1. GDPR: What It Is & When It Applies
GDPR (General Data Protection Regulation) is an EU law that governs the protection of personal data. It applies:
To organisations established in the EU that process personal data, wherever the processing itself takes place.
To organisations outside the EU that offer goods or services to people in the EU, or that monitor the behaviour of people in the EU (for example through website analytics or tracking).
This means that if ElectionCandidates.org collects or processes data about people who are in the EU, even if the site is hosted outside the EU and the people concerned are not EU citizens, GDPR very likely applies.
2. Core GDPR Requirements for a Privacy/GDPR Policy
A GDPR-compliant privacy notice must be clear, accessible, and explain exactly how user data is handled. Key elements include:
a. Who Is the Data Controller
You must identify the organisation responsible for data processing and give contact details.
(Articles 13 and 14 requirement.)
b. What Personal Data Is Collected
List the categories of personal data you collect (names, email addresses, IP addresses, cookie identifiers, etc.). Under GDPR, any information relating to an identified or identifiable person counts as personal data, so technical identifiers such as IP addresses and cookie IDs are included.
c. Legal Basis for Processing
GDPR (Article 6) requires a lawful basis for each purpose for which you process personal data, and the notice must state which basis applies to which purpose. The six bases are:
Consent
Contract performance
Legal obligation
Vital interests
Public task
Legitimate interests
d. How Data Is Used & Retained
Be precise about the purposes of processing and how long data is stored for each purpose (or the criteria used to decide the retention period). Only collect what is necessary for those purposes (data minimisation principle).
e. Third-Party Sharing
List any external processors or other recipients (e.g., hosting and analytics services), and explain why data is shared with them.
f. Data Subject Rights
GDPR gives individuals rights such as:
Right to access their data
Right to correct inaccuracies
Right to delete data
Right to restrict or object to processing
Right to data portability
Individuals must be told how to exercise these rights, that they can withdraw consent at any time where consent is the basis, and that they can complain to a supervisory authority.
g. Transfers Outside the EU
If data leaves the EU/EEA, the policy must say where it goes and which safeguard applies (an adequacy decision for the destination country, standard contractual clauses, binding corporate rules, etc.).
h. Data Protection Officer (DPO)
A DPO is mandatory where your core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special-category data (which includes political opinions), or where you are a public authority. If you have appointed one, provide the DPO's contact details.
3. Election-Specific Considerations
Even for election sites, GDPR fundamentals remain the same, but there are sensitive areas worth noting:
Political Data Sensitivity
Data revealing political opinions is a "special category" under GDPR (Article 9). Processing it is prohibited unless an Article 9(2) exception applies, most commonly the person's explicit consent; other exceptions include data the person has manifestly made public and processing necessary for reasons of substantial public interest under EU or Member State law. For a candidate site, a candidate's published platform and party affiliation are typically data the candidate has made public, whereas any record of a site visitor's political leanings (preferences, follows, saved candidates) needs its own explicit basis.
Transparency in Campaign-Related Processes
If the site profiles or targets individuals (e.g., filtering, recommendations or analytics based on inferred voter preferences), that activity must be lawful, fully disclosed in the notice, and explained in plain terms, including the logic involved and the consequences for the individual where decisions are automated.
International Guidelines
The Council of Europe's guidelines on data protection for political campaigns underscore that personal data collection must respect privacy rights and be tied to clear, specified purposes.
4. Construction of a GDPR-Compliant Policy
A good GDPR policy for ElectionCandidates.org should cover the following sections:
1. Introduction
Who you are
Scope of the policy
Commitment to data protection
2. What Data You Collect
Contact info, public records, analytics cookies, etc.
3. Why You Collect It
Services provided, lawful basis for processing
4. How You Use It
Candidate profiles, user accounts, analytics
5. How You Share It
Third parties, legal obligations
6. International Data Transfers
How data Europeans entrust to you is protected abroad
7. Rights of Individuals
Consent, access rights, deletion rights, withdrawal of consent
8. Security Measures
How data is secured and protected (the technical and organisational measures required by Article 32), and how personal data breaches are handled, including the obligation to notify the supervisory authority within 72 hours of becoming aware of a breach where it is likely to result in a risk to individuals
9. DPO Contact
If applicable
10. Policy Updates
How users will be notified of changes
5. Consequences of Non-Compliance
GDPR breaches can lead to very high administrative fines, set in two tiers:
Up to €10 million or 2% of worldwide annual turnover, whichever is higher, for breaches of obligations such as security of processing, records and breach notification.
Up to €20 million or 4% of worldwide annual turnover, whichever is higher, for breaches of the core principles, lawful basis, data subject rights and international transfer rules.
Non-compliance also exposes organisations to enforcement actions, reputational damage, and legal challenges.