Frequently asked questions about elections
On this page, you will find answers to frequently asked questions about election advertising and data protection.
See also:
- Frequently asked questions about direct marketing
- Information on the EU regulation on political advertising
- Material from the National Audit Office of Finland on the oversight of political advertising (vtv.fi)
- Information about legislation concerning election advertising: Vaalit.fi
- Instructions and tips concerning data protection on the website of Traficom's National Cyber Security Centre
Yes. If parties, candidates or their support groups process personal data in their election campaign, for example for election advertising, they must comply with data protection legislation. Data protection rules must also be respected when processing personal data collected from social media or other sources.
When personal data is processed during an election campaign, data protection principles must be observed, including obligations relating to transparency, purpose limitation, data minimisation and lawfulness.
Election advertising must also ensure that people's data protection rights are respected. For example, they have the right to access their personal data, to ask for their data to be corrected if it is incorrect, and to object to the sending of election advertising and opinion polls.
Specific obligations relating to political advertising are laid down in the EU Regulation on the transparency and targeting of political advertising. It applies in parallel with other EU legislation, such as the General Data Protection Regulation and the Digital Services Act.
The law sets out requirements for the targeting of online election advertising based on personal data. The use of advertising targeting and display techniques involving the processing of personal data is, in principle, prohibited in the context of online political advertising.
Advertising targeting refers to techniques used to direct political advertising at a specific individual or group or to exclude them from such advertising, on the basis of personal data. Advertising display techniques, on the other hand, are used to increase the reach, coverage or visibility of an advertisement. These display techniques are based on the automated processing of personal data.
The use of such techniques is permitted in online political advertising only under limited circumstances, provided that the following conditions are met:
- the controller (e.g. the advertiser) has collected the personal data directly from the individuals targeted by the advertising;
- the data subject, i.e. the person being targeted by the advertising, has given explicit consent to the processing of their personal data for the purposes of political advertising; and
- targeting and display techniques do not involve profiling that uses data relating to special categories of personal data. Special categories of personal data include political opinions, ethnic origin, religious or philosophical beliefs, trade union membership, health data, sexual orientation or behaviour, and genetic and biometric data used for the purpose of identifying a person.
When you do targeted election advertising online, you must provide your audience with sufficient information about why and on what basis the content is being targeted at them, who is responsible for the advertising and how they can exercise their data protection rights.
Election advertising must not be targeted at people whom you know with reasonable certainty to be at least one year below voting age. The voting age is 18, so you cannot target election advertising at those under the age of 17.
Data subjects who do not consent to the targeting of political advertising must be offered an equivalent option to use the online service without political advertising.
Targeted advertising and profiling for political purposes can create risks to privacy and democracy. A breach of data protection can also affect other fundamental rights, such as freedom of expression and the ability to think freely without manipulation. The term ‘election interference’ is used when the aim of the debate surrounding an election is to deceive, disrupt or stifle public discourse, for example by spreading fake news and false information, or by provoking and escalating tensions.
Data protection legislation and principles must always be respected when processing personal data.
When conducting an election campaign, it is also important to determine whether anyone is processing personal data on behalf of the party or candidate. It is important for political parties, candidates and support organisations to define their respective roles and obligations regarding the processing of personal data in connection with election campaigns.
- The data controller is the one who determines the purpose and methods of processing personal data. The party and candidate might also act as joint controllers. In such cases, remember to take care of the controller's responsibilities.
- Processors of personal data may include, for example, social media platforms, interest groups, data brokers, analytics companies, marketing agencies and advertising networks.
1. Plan and determine in advance:
- for which purpose you intend to use personal data
- what the legal basis of processing is
- what types of information you can collect based on the purposes of use
- in what contexts and how in practice you will collect data
- roles and responsibilities for processing personal data.
Read more about legal bases for processing personal data
2. Inform the persons whose data you are processing about the processing openly and understandably.
Read more about informing data subjects about processing
3. Observe confidentiality and security.
- Protect the data so that it will not fall into the hands of third parties.
- Process the data securely and in accordance with its purpose of use, following the controller's instructions.
- Restrict the rights to use the data appropriately.
- Do not disclose or publish the data on the internet without grounds. If you intend to publish data, state this already when you are collecting the data.
- Remember your obligation to report any personal data breaches and to document all data breaches.
Read more about personal data breaches
4. Always update personal data where necessary.
Remove inaccurate and incorrect personal data or correct them immediately.
5. Remove unnecessary personal data.
Remove personal data immediately when you no longer need them for the purposes of processing, if there is no special obligation to store such data.
6. Make sure that the data subject's rights are observed.
For example, the data subject has the right to obtain information on the processing of their personal data and to have their data removed. The scope of the rights depends on the legal basis for the processing of personal data.
Read more about the rights of data subjects
Read more about what rights data subjects have in different situations
7. Remember documentation.
You must be able to prove that you observe the data protection legislation.
Read more about accountability
8. Observe the data controller's responsibilities if you use the services of a data analysis company or social media platforms, for instance. Check that the information received from a third party or service provider has been obtained legally.