• Courses
      • Global Series of National Privacy Laws
      • Netherlands Privacy Academy (in Dutch)
      • Caribbean Privacy Academy (in Dutch)
    • Resources
    • Join GADPPRO ACADEMY
      • Join GADPPRO Academy as an Official Partner
      • Become an Official GADPPRO Training Entity
      • Join the GADPPRO Business Academy
      • Secretariat & International Training Centre
      • Contact Us
    •  
      • RegisterLog in
    Privacad GADPPRO Academy
      • Courses
        • Global Series of National Privacy Laws
        • Netherlands Privacy Academy (in Dutch)
        • Caribbean Privacy Academy (in Dutch)
      • Resources
      • Join GADPPRO ACADEMY
        • Join GADPPRO Academy as an Official Partner
        • Become an Official GADPPRO Training Entity
        • Join the GADPPRO Business Academy
        • Secretariat & International Training Centre
        • Contact Us
      •  
        • RegisterLog in

      Blog

      Privacy data protection targeting of social media users – public consultation version

      • Categories Blog, Business, Design / Branding, Free Data Protection Resources, Uncategorized
      • Date September 25, 2020

      Guidelines 08/2020 on the targeting of social media users – version for public consultation

      Section 4.5  Roles and responsibilities

      29 In order to clarify the respective roles and responsibilities of social media providers and targeters, it is important to take account of the relevant case law of the CJEU. The judgments in Wirtschaftsakademie (C-210/16), Jehovah’s Witnesses (C-25/17) and Fashion ID (C-40/17) are particularly relevant here.

      30 The starting point of the analysis is the legal definition of controller. According to Article 4(7) GDPR, a “‘controller” means “the natural or legal person […] which, alone or jointly with others, determines the purposes and means of the processing of personal data”.

      31 In Wirtschaftsakademie, the CJEU decided that the administrator of a so-called “fan page” on Facebook must be regarded as taking part in the determination of the purposes and means of the processing of personal data. According to the submissions made to the CJEU, the creation of a fan page involves the definition of parameters by the administrator, which has an influence on the processing of personal data for the purpose of producing statistics based on visits to the fan page. Using the filters provided by Facebook, the administrator can define the criteria in accordance with which the statistics are to be drawn up, and even designate the categories of persons whose personal data is to be made use of by Facebook:

      • “In particular, the administrator of the fan page can ask for—and thereby request the processing of—demographic data relating to its target audience, including trends in terms of age, sex, relationship and occupation, information on the lifestyles and centres of interest of the target audience and information on the purchases and online purchasing habits of visitorsto its page, the categories of goods and services that appeal the most, and geographical data which tell the fan page administrator where to make special offers and where to organise events, and more generally enable it to target best the information it offers.”

      As the definition of parameters depends inter alia on the administrator’s target audience “and the objectives of managing and promoting its activities”, the administrator also participates in determining the purposes of the processing of personal data. The administrator was therefore categorised as a controller jointly responsible for the processing of personal data of the visitors of its ‘page’, together with the social media provider.

      32 As further developed in section 9 of the present guidelines, controllers may be involved at different stages of the processing of personal data and to different degrees. In such circumstances, the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case:

      • “[T]he existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case.”

      While concluding that the administrator of a page acts as a controller, jointly with Facebook, the CJEU also noted that in the present case, Facebook must be regarded as primarily determining the purposes and means of processing the personal data of users of Facebook and persons visiting the fan pages hosted on Facebook.

      33 In Fashion ID, the CJEU decided that a website operator can be a considered a controller when it embeds a Facebook social plugin on its website that causes the browser of a visitor to transmit personaldata of the visitor to Facebook. The qualification of the website operator as controller is, however, limited to the operation or set of operations in respect of which it actually determines the purposesand means. In this particular case, the CJEU considered that the website operator is only capable of determining, jointly with Facebook, the purposes and means of the collection and disclosure by transmission of the personal data of visitors to its website. As a result, the CJEU ruled that, for what concerns the embedding of a social plug-in within a website, the liability of the website operator is:

      • “limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means, that is to say, the collection and disclosure by transmission of the data at issue.”

      The CJEU considered that the website operator was not a controller for subsequent operations involving the processing of personal data carried out by Facebook after their transmission to the latter, as the website operator was not in a position to determine the purposes and means of those operations by virtue of embedding the social plug-in:

      • “By contrast, in the light of that information, it seems, at the outset, impossible that Fashion ID determines the purposes and means of subsequent operations involving the processing of personal data carried out by Facebook Ireland after their transmission to the latter, meaning that Fashion ID cannot be considered to be a controller in respect of those operations […]”.

      34 In case of joint controllership, pursuant to Article 26(1) GDPR, controllers are required to put in place an arrangement which, in a transparent manner, determines their respective responsibilities for compliance with the GDPR, in particular as regards the exercising of the rights of the data subject andtheir respective duties to provide the information referred to in Articles 13 and 14 GDPR.

      35 The following sections clarify, by way of specific examples, the roles of targeters and social media providers in relation to different targeting mechanisms. Specific considerations are given in particular as to how the requirements of lawfulness and purpose limitation apply in this context. Next, the requirements concerning transparency, data protection impact assessments and the processing of special categories of data are analysed. Finally, the Guidelines address the obligation for joint controllers to put in place an appropriate arrangement pursuant to Article 26 GDPR, taking into account the degree of responsibility of the targeter and of the social media provider.

      • Share:
      author avatar
      Richard V

      Previous post

      Privacy data protection targeting of social media users – public consultation version
      September 25, 2020

      Next post

      Privacy data protection targeting of social media users – public consultation version
      September 25, 2020

      You may also like

      Children Safety Encryption www.privacad.com
      Apple’s New Step to Protect Child Abuse via Encryption Feature
      20 August, 2021
      DNA Technology and Privacy www.privacad.com
      DNA Technology Regulation Bill and Violation of Privacy for Minority Groups
      19 August, 2021
      www.privacad.com
      India accuses Twitter of not complying with new IT rules
      18 August, 2021

      Search

      Categories

      • Blog
      • Business
      • Design / Branding
      • Free Data Protection Resources
      • Nederlandse Privacy Academie
      • Uncategorized
      Facebook-f Linkedin-in

      © Privacad 2020

      For all your questions about courses

      students@privacad.com

      For all your questions about Privacad for business

      info@privacad.com

      Links

      • Courses
      • Become a GADPPRO Academy Official Training Entity
      • Resources
      • Free Data Protection Resources
      • Blog
      • Profile
      • Students Stewards Network (SSN)

      Support

      • Privacy Policy
      • Terms of Use
      • FAQs
      • Contact

      © GADPPRO Academy | Privacad 2022

      GADPPRO Academy 2022

      Login with your site account

      Lost your password?

      Not a member yet? Register now

      Register a new account

      Are you a member? Login now