• Courses
      • Global Series of National Privacy Laws
      • Netherlands Privacy Academy (in Dutch)
      • Caribbean Privacy Academy (in Dutch)
    • Resources
    • Join GADPPRO ACADEMY
      • Join GADPPRO Academy as an Official Partner
      • Become an Official GADPPRO Training Entity
      • Join the GADPPRO Business Academy
      • Secretariat & International Training Centre
      • Contact Us
    •  
      • RegisterLog in
    Privacad GADPPRO Academy
      • Courses
        • Global Series of National Privacy Laws
        • Netherlands Privacy Academy (in Dutch)
        • Caribbean Privacy Academy (in Dutch)
      • Resources
      • Join GADPPRO ACADEMY
        • Join GADPPRO Academy as an Official Partner
        • Become an Official GADPPRO Training Entity
        • Join the GADPPRO Business Academy
        • Secretariat & International Training Centre
        • Contact Us
      •  
        • RegisterLog in

      Blog

      Privacy data protection targeting of social media users – public consultation version

      • Categories Blog, Business, Design / Branding, Free Data Protection Resources, Uncategorized
      • Date September 25, 2020

      Guidelines 08/2020 on the targeting of social media users – version for public consultation

      Subparagraph 5.2.1. B   Legal basis

      As joint controllers, both parties (the social media provider and the targeter) must be able to demonstrate the existence of a legal basis (Article 6 GDPR) to justify the processing of personal data for which each of the joint controllers is responsible. The EDPB recalls that no specific hierarchy is made between the different lawful basis of the GDPR: the controller needs to ensure that the selected lawful basis matches the objective and context of the processing operation in question. The identification of the appropriate lawful basis is tied to principles of fairness and purpose limitation.

      43 Generally speaking, there are two legal bases which could theoretically justify the processing that supports the targeting of social media users: data subject’s consent (Article 6 (1) (a) GDPR) or legitimate interests (Article 6 (1) (f) GDPR). A controller must always consider what the appropriate legal basis is under the given circumstances.

      44 For what concerns the legitimate interest lawful basis, the EDPB recalls that in Fashion ID, the CJEU reiterated that in order for a processing to rely on the legitimate interest, three cumulative conditions should be met, namely (i) the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed, (ii) the need to process personal data for the purposes of the legitimate interests pursued, and (iii) the condition that the fundamental rights and freedoms of the data subject whose data require protection do not take precedence. The CJEU also specified that in a situation of joint controllership “it is necessary that each of those controllers should pursue alegitimate interest […] through those processing operations in order for those operations to be justifiedin respect of each of them”.

      45 The EDPB recalls that in cases where a controller envisages to rely on legitimate interest, the duties of transparency and the right to object require careful consideration. Data subjects should be given the opportunity to object to the processing of their data for targeted purposes before the processing is initiated.Users of social media should not only be provided with the possibility to object to the display of targeted advertising when accessing the platform, but also be provided with controls that ensure the underlying processing of his or her personal data for the targeting purpose no longer takes placeafter he or she has objected.

      46 With regard to Example 1 in paragraph 5.2.1, the targeter might consider its legitimate interest to be the economic interest of having an increased publicity for its goods through social media targeting. The social mediaprovider could consider that its legitimate interest consists ofmaking the social media service profitable by selling advertising space. Whether the targeter and the social media provider can rely upon Article 6 (1) (f) GDPR as legal basis depends on whether all three cumulative conditions are met, as recently reiterated by the CJEU. Even if the targeter and the social media provider consider their economic interests to be legitimate, it does not necessarily mean that they will be able to actually rely on Article 6 (1) (f) GDPR.

      47 The second part of the balancing test entails that the joint controllers will need to establish that the processing is necessary to achieve those legitimate interests. “Necessary” requires a connection between the processing and the interests pursued. The ‘necessity’ requirement is particularly relevant in the context of the application of Article 6 (1) f, in order to ensure that processing of data based on legitimate interests does not lead to an unduly broad interpretation of the necessity to process data. As in other cases, this means that it should be considered whether other less invasive means are available to serve the same end.

      48 The third step in assessing whether the targeter and the social media provider can rely upon Article 6 (1) (f) GDPR as legal basis for the processing of personal data, is the balancing exercise necessary to determine whether the legitimate interest at stake is overridden by the data subject’s interests or fundamental rights and freedoms.

      49 The outcome of the balancing exercise will also depend on the presence of additional controls and safeguards. The targeter seeking to rely on legitimate interest should, for its part, make it easy for individuals to express a prior objection to its use of social media for targeting purposes. However, insofar as the targeter does not have any direct interaction with the data subject, the targeter should at least ensure that the social media platform provide the data subject with means to efficiently express their right to prior objection. As joint controllers, the targeter and social media provider should clarify how the individuals’ right to object (as well as other rights) will be accommodated in the contextof the joint arrangement (see section 6). If the balancing exercise points out that data subject’s interests or fundamental rights and freedoms override the legitimate interest of the social media provider and the targeter, the use of Article 6 (1) (f) is not possible.

      50 For what concerns the consent lawful basis, the controller needs to keep in mind that there are clearly situations in which the processing would not be lawful without the valid consent of the individuals concerned (Article 6 (1) (a) GDPR). For example, the WP29 has previously considered that it would be difficult for controllers to justify using legitimate interests as a legal basis for intrusive profiling and tracking practices for marketing or advertising purposes, for example those that involve tracking individuals across multiple websites, locations, devices, services or data-brokering.

      51 To be valid, the consent collected for the processing needs to fulfil the conditions laid out in Articles 4 (11) and 7 GDPR. Generally speaking, consent can only be an appropriate legal basis if a data subject is offered control and genuine choice. If consent is bundled up as a non-negotiable part of terms and conditions, it is presumed not to have been freely given. Consent must also be specific, informed and unambiguous and the data subject must be able to refuse or withdraw consent without detriment.

      52 Consent (Article 6 (1) (a) GDPR) couldbe envisaged, provided that all the requirements for valid consentare met. The EDPB recalls that obtaining consent also does not negate or in any way diminish thecontroller’s obligations to observe the principles of processing enshrined in the GDPR, especially Article 5 with regard to fairness, necessity and proportionality, as well as data quality. Even if the processing of personal data is based on consent of the data subject, this would not legitimize targeting which is disproportionate or unfair.

      53 Finally, the EDPB is of the opinion that the processing of personal data described in the Example 1 in paragraph 5.2.1 cannot be justified on the basis of Article 6 (1) (b) by neither the social platform nor the targeter.

      • Share:
      author avatar
      Richard V

      Previous post

      Privacy data protection targeting of social media users – public consultation version
      September 25, 2020

      Next post

      Privacy data protection targeting of social media users – public consultation version
      September 25, 2020

      You may also like

      Children Safety Encryption www.privacad.com
      Apple’s New Step to Protect Child Abuse via Encryption Feature
      20 August, 2021
      DNA Technology and Privacy www.privacad.com
      DNA Technology Regulation Bill and Violation of Privacy for Minority Groups
      19 August, 2021
      www.privacad.com
      India accuses Twitter of not complying with new IT rules
      18 August, 2021

      Search

      Categories

      • Blog
      • Business
      • Design / Branding
      • Free Data Protection Resources
      • Nederlandse Privacy Academie
      • Uncategorized
      Facebook-f Linkedin-in

      © Privacad 2020

      For all your questions about courses

      students@privacad.com

      For all your questions about Privacad for business

      info@privacad.com

      Links

      • Courses
      • Become a GADPPRO Academy Official Training Entity
      • Resources
      • Free Data Protection Resources
      • Blog
      • Profile
      • Students Stewards Network (SSN)

      Support

      • Privacy Policy
      • Terms of Use
      • FAQs
      • Contact

      © GADPPRO Academy | Privacad 2022

      GADPPRO Academy 2022

      Login with your site account

      Lost your password?

      Not a member yet? Register now

      Register a new account

      Are you a member? Login now