Guidelines 08/2020 on the targeting of social media users – version for public consultation

Section 4.5  Roles and responsibilities

29 In order to clarify the respective roles and responsibilities of social media providers and targeters, it is important to take account of the relevant case law of the CJEU. The judgments in Wirtschaftsakademie (C-210/16), Jehovah’s Witnesses (C-25/17) and Fashion ID (C-40/17) are particularly relevant here.

30 The starting point of the analysis is the legal definition of controller. According to Article 4(7) GDPR, a “‘controller” means “the natural or legal person […] which, alone or jointly with others, determines the purposes and means of the processing of personal data”.

31 In Wirtschaftsakademie, the CJEU decided that the administrator of a so-called “fan page” on Facebook must be regarded as taking part in the determination of the purposes and means of the processing of personal data. According to the submissions made to the CJEU, the creation of a fan page involves the definition of parameters by the administrator, which has an influence on the processing of personal data for the purpose of producing statistics based on visits to the fan page. Using the filters provided by Facebook, the administrator can define the criteria in accordance with which the statistics are to be drawn up, and even designate the categories of persons whose personal data is to be made use of by Facebook:

• “In particular, the administrator of the fan page can ask for—and thereby request the processing of—demographic data relating to its target audience, including trends in terms of age, sex, relationship and occupation, information on the lifestyles and centres of interest of the target audience and information on the purchases and online purchasing habits of visitorsto its page, the categories of goods and services that appeal the most, and geographical data which tell the fan page administrator where to make special offers and where to organise events, and more generally enable it to target best the information it offers.”

As the definition of parameters depends inter alia on the administrator’s target audience “and the objectives of managing and promoting its activities”, the administrator also participates in determining the purposes of the processing of personal data. The administrator was therefore categorised as a controller jointly responsible for the processing of personal data of the visitors of its ‘page’, together with the social media provider.

32 As further developed in section 9 of the present guidelines, controllers may be involved at different stages of the processing of personal data and to different degrees. In such circumstances, the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case:

• “[T]he existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case.”

While concluding that the administrator of a page acts as a controller, jointly with Facebook, the CJEU also noted that in the present case, Facebook must be regarded as primarily determining the purposes and means of processing the personal data of users of Facebook and persons visiting the fan pages hosted on Facebook.

33 In Fashion ID, the CJEU decided that a website operator can be a considered a controller when it embeds a Facebook social plugin on its website that causes the browser of a visitor to transmit personaldata of the visitor to Facebook. The qualification of the website operator as controller is, however, limited to the operation or set of operations in respect of which it actually determines the purposesand means. In this particular case, the CJEU considered that the website operator is only capable of determining, jointly with Facebook, the purposes and means of the collection and disclosure by transmission of the personal data of visitors to its website. As a result, the CJEU ruled that, for what concerns the embedding of a social plug-in within a website, the liability of the website operator is:

• “limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means, that is to say, the collection and disclosure by transmission of the data at issue.”

The CJEU considered that the website operator was not a controller for subsequent operations involving the processing of personal data carried out by Facebook after their transmission to the latter, as the website operator was not in a position to determine the purposes and means of those operations by virtue of embedding the social plug-in:

• “By contrast, in the light of that information, it seems, at the outset, impossible that Fashion ID determines the purposes and means of subsequent operations involving the processing of personal data carried out by Facebook Ireland after their transmission to the latter, meaning that Fashion ID cannot be considered to be a controller in respect of those operations […]”.

34 In case of joint controllership, pursuant to Article 26(1) GDPR, controllers are required to put in place an arrangement which, in a transparent manner, determines their respective responsibilities for compliance with the GDPR, in particular as regards the exercising of the rights of the data subject andtheir respective duties to provide the information referred to in Articles 13 and 14 GDPR.

35 The following sections clarify, by way of specific examples, the roles of targeters and social media providers in relation to different targeting mechanisms. Specific considerations are given in particular as to how the requirements of lawfulness and purpose limitation apply in this context. Next, the requirements concerning transparency, data protection impact assessments and the processing of special categories of data are analysed. Finally, the Guidelines address the obligation for joint controllers to put in place an appropriate arrangement pursuant to Article 26 GDPR, taking into account the degree of responsibility of the targeter and of the social media provider.