State Electoral Office data protection terms and conditions

General information on personal data

Personal data is any kind of data that enables to identify a person.

Personal data processing is any operation that is performed on personal data or on sets of personal data.

The documents that contain personal data and that are re    quired to be registered are stored for the term set for the storage of documents entered on the list of documents.

The data protection policy does not apply to the storage of data on legal entities and other institutions. The data protection policy also does not apply to the processing of data on natural persons when the data is processed in connection with their official duties.


Chief processor of data

In the field of elections, the chief processor of data is the State Electoral Office, which is a structural unit at the Chancellery of the Riigikogu. 


Processing situations

1. The lists of voters are submitted to the State Electoral Office by the Ministry of the Interior. The State Electoral Office processes the list of voters in the electronic voting system and forwards the fact of voters having voted electronically as well as their anonymised choice to the election information system. The data entered on the list of voters is processed by elections managers who are assisted in this by persons provided in the Municipal Council Election Act, Riigikogu Election Act, European Parliament Election Act, and Referendum Act. The data entered on the list of voters is processed for the performance of legal obligations, which is why the data entered on the list is not erased. Any voter has the right to consult their personal data entered on the list of voters. After the election or referendum, the data entered on the list of voters can be consulted by submitting a written request to the State Electoral Office [email protected]

2. The data on the candidates is collected and published according to the law. Six months after the elections, the contact information, information on the education, job and position of the candidate are removed from the webpage. The data attesting to the fact of having stood as a candidate (name and surname, date of birth, party affiliation when standing as a candidate, electoral list and district, and candidate registration number) are published on the webpage indefinitely. The purpose of publishing the date of birth is to allow the voters to identify the individual who is standing as a candidate. The information on candidates is stored permanently to fulfil the archiving obligation arising from the law.

3. The information on the elections managers (staff of the State Electoral Office, rural municipality or city secretaries, foreign missions, and other employees of local governments and members of electoral committees) and persons related to standing as a candidate (candidates, authorised representatives or managers of parties or election coalitions,) are processed in the election information system according to the law. In the election information system, user accounts are generated for the users and their contact information is collected according to the law for the purpose of organising elections. The information is kept until the next elections for reuse when the account is reopened. The State Electoral Office forwards to the Political Parties Financing Surveillance Committee the names and contact information of election coalitions and independent candidates for the performance of functions provided in the Political Parties Act. 

4. The State Electoral Office collects the names and contact information of the observers of electronic voting or test voting or foreign observers with their consent. The information is collected for the purposes of determining the fact of participation of the observer, which may transpire to be necessary in the course of resolving a complaint, or for allowing the observer to conclude training before the observation of electronic voting. After the proclamation of the election results, the information on the observers is erased.

5. Webpage traffic. The following information is collected and stored: internet address of the computer or computer network (IP address), the name and address of the internet service provider of the computer or the computer network used, time of the visit (time, date, year). IP addresses are not linked to the data that identifies an individual. Information is collected concerning the part of the web page visited and the length of the visit; this is used for visitor statistics in order to analyse the web development needs. Information is deleted as soon as it becomes obsolete and is not kept for longer than one year. 

6. Letters, requests for explanation, memorandums, information requests or responses to the letter (the letters) are subject to the data protection policy of the Chancellery of the Riigikogu. 

7. Applications for an internship or a job fall under the provisions on data protection of the Chancellery of the Riigikogu. 

8. Contracts with natural persons contain personal data, some of which may adversely affect the privacy of a person if published (e.g., contact details). Access to contracts concluded with natural persons is granted to submitters of relevant information requests.

9. Visiting the State Electoral Office and taking part in their events (collectively the events). The work of the elections managers and the election results are actively covered in the social media. Participants of the events can be photographed or filmed. The events are recorded with the purpose of informing the public of the activities of the Office.

10. Public procurements where the CVs of the members of the tenderer team are required in the procurement procedure. During the procurement procedure, personal data is processed for the purpose of preparing the procurement contract, therefore no agreement is needed for that. If it is necessary due to the nature of the service, a data processing contract within the meaning of Article 28 of the General Data Protection Regulation is concluded with the successful tenderer in order to ensure the security of personal data processing.


Rights of an individual regarding the data processing concerning them

11. An individual has the right to access the personal data that has been collected on them. We refuse to disclose information only in the cases where it may:
11.1. damage the rights and freedoms of others;
11.2. damage public order or national security;
11.3. hinder or adversely affect the prevention, detection, or investigation of a crime, or the imposing of a punishment.

12. An individual is informed before their personal data is processed for any other purpose than the one for which the data was originally collected.

13. An individual has the right to:
13.1. request rectification or deleting of inaccurate personal data (except in cases where the data is processed for the performance of legal obligations, exercise of public authority, or performance of duties in public interests);
13.2. request restrictions to be set on processing the personal data (except in cases where the data is processed for the performance of legal obligations, exercise of public authority, or performance of duties in public interests);
13.3. request that no automatic decisions are made regarding themselves on the basis of personal data;
13.4. withdraw consent for processing personal data (if the personal data processing was based on consent).

14. We will reply to requests without undue delay, but not later than one month after receiving the request. We prefer to reply by e-mail; however, if possible, we can also use other means specified in the request.

15. We are not required to meet unjustified or repeated requests. We are allowed to ask reasonable compensation for meeting such requests, taking into account the administrative expenses incurred in meeting these.

16. If a person finds that their rights have been unjustifiably restricted or violated, they have the right to turn to the Data Protection Inspectorate or the court.

17. We will inform the Data Protection Inspectorate of violations without undue delay, and if possible, within 72 hours after learning of these, except in cases where the violation is not likely to pose a serious threat to the rights and freedoms of a natural person. In case of a serious threat to the rights and freedoms, we will inform the data subject so that they could take the necessary measures without delay.


For more information on personal data processing, please contact the Data Protection Officer at [email protected], or by phone +372 631 6533.