Guidelines 08/2020 on the targeting of social media users – version for public consultation

Subparagraph 5.4.2 B  Legal basis

77 Targeting of social media users on the basis of inferred data for advertising purposes typically involves profiling. The WP29 has previously clarified that according to the GDPR, profiling is an automated processing of personal data which aims at evaluating personal aspects, in particular to analyse or make predictions about individuals, adding that “[t]he use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person”. Profiling may be lawful by reference to any of the legal grounds in Article 6 (1) GDPR, subject to the validity of this legal basis.

78 In Example 7, Article 5 (3) of ePrivacy is applicable, insofar as the display of the advertisement on Mrs.Delucca’s page related to the painter Pataolito requires a read/write operation to match this “like” with information previously held on her by the social media provider. Consent will therefore be required for these operations.

79 For what concerns Example 8, the EDPB recalls that in the case of automated decision-making which produces legal effects or similarly significantly affects the data subject, as set outin Article 22 GDPR data controllers may rely on the following exceptions:

• explicit consent of a data subject;

• the necessity of the automated decision-making for entering into, or performance of, acontract; or

• authorisation by Union or Member State law towhich the controller is subject.

80 WP29 has already stated that “In many typical cases the decision to present targeted advertising based on profiling will not have a similarly significant effect on individuals (…). However, it is possible that it may do, depending upon the particular characteristics of the case, including:

• the intrusiveness of the profiling process, including the tracking of individuals across different websites, devices and services;

• the expectations and wishes of the individuals concerned;

• the way the advert is delivered; or

• using knowledge of the vulnerabilities of the data subjects targeted.

Where the profiling undertaken by the social media provider is likely to have a “similarly significant[effect]” on a data subject, Article 22 shall be applicable. An assessment as to whether targeting will “similarly significantly [effect]” a data subject will need to be conducted by the controller (or joint controllers, as the case may be) in each instance with reference to the specific facts of the targeting.

81 In such circumstances as described in Example 8, the display of online betting advertisements may fall under the scope of Article 22 GDPR (targeting financially vulnerable persons that are interested in online betting which have the potential to significantly and adversely affect his financial situation). Therefore, in accordance with Article 22, explicit consent would be required. Furthermore, the use of tracking techniques triggers the applicability of Article 5 (3) of the ePrivacy Directive, resulting in a requirement of prior consent. Finally, the EDPB recalls that for the processing to be lawful, the controller must conduct a case-by-case assessment, and that obtaining consent does not reduce other obligations to observe the requirements of fairness, necessity, proportionality and data quality, as stated in Article 5 GDPR.