Frequently asked questions about elections
On this page, you will find answers to frequently asked questions about election advertising and data protection.
The person planning election advertising should also view
- frequently asked questions about direct marketing
- and Vaalit.fi website, which contains information about legislation concerning election advertising
- Instructions and tips concerning data protection on the website of Traficom's National Cyber Security Centre.
Yes. If parties, candidates or their support groups process personal data in their election campaign, for example for election advertising, they must comply with data protection legislation. Data protection rules must also be respected when processing personal data collected from social media or other sources.
Where personal data is processed in an election campaign (for example in the context of election advertising), data protection principles such as transparency, purpose limitation and lawfulness obligations must be respected. Election advertising must also ensure that people's data protection rights are respected. For example, they have the right to access their personal data, to ask for their data to be corrected if it is incorrect, and to object to the sending of election advertising and opinion polls.
If personal data contain political opinions, the data belong to special categories of personal data. Particularly strict provisions are applied in the processing of such personal data, due to their sensitivity. Advertising may not be targeted on online platforms based on political opinions.
Read more:
If you carry out targeted advertising based on personal data, there must be a legal basis for the targeting (grounds for processing personal data), such as the data subject's consent.
On online platforms, advertising must not be targeted on the basis of specific personal data, such as political opinions, religion, ethnicity or health information. This is provided for in the EU’s Digital Services Act.
You must also provide the targets of advertising with sufficient information about why and on the basis of what information they are being targeted, who is responsible for the advertising and how they can exercise their data protection rights.
Targeted advertising and profiling for political purposes can impose risks on privacy protection and democracy. Violating the protection of personal data can also affect other fundamental rights, such as the freedom of opinion and the possibility to think freely without manipulation. Election interference refers to a situation where the purpose of debate about elections is to cheat, dissolve or disrupt through fake news, false information, provoking or aggravating.
When carrying out election advertising, it must also be observed whether somebody is processing personal data on behalf of the party or candidate. Examples of processors include social media services, stakeholders, data brokers, analytics companies, marketing agencies and advertising networks. Remember to observe the data controller's responsibilities.
Read more:
- Profiling
- Rights of the data subject
- Digital Services Act (DSA)
- Processors
- Read more about the data controller's responsibilities: organisations
- Read more about election interference (vaalit.fi)
Data protection legislation and principles must always be respected when processing personal data. It is important for parties, candidates and support associations to define their mutual roles and obligations with regard to the processing of personal data in the context of election work. It is the data controller who determines the purpose and methods of processing personal data. The party and candidate might also act as joint controllers.
1. Plan and determine in advance
- for which purpose you intend to use personal data
- what the legal basis of processing is
- what types of information you can collect based on the purposes of use
- in what contexts and how in practice you will collect data.
Read more about legal bases for processing personal data
2. Tell about the processing openly and understandably to the persons whose data you are processing.
Read more about informing data subjects about processing
3. Observe confidentiality and security.
- Protect the data so that it will not fall into the hands of third parties.
- Process the data in an information secure manner and according to their purpose of use based on the controller's instructions.
- Limit the right of use to the data appropriately.
- Do not disclose or publish the data in the internet without grounds. If you intend to publish data, report this already when you are collecting the data.
- Remember your obligation to report any data breaches concerning personal data and to document all situations of data breaches.
Read more about personal data breaches
4. Always update personal data where necessary. Remove inaccurate and incorrect personal data or adjust them immediately.
5. Remove personal data immediately when you no longer need them for the purposes of processing, if there is no special obligation to store such data.
6. Make sure that the data subject's rights are observed. For example, the data subject has the right to obtain information on the processing of their personal data and to remove their data. The scope of the rights depends on the legal basis for the processing of personal data.
Read more about the rights of data subjects
Read more about what rights do data subjects have in different situations
7. Remember documentation. You must be able to prove that you observe the data protection legislation.
Read more about accountability
8. Observe the data controller's responsibilities if you use the services of a data analysis company or social media platforms, for instance. Check that the information received from a third party or service provider have been obtained legally.