1. Preamble, Regulatory Framework and Definitions
1.1. Preamble
CL CORPORATE AFFAIRS CONSULTING (hereinafter "the Company" or "we") is a French single-shareholder company registered in the French Business and Establishment Directory under number 902 992 189, with its registered office at 1 avenue de l'Observatoire, 75006 Paris, France, and a representation office in Brussels, Belgium, at Avenue de Tervueren 103, B-1040 Brussels, tel.: +33 1 82 28 00 30 / +32 2 886 00 68.
In the course of its public affairs and interest representation activities, the Company may collect and process personal data concerning you. It does so in compliance with Regulation (EU) 2016/679 of 27 April 2016 (the "GDPR") and French Law No. 78-17 of 6 January 1978 on data processing, files and individual liberties (the "Loi Informatique et Libertés").
1.2. Sector-Specific Regulatory Framework
This policy has been drawn up in accordance with the GDPR practical guide for public affairs professionals, a sector-specific framework co-developed by the four main French professional associations of the public affairs industry and published in concertation with the CNIL (Commission nationale de l'informatique et des libertés), France's independent data protection authority responsible for ensuring that data processing complies with the rights and freedoms of individuals.
The professional associations involved in the drafting of this guide are:
- AFCL — Association française des Conseils en Lobbying et affaires publiques (French Association of Lobbying and Public Affairs Consultancies);
- APAP — Association des professionnels des affaires publiques (Association of Public Affairs Professionals);
- A-CAP — Association des Avocats-Conseils en Affaires publiques (Association of Lawyers-Consultants in Public Affairs);
- SCRP — Syndicat du Conseil en relations publiques (Public Relations Consultancy Union).
France is one of the few European countries where the application of the GDPR to the public affairs sector has been the subject of a structured co-construction process between professional associations and the competent data protection authority. This collaborative effort, carried out over more than two years of exchanges with the CNIL, has produced a comprehensive sectoral guide that addresses the specific data processing needs of public affairs professionals — from stakeholder mapping and interest representation to the maintenance of professional relationships and compliance with transparency obligations.
CL Corporate Affairs Consulting adheres to these professional standards. Integrity and transparency are the core values that guide all of the Company's activities, and this data protection policy is an integral part of that commitment. For more information on the CNIL's sector-specific guidance, please refer to the CNIL's dedicated page on public affairs and lobbying.
1.3. Definitions
- "Recipient": any natural or legal person, public authority, agency or other body that receives communication of personal data, whether or not a third party.
- "Personal data": any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
- "Data controller": the natural or legal person that determines the purposes and means of processing.
- "Processor": the natural or legal person that processes personal data on behalf of the controller.
- "Processing": any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, alignment, restriction, erasure or destruction.
For any questions, please contact us at the details provided in Section 4 below.
2. Why and How Do We Use Your Data?
Your data may be collected directly from you (in the course of our exchanges and interactions) or indirectly from third parties. Third-party sources may include:
- Websites or publications of institutions, organisations or public bodies to which you are affiliated;
- Newsletters, publications or other publicly accessible information sources (e.g. Lettre A, Contexte, Politico, Euractiv, etc.);
- Professional databases (e.g. lesbiographies.com, Acteurs publics, le Guide du Pouvoir) or public directories (e.g. the Who's Who maintained by the European Commission);
- The press, websites or professional social networks (e.g. LinkedIn), where you have publicly shared information about yourself;
- Our clients.
In general, we process your personal data for the purposes of managing and monitoring our public affairs and interest representation activities. Specifically, data is processed for the following purposes:
2.1. Understanding the Positions, Expectations and Scope of Influence of Stakeholders
Purpose: processing carried out as part of our activities aimed at understanding the positions, expectations and scope of action and/or influence of stakeholders (e.g. stakeholder mapping and biographies, monitoring notes, reports, anticipation of crisis communication procedures).
Legal basis: legitimate interest of the Company in carrying out its business.
Data processed: identity (title, surname, first name), functions/mandates/positions, affiliated organisation, positions taken, areas of interest, areas of expertise, preferred subjects, biographical information (training, academic qualifications, professional and political career, etc.).
Automated decision-making: No.
Retention period: duration of the mission/project + 1 year in active database, then archived for up to 6 years from the end of the mission/project for administrative and/or evidentiary purposes.
2.2. Building and Maintaining Dialogue Between Represented Entities and Relevant Stakeholders
Purpose: activities aimed at building and maintaining dialogue between the entities whose interests are represented and relevant stakeholders, and developing relevant communications (e.g. engagement plans, contact programmes, outreach, briefing notes, organisation of meetings, interest representation and lobbying activities).
Legal basis: legitimate interest of the Company.
Data processed: identity (title, surname, first name), functions/mandates/positions, affiliated organisation, positions taken, areas of interest and expertise, contact details (postal address, email address, phone and fax numbers), biographical information, monitoring of exchanges and interactions.
Automated decision-making: No.
Retention period: duration of the mission/project + 1 year in active database, then archived for up to 6 years from the end of the mission/project.
2.3. Maintaining Professional Relationships and the Company's Expertise
Purpose: activities aimed at maintaining professional relationships, monitoring contacts and sustaining expertise (e.g. monitoring notes, sending information, news, invitations, organising meetings or events, prospecting).
Legal basis: legitimate interest of the Company.
Data processed: identity, functions, affiliated organisation, areas of interest and expertise, contact details, biographical information, monitoring of exchanges and participation in meetings or events.
Automated decision-making: No.
Retention period: until the end of the data subject's relevant expertise activity, then archived for 6 years from the last contact for administrative and/or evidentiary purposes.
2.4. Complying with Legal and Regulatory Obligations Applicable to Public Affairs Professionals
Purpose: compliance with obligations incumbent on public affairs professionals, including declarations to the French High Authority for Transparency in Public Life (HATVP) and registration obligations under the EU Transparency Register.
Legal basis: legal obligation, and legitimate interest where applicable (in particular for retaining data to respond to potential HATVP audit requests).
Data processed: identity (title, surname, first name), functions/mandates/positions, affiliated organisation.
Additional information: the collection and retention of this data is required by applicable legal and regulatory provisions; failure to do so may result in sanctions. As noted in the AFCL/APAP/A-CAP/SCRP practical guide, the client is generally considered the data controller where processing is sub-contracted; roles should be specified in contractual documents.
Automated decision-making: No.
Retention period: current accounting year + 3 months in active database, then archived for 5 years from the end of the accounting year following that in which the interest representation activity was carried out.
2.4.1. EU Transparency Register
Purpose: compliance with disclosure obligations under the EU Transparency Register (pursuant to the Interinstitutional Agreement of 20 May 2021, OJ C 229 of 17.06.2021).
Legal basis: legal obligation and legitimate interest.
Data processed: identity (first name, last name, position), affiliated organisation, subject matter of exchanges, date and nature of declared institutional contacts.
Retention period: 5 years after the declaration, to allow for ex-post verification. Such data may be made publicly accessible via the EU Transparency Register, under the responsibility of the European institutions.
2.5. Managing Requests to Exercise Data Rights
Purpose: processing requests from data subjects to exercise their rights (access, rectification, erasure, objection, restriction, portability), and managing the consequences thereof.
Legal basis: legal obligation.
Data processed: identity (title, first name, last name), contact details, content and nature of the request, exchanges and response, and where required (in the event of reasonable doubt as to identity), a copy of an identity document.
Automated decision-making: No.
Retention period: until the request is responded to, then a maximum of 6 years in archive depending on the type of request. Any identity document collected is deleted immediately once identity has been verified, or retained in archive for 6 years where litigation risk is identified.
Where relevant, certain sensitive data (political opinions, religious or philosophical beliefs, trade union membership) may be processed for the above purposes, subject to the necessity of doing so and either your express prior consent or the fact that you have clearly made such information public.
3. Who Are the Recipients of Your Data?
3.1. Within the Company
Only authorised persons within the Company may access your personal data, where such access is strictly necessary for the performance of their duties.
3.2. Outside the Company
In limited and specific circumstances, the following external parties may also receive or access your personal data:
- Services or entities responsible for monitoring the Company (e.g. auditors, supervisory bodies, the HATVP);
- Legal, financial or accounting advisers to the Company and/or its clients;
- The Company's partners and/or clients, including service providers and technical suppliers whose access to personal data is necessary and justified in the context of our activities. As highlighted in the AFCL/APAP/A-CAP/SCRP guide, the role of each party (controller or processor) should be clearly defined in contractual documents;
- The Company's clients and prospects.
3.3. Disclosure to Public Authorities
The Company may be required to disclose your personal data in response to legitimate requests from judicial, police or administrative authorities, on the basis of applicable legal and regulatory provisions.
3.4. Limited Access
Recipients receive only the personal data strictly necessary for the purpose that justifies such communication.
4. What Are Your Rights and How Can You Exercise Them?
4.1. Your Rights
Subject to the conditions and limits set out in applicable data protection law, you have the following rights in respect of the processing of your personal data by the Company:
- Right of access: obtain confirmation as to whether your personal data is being processed, and if so access to that data and related information.
- Right of rectification: request correction of personal data that is inaccurate or incomplete.
- Right to erasure: request deletion of your personal data in certain circumstances (e.g. where it is no longer necessary for the purposes for which it was collected, subject to the Company's legal obligations and evidentiary needs).
- Right to restriction of processing: request that processing of your data be restricted in certain cases.
- Right to data portability: receive your personal data in a structured, machine-readable format, or have it transferred to a third party, where processing is based on consent or contract and carried out by automated means.
- Right to withdraw consent: withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
- Right to define post-mortem instructions: define instructions regarding the retention, deletion or disclosure of your personal data after your death.
You also benefit from a right of objection, allowing you to object to the processing of your personal data on grounds relating to your particular situation. With regard to prospecting operations, including related profiling, you have an absolute right of objection, exercisable at any time without justification.
4.2. How to Exercise Your Rights
These rights may be exercised through our contact form or by post to: CL Corporate Affairs Consulting, 1 avenue de l'Observatoire, 75006 Paris, France.
Requests will be responded to as soon as possible and in any event within one month of receipt. This period may be extended by two months in view of the complexity and number of requests received, in which case you will be informed accordingly.
Where there is reasonable doubt as to the identity of the person making the request, additional information — and where necessary a copy of an identity document — may be requested. Response times are suspended pending receipt of such information.
4.3. Right to Lodge a Complaint
You have the right to lodge a complaint with the competent supervisory authority. In France, this is the Commission Nationale de l'Informatique et des Libertés (CNIL): 3 place de Fontenoy – TSA 80715 – 75334 Paris cedex 07; tel.: 01 53 73 22 22. For more information on your rights: cnil.fr.
5. Is Your Personal Data Transferred Outside the EU?
No transfer of personal data is carried out outside the European Union. Your personal data is processed preferentially within the European Union, in countries benefiting from an adequacy decision issued by the European Commission within the meaning of Article 45 of the GDPR.
6. How Is This Policy Made Accessible?
In accordance with the recommendations of the CNIL and the practical guide for public affairs professionals published by AFCL, APAP, A-CAP and SCRP, this policy is accessible from the Company's website and from the email signatures of its representatives. Any data subject who has been contacted by the Company in the course of its public affairs activities may request a copy at any time through our contact form.
7. Right to Amend
The Company reserves the right to amend the content of this GDPR personal data protection notice at any time, in order to comply with any legislative, regulatory or case law developments. The most recent version of this notice is always available on the Company's website.
8. Contact
CL Corporate Affairs Consulting
1 avenue de l'Observatoire
75006 Paris, France
Contact form