Guidelines 08/2020 on the targeting of social media users – version for public consultation
Subparagraph 5.4.2 B Legal basis
77 Targeting of social media users on the basis of inferred data for advertising purposes typically involves profiling. The WP29 has previously clarified that according to the GDPR, profiling is an automated processing of personal data which aims at evaluating personal aspects, in particular to analyse or make predictions about individuals, adding that “[t]he use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person”. Profiling may be lawful by reference to any of the legal grounds in Article 6 (1) GDPR, subject to the validity of this legal basis.
78 In Example 7, Article 5 (3) of ePrivacy is applicable, insofar as the display of the advertisement on Mrs.Delucca’s page related to the painter Pataolito requires a read/write operation to match this “like” with information previously held on her by the social media provider. Consent will therefore be required for these operations.
79 For what concerns Example 8, the EDPB recalls that in the case of automated decision-making which produces legal effects or similarly significantly affects the data subject, as set outin Article 22 GDPR data controllers may rely on the following exceptions:
explicit consent of a data subject;
the necessity of the automated decision-making for entering into, or performance of, acontract; or
authorisation by Union or Member State law towhich the controller is subject.
80 WP29 has already stated that “In many typical cases the decision to present targeted advertising based on profiling will not have a similarly significant effect on individuals (…). However, it is possible that it may do, depending upon the particular characteristics of the case, including:
the intrusiveness of the profiling process, including the tracking of individuals across different websites, devices and services;
the expectations and wishes of the individuals concerned;
the way the advert is delivered; or
using knowledge of the vulnerabilities of the data subjects targeted.