Blog

Back to Blogs
#gdpr

Elections within the meaning of the GDPR

27.05.2021 | Autor: Top privacy s.r.o.
8

In this article, we have prepared an overview of the processing and protection of personal data of data subjects in the course of securing elections.

Elections within the meaning of the GDPR

 

Operator obligations

The conditions for exercising voting rights and organizing elections are governed by Act No. 180/2014 Coll. on the conditions for exercising voting rights and on amendments to certain acts (hereinafter referred to as "Act No. 180/2014 Coll."). This Act imposes a number of obligations on operators, the fulfillment of which requires the processing of personal data of the persons concerned – voters.

The controller, which in most cases is the municipality, is obliged to process the personal data of the data subjects for the purpose of ensuring the conduct of elections in accordance with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the "GDPR") and Act No. 18/2018 Coll. on the protection of personal data and on amendments to certain laws (hereinafter referred to as "Act No. 18/2018").

The GDPR imposes certain principles on controllers when processing personal data. One of these principles istransparency, which primarily refers to the controller's obligation to provide data subjects with all information specified in Articles 13 and 14 and all notifications in Articles 15, 22, and 34 of the GDPR. In other words, the principle of transparency means, in particular, that the controller must fulfill its information obligations towards data subjects.

In accordance with the above-mentioned articles of the GDPR and based on the statement of the Office for Personal Data Protection, the controller must fulfill a comprehensive information obligation, which should be published on the official notice board or on the website. However, there are several ways to fulfill the information obligation. In addition to the official notice board and website, the controller may place the relevant documents, for example, directly at the entrance to the polling station, on the table with the ballot papers, or send them together with the documents sent to voters before the elections (e.g., on the right to vote and be elected or notification of the place and time of the elections).

The information obligation should inform the persons concerned of all the purposes of the processing of personal data, i.e. also of the security of the election process, the legal basis for such processing, and should also inform the persons concerned of the specific personal data being processed.

In this case, pursuant to Act No. 180/2014 Coll. on voters – data subjects, the following data are processed within the register of permanent voters:

  • first name and surname,
  • birth number, in the case of foreigners, date of birth if no birth number has been assigned,

nationality,

name of municipality, street name if the municipality is divided into streets, house number and orientation number of the permanent residence.

There are several purposes for processing personal data to ensure the conduct of elections, and they should therefore be listed individually in the information obligation. Specifically, these are:

  • Maintaining a permanent list of voters;
  • Maintaining records of members of district, local and precinct election commissions;
  • Maintaining a list of candidates.

As ensuring the conduct of elections is the responsibility of the municipality under Act No. 180/2014 Coll., the legal basis is the fulfillment of legal obligations under Article 6(1)(c) of the GDPR.

The controller only demonstrates compliance with its obligation to inform the data subject. It is not obliged to prove that the data subject has actually read and understood the information provided. It is also important that the controller is prepared to provide information in the language of the national minority and/or in a form suitable for visually impaired data subjects.

In the case of a visually impaired voter, one of the members of the commission may be designated to read the information obligation to the data subject and inform them about the manner in which their personal data will be processed. The designated member of the commission is required to inform the disabled person concerned about the voting procedure, but under no circumstances may they handle (alter or place in the envelope) the voter's ballot paper.

An example of what such an information obligation of the municipality towards voters may look like can be downloaded on request.

Organizational (procedural) measures

Personal data may only be processed by authorized persons, i.e. persons who are authorized to access the data contained in the voter list or on the candidate list. These include, for example, members of the commission and its recording clerk. Only data that is accurate and complete and, where necessary, updated in relation to the purpose of processing may be processed. Personal data should be provided in a manner that does not compromise its confidentiality. Therefore, the provision of such data by telephone or electronically without encryption or anonymization is prohibited.

Pursuant to Section 11(4) of Act No. 180/2014 Coll., every authorized person is obliged to maintain confidentiality regarding personal data that they become aware of in the voter register. Therefore, if there is a person in the room who is not an authorized person of the operator, it must be ensured that this person is not familiar with the data contained in the voter list. Unauthorized persons in the polling station may not inspect the list or make any notes. The same applies to unauthorized persons who carry documents containing personal data. It must be ensured that these persons do not have access to the content of personal data. Such transfer requires the consent of a designated person who must assess whether such transfer does not jeopardize the protection of personal data.

Authorized persons must ensure that personal data of other data subjects are not disclosed, even accidentally. For this reason, it is necessary that the persons concerned be dealt with individually, observing a zone of discretion, or that persons enter the polling station in a continuous stream so that ballot papers are collected gradually. If it is necessary for the voter to sign for the ballot paper and envelope, the authorized persons must ensure that the personal data of other data subjects whose data appear on the same page of the relevant voter list are not disclosed. Such unauthorized access can be prevented, for example, by placing a blank sheet of paper over the list of other voters on the same voter list. This will allow the voter signing the list to see only their own personal data and will not compromise the confidentiality of other voters' data. The same measures to protect the personal data of other voters on the list also apply to voting outside the polling station.

Personal data may have to be passed on to other authorized persons (such as the police, the public prosecutor's office, or the competent court) in the context of misdemeanor or criminal proceedings. Such transfer of personal data is only possible with the permission of the statutory body, based on a written request from the relevant authority and in accordance with the relevant special law. The statutory body shall authorize an authorized person to transfer the relevant personal data to the competent authority only on the basis of a record of the transfer, which shall specify to whom and for what purpose the data are being provided. This protocol transfers responsibility for the protection of personal data in accordance with Act No. 18/2018 Coll. to the transferee.

Records of members of the district election commission, local election commission and precinct election commission and maintenance of the list of candidates

The controller, in this case the municipality, is required to fulfill its information obligation internally as well, in relation to members of the commission as well as individual candidates for the representative body, because their personal data is also processed by the controller. Specifically, personal data is found on the registered list of candidates submitted by the political party. Pursuant to Act No. 180/2014 Coll., this list of candidates must contain:

  • the name of the political party or the names of the political parties forming the coalition,
  • a list of candidates containing:
  1. the candidate's first name, surname, title and date of birth,
  2. the occupation of the candidate at the time of submission of the candidate list; the occupation must not contain any proper names or abbreviations thereof,
  3. the permanent address of the candidate,
  4. the order on the candidate list expressed in Arabic numerals for all candidates,
  • the name, surname, position, signature of the person authorized to act on behalf of the political party and the stamp of the political party; in the case of a coalition, the name, surname, position, signature of the person authorized to act on behalf of each political party forming the coalition and the stamp of each political party forming the coalition.

The controller therefore processes personal data to the extent specified above. Personal data contained in the list of candidates is classified as ordinary personal data.

Even before the GDPR came into force, Act No. 122/2013 Coll. on the protection of personal data and on amendments to certain acts (hereinafter referred to as "Act No. 122/2013 Coll.") classified membership of a political party as a special category of personal data (Section 13 of the Act). The processing of such personal data would therefore be prohibited unless it fell within one of the exceptions listed in Section 14 of Act No. 122/2013 Coll. However, this is no longer the case, as the GDPR has removed membership of a political party from the special category of personal data.

If the candidate list contains more personal data than is required by Act No. 180/2014 Coll. for the purpose of ensuring the conduct of elections, the designated person shall ensure that the part of the data that is not necessary for the purpose of processing is deleted. This approach reflects one of the principles laid down in the GDPR – the principle of minimalism.

We will update further information regarding the elections and their compliance with the GDPR as necessary.

Sources

Act No. 18/2018 Coll. on the protection of personal data

Regulation (EU) 2016/679 of the European Parliament and of the Council

Frequently asked questions about the Regulation and Act No. 18/2018 Coll.

Slovak Data Protection Authority: Ensuring the conduct of elections and the protection of voters' personal data

Top privacy s.r.o.

Top privacy s.r.o.

"Quality content is not created by copywriters, but by experts."