The most common violations in municipal and regional elections from the perspective of the GDPR.

23.09.2022 | Author: Top privacy s.r.o.

The conditions for exercising the right to vote and the organization of elections are governed by Act No. 180/2014 Coll. on the Conditions for Exercising the Right to Vote and on Amendments to Certain Acts (hereinafter “Act No. 180/2014 Coll.”). This Act imposes a number of obligations on municipalities, the fulfillment of which necessitates the processing of personal data. This year, Act No. 185/2022 Coll. was also added, concerning a special method of voting in elections to municipal self-government bodies and in elections to regional self-government bodies, which will take place in 2022 on the same day and at the same time, and which amends and supplements certain laws (hereinafter referred to as “Act No. 185/2022 Coll.”), regulating the right to vote for persons whose personal freedom is restricted for the purpose of protecting public health against COVID-19.

From the perspective of personal data protection, municipalities and cities (hereinafter referred to as “the controller”) are required to take appropriate measures and ensure that elections are conducted in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the “Regulation”) and Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments to Certain Acts (hereinafter referred to as “Act No. 18/2018 Coll.”) and to comply with the principles of proportionality, transparency in relation to data subjects, lawfulness, fairness, and the minimization of personal data processing.

In view of the aforementioned obligations for controllers in the conduct of elections, we would like to inform you about the most common errors.

Mistakes made by public administration entities during elections:

We most frequently encounter mistakes regarding obligations related to transparency, proportionality, and security—which is closely linked to the unauthorized disclosure of personal data. An explanation of the individual obligations and the causes of possible violations is provided below.

Violation of the principle of transparency:

Every data subject whose personal data is being processed has the right to be informed, through the duty to provide information, about the processing of their personal data. As part of this, the municipality is required to provide the following information:

  • the identity and contact details of the controller (the municipality),
  • the contact details of the person responsible for supervising personal data protection,
  • the purposes of processing for which the personal data are intended, as well as the legal basis for processing,
  • recipients or categories of recipients of personal data, if any,
  • categories of personal data concerned,
  • the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period,
  • the rights of data subjects,
  • the existence of automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the Regulation, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject,
  • where relevant, information that the controller intends to transfer personal data to a third country or an international organization and information on the existence or absence of a Commission adequacy decision or, in the case of transfers referred to in Article 46 or 47 or in the second subparagraph of Article 49(1) of the Regulation, a reference to the appropriate or suitable safeguards and the means to obtain a copy of them, or where they have been provided.

The municipality is required to inform all data subjects—voters, committees, scrutineers, and candidates—through a notice posted on the municipality’s website, on the municipality’s official bulletin board, and finally at the entrance to each polling station.

If the municipality fails to fulfill its obligation under Articles 13 and 14 of the Regulation and does not inform data subjects about the processing of their personal data prior to the first processing, this constitutes a violation of the principle of transparency under the Regulation.

Violation of the principles of data minimization and proportionality:

Under the Regulation and Act No. 18/2018 Coll., personal data may only be collected for a specific, explicitly stated, and legitimate purpose and must not be further processed in a manner incompatible with that purpose.

The municipality is obligated to process only those personal data that are permitted by Act No. 180/2014 Coll. and Act No. 185/2022 Coll. for the purpose of exercising the right to vote. This means that the municipality is obligated to process personal data on documents and forms only to the extent permitted by these laws. Whoever prepares forms for the conduct of elections must ensure that the arbitrary entry of personal data beyond the scope of the aforementioned laws is prevented (e.g., an email address or phone number on the voter list).

If a municipality processes personal data for the purpose of conducting elections beyond the scope set forth in Act No. 180/2014 Coll. and Act No. 185/2022 Coll., this constitutes a violation of the principles of data minimization and proportionality within the meaning of Article 5 of the Regulation.

Breach of personal data processing security:

The municipality is required to adopt appropriate security measures based on an assessment of the risks associated with the conduct of elections within the meaning of Articles 25 and 32 of the Regulation and Sections 32 and 39 of Act No. 18/2018 Coll. One of the fundamental requirements is the obligation of the statutory representative to authorize persons to process personal data for the purpose of conducting elections and to properly instruct them.

If, in addition to the members of the precinct election commission, its secretary, and other authorized persons, other individuals who have expressed an interest in observing the conduct of the election and the counting of votes are present in the polling station, it must be ensured, in particular, that these individuals cannot view the voter list or make extracts, copies, photographs, or video recordings from it.

When a voter signs the voter list upon receiving a ballot and envelope, members of the election commissions must proceed in such a way as to prevent the unauthorized disclosure of personal data regarding other voters whose personal data is located on the same page of the relevant voter list. Data security can be achieved, for example, by placing blank sheets of paper over the personal data of other voters on the list so that the voter can see only their own data. In the case of voting outside the polling station, the dispatched members of the election commission should proceed in the same manner to prevent access to the personal data of other voters on the list. It is also necessary to ensure a private area when signing the ballot papers, for example by marking the private area by outlining its boundaries on the floor, or by having election commission members ensure that the confidentiality of voters’ data is maintained. Every data controller, in this case the municipality, is responsible for the security of personal data and is required to comply with security measures to ensure the protection of personal data.

An interesting fact to conclude: During the period for submitting candidate lists, it has become common practice for candidates for municipal council members to approach municipalities with a request to access and be provided with a list of the municipality’s residents, including their first and last names and addresses, for the purpose of sending their marketing materials. But do they have the right to request such data from the municipality? Every authorized municipal official who prepares voter lists must be instructed on how to process personal data.

Based on this instruction, they must be able to assess to whom and what data they are required to provide. Since no candidate is an authorized person (within the meaning of the GDPR and Act No. 18/2018 Coll.) to whom such data may be provided, and there is no legal basis for such provision of personal data, if the requested data were made available for the purpose of distributing candidates’ marketing materials to the municipality’s residents, this would constitute a gross violation of personal data protection.


Top privacy s.r.o.

"High-quality content isn't created by copywriters, but by experts."