehovah’s Witnesses have consented by virtue of their free and willing decision to become and identify themselves as Jehovah’s Witnesses.

    A person consents to become a JW by getting baptized and gives right to the WT to collect and maintain data about him. So, technically, how does a JW withdraw his consent? By writing a letter of DA or by getting DF'ed?

    So if a person just stops going to the meetings without getting DA'ed or DF'ed, can he still ask the WT to erase data on him?

  • Spiral
    Spiral

    I haven't been able to read all the links yet, but I think the following is problematical for them:

    Data protection policy on jw.org says under point 7:

    Personal data will not be transferred between branches unless necessary to accomplish the religious or charitable purposes of the organization of Jehovah’s Witnesses, to which all Jehovah’s Witnesses have consented by virtue of their free and willing decision to become and identify themselves as Jehovah’s Witnesses.

    Having been baptised in the early 70s as a young teen in the US, I certainly was never asked or made aware of the records that the Society has kept on me. I am sure that has not changed today. When you open a bank or credit card account, you have to sign a form saying you understand privacy policy, and you get updates in the mail when the policy or the law concerning that has changed. So, how do they think they can prove the (untrue) statement above? Unless things have changed, they don't have signatures on file for each publisher giving permission to collect/keep personal data. Perhaps if they enforce a system where everyone must log in to JW.org to get literature, see videos, and make contributions (with individual accounts with passwords) they will try to sneak this in as well. It will be interesting to see how this plays out.

    Perhaps the cart witnessing with no not-at-home records (I remember those forms, and turning them in to the congregation with the territory) is a way they've come up with to address this?


  • DesirousOfChange
    DesirousOfChange

    Personal data will not be transferred between branches unless necessary to accomplish the religious or charitable purposes of the organization of Jehovah’s Witnesses, to which all Jehovah’s Witnesses have consented by virtue of their free and willing decision to become and identify themselves as Jehovah’s Witnesses.

    It seems to me they have the veiled threat of DF/DA attached to anyone demanding the erasure of their personal data, because by making such a request they would be revoking their "consent" by identifying as JWs. Is such a threat legal?

    It will take some bold ex-JWs to challenge all of this.

  • sillygirlforgotpassword
    sillygirlforgotpassword

    You're absolutely right Spiral. Point 7 in the JW DP policy can NOT stand in a typical GDPR Audit.

    Clear consent about sharing data is a big deal in the GDPR Standard. Which is why Facebook revised its own DP Policy early this year to be clearer about what is done with data they collect (in my opinion, that's still not enough but that's another story)

    GDPR definition of consent:

    (11) 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
    => Article: 6, 7, 8
    => Recital: 32, 33, 38, 42, 43
    => Dossier: Consent

    IT Governance goes on to give examples of lawful consent requests@

    • Signing a consent statement on a paper form;
    • Clicking an opt-in button or link online;
    • Selecting from equally prominent yes/no options;
    • Choosing technical settings or preference dashboard settings;
    • Responding to an email requesting consent;
    • Answering yes to a clear oral consent request;
    • Volunteering optional information for a specific purpose (such as optional fields in a form); and
    • Dropping a business card into a box.

    https://www.itgovernance.eu/blog/en/gdpr-when-do-you-need-to-seek-consent/

    I'm just WAITING for May 25 to come around!

Share this

Google+
Pinterest
Reddit