Ikonka home dla okruszków News and events
photo
15.04.2026

Processing of Personal Data in the Participatory Budget Procedure Requires Changes

The President of the Personal Data Protection Office, Mirosław Wróblewski, is advocating for regulations governing the processing of personal data for the purposes of conducting the so‑called participatory (civic) budget procedure. He has addressed this matter in a formal communication to the Minister of the Interior and Administration.

Members of local communities are entitled to express their will regarding the allocation of part of the public budget. The participatory budget serves this purpose. Within this form of civic participation, personal data are processed not only by public authorities but also by citizens themselves. By engaging in the management of municipalities, counties, or cities, individuals become initiators of data‑processing activities from collecting and recording data to transferring them to local government authorities on lists supporting specific projects.

The President of the Personal Data Protection Office has been informed of difficulties in applying the provisions governing participatory budgets, particularly those relating to personal data processing. Concerns are raised both by entities obliged to conduct public consultations and by individuals whose data are processed. There are no precise legal provisions comprehensively regulating the processing of personal data within the participatory budget procedure.

Local government legislation should clarify the following issues:

·       who acts as the controller of personal data;

·       the scope of personal data processed;

·       verification of the eligibility of individuals entitled to vote;

·       safeguarding of personal data.

Determining the Status of the Data Controller

The Act on Municipal Self‑Government (Article 5a(7)) states that the municipal council shall, by resolution, define the requirements that a participatory budget project must meet. However, this provision does not specify the criteria for personal data processing that such a resolution should contain. As a result, the method of conducting the vote is regulated solely by local law.

From the perspective of ensuring transparency for individuals whose data are processed, it is crucial to clearly define roles and responsibilities related to personal data processing. This is essential at every stage of implementing the participatory budget. To achieve this, the principles of data protection set out in Article 5 of the GDPR must be respected.

Scope and Method of Personal Data Processing

Currently, entities responsible for conducting public consultations have full discretion in selecting the criteria for personal data processing, the scope of data collected, and the methods and forms of verification used to carry out this task.

During voting on participatory budget projects, voters are often required to provide their PESEL number—this excludes residents who do not have one, such as foreign nationals or Polish citizens born abroad who hold only a passport. The collection and further processing of the PESEL number for strictly defined purposes should follow directly from statutory provisions. Legal uncertainty discourages residents from participating in public debates and undermines trust in local authorities. Administrative court rulings increasingly hold that requiring a PESEL number lacks legal justification.

Digital Transformation and Data Security

Consideration should be given to introducing provisions on electronic voting that ensure the secure operation of the participatory budget mechanism.

Currently, local government units do not always assume responsibility for data security before lists of support signatures are submitted. Meanwhile, individuals collecting signatures are not always aware of their responsibilities regarding personal data processing.

In the context of cybercrime, digital espionage, and the misuse of personal data for attacks on democratic institutions—including theft of individual data—it is essential to provide citizens with appropriate tools enabling them to manage and control their data online. At present, there are no regulations governing the electronic submission or endorsement of participatory budget projects.

These issues are increasingly raised during meetings with the President of the Personal Data Protection Office, as well as during conferences and debates organised by the Office and dedicated to personal data protection in local government.

Processing Personal Data Using IT Platforms

It is justified to define minimum criteria that IT platforms authorised by the legislator to conduct participatory budget voting should meet. This should be done in compliance with the GDPR (including risks related to data transfers outside the EEA) and national and EU regulations on cybersecurity and digital identity (including NIS2 and eIDAS2).

The solutions used should meet the requirements of data minimisation, ensure transparency and verifiability of the voting process—including auditing and verifying the correctness of vote counting.

 

phone
Infoline (in Polish) UODO 606-950-000 Operates on weekdays from: 10:00-14:00
© UODO 2018 - 2026
Copyright.
Urząd Ochrony Danych Osobowych
map pin ul. Stanisława Moniuszki 1A, 00-014 Warszawa
envelope kancelaria@uodo.gov.pl
clock Working hours of the office: 8 a.m. – 4 p.m.
© UODO 2018 - 2026
Copyright.