Do you target your advertising on social media platforms? (Of course, you do). Then you should know that you may be responsible for compliance with personal data processing along with the social media operators. But what exactly are you responsible for and what are your obligations?
Thanks to social media, marketers have the ability to target individuals, in order to communicate their tailor-made advertising messages, on the basis of a wide range of criteria. Targeted advertising can be based on personal data actively provided by the users or observed or inferred, either by the social media provider or by third parties and collected (aggregated) by the social media platform or by other actors (e.g. data brokers).
Due to the development of sophisticated targeting mechanisms, the targeting of social media users may involve a variety of different actors. Interaction between social media providers and such other actors may give rise to joint responsibilities under EU data protection law.
In order to clarify the roles and responsibilities of social media providers, “targeters” and other actors of the targeted advertising process, EDPB now adopted a final version of the Guidelines on the targeting of social media users (Guidelines).
The Guidelines follow up on previous CJEU case law and offer guidance concerning the targeting of social media users, in particular in regards to the responsibilities of targeters and social media providers. Where joint responsibility exists, the Guidelines seek to clarify what the distribution of responsibilities might look like between targeters and social media providers on the basis of practical examples.
Although EDPB observes that targeters who wish to use targeting tools provided by social media providers are usually offered only ‘take it or leave it’ conditions of the social media platforms, the EDPB considers that it does not negate the joint responsibility of the social media provider and the targeter and cannot serve to exempt either party from its obligations under the GDPR.
If you are a “targeter”, the Guidelines should help you understand what legal basis is appropriate for you and which part of the data processing exactly are you responsible for. The Guidelines are now available online on the EDPB website.
EDPB adopted documents - 48th plenary
https://edpb.europa.eu/news/news/2021/edpb-adopted-documents-48th-plenary_en