Im Rahmen einer öffentlichen Konsultation veröffentlichte der Europäische Datenschutzausschuss (EDSA/EDPB) Anfang September seine Guideline 08/2020 über das Targeting von Social Media Usern. Der EDSA nimmt bis 19. Oktober 2020 Stellungnahmen zur vorgenannten Guideline entgegen.
Das Ziel dieser Guideline wird wie folgt umschrieben: „(…) to clarify the roles and responsibilities among the social media provider and the targeter. In order to do so, the guidelines also identify the potential risks for the rights and freedoms of individuals (section 3), the main actors and their roles (section 4), and tackles the application of key data protection requirements (such as lawfulness and transparency, DPIA, etc.) as well as key elements of arrangements between social media providers and the targeters“ (vgl. Rz. 7).
Dabei geht der EDSA insbesondere auf die Rechtsprechung des EuGH i.S. „Fashion ID“ (C-40/17), „Wirtschaftsakademie“ (C-210/16) sowie den „Zeugen Jehovas“ (C-25/17) und Fragestellungen rund um die gemeinsame Verantwortlichkeit gemäss Art. 26 DSGVO ein.
Ausserdem enthält die Guideline wertvolle Ausführungen zur Verarbeitung besonderer Kategorien personenbezogener Daten, insbesondere wann diese durch die betroffene Person als offensichtlich öffentlich gemacht i.S.v. Art. 9 Abs. 2 lit. e DSGVO gelten:
„In practice, a combination of the following or other elements may need to be considered for controllers to demonstrate that the data subject has clearly manifested the intention to make the data public, and a case-by-case assessment is needed. The following elements may be relevant to help inform this assessment:
(i) the default settings of the social media platform (i.e. whether the data subject took a specification to change these default private settings into public ones); or
(ii) the nature of the social media platform (i.e. whether this platform is intrinsically linked with the idea of connecting with close acquaintances of the data subject or creating intimate relations (such as online dating platforms), or if it is meant to provide a wider scope of interpersonal relations, such as professional relations, or microblogging, media sharing, social platforms to share online reviews, etc... ; or
(iii) the accessibility of the page where the sensitive data is published (i.e. whether the information is publicly accessible or if, for instance, the creation of an account is necessary before accessing the information); or
(iv) the visibility of the information where the data subject is informed of the public nature of the information that they publish (i.e. whether there is for example a continuous banner on the page, or whether the button for publishing informs the data subject that the information will be made public...); or
(v) if the data subject has published the sensitive data himself/herself, or whether instead the data has been published by a third party (e.g. a photo published by a friend which reveals sensitive data) or inferred" (vgl. Rz. 120).
Michal Cichocki
Das Ziel dieser Guideline wird wie folgt umschrieben: „(…) to clarify the roles and responsibilities among the social media provider and the targeter. In order to do so, the guidelines also identify the potential risks for the rights and freedoms of individuals (section 3), the main actors and their roles (section 4), and tackles the application of key data protection requirements (such as lawfulness and transparency, DPIA, etc.) as well as key elements of arrangements between social media providers and the targeters“ (vgl. Rz. 7).
Dabei geht der EDSA insbesondere auf die Rechtsprechung des EuGH i.S. „Fashion ID“ (C-40/17), „Wirtschaftsakademie“ (C-210/16) sowie den „Zeugen Jehovas“ (C-25/17) und Fragestellungen rund um die gemeinsame Verantwortlichkeit gemäss Art. 26 DSGVO ein.
Ausserdem enthält die Guideline wertvolle Ausführungen zur Verarbeitung besonderer Kategorien personenbezogener Daten, insbesondere wann diese durch die betroffene Person als offensichtlich öffentlich gemacht i.S.v. Art. 9 Abs. 2 lit. e DSGVO gelten:
„In practice, a combination of the following or other elements may need to be considered for controllers to demonstrate that the data subject has clearly manifested the intention to make the data public, and a case-by-case assessment is needed. The following elements may be relevant to help inform this assessment:
(i) the default settings of the social media platform (i.e. whether the data subject took a specification to change these default private settings into public ones); or
(ii) the nature of the social media platform (i.e. whether this platform is intrinsically linked with the idea of connecting with close acquaintances of the data subject or creating intimate relations (such as online dating platforms), or if it is meant to provide a wider scope of interpersonal relations, such as professional relations, or microblogging, media sharing, social platforms to share online reviews, etc... ; or
(iii) the accessibility of the page where the sensitive data is published (i.e. whether the information is publicly accessible or if, for instance, the creation of an account is necessary before accessing the information); or
(iv) the visibility of the information where the data subject is informed of the public nature of the information that they publish (i.e. whether there is for example a continuous banner on the page, or whether the button for publishing informs the data subject that the information will be made public...); or
(v) if the data subject has published the sensitive data himself/herself, or whether instead the data has been published by a third party (e.g. a photo published by a friend which reveals sensitive data) or inferred" (vgl. Rz. 120).
Michal Cichocki