skip to Main Content
BY THE CROATIAN DATA PROTECTION AUTHORITY: Recommendations From The Personal Data Processing Because Of The Administrative Elections Of 2021

BY THE CROATIAN DATA PROTECTION AUTHORITY: recommendations from the personal data processing because of the administrative elections of 2021

This post is also available in: Italiano Español Français

The Personal Data Protection Agency for the next local election (elections of the member of representation organization of unit of local and regional self-government and municipal mayors, trade unions and prefects of their deputies) provides guidelines and recommendations that political parties, candidates and other participants shall follow during the procedure of application and the electoral campaign, in order that the personal data processing of interviewed or of elector is in compliance to the legal framework on personal data protection.

A political party, candidate or another participant to an electoral campaign, as a data controller, shall be guided by personal data protection principles, which are provided by the article 5 of the General Data Protection Regulation, that requires that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’); collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’); adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’); accurate and, where necessary, kept up to date (‘accuracy’); kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’); processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

LEGAL BASIS – an obligation for each recollection and personal data processing

In particular, we underline that each recollection and personal data processing in compliance with the General Data Protection Regulation requires the existence of a legal basis. For this reason, in order that the processing is lawfulness, only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Data on political opinion represent a special categories od personal data according to the disposals of the General Data Protection Regulation. The processing of those data is forbidden as a matter of principle, so the processing requires, in addition to a legal basis, one of the exception mentioned into the article 9, paragraph 2, of the General Data Protection Regulation, as the explicit consent of data subjects for one or more specific purposes.


If the legal basis of the personal data processing is a legal obligation of the data controller or the execution of a tasks of public interest, this legal basis shall be established by the European Union Rights or into the Member States Rights to which is subjected the data controller and this legal basis shall also determine the processing purposes. For a better comprehension of the legal basis mentioned above, hereinafter are described the most important disposals of in which it is necessary the recollection and the personal data processing:

  • According to article 21 of the Law on the financing of political activities, electoral campaign and referendum (OG 29/19 and 98/19), political parties, independent representants and advisers must present reports on donations to the State Electoral Commission, which is obliged to published reports on its website. The report includes the personal name, which is composed by name and the address, as well as the ID number of the donator, the date of the payment, the amount and the type of each donations. Data on the address of a natural person are not published.
  • In addition, Law on Local Election (OG 144/12, 121/16 , 98/19 , 42/20 , 144/20) establishes state for each candidate proposed into the list of candidates, the name and surname of the candidate, residence, date of birth, OIB and sex, meanwhile the nationality is declared into the candidature to deputy mayor, mayor and prefect among the national minorities members (Articles 18 and 19).
  • Articles 23 and 26 of the same legislation require, among other things, that data in all the candidature lists are inserted into the summarizing list. Competent electoral commission, within 48 hours since the expiring data of the candidature, publish on local media and press release, on the bulletin board and on the website of the unit: all the list of candidates which are validly proposed and a summarizing list for the election of member of the representant body and a fast list of the proposals validly presented to mayor, deputy mayor and prefect.
  • The article 102 of the same legislation requires that the electoral commission, while determine the results of the elections, publishes, without delay name and surname of the candidate who has been elected as mayor, deputy mayor and prefect.

These disposals make up the legal basis for the recollection and the processing (the term includes, among other things, the publication) of personal data (name, surname, date of birth, OIB, residence, etc.) and of respondents, in this case, candidates, can not opposed themselves to the public communication of personal data. The General Data Protection Regulation also applies to such publicly published data, and all obligations and principles from the General Data Protection Regulation, in particular the principle of legality, transparency and purpose specification, apply to the processing or use of such data (data may be used only for the purpose of in which they were published).


Political parties and candidates contact voters and potential voters by different channels in order to promote themselves and their program. In order to advertising and sending promotional market messages to voters, this can, normally, trust on the consent of interviewed or on a legitimate interest. For example, if a voter sympathizes or is a member of a particular political party and/or its donator, he/she can expect personalized messages by the same political party, or the political party or the same candidate has an interest in sending those messages.  In order to demonstrate this interest, the data controller shall conduct a proportionality test, which can be downloaded.

Anyway, the voter has the right to object to the personal data processing at any time, this means that he/she can object to the message’s reception, no matter if he/she has given his/her consent or that the data controller has a legitimate interest.

This right shall be explicitally announced to the voter and presented him in a clear and different way from the other information, this means that each marketing message shall include also a notification for the voter that he/she can object to the reception of those messages at any time. If the interviewed or the voter oppose to the message reception, the data controller can not send them anymore.

In addition, if the voter object and it is processed for direct marketing purposes, personal data shall be not processed for those reasons.

The existence of automated decision-making, including profiling, that produce legal effects or affects the voter, is forbidden.

The creation of profiles relating to the sending of targeted messages to certain respondents can influence their vote and in principle will be allowed only with the explicit consent of the respondents. For example, a social network may use the personal information that the user publishes on their profile (address, age, photos, interests, etc.), but also information about what the user likes, such as pages visit, what purchases, location data and so on, in order to create a user profile based on all these data. From all this data,

Social networks are becoming an increasingly important communication channel through which political parties, candidates or other campaign participants send personalised messages to voters, with the increasing use of sophisticated predictive analysis tools, voter profiling techniques and targeted advertising.

Modern technologies allow targeted advertising based on a wide range of criteria and can be defined on the basis of personal data that Internet and social network users voluntarily share and publish, but also on the basis of personal data collected by social networks or third parties . In other words, sending targeted messages to voters is a complex process that can involve different stakeholders, such as data brokers, marketing analysis agencies, social media platforms and advertising networks, and is often not transparent and poses a serious risk to privacy and data protection rights and to trust in the integrity of the democratic process. These actors can play an important role in the electoral process and the processing of personal data they carry out is subject to the supervision of the Personal Data Protection Authority.


In all cases of targeted advertising, taking into account the principle of transparency, voters should be provided with adequate information explaining why they receive a particular message, who is responsible for the message and how they can exercise their rights, including the right to lodge a complaint with the agency.

Therefore, the Agency recommends that all political parties, candidates and other participants in the election campaign address as much as possible to citizens / voters in presenting their plans in ways that do not necessarily include the processing of their personal data (for example through the media, public forums, sharing leaflets, brochures and other non personalized materials in which they present and explain their program). For sending personalized brochures, letters, flyers and other material (including sending SMS, MMS messages or e-mails) addressed to a specific citizen / voter declaring their personal data, it is necessary to take into account the existence of a legal basis referred to in article 6, paragraph 1 of the General Data Protection Regulation.

It should also be noted that, according to Article 34 of the Law on the implementation of the General Data Protection Regulation (OG 42/18), anyone who believes that their right is guaranteed by the General Data Protection Regulation and the Law on the implementation of the General Data Protection Regulation has been violated. Request to the Agency to establish a breach of rights.


Back To Top