Social media is often used for targeted marketing. This raises the question who is responsible for the different processing’s and if it is possible to avoid responsibility, since there are different actors involved. This blogpost aims to clarify the roles and responsibilities among the social media provider and the targeter.


Published June 9th 2021


What is what?

Social media providers: the social media provider decides which data to process and for what purpose. The social media provider also decides how the personal data shall be processed. The provider has the opportunity to gather large amounts of personal data.

Targeters: targeters use social media services in order to direct specific messages at users based on specific criteria. Targeters can be e.g. brands, political parties or non-profit organizations – basically any type of organization. Targeting might occur through a banner shown on the top of a website or a display in the user´s ”feed”.

Profiling: targeting of social media users often involve profiling. Profiling is an automated processing of personal data, which aims at evaluating personal aspects. Profiling may be lawful in reference to any of the legal grounds in article 6 (1) of the GDPR, but the legal ground must be applicable in the specific situation and it must be used properly. Read more about profiling here, in Swedish.


Targeting through social media

Many social media providers offer targeting services. The targeting of individuals is based on a wide range of criteria, which might have been based on personal data that the user has actively provided. However, the targeting criteria is in more and more cases developed on the basis of personal data which has been observed and collected. The targeting of social media therefor involves an entire process which results in specific messages to individuals with social media accounts.

The combination and analysis origination from different sources creates risks to the fundamental rights and freedoms of individuals. These risks relate to the fact that there in many cases are a lack of transparency and user control. We therefor recommend you to go through your social media accounts with this in mind, to make sure that you actually inform the social media users what will happen to their personal data and that you do not process personal data in a way that is in conflict with the GDPR.

This blog post will focus on the GDPR. However, please note that in many cases the ePrivacy directive may be applicable, e.g. the use of tracking techniques triggers the applicability of article 5(3) of the ePrivacy directive, which means that consent must be given.


Examples of roles and responsibilities

A relationship between two legal entities can be a controller – processor situation, a controller – controller situation or a processor – processor situation. Read more here. In this paragraph, we will give some examples regarding the different situations.

Example 1: when creating a fan page on Facebook, the administrator can be considered a joint controller with the social media provider (controller – controller). However, the controllers do not have to be joint controllers for the whole processing operation. For example, the administrator can use the filters to decide which criteria to use when drawing up statistics. The level of responsibility can therefor vary (see C-210/16 Wirtschaftsakademie).

Example 2: a website operator can be considered a controller if the website operator embeds a social media plugin on its website and personal data regarding visitors is send to the social media provider due to this plugin. As in the first example, the responsibility as a controller is limited. The website operator is only the controller of the operation or operations in respect of which it actually determines the purpose and means. The Court of Justice of the EU has determined that the website operator was not the controller for the subsequent processing’s, that the social media provider performed after the transmission. The website operator can not decide the purposes and means of processing’s performed after the transmission (see C-40/17 Fashon ID).


Some of the responsibilities of the actors

1. Legal basis

if you are joint controllers, both parties (e.g. the social media provider and the administrator of a fan page or a website operator) must have a legal basis for the processing. The legal basis must be appropriate for the processing in question. You can read more about the legal bases here. In most cases involving targeting of social media users, the two legal bases consent and legitimate interest are the ones that most likely can be used. In some cases, consent is the only option for processing the personal data, e.g. for intrusive profiling.

When using legitimate interest, joint controllers should clarify how the data subjects´ right to object will be met in the arrangement.

When using consent, it is important to remember the following points.

  • Valid consent must be obtained before the processing.
  • Joint controllers are individually responsible for ensuring a valid consent.
  • The data subject must be able to withdraw or refuse consent without detriment.
  • When consent is to be relied upon by multiple controllers, each controller should be named.

When targeting social media users, it must be easy for the users to access information regarding the targeting, including the targeting criteria.

2. Data Protection Impact Assessments

When it is a situation where the entities are joint controllers, both of them have a responsibility to check if any of the processing operations are likely to result in a high risk prior to initiating the targeting operations. If the targeting operations are likely to result in a high risk, a Data Protection Impact Assessment (DPIA) must be conducted before the processing operation can start. In some cases, the impact has to be further assessed. This could be the case if a product is targeted at vulnerable people. Both joint controllers must assess whether a DPIA is necessary. If the result of this assessment is that a DPIA is necessary, they are both responsible for fulfilling this obligation. However, the joint controllers can stipulate that one of them shall be tasked with carrying out the DPIA.


Do you need help?

We are happy to help you with your GDPR-related questions – no matter how small or big they might be.

Please, do not hesitate to contact us for further information!


Josefin Karlström


The content presented in this blog contains general information and is not to be considered as legal advice.