Instructions on the processing of personal data in the election process


Unofficial translation

The present instructions are developed in accordance with the provisions of Art. 20 para. (1) letter c) of the Law on personal data protection No. 133 of 8 July 2011, in order to bring personal data processing into accordance with the principles of personal data protection in the exercise of a fundamental right, the right to vote, without encroaching on the scope of competence of the Central Election Commission, as stated by the Election Code of the Republic of Moldova.

Taking into account:

that besides the need of ensuring the right to vote, the State has the positive obligation to respect and protect the intimate, family and private life;

the findings of the National Center for Personal Data Protection of the Republic of Moldova (the Center) while examining several appeals with respect to the breach, by some electoral competitors, of the right to privacy during the conduct of election campaigns in 2009-2011;

the still insufficient level of personal data protection highlighted during the controls in some town halls;

the fact that the Central Election Commission is the authority vested with the power to determine the manner and means of personal data processing in the election process, while other entities within the electoral bodies are to process these data based on specific instructions from this authority, so that the present Instructions were developed and can serve as Guidelines for the Central Election Commission and other entities involved in the process, to bring the processing of personal data into accordance with the principles stated in the Law on personal data protection and the best practices in this domain;

the provisions of the Montreux Resolution (Swiss Confederation) regarding the use of personal data for political purposes, adopted on 14-15 September 2005 at the Conference of Data Protection Commissioners, which states, inter alia, that:

- in politics, a great number of personal data are collected continuously by political organizations and are sometimes processed in aggressive ways, using various techniques, including surveys, collecting e-mail addresses through search/software engines, campaigning extensively all over the town or forms of political decisions through interactive television, files of voters' isolation; these data sometimes illegally include (in addition to postal addresses, telephone numbers, e-mail accounts, information about professional activities and family relations) sensitive data on moral and political beliefs, on real or supposed activities, or on voting activities;

- there is a tendency towards invasive profiling of different people who are currently classified (sometimes inaccurately or based on superficial contact) as sympathizers, supporters or party members, in order to enhance personalized communication to groups of citizens;

- individuals must be protected against possible negative effects of discrimination in their personal sphere and against renouncing some forms of political participation;

- any activity of political communication, including those which do not refer to election campaigns, which involves the processing of personal data must respect the fundamental rights and freedoms of the persons concerned, including the right to protection of personal data, and must comply with the data protection principles stated,

I, hereby, issue the present Instructions.

These instructions are to be applied in conjunction with the provisions of: the Code of Good Practice in Electoral Matters. Guidelines (Venice, 18-19 October 2002) of the European Commission for Democracy through Law (Venice Commission); the Election Code; the Law on personal data protection; the Requirements for the assurance of personal data security at their processing within the information systems of personal data, approved by Government Decision No. 1123 of 14 December 2010 (the Requirements); the Regulation of the Register of personal data controllers, approved by Government Decision No. 296 of 15 May 2012, which creates the needed regulatory framework to ensure the right to privacy of the voter; as well as the Regulation on the activity of the Central Election Commission, approved by Commission Decision No. 137 of 14 February 2006, with further amendments and completions.

I. The terms used in the text:

personal data - any information relating to an identified or identifiable natural person ('personal data subject').
An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. For example, the information recorded in the election lists (name and surname, year of birth, address, serial number of the identity document of the voters) is personal data relating to an identified individual. At the same time, in the conduct of the vote, some other personal data are collected from the individual, such as his/her signature applied at the receipt of the ballot, and the place of birth and state identification number (IDNP) of voters recorded in the additional electoral lists, etc.

special categories of personal data - data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, social belonging, data concerning health or sex life, as well as data relating to criminal convictions, administrative sanctions or coercive procedural measures. For example, the stamp confirming the voting on the respective day, applied in the sheet accompanying the ID document or on the document on the basis of which the individual votes, is a special category of personal data on the grounds that in certain situations, such as the referendum held in the Republic of Moldova in 2010, it allows a swift assessment of his/her political sympathies. At the same time, information about persons in hospitals or nursing homes for the elderly, about persons held under a warrant of arrest until the judicial sentence is announced, about persons sentenced to prison whose judgment is not final, about those serving a contravention sanction in the form of arrest, and about persons sentenced to imprisonment by final court decision who are in prisons, also represents special categories of personal data.

processing of personal data - any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, keeping, restoring, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. For example, the drawing up of electoral lists by town halls or diplomatic missions, checking the voters entered in them, determining the electoral lists every year (after 1 January), and their storage and disclosure by transmission to the Central Election Commission represent processing operations of personal data.

controller - a natural or legal person governed by public law, or by private law, including public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data expressly provided by applicable law.
For example, town halls or diplomatic missions are personal data controllers in relation to the data included in the election lists that they draw up, verify and state, which are stored and kept for a certain period of time; the electoral office of the voting section is a controller of the personal data registered in the election lists maintained or modified as a result of examining applications related to inaccuracies in the election lists, of the additional election lists compiled, and also of the personal data collected during the examination of applications about inaccuracies in the election lists, of requests for certificates for the right to vote of voters who will be away from their home residence on election day, and of other applications related to the organization and conduct of elections. The Central Election Commission is constituted as the recipient of the election lists submitted by municipalities; when it also organizes them according to some functional criteria, amends them, combines them in some way or decides on the purpose of the data included in the election lists, it is to be considered a personal data controller. At the same time, the Central Election Commission is a controller of the personal data processed or to be processed in the Register of electoral officers, the State Register of voters, etc.

processor - a natural or legal person governed by public law, or by private law, including public authority and its territorial subdivisions, which processes personal data on behalf of the controller, on instructions from the controller. For example, the Center for continuing education in the election field is the processor of the Central Election Commission, as it processes personal data relating to electoral officers within their specialized training according to the Regulation approved by the decision of the Central Election Commission.

recipient - a natural or legal person governed by public law, or by private law, including the public authority and its territorial subdivisions, to whom personal data are disclosed, whether it is a third party or not. For example, the Central Election Commission is constituted as the recipient of election lists sent by town halls or diplomatic missions. The bodies in charge of national defense, state security and public order, the prosecution bodies and the courts, which may receive personal data in the framework of exercising their duties established by law, shall not be considered as recipients.

filing system of personal data - any structured set of personal data accessible according to specific criteria, whether centralized, decentralized or distributed according to functional or geographical criteria. A filing system of personal data includes, but is not limited to, databases and information systems where personal data are stored and processed automatically or manually. For example, classical models of filing systems of personal data are the Register of electoral officers or the State Register of voters. At the same time, election lists prepared and stored on paper or electronically also represent a filing system of personal data.
The same applies to other structured series of personal data, such as video images collected by a surveillance system installed inside or on the perimeter of polling sections, which are maintained for a certain period of time; personalized information about the specialized training of electoral officers or other subjects involved in the election process, etc.

depersonalisation of data - such alteration of personal data that details of personal or material circumstances can no longer be linked to an identified or identifiable natural person, or such a link can only be made within an investigation with disproportionate effort, expense and use of time.

II. Organizational and technical procedures that must be followed

1. It is recommended that entities involved in the electoral process be allotted, depending on the role they have, the status of controller, processor or recipient, in accordance with the terms stated by Art. 3 of the Law on personal data protection. This will allow clear separation of powers and the appropriate allocation of rights and obligations within the processing operations of personal data.

2. All officers and those involved in the election process who have access to personal data, including employees of the Central Election Commission, will be subject to a confidentiality statement, which, as appropriate, may be included in contracts of employment as a contractual clause, or in the job descriptions, mentioning civil, criminal or contravention liability for its breach.

3. Personal data processed must be accurate and, where necessary, updated. It is recommended that the updating of personal data be done by the person responsible for processing personal data for election purposes, appointed by administrative act (decision) of the mayor, military unit commanders, heads of medical institutions, sanatorium homes, rest homes, diplomatic and consular offices of the Republic of Moldova, or electoral bodies, as appropriate. The administrative act will contain a personal data confidentiality clause in accordance with Art. 29 of the Law on personal data protection and information on liability for its breach, in accordance with Art. 33 of the same law.

4. The person in charge is to process the personal data of citizens with voting rights, as appropriate, residing in the territorial administrative unit or military units, or being in hospitals, sanatorium homes or rest homes, and of citizens with voting rights who are in other countries, in accordance with Art. 39 of the Election Code. However, during the update process, the accuracy of personal data is to be assured; it is recommended to check on the spot and to process personal data stored within information systems of personal data managed by the local authority, military unit, healing and medical institutions or sanatorium homes, and/or assigned to the key state information resources to which the person in charge has the right of access as an authorized user.

5. The use of certain filing systems of personal data for drawing up subscription lists is to be prohibited.

6. During the electoral process, personal data controllers jointly with the National Center for Personal Data Protection are to develop and implement the security policy of personal data in accordance with the provisions of the Requirements, which would cover issues referring to: procedures and measures related to security policy making, applying practical solutions with extensive related detail and a proportionate level of complexity; identifying and authenticating users with access rights to the information systems of personal data processed in the election process; ways of reacting to security incidents; protection of information technology and communications; ensuring the integrity of information that contains personal data and of information technology; management of access to personal data processed; audit in information systems and filing systems of personal data, etc.

7. The security policy is to contain provisions that ensure the protection of personal data processed within filing systems in the election process, in particular through the following methods:

1) prevention of unauthorized connections to communications networks and of interception by technical means of personal data transmitted via these networks, especially during disclosure by transmission of election lists between different entities vested with powers in the election process;

2) exclusion of unauthorized access to personal data processed within filing systems by implementing procedures for identification and authentication of users; by distributing duties and vesting those involved in the management of filing systems of personal data with the minimum rights and competencies; by ensuring the integrity of information resources (data and programs);

3) prevention of specific technical and program actions which cause the destruction or modification of personal data or failures in the operation of the technical and program complex or of the software for processing personal data, by means of special technical and program protection methods, including the use of licensed programs and antivirus programs, the organization of a control system for software security and the performance of regular backups;

4) prevention of intended and/or unintended actions of local and/or external users and other employees that cause the destruction or modification of personal data processed in filing systems or failures in technical and program operation;

5) prevention of leakage of information containing personal data transmitted via connecting channels, by using encryption methods for such information;

6) precise establishment of the order and procedures of access to information containing personal data processed within information and filing systems, both for local and external users.

8. When personal data contained in the election lists, additional election lists, subscription lists or other documents are disclosed by transmission in electronic format, via communication networks or on other (digital) storage media, the encryption of this information will be ensured or the possibility of using a bilateral connection via a secure VPN channel will be examined. Wireless access to the information systems of personal data is to be allowed and authorized only if cryptographic protection of information is used.
Each case in which the electronic transmission of personal data is required will be considered separately, given the technical possibilities of the recipient and controller, and in accordance with the organizational and technical measures implemented by the parties. If the communication networks pose a risk to the confidentiality and security of personal data, traditional methods of transmission will be used (registered mail with notice, personal handing, etc.).

9. Transmission of personal data through communication networks that do not meet the Requirements (e.g. sending information via personal e-mail such as @gmail.com, @mail.ru, @yahoo.com, etc.) will be prohibited.

10. The procedure for transmission of personal data stored on paper, including in the case of polling sections established outside the Republic of Moldova, is to be governed by institutional law, taking into account the need to ensure an adequate level of security, including by using diplomatic channels.

11. The procedure for drawing up, reviewing and updating election lists; for the receipt and transmission of lists from and to the election offices; for the inclusion/exclusion of voters from the lists by the members of the election office; for the further submission of final election lists; for the storage of election lists; and for other necessary aspects which imply personal data processing, will be developed and approved by the Central Election Commission in cooperation with the National Center for Personal Data Protection, in accordance with the principles of the Law on personal data protection.

12. The Central Election Commission shall regulate in particular the procedure for access by accredited observers to information with electoral content and to the election lists, including the procedure and limits within which they can take photo and video footage, taking into account not only the need to ensure the secrecy and security of the voting procedure, but also the principles of confidentiality and security of personal data processing provided by Articles 29 and 30 of the Law on personal data protection.

III. State Register of Voters

13. The existence of an updated election register is crucial to ensure universal suffrage, to secure the election process and to ensure the updating and accuracy of personal data processed for electoral purposes. However, although at the moment there exists the Concept of the State Automated Information System Elections, approved by Law No. 101-XVI dated 15 May 2008, before the entry into service of the automated information system for keeping the state registry, the approval of the Regulation on the manner of keeping this register will be required.

14. It is recommended that the drafting of the Regulation take into consideration the principles stated by the Law on personal data protection and the provisions of the Requirements for the assurance of personal data security at their processing within information systems of personal data, including by specific regulation of the rights and obligations of central and local public authorities in providing the personal data necessary for keeping the registry, etc. Particular attention should be paid to issues related to:

a) providing conditions for the citizen to exercise the constitutional right to a secret ballot, so that any technical possibility, even imaginary, for the administrator of the automated filing System or another person to have access to the information regarding the option exercised by the voter during the voting process through the electronic system is completely excluded;

b) technical procedures that would ensure automatic termination, after the voting, of the link between the voter's personal data and the check mark made by him for a specific candidate in the electronic ballot, and the absolute impossibility of restoring this link;

c) technical procedures that would ensure the impossibility of monitoring, by the administrator of the automated filing System or another person, of the choice expressed by the voter during the period between ticking the appropriate section in the electronic ballot and the final confirmation of this option, a period that is measurable in time.

15. The creation of filing systems of personal data collected for electoral purposes is to be prohibited, except in the cases expressly provided for by the Election Code.

IV. Rights of personal data subjects

16. When personal data are collected directly from the data subject, the data subject shall, upon request, be provided with the following information, except where he/she already has that information:

1) the identity of the controller or, where applicable, the processor (name, legal address, IDNO, registration number in the Register of evidence of the personal data controllers);

2) the actual purpose of processing of the collected data;

3) the recipients or categories of recipients of personal data; the existence of the rights to information and access to the data collected, to intervention over the data (especially to correct, update, block or delete personal data whose processing is against the law because of their incomplete or inaccurate nature) and to opposition, as well as the conditions under which these rights can be exercised; whether answers to the questions by which data are collected are obligatory or voluntary, including the possible consequences of refusing to answer the questions by which the information is collected.

17. It is recommended that personal data subjects be informed, in a generalized manner, of the particularities of processing operations of personal data during elections through mass media at the republican or local level, as appropriate, including by displaying appropriate information on the information panels of central and local public authorities and by using available communication means (phone, post, Internet).

18. Personal data subjects (voters) will be guaranteed the right of access to and the opportunity to consult the election lists in order to verify that they have been drawn up correctly, and to appeal against their non-inclusion in or exclusion from the list, as well as against other mistakes made in entering their personal data or the data of other voters. In this respect, the persons in charge of processing the personal data contained in the election lists will ensure the citizen's access only to the personal data that concern him/her directly, the possibility of consulting personal data that concern other subjects contained in the election lists being excluded, except where the applicants have a legal interest that is not prejudicial to the interests or fundamental rights and freedoms of the data subject.

19. When personal data contained in the election lists are posted on the official website of the Central Election Commission or of a local public authority, the necessary technical solutions are to be established to exclude unrestricted access to them, with technical and program measures specific to information security and protective measures for unambiguous confirmation of the identity of the personal data subject exercising the right of access and rectification, excluding unauthorized access to data.

20. When the personal data subject exercises the right to intervention, the inaccurate data are to be updated by amendment or deletion, using only legal sources as the basis (identification documents, marital status documents, main state information resources, etc.); the amendment is to be made in all filing systems managed for electoral purposes.

21. Disclosure by transmission, dissemination or otherwise of the personal data processed for electoral purposes will be prohibited, except where the personal data subject has given his/her consent, when the information is depersonalized or when the law expressly stipulates the right of the recipient or of the third party to do so.

V. Storage, retention and destruction of personal data processed in the election process

22. Storage and retention of personal data registered in the electoral documents is to be carried out in strict accordance with Art. 62 of the Election Code, and the Central Election Commission is to assume the right to decide on their finality, taking into consideration the provisions of Art. 4 para. (1) letter e) of the Law on personal data protection.

23. Access to areas where information and filing systems of personal data are located is to be restricted, being allowed only to those who have the necessary authorization and only during working hours, according to the institutional security policy approved by each controller.

24. The storage and keeping of personal data in electronic format, structured in filing systems, on computers that are connected to the Internet and that are not equipped with special means of technical and program protection and do not have installed licensed programs, antivirus programs, systems of software security control, and assurance of regular back-ups and audit performance is to be prohibited.

25. Storage of personal data on magnetic, optical, laser, paper or other information media on which the document is created, fixed, transmitted, received, maintained or otherwise used, and which allow its reproduction, shall be ensured by placing them in safes or lockable metal cabinets and sealing them. Access to safes and metal cabinets is to be monitored by keeping a register of records. Storage, without authorization, of personal data carriers outside the security perimeter of the controller is to be prohibited.

26. Damage/destruction of electoral documents and of information carriers containing personal data is done by the controller or processors, based on clear instructions. Where the controllers are local public authorities, damage/destruction is to be carried out in accordance with the terms specified in the standard Nomenclature of files of the town halls (villages), municipalities (cities), based on minutes. Where the controller is the Central Election Commission, the destruction will be carried out according to the Regulation on organization and operation of the archives of the Central Election Commission, approved by Central Election Commission Decision No. 1917 of 21 October 2008 under the provisions of the Election Code.

27. Annually, by 31 January, personal data controllers will submit to the National Center for Personal Data Protection of the Republic of Moldova a general report on security incidents of the information systems of personal data in accordance with the provisions of point 91 of the Requirements.