In the wake of Cambridge Analytica, the use of personal data by political parties has been subject to increased scrutiny. Given the specific policy challenges which such use poses, this article examines the conditions for the lawful processing of personal data under the General Data Protection Regulation (GDPR), as it applies to political parties. It identifies the extensive flexibilities afforded by the GDPR to Member States and argues that granular Member State analysis is required if the GDPR regime is to be meaningfully evaluated in this context. [---]