GDPR and Congregation Data: What Every Elder Should Know
Every publisher trusts the congregation with sensitive information — their name, phone number, baptism date, field service hours. Where is that data right now? For most congregations, the answer involves WhatsApp groups, personal laptops, and shared Google Sheets with no data processing agreement. The GDPR has been in force since 2018, and this article will help you take proper care of that trust.
What counts as personal data in a congregation
Under GDPR, personal data is any information that can identify a living person. For a congregation this is broad: publisher name and phone number, baptism date, monthly field service hours, pioneer status, and even an address on a territory card where a householder was spoken to.
Some of this falls under GDPR’s “special categories” — Article 9 explicitly lists religious beliefs. Because Jehovah’s Witnesses are a recognised religious body, the data you hold about your members inherently touches Article 9. This means a higher standard of care is required, the legal basis must be explicit, and access should be restricted to those who genuinely need it.
Who is responsible
The congregation is the data controller — the entity that decides why and how personal data is processed. A software platform or hosting provider is a data processor. GDPR Article 28 requires a written Data Processing Agreement (DPA) between controller and processor before any processing begins. Without it, you have a compliance gap regardless of how secure the tool is.
For self-hosted deployments, the congregation is both controller and processor. The technical configuration — server security, access controls, backup procedures — becomes part of the compliance responsibility.
The risks of Excel, WhatsApp, and Google Sheets
WhatsApp is owned by Meta and routes data through US servers. There is no congregation-level DPA available. Every publisher name and service update shared in a WhatsApp group is processed under Meta’s standard terms — not designed for religious bodies managing Article 9 data.
Google Sheets requires a Workspace account with an active DPA. Most congregations using a free Google account have no such agreement. A local Excel file is defensible from a data transfer perspective, but if the laptop is lost without encryption, the entire publisher database is exposed. Emailing the file sends it unencrypted over infrastructure you don’t control.
What GDPR actually requires
Article 9(2)(d) permits processing by a religious body “in the course of its legitimate activities” provided data relates exclusively to members and is not disclosed outside the organisation without consent. This is a workable legal basis for congregations — but it does not automatically cover sharing data with third-party platforms.
Data minimisation means you should only hold what you actually need. Retention limits mean inactive publisher data should not be kept indefinitely. Data subject rights mean any publisher can request to see their data, and you must respond within thirty days. Every tool that touches congregation data must have a DPA in place.
How to close the gaps
Start with an audit: list every tool, file, and channel that contains publisher data. For each one, ask: Is there a DPA? Is the data limited to what is necessary? Is there a retention policy? Move congregation records to a tool with a proper DPA — Unitae’s managed hosting includes one at no additional cost, covering publisher records, territory data, and service reports, with data hosted in France.
Document your legal basis. A short internal note recording that the congregation processes data under Article 9(2)(d) is sufficient, but it should exist and be reviewed annually. Appoint one elder as the informal data contact: the person a publisher can speak to about their data.
The right tools make compliance the default
GDPR compliance for a congregation is not bureaucratic — it is a practical expression of respect for your members. Publishers trust the congregation with sensitive information. They deserve to know it is handled carefully, stored securely, and not shared with platforms that profit from it. When records live in a system with a proper DPA, appropriate access controls, and a clear retention policy, the congregation can focus on what actually matters.