Guidelines 08/2020 on the targeting of social media users – version for public consultation
Section 9.2 Levels of responsibility
129 The EDPB observes that targeters who wish to use targeting tools provided by a social media providermay be confronted with the need to adhere to pre-defined arrangements, without any possibility to negotiate or make modifications (‘take it or leave it’ conditions). The EDPB considers that such a situation does not negate the joint responsibility of the social media provider and the targeter and cannot serve to exempt either party from its obligations under the GDPR. Both parties to the joint arrangement are also bound to ensure that the allocation of responsibilities duly reflects their respective roles and relationships vis-à-vis data the subjects in a practical, truthful and transparent manner.
130 It is important to stress that an arrangement pursuant to Article 26 GDPR cannot override the legal obligations incumbent upon a (joint) controller. While joint controllers shall, in accordance with Article 26 GDPR “determine their respective responsibilities for compliance” with the GDPR, each controller remains, as a matter of principle, responsible for the compliance of processing. This means that each controller is – inter alia – responsible for compliance with the principles set out under Article 5 (1) GDPR, including the principle of lawfulness established under Article 5 (1) (a) of the GDPR.
131 However, the degree of responsibility of the targeter and of the social media provider in relation to specific obligations may vary. In Wirtschaftsakademie, the CJEU noted that “the existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data.[…]those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case”.
132 In other words, although joint controllers are both responsible for complying with the obligations under the GDPR, and although the data subject may exercise his or her rights as against each of the controllers, their level of responsibility must be assessed on their actual role in the processing. In Google Spain, the CJEU clarified that a controller must ensure, “within the framework of its responsibilities, powers and capabilities”, that the processing of personal data meets the requirementsof EU data protection law.
133 When it comes to assessing the level of responsibility of targeters and social media providers, several factors may be relevant, such as the ability to influence the processing on a practical level, as well asthe actual or constructive knowledge of each of the joint controllers. It is also important to be clear atwhat stage of the processing and to what extent or degree the targeter and the social media providerare responsible for the processing.
In Example 1 in Paragraph 5.2.1, Company X sets up an advertising campaign so that users corresponding to specific targeting criteria may be shown advertisements for the company on the social media platform.However, although it sets the parameters for the advertising campaign, it does not collect or have access to any personal data, nor does it have any direct contact with the data subject. Each of these elements may be relevant when assessing the level (or “degree”) or responsibility of the targeter and social media provider in case a violation of the GDPR is established (e.g. in case of lack of transparency towards the data subject or failure to ensure lawfulness of processing). As indicated earlier, notwithstanding, both parties are obliged to undertake appropriate measures in order to meet the requirements of the GDPR and protect the rights of data subjects against unlawful forms of processing.
In Example 3, which involved list-based targeting, the situation is slightly different than Example 1. In Example 3, the bank initially collected the personal data and shared it with the social media provider for targeting purposes. In that case, the targeter has voluntarily caused the collection and transmission stage of the data processing. Each of these elements should be taken into account when assessing the level of responsibility of each actor and should be duly reflected in the terms of the joint arrangement.
Similarly, in Example 4 in Section 5.3, in case of pixel-based targeting, it should be taken into account that the website operator enables the transmission of personal data to the social media provider. It is indeed the website “BestBags.com” that integrates a tracking pixel on its website so that it can target Mr. Schmidt, although he has decided not to make a purchase. The website is therefore actively involved in the collection and transmission of the data. As a joint controller, however, the social media provider is also under an obligation to undertake appropriate measures to meet the requirements of the GDPR and protect the rights of data subjects against unlawful forms of processing. In this case, if the data subject’s consent is sought, the joint controllers should agree upon the way in which consent is collected in practice.