Frequently asked questions about elections

Yes. If the parties, candidates or their support groups process personal data for election advertising, they must follow the data protection legislation. Obligations concerning transparency, the purpose limitation and lawfulness must also observed when processing personal data collected from the social media or other sources.

If personal data contain political opinions, the data belong to special categories of personal data. Particularly strict provisions are applied in the processing of such personal data, due to their sensitivity.

Categorically speaking, targeted advertising and profiling are not prohibited, though the applicable legislation must also be observed in election advertising. If you carry out targeted advertising based on personal data, you must provide the targets of advertising with sufficient information on why advertising is targeted at them, who is responsible for the advertising and how they can exercise their data protection rights.

Targeted advertising and profiling for political purposes can impose risks on privacy protection and democracy.  Violating the protection of personal data can also affect other fundamental rights, such as the freedom of opinion and the possibility to think freely without manipulation. Election interference refers to a situation where the purpose of debate about elections is to cheat, dissolve or disrupt through fake news, false information, provoking or aggravating.

When carrying out election advertising, it must also be observed whether somebody is processing personal data on behalf of the party or candidate. Examples of processors include social media services, stakeholders, data brokers, analytics companies, marketing agencies and advertising networks. Remember to observe the data controller's responsibilities.

1. Determine in advance

• for which purpose you intend to use personal data
• what the legal basis of processing is
• what types of information you can collect based on the purposes of use
• how you collect the data in practice.

2. Tell about the processing openly and understandably to the persons whose data you are processing.

3. Observe confidentiality and security.

• Process the data in an information secure manner and according to their purpose of use based on the controller's instructions.
• Limit the right of use to the data appropriately.
•  Do not disclose or publish the data in the internet without grounds.
• Remember your obligation to report any data breaches concerning personal data.

4. Always update personal data where necessary. Remove inaccurate and incorrect personal data or adjust them immediately.

5. Remove personal data immediately when you no longer need them for the purposes of processing.

6. Make sure that the data subject's rights are observed. For example, the data subject has the right to obtain information on the processing of their personal data and to remove their data. The scope of the rights depends on the legal basis for the processing of personal data.

7. Remember documentation. You must be able to prove that you observe the data protection legislation.

8. Observe the data controller's responsibilities if you use the services of a data analysis company or social media platforms, for instance. Check that the information received from a third party or service provider have been obtained legally.

The data protection legislation and principles must always be observed when processing personal data.