Social media targeting: advertiser and platform joint controllers under GDPR

Published on 12 October 2020 categories , ,

Targeting social media users is a method of targeted advertising and is part of the business model of many social media platforms. The European Data Protection Board (EDPB) has published new guidelines on targeting social media users. The new guidelines focus on the roles and responsibilities of advertisers and social media platforms. The guidelines address, among other things, the privacy risks for social media users and the most important requirements of privacy legislation.

How are social media users targeted?

Targeting of social media users takes place in different ways. For example, targeting can take place by displaying personalised advertising through a “banner” shown on the top or side of a webpage. On social media platforms you see that advertisements are also displayed in a user’s “feed”, ”timeline“ or “story”, where the advertising content appears alongside user-generated content. The EDPB addresses three ways of targeting with personal data. Social media users may be targeted on the basis of provided, observed or inferred data, as well as a combination thereof.

“Provided data” refers to information actively provided by the data subject to the social media provider and/or the advertiser. For example, a social media user might indicate his or her age in the description of his or her user profile. The social media provider, in turn, might enable targeting on the basis of this criterion. Targeting can also take place on the basis of personal data that the user has provided to the advertiser himself.  For example, a user has shared his e-mail address with a web shop. This web shop may share the hashed e-mail address with Facebook and Facebook may check whether the user has a profile on Facebook. If so, the user is shown an advertisement of the web shop on Facebook. On behalf of the web shop, Facebook can also use the hashed e-mail address of a specific user to target Facebook users with a similar profile.

Targeting of social media users can also take place on the basis of observed data. Observed data are data provided by the data subject by virtue of using a service or device. For example, a particular social media user might be targeted on the basis of  his or her activity on the social media platform itself (for instance the content that the user has shared, consulted or liked).

Finally, advertisers can also target on the basis of derived data. For example, the social media platform or the advertiser can conclude on the basis of a user’s surfing behaviour that he is probably interested in a certain product.

Controller and processor

Previous examples show that the social media platform and the advertiser are two important players in the advertising process. But who is responsible for the privacy of social media users? When it comes to the processing of personal data, the GDPR defines two roles: controller and processor. Most of the GDPR´s obligations apply to the controller.

Joint controllership

On the basis of the various examples, the guidelines conclude that the advertiser and the social media platform are qualified as joint controllers for the processing of personal data of social media users. The advertiser and the social media provider jointly determine the purpose of the processing, which is to display a specific advertisement to a set of individuals (in this case social media users) who make up the target audience. In doing so, the advertiser defines the criteria in accordance with which the targeting takes place and designates the categories of persons whose personal data is to be made use of. The social media provider, on the other hand, has decided to process personal data of its users in such a manner to develop the targeting criteria, which it makes available to the advertiser. In order to do so, the social media provider has made certain decisions regarding the essential means of the processing, such as which categories of data shall be processed, which targeting criteria shall be offered and who shall have access (to what types of) personal data that is processed in the context of a particular targeting campaign.


Joint controllers are required to put in place an arrangement which determines their respective responsibilities for compliance with the GDPR, in particular as regards the exercising of the rights of the data subject and their respective duties to provide information to social media users. Joint controllers thus need to set “who does what” by deciding between themselves who will have to carry out which tasks in order to make sure that the processing complies with the GDPR. The arrangement may also cover the following subjects:

  • Implementation of general data protection principles
  • Legal basis of the processing
  • Security measures
  • Notification of a personal data breach to the supervisory authority and to the data subject
  • Data Protection Impact Assessments
  • The use of a processor
  • Transfers of data to third countries

Other topics that could be considered, depending on the processing at stake and the intention of the parties, are for instance the limitations on the use of personal data for another purpose by one of the joint controllers. For example, the advertiser may agree with Facebook that Facebook will only use the personal data for displaying advertisements to specific users.

Joint controllers have a certain degree of flexibility in distributing and allocating obligations among them as long as they ensure full compliance with the GDPR with respect of the given processing. The allocation should take into account factors such as, who is competent and in a position to effectively ensure data subject’s rights as well as to comply with the relevant obligations under the GDPR. The obligations do not need to be equally distributed among the joint controllers.


The EDPB guidelines are not yet final. All comments and suggestions regarding the guidelines can be sent to the EDPB until 19 October 2020.





Related posts