The accountability principle in the GDPR is risk-based: the higher the risk of data processing to the fundamental rights and freedoms of data subjects, the greater the measures needed to mitigate those risks (see the “Accountability Principle” subsection in the “Main Principles” section of the General part of these Guidelines). Since the processing of personal data gathered from social networks might be considered high risk, the researchers/innovators shall also appoint a DPO and perform a DPIA. Controllers should also create a Data Protection Policy that allows the traceability of information (see the “Accountability Principle” subsection in the “Main Principles” section of the General part of these Guidelines).
1 See Articles 24, 25 and 32 of the GDPR, which require controllers to take into account the “risks of varying likelihood and severity for the rights and freedoms of natural persons” when adopting specific data protection measures.
2 See, in particular, Article 35(3)(a), according to which data processing is considered as high risk in cases of, inter alia, “a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person”.