The processing of personal data within the context of parliamentary elections
In the context of the European Parliamentary elections in May 2019, the National Supervisory Authority recommends that all entities involved in this process to pay a greater attention to compliance with personal data protection legislation in order to ensure that personal data are used in a responsible way and that the rights of data subjects are respected.
Thus, from the 25th of May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation – hereafter referred to as the GDPR) became applicable.
The General Data Protection Regulation provides in Article 6 that the processing is lawful only if and to the extent that at least one of the following applies:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
In addition, we mention that Article 5 of Regulation (EU) 2016/679 establishes a series of principles which shall be observed when processing personal data. These include, among others, the principle according to which the data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“purpose limitation”) and personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures (“integrity and confidentiality”).
Also, the same legal provisions mentioned above states that the controller shall be responsible for complying with these principles and shall be able to demonstrate compliance with these principles (“accountability”).
At the same time, according to the GDPR provisions, the controller involved in the electoral process have the obligation to respect the rights of the data subjects, in particular the right to information regarding the processing of personal data. Please note that the Regulation does not impose a certain way of informing the data subjects, leaving it to the controllers to choose effective ways of accomplishing the information – posting on the site, on the notice board, in writing etc.
By Regulation (EU, Euratom) no. 1141/2014 of the European Parliament and of the Council of 22 October 2014 on the statute and funding of European political parties and European political foundations, the European Authority for European Political Parties and Foundations was established for the purpose of recording, controlling and imposing sanctions on European political parties and European political foundations.
By Regulation (EU, Euratom) no. 2019/493 of the European Parliament and of the Council of 25 March 2019 amending Regulation (EU, Euratom) no. 1141/2014 as regards a verification procedure related to infringements of rules on the protection of personal data in the context of elections to the European Parliament introduces new provisions at EU level with reference to the protection of personal data within the context of European Parliament elections.
Article 10a of the above-mentioned Regulation regulates the verification procedure related to infringements of rules on the protection of personal data.
Regarding these aspects, within the context of the elections for the European Parliament and other EU elections planned for 2019, the European Data Protection Board adopted Statement 2/2019 on the use of personal data in the course of political campaigns which underlines a series of key points to be respected when political parties process personal data in the course of electoral activities.
In Romania, the way of organising and holding elections for the European Parliament is regulated by Law no. 33/2007 on the organisation and the development of the elections for the European Parliament, as subsequently amended and supplemented, republished.
In light of the above, we emphasize the need to respect the rules on the protection of personal data, including in the context of electoral activities and political campaigns.
Legal and Communication Department
ANSPDCP