On March 13, 2024, the French data protection authority (CNIL) published a practical guide on the GDPR for public affairs professionals. In particular, CNIL highlighted that the guide applies to professionals working in public affairs, lobbying, consulting, and internal departments of companies that collect personal data relating to individuals in government, administrators, parliamentary actors, and media personnel, among others, under the General Data Protection Regulation (GDPR).

CNIL outlined that the guide may help public affairs professionals:

• understand who relevant stakeholders are on a given subject;
• act with the stakeholders identified; and
• maintain professional relationships.

The guide does not cover data processing operations that are not specific to public affairs activities, such as human resource (HR) management or commercial management.

Specifically, sectoral recommendations are given by the guide on:

• the legal status of controllers, processors, and subprocessors;
• the legal bases and conditions for processing sensitive data;
• circumstances where it is not necessary to inform an individual of the processing of their personal data;
• data retention periods; and
• carrying out a Data Protection Impact Assessment (DPIA).

CNIL noted that it has published separate guidance on informing individuals of the processing of their personal data in public affairs.

You can read the press release here and the guide here, both only available in French.