Public affairs specialists are subject to certain obligations when collecting data on the people they target, including the duty to inform their contacts. A practical guide has been created by the CNIL and the main professional associations in the sector.
In their work, public affairs professionals (public affairs or lobbying consultancy firms, in-house corporate departments, etc.) collect personal data related to individuals such as government, administrative, association, parliamentary, and media figures. This data (name, first name, contact details, role or mandate, academic or professional background, public positions, work, etc.) can be processed for several purposes.
The first of these purposes is to understand which stakeholders are relevant to a given issue, particularly through mapping that identifies the government, administrative, association, parliamentary, and media actors within the entity’s environment. These maps may include some personal data (name, first name, role/mandate, etc.) but generally do not contain contact details, as the goal at this stage is to analyze positions and understand an ecosystem, not to contact the individuals concerned.
The second objective is to engage with actors identified during the mapping process, for example, by developing an engagement plan. When the strategy involves contacting the identified stakeholders after the mapping, an operational document for contact purposes can be created. This engagement plan typically includes the contact details of the individuals chosen to be contacted (email address, phone number, etc.). Additionally, preparing meetings with the targeted individuals may involve drafting their biographies.
The third objective is to maintain professional relationships, particularly by building an “address book” within the areas of expertise of various entities. Professionals take actions to maintain these relationships, such as sending messages, information, documents, etc. These activities can result in the creation of distribution lists linked to a specific theme or event or the establishment of a database for tracking public affairs contacts.
Ensuring Transparency of Processing
The principle of transparency, defined in Articles 12, 13, and 14 of the GDPR, requires organizations collecting personal data to inform individuals so they understand how their information will be used (why, how) and can exercise their rights (right to object, right of access, right to rectification, etc.). This principle contributes to the fairness of processing and the establishment of trust between the organizations responsible for it and the individuals concerned.
This principle applies to any processing of personal data, whether the data is directly collected from the individuals concerned (e.g., in the context of interactions with the individuals) or indirectly collected: data freely accessible on the Internet (publications on institutional or administrative websites, public service directories, press, etc.), information obtained from institutional/commercial partners, reuse of an existing database, etc.
However, there are some cases where individual notification is not mandatory, particularly when the data controller has not directly collected the personal data from the individuals concerned. It is possible to consider that individual notification would require disproportionate effort when the processing does not include contact details and meets the following cumulative conditions:
– The processing is implemented to understand which stakeholders are relevant to a given issue.
– The processing only involves individuals who, due to their activities, have high visibility in the public domain.
– The processing only concerns publicly accessible data.
– The processing is minimally intrusive.
Another exception applies when notification would severely compromise the objectives of the processing. Some data processing activities carried out by public affairs professionals pursue objectives that would be severely compromised by notifying the individuals concerned. This can occur, for example, when professionals are working with confidential information in the context of a stock market operation or a social restructuring.
Finally, a last exception is provided by regulation: when obtaining or communicating the information is required by law. This exception only applies if the organization subject to the relevant provisions (legislative or regulatory text) is the data controller and provided that appropriate safeguards are implemented.
A Guide to Support Industry Professionals
Many other obligations apply to public affairs and lobbying professionals. This is why the CNIL worked with the French Association of Lobbying and Public Affairs Consultants (AFCL), the Association of Public Affairs Professionals (APAP), the Association of Lawyers and Public Affairs Advisors (A-CAP), and the Syndicate of Public Relations Consultants. Following discussions that lasted more than two years, a practical guide was developed to promote the application of the GDPR by professionals in this sector.
The guide aims to help industry professionals understand key principles of the regulation:
– The legal classification of actors (data controller, joint controller, processor)
– The legal bases and conditions for processing “sensitive” data
– Information and the conditions under which it is possible to waive the obligation to inform individuals
– Data retention periods
This approach is part of the CNIL’s sectoral support initiative, which includes collaboration with “network leaders” to facilitate the adoption of the GDPR by professionals in a given sector. These partnerships allow for the development of practical and operational tools (guides, practical sheets, recommendations, etc.) that help promote the responsible use of data while respecting individuals’ rights.
To go further, find out how our deepeo software solution can help you with its features
Data Deletion
Deletes all data for any data subject you no longer have a business or legal reason to hold.
Data Anonymiser
Perform the same operations as the data deletion, but anonymise a data subject’s data as opposed to deleting it.