VATICAN CITY (HOLY SEE) - Data Protection and GDPR Review

The Vatican City, also known as the Holy See, has a unique standing in the world of international relations and governance. As an independent city-state entirely surrounded by the city of Rome, Italy, it has its own set of laws and regulations that govern various aspects of life, including data protection. However, the history of data protection in the Vatican City is not as extensive or well-documented as it is in larger states or those within the European Union. Below is a summary of key developments in this area.

Early Developments

Fundamental Law of Vatican City State

The Fundamental Law of Vatican City State, issued in 2000, serves as the constitutional law of the Vatican. While it doesn't specifically address data protection, it sets the framework for governance and legislative authority within the Vatican City.

Relation to Italian Law

Given its geographical location and close relations with Italy, the Vatican often takes cues from Italian laws and regulations. However, it is crucial to note that Italian law, including the laws related to data protection, does not automatically apply to the Vatican City.

Legislation and Guidelines


In 2018, the Vatican promulgated Law N. CCXLVII on the Protection of Personal Data. This law was created to align the Vatican's data protection standards with those of the European Union's General Data Protection Regulation (GDPR). The law applies to the processing of personal data for activities within the scope of Vatican City State or by entities dependent on the Holy See.

The Data Protection Authority

Along with the 2018 law, the Vatican also established an independent Data Protection Authority for supervising and enforcing the provisions related to data protection. The authority has the power to investigate complaints, issue guidelines, and impose sanctions in the case of violations.

Principles and Key Aspects

  1. Data Minimization: Personal data collection is restricted to what is strictly necessary for lawful purposes.

  2. Consent: The law emphasizes the need for clear and explicit consent for the processing of personal data.

  3. Rights of Data Subjects: Individuals have the right to access, correct, and delete their personal data, similar to the rights provided under GDPR.

  4. Security Measures: Entities that process personal data must implement adequate security measures to protect the data.

Current State and Future Prospects

As of the latest available information, the Vatican continues to operate under the framework set forth by its 2018 law on the Protection of Personal Data. Given its intent to align with GDPR standards, it is likely that the Vatican will continue to update and refine its data protection measures in line with any future amendments or updates to the GDPR.

The history of data protection in Vatican City is relatively recent but shows a clear intent to align with international standards, particularly those of the European Union. The 2018 law marks a significant step in formalizing data protection measures, bringing the Vatican City in line with broader global trends toward enhanced privacy protections.

The Vatican City, also known as the Holy See, is a unique entity with its own set of rules and regulations. Its stance on data protection has evolved in recent years to align more closely with international standards, particularly the European Union's General Data Protection Regulation (GDPR). This guide aims to offer a comprehensive overview of data protection in the Vatican City as it relates to the GDPR.

Regulatory Framework


In 2018, the Vatican City enacted Law N. CCXLVII on the Protection of Personal Data to provide a comprehensive framework for data protection. This law is designed to bring the Vatican's data protection standards in line with the EU's GDPR.

Data Protection Authority

The law also established an independent Data Protection Authority responsible for supervising the application of data protection law in Vatican City. This authority has regulatory powers, including the ability to issue fines and conduct investigations.

Key Principles

Similarity to GDPR Principles

  1. Lawfulness, Fairness, and Transparency: Just like the GDPR, the law stipulates that personal data should be processed lawfully, fairly, and in a transparent manner.

  2. Purpose Limitation: Personal data may only be collected for specified, explicit, and legitimate purposes.

  3. Data Minimization: The collection of data should be limited to what is necessary for the purposes for which it is processed.

  4. Accuracy: Data must be accurate and updated as necessary.

  5. Storage Limitation: Data should not be kept longer than required for the purpose for which it is processed.

  6. Integrity and Confidentiality: Adequate security measures must be in place to protect the data.

Individual Rights

The Vatican’s data protection law confers several rights on data subjects, similar to those in the GDPR:

  1. Right to Information: Individuals must be informed about the collection and processing of their data.

  2. Right to Access: Individuals have the right to access their personal data.

  3. Right to Rectification: Individuals can have inaccurate data corrected.

  4. Right to Erasure ("Right to Be Forgotten"): Under certain conditions, individuals can request the deletion of their personal data.

  5. Right to Data Portability: Data subjects can request the transfer of their data to another entity.

Organizational Obligations

Organizations that process personal data in Vatican City are subject to obligations similar to those under the GDPR:

  1. Consent: Explicit consent must be obtained from individuals before processing their personal data.

  2. Data Protection Impact Assessments: Organizations may be required to conduct impact assessments for processing activities that pose high risks to data subjects.

  3. Data Breach Notification: In case of a data breach, both the authority and the data subjects must be notified.

  4. Security Measures: Organizations are obligated to implement security measures to ensure the protection of personal data.


The Data Protection Authority has the power to issue administrative sanctions for violations of the law, which can be substantial, although they are not identical to GDPR's penalty framework.

Scope of Application

It's essential to note that this law applies to data processing carried out by entities that operate within the Vatican City or are dependent on the Holy See, regardless of whether the data processing occurs within Vatican City.


The Vatican City's data protection framework, though recent, is robust and largely modeled after the GDPR, making it one of the more stringent data protection regimes among small independent jurisdictions. Understanding this framework is critical for organizations operating within Vatican City or those interacting with entities dependent on the Holy See. By aligning its data protection standards with those of the GDPR, the Vatican City signals its commitment to safeguarding individual data rights.

