Targeting in social networks. Part 2

In the first part of the series of articles "Targeting in social networks", we talked about:

• what is targeting and who are its actors;
• what are the targeting mechanisms, how are they applied and on what grounds are personal data processed.

Now let's talk about risks for data subjects from targeting, transparency of data processing and the data subject's right of access, as well as about sensitive data

Risks for data subjects from targeting

Risks to the rights and freedoms of data subjects resulting from the processing of personal data (Guidelines 8/2020, Article 6):

• lack of transparency of personal data processing, which may complicate the realization of the rights of data subjects;
• discrimination (reducing the visibility of advertising for data subjects of certain groups);
• “filter-bubbles”: data subjects encounter the same information, other types of information are not seen;
• information overload;
• the emergence of data subjects feeling that their behavior is systematically controlled - as a result of self-censorship.

The simple use of the word "advertising" will not be sufficient to inform users that their activity is being tracked for targeting purposes (Guidelines 8/2020, Article 26).

‍Users must be informed in plain language about:

• information specified in Articles 13 and 14 of the General Data Protection Regulation (GDPR) and (Article 26 (1) GDPR);
• the essence of the agreement on joint control: purposes, means of processing, roles of controllers, information on the controllers' exercise of the rights of the data subject and the corresponding obligations regarding the provision of information specified in Articles 13 and 14, the relationship of the controllers with the data subject (Article 26 ( 2) GDPR);

Users should be provided with relevant information directly on the screen, interactively and, where appropriate or necessary, through multi-layered messages.

The subject's right to access data

Targeters and social media providers must ensure that there is an appropriate mechanism in place that allows users to access their personal data in a convenient way (including the targeting criteria used) and all information required by Article 15 of the GDPR.

Regarding the type of access, given the large number of participants, technological complexity, which make it difficult for the user to understand by whom and for what purpose personal data concerning him is collected, the most appropriate measure will be remote access to a protected system, which will provide users with direct access to his personal data.

According to Article 15(1)(c) GDPR, the user must have access, in particular, to information about recipients or categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries or international organizations.

The targeter will not necessarily be the recipient of personal data, as the personal data may not be disclosed to them, but they will receive customer statistics as part of their campaign or when reviewing its performance. Nevertheless, to the extent that the targeter acts as a joint controller, it must be identified as such to the social media user (Guidelines 8/2020 art. 29).

Joint controllers are free to determine among themselves who should respond to data subjects' requests and fulfill them, but they cannot exclude the possibility for the data subject to exercise his rights with respect to each of them and against them (Article 26 (3) GDPR).

Targeting and sensitive data

Sensitive data are defined in Article 9 of the GDPR as special categories of personal data and include:

• a person's state of health;
• racial or ethnic origin;
• biometric data;
• religious or philosophical beliefs;
• political views;
• membership in trade unions;
• sex life or sexual orientation.

For example, the processing of a single piece of location data that indicates that the user has (once or more) visited a place that is commonly visited by people with certain religious beliefs is generally not in itself considered as processing of special categories of data.

However, this may be considered as processing of special categories of data if this data is combined with other data or because of the context in which the data is processed or the purposes for which it is used.

The subject of targeting sensitive PDs

In order to target sensitive PDs in social networks, it is necessary to identify the subject. It can be the targeter or the social network provider, or both.

Basis of processing

Controllers may lawfully process special categories of data only if they can fulfill one of the conditions set out in Article 9(2) GDPR: obtaining the express consent of the data subject, or if the PD has been explicitly made public by the data subject, etc.

In addition to the terms and conditions - 

Article 9 of the GDPR, the processing of special categories of data must be based on the legal basis set out in Article 6 of the GDPR and be carried out in accordance with the basic principles set out in Article 5 of the GDPR.

For example, a person in a social network profile indicates that he is a member of a specific political party. The targeter wants to target his mailing to such persons based on their affiliation with the political views of such a party. Such information will be considered sensitive data and its processing is prohibited (Article 9(1) GDPR).

Therefore, the only applicable grounds for processing sensitive data in such a situation will be:

• obtaining the express consent of the data subject (Article 9(2)(a) GDPR); or
• when the person has explicitly disclosed such sensitive personal data (Article 9(2)(e) GDPR).

In the next article, we will talk about what documents are needed for transparency and legality of targeting in different countries.

Subscribe to our channels on social networks:

LinkedIn
‍YouTube
‍Instagram
‍Facebook
‍Telegram
‍Medium‍

Contact us:

business@avitar.legal