Can a political party access registers of voters or obtain electronic information from the municipal authority in charge of keeping such data?
The legal basis for any personal data processing can be either legal authorization for data processing or freely given consent by a person (Article 8, item 1 of the Law on Personal Data Protection – Official Gazette of RS, Nos. 97/08 and 104/09 – other Law). This means that a data controller (in this case the authority in charge of keeping the register of voters) may make the processed data available to another entity (in this case a political party) only if there is a legal basis for doing so (i.e. if it is required under the law). If there is no such legal basis, it is necessary to obtain the data subject's freely given consent. In this specific case it would mean that every single individual included in the register of voters would have to give his/her consent to making the data available to the data recipient. In other words, for the data controller to make data available to the data recipient, there must be a legal basis that would allow such access to the data, as provided for by Article 3, item 7 of the Law on Personal Data Protection which defines the meaning of the term data recipient. It is considered to mean any natural person, legal entity or public authority authorized by virtue of the law or on the basis of a person's consent to use data.
The Law on Single Register of Voters (Official Gazette of RS, Nos. 104/2009 and 99/2011) sets out when and under which conditions can the data contained in the register of voters can be accessed and used and who can access them and use them.
According to Article 14 of the Law on Single Register of Voters, One day after elections had been called, the municipal/town administration updating the Register of Voters for the territory of the local self-government unit makes public the part of the Register of Voters for the territory of the local self-government unit and announces this through the media and, if necessary, in other ways, and informs the citizens until the Register of Voters is closed, they can request the municipal/town administration to adopt decisions on amendments to the Register of Voters.
According to Article 19, paragraph 1 of the Law on Single Register of Voters, the ministry competent for public administration prepares and verifies printed excerpts from the Register of Voters classified by local self-government units and polling stations in the country and abroad and forwards them to the Republic Electoral Commission within 24 hours of the moment when it adopted the decision on the closure of the Register of Voters.
The provision of Article 21 of the Law on Single Register of Voters provides that once the list of candidates for elections is declared, the right to have insight and file requests for changes in the Register of Voters will also be enjoyed by the person submitting the list of candidates for election or the person authorized by him/her, according to the same procedure applied when citizens exercise this right. The powers-of-attorney and the necessary evidence must be enclosed to requests.
In view of the legislative provisions quoted above, we are of the opinion that, outside of the cases specifically provided for by the law, voters' data, i.e. the Single Register of Voters, cannot lawfully be made available to anyone. This means that, if an authority in charge of maintaining the register of voters (the ministry in charge of public administration or municipal/city administrations which maintain registers of voters as a delegated duty) makes such register available to political parties, it has committed an infringement and the persons responsible within the authority could even face criminal charges. Namely, processing of personal data included in a register of voters (or, in this specific case, making citizens' data available to political parties) outside of the rules set out in the Law on the Single Register of Voters by the authorities in charge of maintaining the register of voters would constitute processing of data contrary to Article 13 of the Law on Personal Data Protection, which is punishable as an infringement within the meaning of Article 57, paragraph 1, item 2 of the Law on Personal Data Protection. Furthermore, unauthorised disclosure or use for purposes other than those originally intended of any personal data collected, processed and used in accordance with the law by an official in the exercise of his/her powers is a criminal offence punishable under Article 146, paragraph 3, relating to paragraph 1 of the Criminal Code (Official Gazette of the Republic of Serbia, Nos. 85/2005, 88/2005 – corrigendum, 107/2005 - corrigendum, 72/2009 and 111/2009).