Guidelines 08/2020 on the targeting of social media users – version for public consultation
SECTION 7 DATA PROTECTION IMPACT ASSESSMENTS (DPIA)
98 In principle, prior to initiating the envisaged targeting operations, both joint controllers should check the list of processing operations “likely to result in a high risk” adopted at national level under Article 35 (4) and recitals (71), (75) and (91) GDPR to determine if the designated targeting matches any of the types of processing operations subject to the requirement to conduct a DPIA. To assess whether the envisaged targeting operations are “likely to result in a high risk” and whether a DPIA is required, the criteria identified in the guidelines on DPIA should also be taken into account, as well as the lists that supervisory authorities have established of the kind of processing operations which are subject to the requirement for a data protection impact assessment (pursuant to article 35 (4)).
99 In some cases, the nature of the product or service advertised, the content of the message or the way the advert is delivered might produce effects on individuals whose impact has to be further assessed. This might be the case, for example, with products which are targeted at vulnerable people. Additional risks may emerge depending on the purposes of the advertising campaign and its intrusiveness, or if the targeting involves the processing of observed, inferred or derived personal data.
100 In addition to the obligations specifically referred to in Article 26 (1) GDPR, joint controllers should also consider other obligations when determining their respective obligations. As stated in the EDPB guidelines on DPIAs “When the processing operation involves joint controllers, they need to define their respective obligations precisely”.
101 As a consequence, both joint controllers need to assess whether a DPIA is necessary. If a DPIA is necessary, they are both responsible for fulfilling this obligation. The EDPB recalls that the DPIA should tackle the entire processing of personal data, which means that in principle both joint controllers need to take part in the realization of the DPIA. In this context, both controllers need to ensure that they have a sufficient level of information on the processing to carry out the required DPIA. This implies that “each data controller should express his needs and share useful information without either compromising secrets (e.g.: protection of trade secrets, intellectual property, confidential business information) or disclosing vulnerabilities”.
102 In practice, it is possible that joint controllers decide that one of them shall be tasked with carrying out the DPIA as such. This should then be specified in the joint arrangement, without prejudice to the existence of joint responsibility as such. It may indeed be that one of the controllers is better placed to assess certain processing operations. For example, this controller may, depending on the context, be the one with a higher degree of control and knowledge of the targeting process, in particular on the back-end of the deployed system, or on the means of the processing.
103 Every DPIA must include measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data, and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned. If the identified risks cannot be sufficiently addressed (i.e. the residual risks remain high), the joint controllers are each responsible for ensuring a prior consultation with the relevant supervisory authorities. If the targeting would infringe the GDPR, in particular because the risks have insufficiently been identified or mitigated, the targeting should not take place.
The political party “Letschangetheworld” wishes to encourage social media users to vote for a particular political candidate in the upcoming elections. They wish to target elderly people living in rural areas of the country, who regularly go to Church, and who have not travelled abroad in the past 2 years.