Guidelines 08/2020 on the targeting of social media users – version for public consultation

Subparagraph 5.2.2. A  Roles

55 In these examples in paragraph 5.2.2, the targeter, i.e. the bank, acts as a controller because it determines the purposes and means of the processing by actively collecting, processing and transmitting the personal data of the individuals concerned to the social media provider for advertising purposes. The social mediaprovider, in turn, acts as a controller because it has taken the decision to use personal data acquired from the social media user (i.e. the e-mail address provided when setting up his or her account) in order to enable the targeter to display advertising to an audience of specific individuals.

56 Joint controllership exists in relation to the processing operations for which the social media providerand the targeter jointly determine the purposes and means, in this case, uploading unique identifiers related to the intended audience, matching, selection of targeting criteria and subsequent display of the advertisement, as well as any reporting relating to the targeting campaign.

57 In both examples the bank acts as the sole controller regarding the initial collection of the email address of Ms. Jones and Mr. Lopez respectively. The social media provider does not participate in any way to determine the means and purposes of this collection. The joint control begins with the transmission of the personal data and the collection of it by the social media provider and the following processing for the purpose of displaying targeted advertising (and until the deletion of the data).

58 The reason why the bank acts as sole controller when collecting the e-mail address from Ms. Jones and Mr. Lopez respectively, is because the collection of data occurs prior to (and is not inextricably linked to) the targeting campaign. Therefore, in this case one must distinguish between the initial set of processing operations for which only the bank is a controller and a subsequent processing for which joint control exists. The responsibility of the bank does not extend to operations occurring after the targeting and reporting has been completed and in which the targeter has not participated in the purposes and means and for which the social media provider acts as the sole controller.