04 April 2024
Protection of Personal Data in Election Activities
Elections are one of the important elements of healthy and well-functioning democracies in terms of the exercise of political rights and the direct and/or indirect participation of citizens in the administration.
Today, elections are of great importance for the healthy functioning of democratic processes and public participation. However, it is of great importance to be careful about the protection of personal data and to take the necessary precautions during the activities. The protection of personal data should be considered as an essential element of democratic processes.
1. Data Controller-Data Processor within the Scope of Election Activities
First of all, within the scope of the protection of personal data in election activities, it is necessary to first define the data controller and mention who or who can be the data controller. In Article 3 of the Law on the Protection of Personal Data No. 6698, the data controller is defined as "the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system". In election activities, the YSK(Supreme Election Board), political parties and independent candidates are considered as data controllers. In Article 3 of the Law, the data controller is defined as "the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system".
The Supreme Election Board is in the position of processing data during the election activities in line with the duty imposed on it by the Law No. 7062 on the Organization and Duties of the Supreme Election Board. Article 28/2c of the Law on the Protection of Personal Data stipulates that "Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions, based on the authority granted by the law." and Article 10, which regulates the clarification obligation of the data controller, provided that it is proportionate and in accordance with the purpose and basic principles of this Law, Except for the right to demand the compensation of the damage, Articles 11, which regulate the rights of the person concerned, and Article 16, which regulates the obligation to register in the Data Controllers Registry, do not apply in the following cases, and it is regulated that the responsibility will not come to the fore if the personal data processing is carried out on the basis of the authority granted by the law. In this case, Article 10 of the Law, which is responsible for the management and supervision of the elections with the authority granted in the Constitution and other relevant Laws, is within the scope of the said exception in terms of the personal data processed within the scope of election activities, and Article 10 of the Law, which regulates the obligation to inform, Article 11, which regulates the rights of the person concerned, except for the right to demand compensation for damages, and Article 16, which regulates the obligation to register in the Data Controllers Registry, are within the scope of the said exception. It is considered that it will not be applied in terms of its activities within the scope of its activities. However, the relevant exception is a partial exception from the Law and the other provisions of the Law will be applied.
In accordance with the relevant laws, especially the Law No. 2820, political parties process personal data within the scope of transactions such as establishment, membership, candidate determination activities in elections, election of authorized bodies and notification of them to the relevant authorities, etc., and can transfer this data within the framework of the relevant provisions, and political parties are also data controllers within the scope of the Law.
Independent candidates may also be considered as data controllers within the scope of the Law if they engage in "personal data processing" activities defined in Article 3 of the Law on personal data during the election processes.
2. Duties of the YSK Regarding the Protection of Personal Data During Election Activities
The duties of the Supreme Election Board (YSK) regarding the protection of personal data in election activities are very important. The YSK is obliged to ensure that the election process is carried out in a fair, reliable and transparent manner. In this context, it fulfills the following duties:
- Security of Voter Registrations: The YSK is responsible for ensuring the security of voter registrations. The security of these records is of paramount importance to the privacy of voters' personal data. During the electoral process, it is ensured that voter records are accurately and securely maintained and protected.
- Supervision of Election Campaigns: The YSK supervises the conduct of election campaigns in accordance with the laws and rules. In this context, necessary measures are taken to protect personal data used in election campaigns and to prevent their misuse.
- Data Processing in the Election Process: During the election process, the personal data of the candidates and voters are processed by the YSK. It is the responsibility of the YSK to process and protect this data securely. By ensuring the confidentiality and security of the personal data of the voters, it is ensured that the election process takes place securely.
- Secure Voting Process: The YSK is responsible for ensuring the security of the voting process. Necessary measures are taken to ensure the confidentiality of the personal data of the voters and to ensure that the voting process is carried out correctly and honestly. By ensuring the security of the voting process, it is ensured that the preferences of the voters are effectively reflected and the right to vote is protected.
- Security of Election Results: The YSK is responsible for ensuring the security of election results and announcing them accurately. The security of personal data collected and processed in relation to the election results is ensured and the election results are announced accurately and reliably.
3. Processing Conditions Regarding Personal Data Processed/Transferred by the Supreme Election Board and Relevant Public Institutions
The Supreme Election Board (YSK) and relevant public institutions and organizations process and transfer personal data while carrying out election activities. These institutions are obliged to act in accordance with certain conditions and legislation when processing personal data.
Some of the personal data processed and transferred by the Supreme Election Board in accordance with the provisions of the relevant legislation fall within the scope of "Clearly Stipulated in the Laws" for the reasons of compliance with the law regulated in the Law. In this case, personal data may be processed without seeking the explicit consent of the data subject.
For example; Personal data processed in the voter register, Suspension of voter registers in headmen's offices, Personal data contained in the voter information sheet.
The aforementioned personal data can be processed by the data controller without seeking the explicit consent of the person concerned, based on the legal processing condition clearly stipulated in the laws.
The Supreme Election Board also processes "sensitive personal data" within the framework of the provisions of the legislation. Some of the sensitive personal data processed by the YSK, such as criminal conviction information or personal data that may cause the emergence of political opinion of individuals, can be processed without seeking explicit consent in accordance with the provision of "it is possible to process data other than health and sexual life without the explicit consent of the person concerned" regulated in paragraph (3) of Article 6 of the Law No. 6698.
Article 7 of Law No. 298 lists "Convicts in Penal Institutions" among those who cannot vote. On the other hand, Article 8 of the same Law regulates the provision "Regarding Those Who Cannot Be Voters", stating that individuals under guardianship and those banned from public service cannot be voters, and the personal data of these individuals are processed based on information obtained from the Ministry of Justice by the Supreme Election Board (YSK) during the determination process. Furthermore, some special category personal data processed by the YSK includes health data, such as disability status. In this regard, it can be evaluated that such transfer is conducted in accordance with Article 8, paragraph 3 of the Law, which states "Provisions in other laws regarding the transfer of personal data are reserved." As an example of this situation, the personal data processing activities carried out by the YSK for disability-related data, aimed at facilitating voting for disabled voters, can be demonstrated in order to fulfill the provision "...take any necessary measures to facilitate voting for disabled voters."
4. Conditions of Processing Personal Data Processed by Political Parties
Political parties are required to act in accordance with the data processing conditions specified in Articles 5 and 6 of the Law, depending on the type of data processed in their personal data processing activities. Some of the personal data processed and transferred by political parties in accordance with relevant legislation fall under Article 5, paragraph 2, clause a of Law No. 6698 on the Protection of Personal Data, which states "Explicitly Provided by Law" as the legal basis, and for personal data processing activities that involve the processing of special category personal data related to "processing of political opinions," it is possible to process such data without the explicit consent of the data subject in accordance with Article 6, paragraph 3 of the Law, which states "Data other than health and sexual life may be processed without the explicit consent of the data subject in cases explicitly provided for by laws." If explicit consent is required from the data subjects, it must be obtained within the scope of the definition of explicit consent provided in Article 3 of the Law, which includes:
- Specifically regarding a certain subject,
- Based on informed consent,
- Based on the free will of the data subjects.
The data subject has the right to determine the future of personal data and may withdraw the explicit consent given to the data controller at any time. However, the withdrawal of explicit consent will have prospective consequences, in other words, all activities carried out based on explicit consent must be stopped by the data controller from the moment the withdrawal statement reaches the data controller. In other words, the withdrawal declaration takes effect from the moment it reaches the data controller.
5. Obligations of Data Controllers
The obligation to inform is regulated in Article 10 of the Law on the Protection of Personal Data. According to this, "During the acquisition of personal data, the data controller is obliged to inform the data subjects about the identity of the data controller, the purpose for which the data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and other rights listed in Article 11." In this context, the obligation to inform in the process of processing personal data by the YSK, Political Parties and Independent Candidates must be fulfilled.
According to the Law on the Protection of Personal Data, the data controller is obliged to take all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the protection of personal data. In this context, all data controllers who process personal data during election processes are required to act in accordance with the obligations regarding data security within the scope of Article 12 of the Law.
Within the scope of this article of the Law regarding the deletion and destruction of personal data, in the event that the reasons requiring the processing of personal data processed during the election processes disappear, personal data must be destroyed by appropriate methods by the relevant data controllers, ex officio or upon the request of the person concerned. On the other hand, if there are regulations imposed by the relevant legislation for the storage of data, these retention periods should be taken as basis; If there is no period in this direction, the data should be destroyed at the end of the storage periods to be determined ex officio by the data controllers, taking into account the purpose of personal data processing.
6. Conclusion
At the same time, the Guidelines on the Protection of Personal Data in Election Activities (In Turkish) published by the Personal Data Protection Authority provide guidance on how personal data should be used during election campaigns and propaganda activities.
Should you have any queries or need further details, please contact us.
Notification!