The conditions for exercising the right to vote and the organization of elections are governed by Act No. 180/2014 Coll. on the conditions for exercising the right to vote and on amendments to certain acts (hereinafter referred to as "Act No. 180/2014 Coll."). This Act imposes a number of obligations on municipalities, the fulfilment of which requires the processing of personal data. This year, Act No. 185/2022 Coll. on a special method of voting in elections to municipal self-government bodies and in elections to self-governing regional bodies which will take place on the same day and at the same time in 2022 and on amendments and supplements to certain acts (hereinafter referred to as "Act No. 185/2022 Coll.") also applies; it regulates the right to vote for persons with restrictions on personal freedom due to the protection of public health against COVID-19.

From the perspective of personal data protection, municipalities and towns (hereinafter referred to as "controllers") are required to take appropriate measures and ensure that elections are conducted in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the "Regulation") and Act No. 18/2018 Coll. on the protection of personal data and on amendments to certain laws (hereinafter referred to as "Act No. 18/2018 Coll.") and to comply with the principles of appropriateness, transparency in relation to data subjects, lawfulness, fairness and minimization of personal data processing.
In view of the above-mentioned obligations for controllers in the conduct of elections, we would like to inform you about the most common errors.
Errors of public administration bodies in elections:
We most frequently encounter errors in obligations related to transparency, appropriateness, and security, which are closely linked to the unauthorized provision of personal data. The individual obligations and the errors that may occur are explained below.
Violation of the principle of transparency:
Every data subject whose personal data is being processed has the right to be informed, through an information obligation, about the processing of their personal data. As part of this, the municipality is required to provide the following information:
- the identity and contact details of the controller (municipality),
- the contact details of the person responsible for supervising personal data protection,
- the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing,
- the recipients or categories of recipients of the personal data, if any,
- the categories of personal data concerned,
- the period for which the personal data will be stored or, if this is not possible, the criteria for determining this period,
- the rights of the data subjects,
- the existence of automated decision-making, including profiling referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject,
- where applicable, information that the controller intends to transfer personal data to a third country or international organization and information on the existence or absence of a Commission decision on the adequacy of the level of protection provided by the third country or international organization, or, in the case of transfers referred to in Article 46 or 47 or in the second subparagraph of Article 49(1) of the Regulation, a reference to the appropriate or suitable safeguards and the means for obtaining copies of those safeguards or where they have been made available.
The municipality is obliged to inform all data subjects – voters, commissions, recorders, candidates – about the processing of personal data during elections before the first processing, by means of an information notice posted on the municipality's website, on the official notice board of the municipality and, finally, before entering each polling station.
If the municipality fails to fulfill its obligation under Articles 13 and 14 of the Regulation and does not inform the persons concerned about the processing of their personal data before the first processing, this constitutes a breach of the principle of transparency within the meaning of the Regulation.
Violation of the principle of proportionality and minimization:
Under the Regulation and Act No. 18/2018 Coll., personal data may only be obtained for a specific, explicitly stated and legitimate purpose and may not be further processed in a manner incompatible with that purpose.
The municipality is obliged to process only those personal data that are permitted by Act No. 180/2014 Coll. and Act No. 185/2022 Coll. for the purpose of exercising the right to vote. This means that the municipality is obliged to process only personal data on documents and forms to the extent permitted by these acts. Anyone who prepares forms for the conduct of elections must ensure that the arbitrary entry of personal data beyond the scope of the above-mentioned laws (e.g., email or telephone number in the list of voters) is prevented.
If a municipality processes personal data for the purpose of conducting elections beyond the scope specified by Act No. 180/2014 Coll. and Act No. 185/2022 Coll., this constitutes a violation of the principles of minimization and proportionality within the meaning of Article 5 of the Regulation.
Breach of personal data security:
The municipality is obliged to take appropriate security measures with regard to the assessment of risks associated with the conduct of elections within the meaning of Articles 25 and 32 of the Regulation and Sections 32 and 39 of Act No. 18/2018 Coll. One of the basic requirements is the obligation of the statutory representative to authorize the persons who will process personal data for the purpose of conducting elections and to properly instruct them.
If, in addition to the members of the district election commission, its recorder and other authorized persons, other persons who have expressed an interest in observing the conduct of the elections and the counting of votes are present, they must be prevented from viewing the list of voters or making extracts, copies, photographic or video recordings from it.
When a voter signs the voter list upon receipt of the ballot paper and envelope, election commission members must proceed in such a way as to prevent unauthorized access to the personal data of other voters whose personal data are on the same page of the relevant voter list. Data security can be achieved, for example, by placing blank sheets of paper over the personal data of other voters on the list so that voters can only see their own data. In the case of voting outside the polling station, the members of the electoral commission should proceed in the same way to prevent access to the personal data of other voters on the list. It is also necessary to ensure a discreet area for signing ballot papers, for example by marking the outline of a discreet area on the floor or by election commission members adjusting the layout to ensure the confidentiality of voters' data. Each controller, in this case the municipality, is responsible for the security of personal data and is obliged to comply with security measures to ensure the protection of personal data.
Interesting fact: During the period when candidate lists were being submitted, it became common practice for candidates for parliament to ask municipalities to provide them with a list of residents, including their first names, last names, and addresses, for the purpose of sending their marketing materials. However, do they have the right to request such data from the municipality? Every authorized person in the municipality who prepares voter lists must be instructed on how to process personal data. Based on this instruction, they must be able to assess to whom and what data they are required to provide. Since no candidate is an authorized person (within the meaning of the GDPR and Act No. 18/2018 Coll.) to whom such data may be provided, and there is no legal basis for such provision of personal data, if the requested data were made available for the purpose of distributing candidates' marketing materials to citizens of the municipality, this would constitute a gross violation of personal data protection.