Version 1.0 dated 02 September 2020 adopted for public consultation. Go to the finalized version.
Go to official PDF version.
The European Data Protection Board
Having regard to Article 70(1)(e) of Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
HAS ADOPTED THE FOLLOWING GUIDELINES
1. A significant development in the online environment over the past decade has been the rise of social media. More and more individuals use social media to stay in touch with family and friends, to engage in professional networking or to connect around shared interests and ideas. For the purposes of these guidelines, social media are understood as online platforms that enable the development of networks and communities of users, among which information and content is shared.1)Additional functions provided by social media may include, for example, personalization, application integration, social plug-ins, user … Continue reading Key characteristics of social media include the ability for individuals to register in order to create “accounts” or “profiles” for themselves, to interact with one another by sharing user-generated or other content and to develop connections and networks with other users.2)In addition to “traditional” social media platforms, other examples of social media include: dating platforms where registered users present … Continue reading
2. As part of their business model, many social media providers offer targeting services. Targeting services make it possible for natural or legal persons (“targeters”) to communicate specific messages to the users of social media in order to advance commercial, political, or other interests. 3)Targeting has been defined as “the act of directing or aiming something at a particular group of people” and “the act of attempting to appeal … Continue reading A distinguishing characteristic of targeting is the perceived fit between the person or group being targeted and the message that is being delivered. The underlying assumption is that the better the fit, the higher the reception rate (conversion) and thus the more effective the targeting campaign (return on investment).
3. Mechanisms to target social media users have increased in sophistication over time. Organisations now have the ability to target individuals on the basis of a wide range of criteria. Such criteria may have been developed on the basis of personal data which users have actively provided or shared, such as their relationship status. Increasingly, however, targeting criteria are also developed on the basis of personal data which has been observed or inferred, either by the social media provider or by third parties, and collected (aggregated) by the platform or by other actors (e.g., data brokers) to support ad-targeting options. In other words, the targeting of social media users involves not just the act of “selecting” the individuals or groups of individuals that are the intended recipients of a particular message (the ‘target audience’), but rather it involves an entire process carried out by a set of stakeholders which results in the delivery of specific messages to individuals with social media accounts.4)The messages delivered typically consist of images and text, but may also involve video and/or audio formats.
4. The combination and analysis of data originating from different sources, together with the potentially sensitive nature of personal data processed in the context of social media5)Personal data processed in the context of social media may constitute ‘special categories of personal data’ pursuant to Article 9 GDPR, relate to … Continue reading , creates risks to the fundamental rights and freedoms of individuals. From a data protection perspective, many risks relate to the possible lack of transparency and user control. For the individuals concerned, the underlying processing of personal data which results in the delivery of a targeted message is often opaque. Moreover, it may involve unanticipated or undesired uses of personal data, which raise questions not only concerning data protection law, but also in relation to other fundamental rights and freedoms. Recently, social media targeting has gained increased public interest and regulatory scrutiny in the context of democratic decision making and electoral processes.6)See, for example: EDPB Statement on Elections; ICO’s Recommendations on Data Analytics in Political Campaigns;Data Protection Law Electoral … Continue reading
5. Targeting of social media users may involve a variety of different actors which, for the purposes of these guidelines, shall be divided into four groups: social media providers, their users, targeters and other actors which may be involved in the targeting process. The importance of correctly identifying the roles and responsibilities of the various actors has recently been highlighted with the judgments in Wirtschaftsakademie and Fashion ID of the Court of Justice of the European Union (CJEU).7)CJEU, Judgment in Wirtschaftsakademie, 5 June 2018, C-210/16, ECLI:EU:C:2018:388; CJEU, Judgment in Fashion ID, 29 July 2019, C-40/17, … Continue reading Both judgments demonstrate that the interaction between social media providers and other actors may give rise to joint responsibilities under EU data protection law.
6. Taking into account the case law of the CJEU, as well as the provisions of the GDPR regarding joint controllers and accountability, the present guidelines offer guidance concerning the targeting of social media users, in particular as regards the responsibilities of targeters and social media providers. Where joint responsibility exists, the guidelines will seek to clarify what the distribution of responsibilities might look like between targeters and social media providers on the basis of practical examples8)The present guidance is without prejudice to the EDPB Guidelines 07/2020 on the concepts of controller and processor under the GDPR adopted on 02 … Continue reading.
7. The main aim of these guidelines is therefore to clarify the roles and responsibilities among the social media provider and the targeter. In order to do so, the guidelines also identify the potential risks for the rights and freedoms of individuals (Section 3), the main actors and their roles (Section 4), and tackles the application of key data protection requirements (such as lawfulness and transparency, DPIA, etc.) as well as key elements of arrangements between social media providers and the targeters.
3. RISKS TO THE RIGHTS AND FREEDOMS OF USERS POSED BY THE PROCESSING OF PERSONAL DATA
8. The GDPR underlines the importance of properly evaluating and mitigating any risks to the rights and freedoms of individuals resulting from the processing of personal data.9)According to Article 24 GDPR, the controller shall implement appropriate technical and organizational measures to ensure and be able to demonstrate … Continue reading The mechanisms that can be used to target social media users, as well as the underlying processing activities that enable targeting, may pose significant risks. These guidelines do not seek to provide an exhaustive account of the possible risks to the rights and freedoms of individuals. Nonetheless, the EDPB considers it important to point out certain types of risks and to provide a number of examples how they may manifest themselves.
9. Targeting of social media users may involve uses of personal data that go against or beyond individuals’ reasonable expectations and thereby infringes applicable data protection principles and rules. For example, where a social media platform combines personal data from third-party sources with data disclosed by the users of its platform, this may result in personal data being used beyond their initial purpose and in ways the individual could not reasonably anticipate. The profiling activities that are connected to targeting might involve an inference of interests or other characteristics, which the individual had not actively disclosed, thereby undermining the individual’s ability to exercise control over his or her personal data.10)See also European Data Protection Supervisor, EDPS Opinion on online manipulation, Opinion 3/2018, 19 March 2018, p. 15 (“The concern of using data … Continue reading Moreover, a lack of transparency regarding the role of the different actors and the processing operations involved may undermine, complicate or hinder the exercise of data subject rights.
10. A second type of risk concerns the possibility of discrimination and exclusion. Targeting of social media users may involve criteria that, directly or indirectly, have discriminatory effects relating to an individual’s racial or ethnic origin, health status or sexual orientation, or other protected qualities of the individual concerned. For example, the use of such criteria in the context of advertising related to job offers, housing or credit (loans, mortgages) may reduce the visibility of opportunities to persons within certain groups of individuals. The potential for discrimination in targeting arises from the ability for advertisers to leverage the extensive quantity and variety of personal data (e.g. demographics, behavioral data and interests) that social media platforms gather about their users.11)T. Speicher a.o., Potential for Discrimination in Online Targeted Advertising, Proceedings of the 1st Conference on Fairness, Accountability and … Continue reading Recent research suggests that the potential for discriminatory effects exists also without using criteria that are directly linked to special categories of personal data in the sense of Article 9 GDPR.12)Idem
11. A second category of risk relates to potential possible manipulation of users. Targeting mechanisms are, by definition, used in order to influence the behavior and choices of individuals, whether it be in terms of their purchasing decisions as consumers or in terms of their political decisions as citizens engaged in civic life.13)European Data Protection Supervisor, Opinion 3/2018, p. 18. Certain targeting approaches may however go so far as to undermine individual autonomy and freedom, e.g. by delivering individualized messages designed to exploit or even accentuate certain vulnerabilities, personal values or concerns. For example, an analysis of content shared through social media can reveal information about the emotional state (e.g. through an analysis of the use of certain key words). Such information could be used to target the individual with specific messages and at specific moments to which he or she is expected to be more receptive, thereby surreptitiously influencing his or her thought process, emotions and behaviour.14)See ‘Experimental evidence of massive-scale emotional contagion through social networks’, Adam D. I. Kramer, Jamie E. Guillory, and Jeffrey T. … Continue reading
12. Mechanisms to target social media users can also be used to unduly influence individuals when it comes to political discourse and democratic electoral processes.15)See also European Data Protection Board, Statement 2/2019 on the use of personal data in the course of political campaigns, 13 March 2019, p. 1. While ‘traditional’ offline political campaigning intends to influence voters’ behaviour via messages that are generally available and retrievable (verifiable), the available online targeting mechanisms enable political parties and campaigns to target individual voters with tailored messages, specific to the particular needs, interests and values of the target audience.16) Information Commissioner’s Office (ICO), Democracy disrupted? Personal information and political influence, 10 July 2018, p. 14 Such targeting might even involve disinformation or messages that individuals find particularly distressing, and are therefore (more) likely to stimulate a certain emotion or reaction by them. When polarising or untruthful (disinformation) messages are targeted at specific individuals, with no or limited contextualisation or exposure to other viewpoints, the use of targeting mechanisms can have the effect of undermining the democratic electoral process.17)See also European Commission, Commission Guidance on the application of Union data protection law in the electoral context, A contribution from the … Continue reading
13. In the same vein, the use of algorithms to determine which information is displayed to which individuals may adversely affect the likelihood of access to diversified sources of information in relation to a particular subject matter. This may in turn have negative consequences for the pluralism of public debate and access to information.18)See also European Parliament resolution of 3 May 2018 on media pluralism and media freedom in the European Union. Targeting mechanisms can be used to augment the visibility of certain messages, while giving less prominence to others. The potential adverse impact may be felt at two levels. On the one hand, there are risks related to so-called ‘filter-bubbles’ where people are exposed to ‘more-of-the-same’ information and encounter fewer opinions, resulting in increased political and ideological polarisation.19)European Data Protection Supervisor, Opinion 3/2018, p. 7. On the other hand, targeting mechanisms may also create risks of “information overload”, whereby individuals cannot make an informed decision because they have too much information and cannot tell if it is reliable.
14. The collection of personal data by social media providers may not be limited to the activities performed by individuals on the social media platform itself. The targeting of social media users on the basis of information concerning their browsing behaviour or other activities outside the social media platform can give individuals the feeling that their behaviour is systematically being monitored. This may have a chilling effect on freedom of expression, including access to information.20)European Data Protection Supervisor, Opinion 3/2018, p. 9 and Committee of experts on media pluralism and transparency of media ownership (MSI-MED), … Continue reading Such effects may be exacerbated if targeting is also based on the analysis of content shared by social media users. If private messages, posts and comments are subject to analysis for commercial or political use, this may also give rise to self-censorship.
15. The potential adverse impact of targeting may be considerably greater where vulnerable categories of individuals are concerned, such as children. Targeting can influence the shaping of children’s personal preferences and interests, ultimately affecting their autonomy and their right to development. Recital 38 of the GDPR indicates that specific protection should apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.21)See also Article 29 Data Protection Working Party, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation … Continue reading
16. The EDPB recognizes that the increase in concentration in the markets of social media and targeting may also increase risks to the rights and freedoms of individuals. For example, certain social media providers may be able to combine, either alone or in connection with other companies, a higher quantity and diversity of personal data. This ability, in turn, may increase the ability to offer more advanced targeting campaigns. This aspect is relevant from both a data protection (more in-depth profiling of the persons concerned) and competition law viewpoint (the unrivalled insight capabilities provided by the platform may make it an ‘unavoidable trading partner’ for online marketers). The degree of market and informational power, in turn, as the EDPB has recognised, “has the potential to threaten the level of data protection and freedom enjoyed by consumers of digital services”.22) Statement of the EDPB on the data protection impacts of economic concentration
17. The likelihood and severity of the aforementioned risks will depend, inter alia, on the nature of the targeting mechanism and how and for which exact purpose(s) it is used. Elements which may affect the likelihood and severity of risks in the context of the targeting of social media users will be discussed in greater detail in Section 7.
4 ACTORS AND ROLES
18. Individuals make use of social media in different capacities and for different purposes (e.g. to stay in touch with friends, to exchange information about shared interests, or to seek out employment opportunities). The term “user” is typically used to refer to individuals who are registered with the service, i.e. those who have an “account” or “profile”. Many social media services can, however, also be accessed by individuals without having registered (i.e. without creating an account or profile).23)The personal data and profiling information maintained by social media providers in relation to non-registered users are sometimes referred to as … Continue readingSuch individuals are typically not able to make use of all of the same features or services offered to individuals who have registered with the social media provider. Both users and non-registered individuals may be considered “data subjects” within the meaning of Article 4(1) GDPR insofar as the individual is directly or indirectly identified or identifiable.24)See also recital (26) (“singling out”). See also Article 29 Data Protection Working Party, Opinion 4/2007 on the concept of personal data, 20 … Continue reading
19. Whether or not individuals are expected to register with a real name or use a nickname or pseudonym may vary according to the social media service in question. It will generally still be possible, however, to target (or otherwise single out) the user in question even in the absence of a real name policy, as most types of targeting do not rely on user names but other types of personal data such as interests, sociographic data, behaviour or other identifiers. Social media providers often encourage users to reveal “real world” data, such as telephone numbers.25)In some cases, social media providers ask for additional documentation to further verify the data provided, for example by requesting users to upload … Continue readingFinally, it is worth noting that social media providers may also enable targeting of individuals who do not have an account with the social media provider.26)Such targeting may be rendered possible on the basis of online identifiers provided by their devices, applications, tools and protocols, such as … Continue reading
4.2 Social media providers
20. Social media providers offer an online service that enables the development of networks and communities of users, among which information and content is shared. Social media services are typically offered through web browsers or dedicated apps, often after having requested the user to provide a set of personal data to constitute the user’s “account” or “profile”. They also often offer users associated account “controls”, to enable them to access and control the personal data processed in the context of the use of their account.
21. The social media provider determines the functionalities of the service. This in turn involves a determination of which data are processed, for which purpose, under which terms, as well as how personal data shall be processed. This allows for the provision of the social media service but also likely the provision of services, such as targeting, that can benefit business partners operating on the social media platform or in conjunction with it.
22. The social media provider has the opportunity to gather large amounts of personal data relating to users’ and non-registered users´ behaviour and interactions, which enables it to obtain considerable insights into the users’ socio-demographic characteristics, interests and preferences. It is important to note that the ‘insights’ based on user activity often involve inferred or derived personal data. For example, where a user interacts with certain content (e.g. by “liking” a post on social media, or watching video content), this action can be recorded by the social media provider, and an inference might be made that the user in question enjoyed the content he or she interacted with.
23. Social media providers increasingly gather data not only from activities on the platform itself, but also from activities undertaken ‘off-platform’, combining data from multiple sources, online and offline, in order to generate further insights. The data can be combined with personal data that individuals actively disclose to the social media provider (e.g. a username, e-mail address, location, and phone number), alongside data which is “assigned” to them by the platform (such as unique identifiers).
24. These guidelines use the term “targeter” to designate natural or legal persons that use social media services in order to direct specific messages at a set of social media users on the basis of specific parameters or criteria.27)Processing of personal data by a natural person in the course of a purely personal or household activity does not fall under the material scope of … Continue readingWhat sets targeters apart from other users of social media is that they select their messages and/or their intended audience according to the perceived characteristics, interests or preferences of the individuals concerned, a practice which is sometimes also referred to as “microtargeting”.28)Simply sharing information on a social media page which is intended for the public at large (e.g. information about opening hours) without prior … Continue reading Targeters can engage in targeting to advance commercial, political, or other interests. Typical examples include brands who use social media to advertise their products including to increase brand awareness. Political parties also increasingly make use of social media as part of their campaigning strategy. Charities and other non-profit organisations also use social media to target messages at potential contributors or to develop communities.
25. It is important to note that social media users can be targeted in different ways. For example, targeting might occur not only through displaying personalized advertisement (e.g. through a “banner” shown on the top or side of a webpage), but – as far as it is happening within the social media platform – also through display in a user’s “feed”, ”timeline“ or “story”, where the advertising content appears alongside user-generated content. Targeting may also involve the creation of content hosted by the social media provider (e.g. via a dedicated “page” or other social media presence) or elsewhere (i.e. on third-party websites). Targeters may have their own websites and apps, where they can integrate specific social media business tools or features such as social plugins or logins or by using the application programming interfaces (APIs) or software development kits (SDKs) offered by social media providers.
4.4 Other relevant actors
26. Targeters may directly use targeting mechanisms offered by social media providers or enlist the services of other actors, such as marketing service providers, ad networks, ad exchanges, demand-side and supply-side platforms, data management providers (DMPs) and data analytics companies. These actors are part of the complex and evolving online advertising ecosystem (which is sometimes known as “adtech”) that collects and processes data relating to individuals (including social media users) by, for example, tracking their activities across websites and apps.29)On the description of the different actors, see WP29, Opinion 2/2010 on behavioural advertisement, at page 5
27. Data brokers and data management providers are also relevant actors playing an important role in the targeting of social media users. Data brokers and DMPs differentiate themselves from other adtech companies to the extent that they not only process data collected by means of tracking technologies, but also by means of data collected from other sources, that can include both online and offline sources. In other words, data brokers and DMPs aggregate data collected from a wide variety of sources, which they then might sell to other stakeholders involved in the targeting process.30)See Consumer Policy Research Centre, “A day in the life of data”
28. While each of the other actors mentioned above can play an important role in targeting of social media users, the focus of the current guidelines is on the distribution of roles and data protection obligations of social media providers and targeters. Analogous considerations may apply, however, to the other actors involved in the online advertising ecosystem, depending on the role of each actor in the targeting process.
4.5 Roles and responsibilities
29. In order to clarify the respective roles and responsibilities of social media providers and targeters, it is important to take account of the relevant case law of the CJEU. The judgments in Wirtschaftsakademie (C-210/16), Jehovah’s Witnesses (C-25/17) and Fashion ID (C-40/17) are particularly relevant here.
30. The starting point of the analysis is the legal definition of controller. According to Article 4(7) GDPR, a “‘controller” means “the natural or legal person […] which, alone or jointly with others, determines the purposes and means of the processing of personal data”.
31. In Wirtschaftsakademie, the CJEU decided that the administrator of a so-called “fan page” on Facebook must be regarded as taking part in the determination of the purposes and means of the processing of personal data. According to the submissions made to the CJEU, the creation of a fan page involves the definition of parameters by the administrator, which has an influence on the processing of personal data for the purpose of producing statistics based on visits to the fan page.31)Judgment in Wirtschaftsakademie, C-210/16, paragraph 36Using the filters provided by Facebook, the administrator can define the criteria in accordance with which the statistics are to be drawn up, and even designate the categories of persons whose personal data is to be made use of by Facebook:
“In particular, the administrator of the fan page can ask for — and thereby request the processing of — demographic data relating to its target audience, including trends in terms of age, sex, relationship and occupation, information on the lifestyles and centres of interest of the target audience and information on the purchases and online purchasing habits of visitors to its page, the categories of goods and services that appeal the most, and geographical data which tell the fan page administrator where to make special offers and where to organise events, and more generally enable it to target best the information it offers.”
As the definition of parameters depends inter alia on the administrator’s target audience “and the objectives of managing and promoting its activities”, the administrator also participates in determining the purposes of the processing of personal data.32)Judgment in Wirtschaftsakademie, C-210/16, paragraph 39The administrator was therefore categorised as a controller jointly responsible for the processing of personal data of the visitors of its ‘page’, together with the social media provider.
32. As further developed in Section 9 of the present guidelines, controllers may be involved at different stages of the processing of personal data and to different degrees. In such circumstances, the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case:
“[T]he existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case.”33)Judgment in Wirtschaftsakademie, C-210/16, paragraph 43; Judgment in Jehovah’s Witnesses, C-25/17, paragraph 66 and Judgment in Fashion ID, … Continue readingJudgment in Wirtschaftsakademie, C-210/16, paragraph 43; Judgment in Jehovah’s Witnesses, C-25/17, paragraph 66 and Judgment in Fashion ID, C-40/17, paragraph 70.
While concluding that the administrator of a page acts as a controller, jointly with Facebook, the CJEU also noted that in the present case, Facebook must be regarded as primarily determining the purposes and means of processing the personal data of users of Facebook and persons visiting the fan pages hosted on Facebook.34)Judgment in Wirtschaftsakademie, C-210/16, paragraph 30
33. In Fashion ID, the CJEU decided that a website operator can be a considered a controller when it embeds a Facebook social plugin on its website that causes the browser of a visitor to transmit personal data of the visitor to Facebook.35)Judgment in Fashion ID, C-40/17, paragraph 75 and following and paragraph 107.The qualification of the website operator as controller is, however, limited to the operation or set of operations in respect of which it actually determines the purposes and means. In this particular case, the CJEU considered that the website operator is only capable of determining, jointly with Facebook, the purposes and means of the collection and disclosure by transmission of the personal data of visitors to its website. As a result, the CJEU ruled that, for what concerns the embedding of a social plug-in within a website, the liability of the website operator is:
“limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means, that is to say, the collection and disclosure by transmission of the data at issue.”36)Judgment in Fashion ID, C-40/17, paragraph 107.Judgment in Fashion ID, C-40/17, paragraph 107.
The CJEU considered that the website operator was not a controller for subsequent37)Subsequent processing is any processing operation or set of processing operations which follows (i.e. takes place after) the data collection. In … Continue readingoperations involving the processing of personal data carried out by Facebook after their transmission to the latter, as the website operator was not in a position to determine the purposes and means of those operations by virtue of embedding the social plug-in:
“By contrast, in the light of that information, it seems, at the outset, impossible that Fashion ID determines the purposes and means of subsequent operations involving the processing of personal data carried out by Facebook Ireland after their transmission to the latter, meaning that Fashion ID cannot be considered to be a controller in respect of those operations […]”.38)Judgment in Fashion ID, C-40/17, paragraph 76.Judgment in Fashion ID, C-40/17, paragraph 76.
34. In case of joint controllership, pursuant to Article 26(1) GDPR, controllers are required to put in place an arrangement which, in a transparent manner, determines their respective responsibilities for compliance with the GDPR, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14 GDPR.
35. The following sections clarify, by way of specific examples, the roles of targeters and social media providers in relation to different targeting mechanisms. Specific considerations are given in particular as to how the requirements of lawfulness and purpose limitation apply in this context. Next, the requirements concerning transparency, data protection impact assessments and the processing of special categories of data are analysed. Finally, the Guidelines address the obligation for joint controllers to put in place an appropriate arrangement pursuant to Article 26 GDPR, taking into account the degree of responsibility of the targeter and of the social media provider.
5. ANALYSIS OF DIFFERENT TARGETING MECHANISMS
36. Social media users may be targeted on the basis of provided, observed or inferred data, as well as a combination thereof:
a) Targeting individuals on the basis of provided data – “Provided data” refers to information actively provided by the data subject to the social media provider and/or the targeter.39)Article 29 Data Protection Working Party, Guidelines on the right to data portability, WP 242 rev.01, 5 April 2017, p. 10 For example:
- A social media user might indicate his or her age in the description of his or her user profile. The social media provider, in turn, might enable targeting on the basis of this criterion.
- A targeter might use information provided by the data subject to the targeter in order to target that individual specifically, for example by means of customer data (such as an email address list), to be matched with data already held on the social media platform, leading to all those users who match being targeted with advertising40)See for example the decision by the Administrative Court of Bayreuth (Germany), Beschluss v. 08.05.2018, B1 S 18.105..
b) Targeting on the basis of observed data – Targeting of social media users can also take place on the basis of observed data.41)In its Opinion 2/2010 on online behavioural advertising the WP29 noted that “there are two main approaches to building user profiles: i) Predictive … Continue readingObserved data are data provided by the data subject by virtue of using a service or device.42) Article 29 Data Protection Working Party, Guidelines on the right to data portability, WP 242 rev.01, 5 April 2017, p. 10.For example, a particular social media user might be targeted on the basis of:
- his or her activity on the social media platform itself (for instance the content that the user has shared, consulted or liked);
- the use of devices on which the social media’s application is executed (for instance GPS coordinates, mobile telephone number);
- data obtained by a third-party application developer by using the application programming interfaces (APIs) or software development kits (SDKs) offered by social media providers;
- data collected through third-party websites that have incorporated social plugins or pixels;
- data collected through other third parties (e.g. parties with whom the data subject has interacted, purchased a product, subscribed to loyalty cards, …); or
- data collected through services offered by companies owned or operated by the social media provider.
c) Targeting on the basis of inferred data – “Inferred data” or “derived data” are created by the data controller on the basis of the data provided by the data subject or as observed by the controller.43)IdemFor example, a social media provider or a targeter might infer that an individual is likely to be interested in a certain activity or product on the basis of his or her web browsing behaviour and/or network connections.
5.2 Targeting on the basis of provided data
5.2.1 Data provided by the user to the social media provider
37. Individuals may actively disclose a great deal of information about themselves when making use of social media. The creation of a social media account (or “profile”) involves disclosure of a number of attributes, which may include name, date of birth, gender, place of residence, language, etc. Depending on the nature of the social media platform, users may include additional information such as relationship status, interests or current employment. Personal data provided by social media users can be used by the social media provider to develop criteria, which enables the targeter to address specific messages at the users of the social media.
Example 1 – Company X sells gentlemen’s shoes and wishes to promote a sale of its winter collection. For its advertising campaign, it wishes to target men between the age of 30 and 45 who have indicated that they are single in their social media profile. It uses the corresponding targeting criteria offered by the social media provider as parameters to identify the target audience to whom its advertisement should be displayed. Moreover, the targeter indicates that the advertisement should be displayed to social media users while they are using the social media service between the hours of 5pm and 8pm. To enable targeting of social media users on the basis of specific criteria, the social media provider has previously determined which types of personal data shall be used in order to develop the targeting criteria and which targeting criteria shall be offered. The social media provider also communicates certain statistical information once the advertisements has been displayed to the targeter (e.g. to report on the demographic composition of individuals that interacted with the advertisement).Example 1
38. In Example 1, both the targeter and the social media provider participate in determining the purpose and means of the processing personal data. This results in the display of the advertisement to the target audience.
39. As far as the determination of purpose is concerned, Company X and the social media provider jointly determine the purpose of the processing, which is to display a specific advertisement to a set of individuals (in this case social media users) who make up the target audience.
40. As far as the determination of means is concerned, the targeter and the social media provider jointly determine the means, which results in the targeting. The targeter participates in the determination of the means by choosing to use the services offered by the social media provider, and by requesting it to target an audience based on certain criteria (i.e. age range, relationship status, timing of display).44)See in this respect Wirtschaftsakademie, C‑210/16, para. 39 – ECLI:EU:C:2018:388.
In doing so, the targeter defines the criteria in accordance with which the targeting takes place and designates the categories of persons whose personal data is to be made use of. The social media provider, on the other hand, has decided to process personal data of its users in such a manner to develop the targeting criteria, which it makes available to the targeter.45)See in the same vein also Fashion ID, C-40/17, para. 80: “those processing operations are performed in the economic interests of both Fashion ID … Continue readingIn order to do so, the social media provider has made certain decisions regarding the essential means of the processing, such as which categories of data shall be processed, which targeting criteria shall be offered and who shall have access (to what types of) personal data that is processed in the context of a particular targeting campaign.46)See Opinion 1/2010.
41. The joint control among the targeter and social media provider only extends to those processing operations for which they effectively co-determine the purposes and means. It extends to the processing of personal data resulting from the selection of the relevant targeting criteria and the display of the advertisement to the target audience. It also covers the processing of personal data undertaken by the social media provider to report to the targeter about the results of the targeting campaign. The joint control does not, however, extend to operations involving the processing of personal data at other stages occurring before the selection of the relevant targeting criteria or after the targeting and reporting has been completed, and in which the targeter has not participated in determining the purposes and means”.47)See also Judgment in Fashion ID, C-40/17, para. 74 (“[a] natural or legal person cannot be considered to be a controller, within the meaning of … Continue reading
42. The above analysis remains the same even if the targeter only specifies the parameters of its intended audience and does not have access to the personal data of the users that are affected. Indeed, joint responsibility of several actors for the same processing does not require each of them to have access to the personal data concerned.48)Judgment in Wirtschaftsakademie, C-210/16, para. 38 – ECLI:EU:C:2018:388; Judgment in Jehovah’s Witnesses, C-25/17, para. 69 – … Continue reading48 The EDPB recalls that actual access to personal data is not a prerequisite for joint responsibility.49)CJEU Judgment 10 July 2018 (C-25/17, para. 68 to 72)
B. Legal basis
As joint controllers, both parties (the social media provider and the targeter) must be able to demonstrate the existence of a legal basis (Article 6 GDPR) to justify the processing of personal data for which each of the joint controllers is responsible. The EDPB recalls that no specific hierarchy is made between the different lawful basis of the GDPR: the controller needs to ensure that the selected lawful basis matches the objective and context of the processing operation in question. The identification of the appropriate lawful basis is tied to principles of fairness and purpose limitation.50)See paragraph 18, Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services … Continue reading
43. Generally speaking, there are two legal bases which could theoretically justify the processing that supports the targeting of social media users: data subject’s consent (Article 6(1)(a) GDPR) or legitimate interests (Article 6(1)(f) GDPR). A controller must always consider what the appropriate legal basis is under the given circumstances.
44. For what concerns the legitimate interest lawful basis, the EDPB recalls that in Fashion ID, the CJEU reiterated that in order for a processing to rely on the legitimate interest, three cumulative conditions should be met, namely51)CJEU, Judgment in Fashion ID, 29 July 2019, C-40/17, para. 95 – ECLI:EU:C:2019:629. (i) the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed, (ii) the need to process personal data for the purposes of the legitimate interests pursued, and (iii) the condition that the fundamental rights and freedoms of the data subject whose data require protection do not take precedence. The CJEU also specified that in a situation of joint controllership “it is necessary that each of those controllers should pursue a legitimate interest […] through those processing operations in order for those operations to be justified in respect of each of them”.52)Idem, para 97
45. The EDPB recalls that in cases where a controller envisages to rely on legitimate interest, the duties of transparency and the right to object require careful consideration. Data subjects should be given the opportunity to object to the processing of their data for targeted purposes before the processing is initiated. Users of social media should not only be provided with the possibility to object to the display of targeted advertising when accessing the platform, but also be provided with controls that ensure the underlying processing of his or her personal data for the targeting purpose no longer takes place after he or she has objected.
46. With regard to Example 1, the targeter might consider its legitimate interest to be the economic interest of having an increased publicity for its goods through social media targeting. The social media provider could consider that its legitimate interest consists of making the social media service profitable by selling advertising space. Whether the targeter and the social media provider can rely upon Article 6(1)(f) GDPR as legal basis depends on whether all three cumulative conditions are met, as recently reiterated by the CJEU. Even if the targeter and the social media provider consider their economic interests to be legitimate, it does not necessarily mean that they will be able to actually rely on Article 6(1)(f) GDPR.
47. The second part of the balancing test entails that the joint controllers will need to establish that the processing is necessary to achieve those legitimate interests. “Necessary” requires a connection between the processing and the interests pursued. The ‘necessity’ requirement is particularly relevant in the context of the application of Article 6(1)f, in order to ensure that processing of data based on legitimate interests does not lead to an unduly broad interpretation of the necessity to process data. As in other cases, this means that it should be considered whether other less invasive means are available to serve the same end.53)Article 29 Working Party Opinion 06/2014 on the concept of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, WP217, … Continue reading
48. The third step in assessing whether the targeter and the social media provider can rely upon Article 6(1)(f) GDPR as legal basis for the processing of personal data, is the balancing exercise necessary to determine whether the legitimate interest at stake is overridden by the data subject’s interests or fundamental rights and freedoms.54)When assessing the impact on the interests, fundamental rights and freedoms of the individual concerned, thefollowing considerations are particularly … Continue reading
49. The outcome of the balancing exercise will also depend on the presence of additional controls and safeguards. The targeter seeking to rely on legitimate interest should, for its part, make it easy for individuals to express a prior objection to its use of social media for targeting purposes. However, insofar as the targeter does not have any direct interaction with the data subject, the targeter should at least ensure that the social media platform provide the data subject with means to efficiently express their right to prior objection. As joint controllers, the targeter and social media provider should clarify how the individuals’ right to object (as well as other rights) will be accommodated in the context of the joint arrangement (see Section 6). If the balancing exercise points out that data subject’s interests or fundamental rights and freedoms override the legitimate interest of the social media provider and the targeter, the use of Article 6(1)(f) is not possible.
50. For what concerns the consent lawful basis, the controller needs to keep in mind that there are clearly situations in which the processing would not be lawful without the valid consent of the individuals concerned (Article 6(1)(a) GDPR). For example, the WP29 has previously considered that it would be difficult for controllers to justify using legitimate interests as a legal basis for intrusive profiling and tracking practices for marketing or advertising purposes, for example those that involve tracking individuals across multiple websites, locations, devices, services or data-brokering.55)Article 29 Working Party, Opinion on profiling and automated decision making, WP 251, rev. 01, p. 15, see also Article 29 WP, Opinion on legitimate … Continue reading
51. To be valid, the consent collected for the processing needs to fulfil the conditions laid out in Articles 4(11) and 7 GDPR. Generally speaking, consent can only be an appropriate legal basis if a data subject is offered control and genuine choice. If consent is bundled up as a non-negotiable part of terms and conditions, it is presumed not to have been freely given. Consent must also be specific, informed and unambiguous and the data subject must be able to refuse or withdraw consent without detriment.56)See Article 29 Working Party, Guidelines on consent under Regulation 2016/679, WP259 rev.01.
52. Consent (Article 6(1)(a) GDPR) could be envisaged, provided that all the requirements for valid consent are met. The EDPB recalls that obtaining consent also does not negate or in any way diminish the controller’s obligations to observe the principles of processing enshrined in the GDPR, especially Article 5 with regard to fairness, necessity and proportionality, as well as data quality. Even if the processing of personal data is based on consent of the data subject, this would not legitimize targeting which is disproportionate or unfair.57)See Article 29 Working Party, Guidelines on consent under Regulation 2016/679, WP259 rev.01, p. 3-4.
53. Finally, the EDPB is of the opinion that the processing of personal data described in the Example 1 cannot be justified on the basis of Article 6(1)(b) by neither the social platform nor the targeter.58)See Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data … Continue reading
5.2.2 Data provided by the user of the social media platform to the targeter
54. Targeting can also involve data provided by the data subject to the targeter, who then uses the data collected in order to target the data subject on social media. For example, “list-based” targeting occurs where a targeter uploads pre-existing lists of personal data (such as e-mail addresses or phone numbers) for the social media provider to match against the information on the platform. In this case, the social media provider compares the data uploaded by the targeter with user data that it already possesses, and any users that match are added to or excluded from the target audience (that is, the ‘cluster’ of persons to which the advertisement will be displayed on the social media platform). The social media provider may also allow the targeter to ‘check’ the list prior to finalising it, meaning that some processing takes place even before the audience has been created.
Example 2 – Ms. Jones contacts Bank X to set up an appointment regarding a possible mortgage because she is buying a house. She contacts the bank via e-mail to set up the appointment. Following the appointment, Ms. Jones decides not to become a customer of the bank. The bank has nevertheless added the e-mail address of Ms. Jones to its customer e-mail database. Then, the bank uses its e-mail database, by allowing the social media provider to ‘matching’ the list of e-mail addresses it holds with those held by the social media platform, in order to target the individuals concerned with the full range of financial services on the social media platform.Example 2
Example 3 – Mr. Lopez has been a customer at Bank X for almost a year. When he became a customer, he provided an e-mail address and was informed by Bank X, at the moment of collection, that: (a) his e-mail address would be used for advertising of offers linked to the bank services that he is already using; and (b) he may object to this processing at any time. The bank has added his e-mail address to its customer email database. Afterwards, the bank uses its e-mail database to target its customers on the social media platform with the full range of financial services it has on offer.59)In situations where e-mail addresses are used for direct marketing purposes controllers must also take into account the provisions of Article 13 … Continue readingExample 3
55. In these examples, the targeter, i.e. the bank, acts as a controller because it determines the purposes and means of the processing by actively collecting, processing and transmitting the personal data of the individuals concerned to the social media provider for advertising purposes. The social media provider, in turn, acts as a controller because it has taken the decision to use personal data acquired from the social media user (i.e. the e-mail address provided when setting up his or her account) in order to enable the targeter to display advertising to an audience of specific individuals.
56. Joint controllership exists in relation to the processing operations for which the social media provider and the targeter jointly determine the purposes and means, in this case, uploading unique identifiers related to the intended audience, matching, selection of targeting criteria and subsequent display of the advertisement, as well as any reporting relating to the targeting campaign.60)The determination of purposes and means of the processing of the targeter and social media provider is similar (albeit not identical) to Example 1. … Continue reading
57. In both examples the bank acts as the sole controller regarding the initial collection of the email address of Ms. Jones and Mr. Lopez respectively. The social media provider does not participate in any way to determine the means and purposes of this collection. The joint control begins with the transmission of the personal data and the collection of it by the social media provider and the following processing for the purpose of displaying targeted advertising (and until the deletion of the data).
58. The reason why the bank acts as sole controller when collecting the e-mail address from Ms. Jones and Mr. Lopez respectively, is because the collection of data occurs prior to (and is not inextricably linked to) the targeting campaign. Therefore, in this case one must distinguish between the initial set of processing operations for which only the bank is a controller and a subsequent processing for which joint control exists. The responsibility of the bank does not extend to operations occurring after the targeting and reporting has been completed and in which the targeter has not participated in the purposes and means and for which the social media provider acts as the sole controller.
B. Legal basis
59. In Example 2, Article 6(1)f GDPR does not provide an appropriate legal basis to justify the processing in this case, taking into account the context in which the personal data was provided. Indeed, Ms. Jones contacted the bank for the sole purpose of setting up an appointment, following which she communicated her intention not to make use of the services offered by the bank. Hence, one can consider that there is no reasonable expectation by Ms. Jones that her personal data shall be used for targeting purposes (‘re-targeting’). Moreover, a compatibility test under Article 6(4) GDPR will lead to the outcome that this processing is not compatible with the purpose for which the personal data are initially collected.
60. In Example 3, the targeter might be able to rely on legitimate interest to justify the processing, taking into account inter alia that Mr. Lopez was: (a) informed of the fact that his e-mail address may be used for purposes of advertising via social media for services linked to the one used by the data subject; (b) the advertisement relates to services similar to those for Mr. Lopez is already a customer, and (c) Mr. Lopez was given the ability to object prior to the processing, at the moment where the personal data were collected by the bank. However, the mere fulfilment of information duties according to Articles 13 and 14 GDPR is not a transparency measure to be taken into consideration for the weighing of interests according to Article 6 (1)(f) GDPR.
5.3 Targeting on the basis of observed data
61. There are several ways in which social media providers may be able to observe the behaviour of its users. For example, observation is possible through the social media service itself or may also be possible on external websites by virtue of social plug-ins or pixels.
Example 4: Pixel-based targeting – Mr. Schmidt is browsing online in order to purchase a backpack. He visits the website “BestBags.com”, views a number of items, but decides not to make a purchase. The operator of “BestBags.com” wishes to target social media users who have visited their website without making a purchase. To this end, it integrates a so-called “tracking pixel”61 on its website, which is made available by the social media provider. After leaving the website of BestBags.com and logging into his social media account, Mr. Schmidt begins to see advertisement for the backpacks he was considering when browsing BestBags.com.Example 4
Example 5: Geo-targeting – Mrs. Michu has installed the application of a social media provider on her smartphone. She is walking around Paris during her holidays. The social media provider collects information regarding Mrs. Michu’s whereabouts via the GPS functionalities of her smartphone on an ongoing basis61)A social media provider may also be able to determine the whereabouts of their users on the basis of other data points, including IP address and WiFi … Continue reading, using the permissions that have been granted to the social media provider when the application was installed. Mrs. Michu is staying at a hotel that is located next to a pizzeria. The pizzeria uses the geo-targeting functionality offered by the social media provider to target individuals who are within 1km of its premises for the first time in the last 6 months. When opening the social media provider’s application on her smartphone, Mrs. Michu sees an advertisement from the pizzeria, decides that she is hungry and buys a pizza via its website.Example 5
Later on, she visits the website “Thelatesthotnews.com” that has a social media button integrated on it. A small but clearly visible banner appears on the right edge of the screen, asking Mrs. Ghorbani to consent to the transmission of her personal data to the social media provider using cookies and social media plug-ins. The website operator undertook technical measures so that no personal data is transferred to the social media platform until she gives her consent.
62. In Example 4, both the targeter and the social media provider participate in determining the purposes and means of the processing personal data, which results in the display of the advertisement to Mr. Schmidt.
63. As far as the determination of purpose is concerned, Bestbags.com and the social media provider jointly determine the purpose of the processing, which is to display a specific advertisement on the social media platform to the individuals who make up the target audience. By embedding the pixel into its website, Bestbags.com exerts a decisive influence over the means of the processing. The collection and transmission of the personal data of visitors of the website to the social media provider would not have occurred without the embedding of that pixel. The social media provider, on the other hand, has developed and offers the software code (pixel) that leads to the automatic collection, transmission and evaluation for marketing purposes of personal data to the social media provider. As a result, joint controllership exists in relation to the collection of personal data and its transmission by way of pixels, as well as in relation to the matching and subsequent display of the advertisement to Mr Schmidt on the social platform, and for any reporting relating to the targeting campaign. Joint controllership also exists, for similar reasons, in Example 6.
64. In Example 5, the pizzeria exercise a decisive influence over the processing of personal data by defining the parameters of the ad targeting in accordance with its business needs (for instance, opening hours of the pizzeria and geo-location of persons close to the pizzeria in this time-slot), and therefore must be regarded as taking part in the determination of the purposes and means of the data processing. The social media provider, on the other hand, has collected the information regarding Mrs. Michu’s location (via GPS) for its purpose of enabling such location-based targeted advertising. As a result, joint control exists between the targeter and the social platform in relation to the collection and analysis of Mrs. Michu’s location, as well as the display of the advertisement, in order to target her (as a person appearing within 1km of the pizzeria for the first time in the last 6 months) with the ad.
5.3.2 Legal basis
66. In this regard, it should be noted that Article 5(3) of the ePrivacy Directive requires that users are provided with clear and comprehensive information, inter alia about the purposes of the processing, prior to giving their consent 62)Court of Justice of the European Union, Judgment in Planet 49 Gmbh, Case C-673/17, paragraph 73., subject to very narrow exceptions 63)See Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data … Continue reading64 . Clear and comprehensive information implies that a user is in a position to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed.64)Idem, paragraph 74As a result, the controller will have to inform data subjects about all the relevant purposes of the processing – including any subsequent processing of the personal data obtained by accessing information in the terminal equipment.
68. Any (joint) controller seeking to rely on consent as a legal basis is responsible for ensuring valid consent is obtained. In Fashion ID, the CJEU emphasized the importance of ensuring the efficient and timely protection of the data subject rights, and that consent should not be given only to the joint controller that is involved later in the processing. Valid consent must be obtained prior to the processing, which implies that (joint) controllers need to assess when and how information should be provided and consent should be obtained. In other words, the question as to which of the joint controllers should be in charge of collecting the consent comes down to determining which of them is involved first with the data subject. In Example 6, as the placement of cookies and processing of personal data occurs at the moment of account creation, the social media provider must collect her valid consent before the placement of advertisement cookies.
69. The EDPB also recalls that in a case where the consent sought is to be relied upon by multiple (joint) controllers or if the data is to be transferred to or processed by other controllers who wish to rely on the original consent, these organisations should all be named.68)9EDPB Guidelines 05/2020 on consent under Regulation 2016/679, Version 1.1, p. 16, paragraph 65.Insofar as not all joint controllers are known at the moment when the social media provider seeks the consent, the latter will necessarily need to be complemented by further information and consent collected by the website operator embedding the social media plugin (i.e. Thelatesthotnews.com in Example 6).
70. The EDPB emphasizes that the consent that should be collected by the website operator for the transmission of personal data triggered by its website (by embedding a social plug-in) relates only to the operation or set of operations involving the processing of personal data in respect of which the operator actually determines the purposes and means69)Judgment in Fashion ID, 29 July 2019, C-40/17, ECLI:EU:C:2019:629, paragraphs 100-101.. The collection of consent by a website operator, i.e. “Thelatesthotnews.com” in Example 6 for instance, does not negate or in any way diminish the obligation of the social media provider to ensure the data subject has provided a valid consent for the processing for which it is responsible as a joint controller 70)This is all the more the case insofar as that for most targeting tools, it is the social media that carries out theread/write operations on the … Continue reading, as well as for any subsequent or further processing it carries out for which the website operator does not jointly determine the purposes and means (e.g. subsequent profiling operations for targeting purposes).
71. In addition, any subsequent processing of personal data, including personal data obtained by cookies, social plug-ins or pixels, must also have a legal basis under Article 6 GDPR in order to be lawful.71)Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data … Continue reading72 For what concerns the legal basis of the processing in Examples 4, 5 and 6, the EDPB considers that legitimate interest cannot act as an appropriate legal basis, as the targeting relies on the monitoring of individuals’ behavior across websites and locations using tracking technologies.72)Article 29 Working Party, Opinion on profiling and automated decision making, WP 251, rev. 01, p. 15, see also Article 29 WP, Opinion on legitimate … Continue reading
72. Therefore, in such circumstances, the appropriate legal basis for any subsequent processing under Article 6 GDPR is also likely to be the consent of the data subject. Indeed, when assessing compliance with Article 6 GDPR, one should take into account that the processing as a whole involves specific activities for which the EU legislature has sought to provide additional protection. 73)Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data … Continue readingMoreover, controllers must take into account the impact on data subjects’ rights when identifying the appropriate legal basis in order to respect the principle of fairness.74)European Data Protection Board, Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of … Continue reading
5.4 Targeting on the basis of inferred data
73. Inferred data refers to data which is created by the controller on the basis of the data provided by the data subject (regardless of whether these data were observed or actively provided by the data subject, or a combination thereof).75)See also Article 29 Data Protection Working Party, Guidelines on the right to data portability, WP 242 rev.01,
5 April 2017, p. 10.Inferences about data subjects can be made both by the social media provider and the targeter.
74. For example, by virtue of monitoring the behaviour of its users over a long period of time, both on and off the social media (e.g. pages visited, time spent on each page, number of reconnections to that page, words searched, hyperlinks followed, “likes” given), the social media provider may be able to infer information regarding the interests and other characteristics of the user of the social media. In the same vein, a targeter might also be able to infer data about specific individuals and use that knowledge when targeting him or her to display ads on his or her social media page.
Example 7 – Mrs. Delucca often “likes” photos posted by the Art Gallery “Beautifulart” by impressionist painter Pataolito on its social media page. Museum Z is looking to attract individuals who are interested in impressionist paintings in light of its upcoming exhibition. Museum Z uses the following targeting criteria offered by the social media provider: “interested in impressionism”, gender, age and place of residence. Ms. Delucca subsequently receives targeted advertisement by Museum Z related to the upcoming exhibition of Museum Z on her social media page.Example 7
Example 8 – Mr. Leon has indicated on his social media page that he is interested in sports. He has downloaded an application on his mobile phone to follow the latest results of his favorite sport games, has set on his browser the page www.livesportsresults.com as his homepage on his laptop, often uses his desktop computer at work to search for the latest sports results on the internet. He also visits a number of online gambling websites. The social media provider tracks Mr Leon’ online activity across his multiple devices, i.e. his laptop, his cell mobile phone, and his desktop computer. Based on this activity and all the information provided by Mr. Leon, the social media provider infers that he will be interested in online betting. In addition, the social media platform has developed targeting criteria enabling companies to target people who are likely to be impulsive and have a lower income. The online betting company “bestpaydayloans” wishes to target users that are interested in betting and that are likely to be betting heavily. It therefore selects the criteria offered by the social media provider to target the audience to whom its advertisement should be displayed.Example 8
75. For what concerns the determination of the roles of the different actors, the EDPB notes the following: in Example 7, joint controllership exists between Museum Z and the social media provider concerning the processing of personal data for the purposes of targeted advertising, taking into account the collection of these data via the ‘like’-functionality on the social media platform, and the ‘analysis’ undertaken by the social media provider in order to offer the targeting criterion (“interested in impressionism”) to the targeter fitting the purpose of finally displaying the advertisement.76)As regards social media pages, joint controllership may also exist in relation to statistical information provided by the social media provider to … Continue reading
76. In Example 8, joint control exists between “bestpaydayloans” and the social media provider in relation to the processing operations jointly determined, in this case the selection of targeting criteria and subsequent display of the advertisement, as well as any reporting relating to the targeting campaign.
5.4.2 Legal basis
77. Targeting of social media users on the basis of inferred data for advertising purposes typically involves profiling77)78. The WP29 has previously clarified that according to the GDPR, profiling is an automated processing of personal data which aims at evaluating personal aspects, in particular to analyse or make predictions about individuals, adding that “[t]he use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person”.77)79 Profiling may be lawful by reference to any of the legal grounds in Article 6(1) GDPR, subject to the validity of this legal basis.
78. In Example 7, Article 5(3) of ePrivacy is applicable, insofar as the display of the advertisement on Mrs. Delucca’s page related to the painter Pataolito requires a read/write operation to match this “like” with information previously held on her by the social media provider. Consent will therefore be required for these operations.
79. For what concerns Example 8, the EDPB recalls that in the case of automated decision-making which produces legal effects or similarly significantly affects the data subject, as set out in Article 22 GDPR data controllers may rely on the following exceptions:
- explicit consent of a data subject;
- the necessity of the automated decision-making for entering into, or performance of, a contract; or
- authorisation by Union or Member State law to which the controller is subject.
80. WP29 has already stated that “In many typical cases the decision to present targeted advertising based on profiling will not have a similarly significant effect on individuals (…). However, it is possible that it may do, depending upon the particular characteristics of the case, including:
- the intrusiveness of the profiling process, including the tracking of individuals across different websites, devices and services;
- the expectations and wishes of the individuals concerned;
- the way the advert is delivered; or
- using knowledge of the vulnerabilities of the data subjects targeted.”77)80
Where the profiling undertaken by the social media provider is likely to have a “similarly significant [effect]” on a data subject, Article 22 GDPR shall be applicable. An assessment as to whether targeting will “similarly significantly [effect]” a data subject will need to be conducted by the controller (or joint controllers, as the case may be) in each instance with reference to the specific facts of the targeting.
81. In such circumstances as described in Example 8, the display of online betting advertisements may fall under the scope of Article 22 GDPR GDPR (targeting financially vulnerable persons that are interested in online betting which have the potential to significantly and adversely affect his financial situation). Therefore, in accordance with Article 22, explicit consent would be required. Furthermore, the use of tracking techniques triggers the applicability of Article 5(3) of the ePrivacy Directive, resulting in a requirement of prior consent. Finally, the EDPB recalls that for the processing to be lawful, the controller must conduct a case-by-case assessment, and that obtaining consent does not reduce other obligations to observe the requirements of fairness, necessity, proportionality and data quality, as stated in Article 5 GDPR.
6. TRANSPARENCY AND RIGHT OF ACCESS
82. Article 5(1)(a) GDPR states that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. Article 5(1)(b) GDPR also states that personal data shall be collected for specified, explicit and legitimate purposes. Articles 12, 13 and 14 GDPR contain specific provisions on the transparency obligations of the data controller. Finally, recital 39 states that “it should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed”.77)81
83. Information presented to data subjects in respect of the way in which their personal data are processed, should be, in all cases, concise, transparent, in an intelligible and easily accessible form, using clear and plain language.
84. The EDPB recalls that the mere use of the word “advertising” would not be enough to inform the users that their activity is being monitored for the purpose of targeted advertising. It should be made transparent to individuals what types of processing activities are carried out and what this means for the data subject in practice. Data subjects should be informed in an easily understandable language if a profile will be built based on their online behaviour on the platform or on the targeter’s website, respectively, by the social platform and by the targeter, providing information to the users on the types of personal data collected to build such profiles and ultimately allow targeting and behavioural advertising by targeters.77)82 Users should be provided with the relevant information directly on the screen, interactively and, where appropriate or necessary, through layered notices.77)83
6.1 Essence of the arrangement and information to provide (Article 26 (2) GDPR)
85. According to Article 26(1) GDPR, joint controllers “shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects”.
86. A further expression of the transparency principle is the obligation to make the essence of the joint controllership arrangement available to the data subject according to Article 26 (2) GDPR. Indeed, Article 26 GDPR requires joint controllers to take appropriate measures to ensure that data subjects are made aware of the allocation of responsibilities.
87. As a matter of principle, the information provided to the data subject must cover all aspects of the data processing operation(s) for which the joint controllers are jointly responsible. Indeed, the data subject is entitled to receive all information (including regarding envisaged subsequent processing where there is joint controllership) at the outset, so that the information is fair and appropriate. More precisely, this joint arrangement needs to ensure that the data subject will be provided information required by Articles 13 and 14 GDPR, including on their shared or closely linked purposes, storage periods, transmission to third parties etc., which need to be communicated to the data subject upon collection of the data or before the processing starts. The arrangement needs to make it clear where the responsibilities lie in this regard. To meet these requirements, such arrangement must contain (or reference) clear and comprehensive information in respect of the processing to which it relates with explanations, where appropriate, on the various phases and actors of the processing.77)84
88. Although both joint controllers are subject to the duty to inform where there is joint responsibility, they can mutually agree that one of them shall be tasked with providing the initial information to data subjects, especially in cases where only one of the controllers interacts with the users prior to processing, for example on its website77)85. This exchange of information to provide to the data subject should be an integral part of the joint arrangement (e.g. an appendix). In case one of the joint controllers does not have all information in detail because, for example, it does not know the exact technical execution of the processing activities, the other joint controller shall provide all necessary information to enable him to provide the data subject with full information in accordance with Articles 13 and 14 GDPR.
89. The EDPB notes that controllers are not directly responsible for providing the information required by Articles 13 and 14 GDPR in relation to further processing operations that do not fall under the scope of joint controllership. Therefore, the targeter is not directly responsible for providing the information relating to any further processing which will be carried out by the social media platform.
90. However, the EDPB emphasizes that the joint controller who intends to further use the personal data has specific obligations of information for this further processing where there is no joint responsibility, according to Article 14(4) of the GDPR, as well as obligations of compatibility of the further processing under Article 6(4).For example, the targeter and social media provider could agree that the targeter will provide certain information on behalf of the social media provider. The social media provider, however, remains ultimately responsible for ensuring that the data subject has been provided with the relevant information in relation to all the processing activities under its control.
In Example 3 (Mr. Lopez being targeted for advertisement for Bank X on his social media page following the upload by the Bank of his email address to the social media provider), the Bank needs to inform Mr. Lopez that his email address will be used for advertising, via the social media provider, of offers linked to the bank services. Any further processing by the social media provider must be lawful and compatible with the purposes for which the Bank collected the data.
In addition, to the extent that the social media provider intends to further process Mr. Lopez’s email for another purpose, it must ensure that Mr. Lopez is provided with the information required by Article 14(4) GDPR prior to doing so.
The social media provider and the Bank may agree that the Bank will provide Mr. Lopez with the relevant information on behalf of the social media provider. Even if that is the case, however, the social media provider remains ultimately responsible for ensuring that the data subject has been provided with the relevant information in relation to all the processing activities for which it is (alone) responsible. This obligation would not apply if Mr. Lopez has already been informed by the Bank of this processing, according to Article 14(5)(a) GDPR.
These transparency obligations are to be considered without prejudice of the specific obligations applicable to legal basis considerations.
6.2 Right of access (Article 15)
92. Data controllers must enable users to easily and fully exercise their data subjects’ rights. An easy-to-use and efficient tool should be available for the data subject to ensure the easy exercise of all of their rights, at any time, in particular the right of erasure, objection, and the right of access pursuant to Article 15 GDPR.86 The following paragraphs focus on how and by whom the right of access should be accommodated in the context of targeting of social media users.77)87
93. In general, to fulfill the requirements of Article 15 (1) GDPR and to ensure full transparency, controllers may want to consider implementing a mechanism for data subjects to check their profile, including details of the information and sources used to develop it. The data subject is entitled to learn of the identity of the targeter, and controllers must facilitate access to information regarding the targeting, including the targeting criteria that were used, as well as the other information required by Article 15 GDPR.
94. As regards the kind of access to be provided to data subjects, recital 63 advises that “[w]here possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.” The specific features of social media providers – the online environment, the existence of a user account – suggest the possibility to easily grant the data subject with remote access to the personal data concerning him or her in accordance with Article 15 (1), (2) GDPR. Remote access in this case can be regarded as the most “appropriate measure” in the sense of Article 12(1) GDPR, also taking into account the fact that this is a typical situation “where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected” (see recital 58, which explicitly adds “online advertising” as concrete example). In addition, if requested, social media users who have been targeted should also be given a copy of the personal data relating to them in accordance with Article 15(3) GDPR.
95. According to Article 15(1)(c) GDPR, the user shall have access in particular to information on “the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations”. According to Article 4(9), the term “recipient” refers to a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether they are a third party or not. A targeter will not necessarily be a “recipient” of the personal data (see Example 1), as the personal data might not be disclosed to it, but it will receive statistics of the targeted customers in aggregated or anonymised form, e.g. as part of its campaign, or in a performance review of the same. Nevertheless, to the extent that the targeter acts as a joint controller, it must be identified as such to the social media user.
96. Although Article 15 GDPR is not explicitly identified in Article 26(1) GDPR, the wording of this Article refers to all “responsibilities for compliance” under GDPR, which includes Article 15 GDPR.
97. In order to enable data subjects to exercise their rights in an effective and easily accessible way, the arrangement between the social media provider and the targeter may designate a single point of contact for data subjects. Joint controllers are in principle free to determine amongst themselves who should be in charge of responding to and complying with data subject requests, but they cannot exclude the possibility for the data subject to exercise his or her rights in respect of and against each of them (Article 26 (3) of the GDPR). Hence, targeters and social media providers must ensure that a suitable mechanism is in place to allow the data subjects to obtain access to his or her personal data in a user-friendly manner (including the targeting criteria used) and all information required by Article 15 of the GDPR.
7. DATA PROTECTION IMPACT ASSESSMENTS (DPIA)
98. In principle, prior to initiating the envisaged targeting operations, both joint controllers should check the list of processing operations “likely to result in a high risk” adopted at national level under Article 35(4) and recitals (71), (75) and (91)