Guidelines 08/2020 on the targeting of social media users – version for public consultation
Section 9.1 Joint controller arrangement and determination of responsibilities (Art. 26 GDPR)
122 Article 26 (1) GDPR requires joint controllers to determine – in a transparent manner – their respective responsibilities for compliance with the obligations of the GDPR in an arrangement, including, as explained above, the requirements for transparency.
123 In terms of scope, the EDPB considers that the arrangement between targeters and social media providers should encompass all processing operations for which they are jointly responsible (i.e. which are under their joint control). By concluding an arrangement that is only superficial and incomplete, targeters and social media providers would be in breach of their obligations under Article 26 of the GDPR.
For instance, in Example 4 in Section 5.3 the arrangement should cover the entire processing of personal data where there is joint controllership, i.e. from the collection of personal data in the context of the visit by Mr. Schmidt of the website “BestBags.com” with a tracking pixel, to the display of the advertisement on his social media page, as well as any eventual reporting relating to the targeting campaign.
124 In order to develop a comprehensive arrangement, both the social media provider and the targeter must be aware of and have sufficiently detailed information regarding the specific data processing operations taking place. The arrangement between the targeter and the social media provider should therefore contain (or refer to) all necessary information to enable both parties to comply with their obligations under the GDPR, including their duty to comply with the principles under Article 5(1) GDPR and their duty to demonstrate their compliance according to Article 5(2) GDPR.
125 If, for example, the controller is considering relying on Article 6 (1) (f) GDPR as a legal basis, it is necessary, among other things, to know the extent of the data processing in order to be able to assess whether the interests of the controller(s) are overridden by the interests or fundamental rights and freedoms of the data subjects. Without sufficient information concerning the processing, such an assessment cannot be performed. The importance of including or referencing the necessary information in the context of a joint arrangement cannot be overstated, especially in situations where one of the parties almost exclusively has the knowledge of and access to the information necessary for both parties to comply with the GDPR.
For instance, in Example 1 in Paragraph 5.2.1, when Company X is assessing whether it can rely on legitimate interest as a legal basis to target men between the ages of 30 and 45 who have indicated that they are single, it is necessary that it has access to sufficient information concerning the processing carried out by the social media platform, including, for instance, the additional measures (such as the right to prior objection) put into place by the latter, to ensure that legitimate interests are not overridden by the data subject’s interests or fundamental rights and freedoms.
126 In order to ensure that the rights of the data subject can be accommodated effectively, the EDPB takes the view that the purpose of the processing and the corresponding legal basis should also be reflected in the joint arrangement between targeters and social media providers who are joint controllers. Although the GDPR does not preclude joint controllers from using different legal bases for the different processing operations they carry out, it is recommended to use, whenever possible, the same legal basis for a particular targeting tool and for a particular purpose. Indeed, if each stage of the processing is carried out on a different legal basis, this would render the exercise of rights impracticable for the data subject (e.g. for one stage there would be a right to data portability, for another there would be a right of objection).
As controllers the targeter and the social media provider are both responsible for ensuring that the principle of purpose limitation is complied with and should therefore incorporate appropriate provisions to that end within the joint arrangement.
For example, if the targeter wishes to use personal data provided to it by the data subject in order to target on social media, it must take appropriate measures to ensure that the data provided shall not be further used by the social media provider in a manner that is incompatible with those purposes, unless the valid consent of the data subject has been obtained pursuant to Article 6 (4) of the GDPR.
In Example 3 in Paragraph 5.2.2, Bank X should ensure that there are appropriate provisions in the joint arrangement with the social media platform so that Mr. Lopez’ email address is not used, without Mr. Lopez’ consent, for purposes other than advertising offers linked to the bank services that he is already using.
Likewise, the social media provider must ensure that use of data for targeting purposes by the targeters is in compliance with the principles of purpose limitation, transparency and lawfulness.
127 Other obligations that should be considered by the targeter and social media provider in the context of their joint arrangement include: the other general data protection principles contained in Article 5 GDPR, security of processing, data protection by design and by default, notifications and communications of personal data breaches, data protection impact assessments, the use of processors and transfers to third countries.
For instance, in Example 13 in Paragraph 8.1.2, the joint arrangement should address the question of which of the controllers should carry out a DPIA and ensure that a relevant exchange of knowledge takes place. In other words, the political party “Letschangetheworld” should ensure that it has a sufficient level of information, for instance on the security measures put into place by the social media platform, when a DPIA is carried out.