In this article, we have prepared an overview of the processing and protection of data subjects’ personal data in the context of election administration.
Obligations of the Data Controller
The conditions for exercising the right to vote and the organization of elections are governed by Act No. 180/2014 Coll. on the Conditions for Exercising the Right to Vote and on Amendments to Certain Acts (hereinafter “Act No. 180/2014 Coll.”). This Act imposes a number of obligations on the controller, the fulfillment of which requires the processing of personal data of data subjects—voters.
The controller, which in most cases is the municipality, is required to process the personal data of data subjects for the purpose of ensuring the conduct of elections in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the “GDPR”) and Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments to Certain Acts (hereinafter referred to as “Act No. 18/2018”).
The GDPR imposes an obligation on controllers to comply with certain principles when processing personal data. One of these principles is transparency, which primarily refers to the controller’s obligation to provide data subjects with all the information set forth in Articles 13 and 14 and all the notifications in Articles 15, 22, and 34 of the GDPR. In other words, the principle of transparency means, for the controller, primarily the fulfillment of the duty to inform data subjects.
In accordance with the aforementioned articles of the GDPR and based on the statement of the Office for Personal Data Protection, the controller must fulfill a comprehensive information obligation, which should be published on the official notice board or on the website. However, there are other ways to fulfill this information obligation. In addition to the official notice board and website, the controller may, for example, place the relevant documents directly at the entrance to the polling station, on the table with the ballot papers, or send them along with the documents sent to voters prior to the election (e.g., regarding the right to vote and be elected, or a notice of the place and time of the election).
In fulfilling the duty to provide information, the controller should inform data subjects of all purposes of personal data processing, including ensuring the conduct of the election, and of the legal bases for such processing, and should also inform data subjects of the specific personal data being processed.
In this case, pursuant to Act No. 180/2014 Coll., the following data on the voter (the data subject) are processed within the permanent list of voters:
- first name and last name,
- birth number or, in the case of a foreigner who has not been assigned a birth number, date of birth,
- nationality,
- name of the municipality, street name (if the municipality is divided into streets), house number, and orientation number of the permanent residence.
There are several purposes for processing personal data to ensure the conduct of elections, and they should therefore be listed individually in the privacy notice. Specifically, these are:
- Maintaining the permanent voter registry;
- Maintaining records of members of the district, municipal, and precinct election commissions;
- Maintaining the list of candidates.
Since ensuring the conduct of elections is an obligation of the municipality under Act No. 180/2014 Coll., the legal basis is the fulfillment of legal obligations pursuant to Article 6(1)(c) of the GDPR.
The controller is only required to demonstrate compliance with its obligation, which is to inform the data subject. The controller is not required to prove whether the data subject actually became familiar with the content of the information obligation by reading it. It is also important that the controller be prepared to provide information in the language of the national minority and/or in a format suitable for visually impaired data subjects.
In the case of a visually impaired voter, one of the commission members may be designated to inform the data subject about the manner of processing their personal data by reading the information notice aloud. The designated commission member is required to inform the visually impaired person about the voting procedure, but under no circumstances may they tamper with (alter or place in the envelope) the voter’s ballot.
An example of what such an information obligation of the municipality toward voters might look like can be downloaded upon request if needed.
Organizational (Regulatory) Measures
Personal data may only be processed by authorized persons, i.e., persons who are authorized to access the data listed in the voter registry or on the candidate list. These include, for example, members of the commission and its secretary. Only data that is accurate, complete, and, where necessary, updated in relation to the purpose of processing may be processed. The provision of personal data should be carried out in a manner that does not compromise its confidentiality. Therefore, the provision of such data over the phone or electronically without encryption or anonymization is prohibited.
Pursuant to Section 11(4) of Act No. 180/2014 Coll., every authorized person is obligated to maintain confidentiality regarding the personal data they have become aware of in the voter list. Therefore, if a person who is not an authorized representative of the controller is present in the room, it must be ensured that this person is not made aware of the data contained in the voter list. Unauthorized persons present in the polling station may not view the list or take notes. The same applies to unauthorized persons who transport documents containing personal data. It must be ensured that these persons do not have access to the content of the personal data. Such transport requires the consent of a designated person, who must assess whether such a transfer jeopardizes the security of personal data protection.
Authorized persons must ensure that they do not even accidentally become aware of the personal data of other data subjects. For this reason, it is necessary for data subjects to be served individually while maintaining a discreet zone, or for individuals to enter the polling station on a rolling basis so that ballots are distributed sequentially. If a voter is required to sign for receipt of the ballot and envelope, authorized personnel must ensure that there is no unauthorized disclosure of the personal data of other data subjects whose information appears on the same page of the relevant voter list. Such unauthorized disclosure can be prevented, for example, by placing a blank sheet of paper over the names of other voters on the same voter list. This method allows the voter signing the receipt to see only their own personal data, thereby preventing a breach of the confidentiality of other voters’ data. The same measures to protect the personal data of other voters on the list also apply to voting outside the polling station.
It may be necessary to disclose personal data to other authorized entities (such as the Police, the Prosecutor’s Office, or the competent court) in the context of administrative or criminal proceedings. Such disclosure of personal data is permitted only with the authorization of the statutory body, based on a written request from the competent authority, and in accordance with the relevant special law. The statutory body shall authorize an authorized person to transfer the relevant personal data to the competent authority, and only on the basis of a transfer record that precisely defines to whom and for what reason the relevant data is being provided. This transfer record transfers responsibility for the protection of personal data in accordance with Act No. 18/2018 Coll. to the recipient.
Records of members of the district election commission, local election commission, and precinct election commission, and maintenance of the list of candidates
The controller, in this case the municipality, is required to fulfill its information obligation internally as well, specifically in relation to commission members as well as individual candidates for the municipal council, since their personal data is also processed by the controller. Specifically, personal data is contained in the registered list of candidates submitted by the political party. Pursuant to Act No. 180/2014 Coll., this list of candidates must contain:
- the name of the political party or the names of the political parties forming a coalition,
- a list of candidates, which includes:
  - the candidate’s first name, last name, title, and date of birth,
  - the candidate’s occupation at the time of submitting the candidate list; the employment information must not contain any proper names or their abbreviations,
  - the candidate’s permanent address,
  - the order on the candidate list expressed as an Arabic numeral for all candidates,
- the first name, last name, position, and signature of the person authorized to act on behalf of the political party and the political party’s official seal; in the case of a coalition, the first name, last name, position, and signature of the person authorized to act on behalf of each political party forming the coalition and the official seal of each political party forming the coalition.
The controller therefore processes personal data to the extent specified above. We classify the personal data contained in the list of candidates as ordinary personal data.
Even before the GDPR came into effect, Act No. 122/2013 Coll. on the Protection of Personal Data and on Amendments to Certain Acts (hereinafter “Act No. 122/2013 Coll.”) classified membership in a political party as a special category of personal data (Section 13 of the Act). The processing of such personal data would therefore have been prohibited unless it fell under one of the exceptions listed in Section 14 of Act No. 122/2013 Coll. However, this is no longer the case, as the GDPR has removed political party membership from the special category of personal data.
If a candidate list contains more personal data than required by Act No. 180/2014 Coll. for the purpose of ensuring the conduct of elections, the designated person shall ensure the deletion of that portion of the data which is unnecessary for the given purpose of processing. This approach reflects one of the principles established by the GDPR—the principle of data minimization.
We will update further information regarding the elections and their compliance with the GDPR as needed.
Sources:
Act No. 18/2018 Coll. on the Protection of Personal Data
Regulation (EU) 2016/679 of the European Parliament and of the Council
Frequently Asked Questions Regarding the Regulation and Act No. 18/2018 Coll.