Guidelines 08/2020 on the targeting of social media users – version for public consultation
Section 6.1 Essence of the arrangement and information to provide (Article 26 (2) GDPR)
85 According to Article 26(1) GDPR, joint controllers “shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects”.
86 A further expression of the transparency principle is the obligation to make the essence of the joint controllership arrangement available to the data subject according to Article 26 (2) GDPR. Indeed, Article 26 GDPR requires joint controllers to take appropriate measures to ensure that data subjects are made aware of the allocation of responsibilities.
87 As a matter of principle, the information provided to the data subject must cover all aspects of the data processing operation(s) for which the joint controllers are jointly responsible. Indeed, the data subject is entitled to receive all information (including regarding envisaged subsequent processing where there is joint controllership) at the outset, so that the information is fair and appropriate. More precisely, this joint arrangement needs to ensure that the data subject will be provided information required by Articles 13 and 14 GDPR, including on their shared or closely linked purposes, storage periods, transmission to third parties etc., which need to be communicated to the data subject upon collection of the data or before the processing starts. The arrangement needs to make it clear where the responsibilities lie in this regard. To meet these requirements, such arrangement must contain (or reference) clear and comprehensive information in respect of the processing to which it relates with explanations, where appropriate, on the various phases and actors of the processing.
88 Although both joint controllers are subject to the duty to inform where there is joint responsibility, they can mutually agree that one of them shall be tasked with providing the initial information to data subjects, especially in cases where only one of the controllers interacts with the users prior to processing, for example on its website. This exchange of information to provide to the data subject should be an integral part of the joint arrangement (e.g. an appendix). In case one of the joint controllers does not have all information in detail because, for example, it does not know the exact technical execution of the processing activities, the other joint controller shall provide all necessary information to enable him to provide the data subject with full information in accordance with Articles 13 and 14 GDPR.
89 The EDPB notes that controllers are not directly responsible for providing the information required by Articles 13 and 14 GDPR in relation to further processing operations that do not fall under the scope of joint controllership. Therefore, the targeter is not directly responsible for providing the information relating to any further processing which will be carried out by the social media platform.
90 However, the EDPB emphasizes that the joint controller who intends to further use the personal data has specific obligations of information for this further processing where there is no joint responsibility, according to Article 14(4) of the GDPR, as well as obligations of compatibility of the further processing under Article 6 (4). For example, the targeter and social media provider could agree that the targeter will provide certain information on behalf of the social media provider. The social media provider, however, remains ultimately responsible for ensuring that the data subject has been provided with the relevant information in relation to all the processing activities under its control.
In Example 3 (Mr. Lopez being targeted for advertisement for Bank X on his social media page following the upload by the Bank of his email address to the social media provider), the Bank needs to inform Mr. Lopez that his email address will be used for advertising, via the social media provider, of offers linked to the bank services. Any further processing by the social media provider must be lawful and compatible with the purposes for which the Bank collected the data.
In addition, to the extent that the social media provider intends to further process Mr. Lopez’s email for another purpose, it must ensure that Mr. Lopez is provided with the information required by Article 14(4) GDPR prior to doing so.
The social media provider and the Bank may agree that the Bank will provide Mr. Lopez with the relevant information on behalf of the social media provider. Even if that is the case, however, the social media provider remains ultimately responsible for ensuring that the data subject has been provided with the relevant information in relation to all the processing activities for which it is (alone) responsible. This obligation would not apply if Mr. Lopez has already been informed by the Bank of this processing, according to Article 14(5)(a) GDPR.
These transparency obligations are to be considered without prejudice to the specific obligations applicable to legal basis considerations.