Main concepts
Home » Social networks » Introduction to social networks and data protection issues » Main concepts

The imprecise nature of the data gathered by social networks, along with personal data protection legal rules,suggests to social network managers, and those who use data gathered from these networks for research purposes,that, rather than the category of the social network, they should take into account both the type of data being processed and the following main criteria:

  • the purpose for which they are using the data;
  • the applicable regulation, and in particular the regulatory conflicts that may arise from their activity and the original purposes of personal data collection in the social networks.

A social network is an information society service. The concept of information society service is mentioned in Article 2.a and Recitals 17 and 18 of EC Directive 2000/31, as well as in Article 4 (25) GDPR. They all refer to Article 1.1.b of EU Directive 2015/1535. An information society service is any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.

The operators of a social network have the dual status of social service provider and data controller, according to their privacy policy, which considers them as such.[1] As social service providers, they are subject to liability under Articles 12 to 15 of Directive 2000/31/EC. As data controllers, they are responsible both for ensuring that the data are processed in accordance with Article 5 GDPR, as well as for being able to demonstrate this (Art. 5.2 GDPR). Those who use the social network for purposes that go beyond being a mere user (e.g., using social networks for research) shall also be regarded as data controller, and shall be liable accordingly. However, it is also true that,in case of joint controllership, controllers may be involved at different stages of the processing of personal data and to different degrees. In such scenario, the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case.[2]



1In order to clarify the respective roles and responsibilities of social media providers and targeters, it is important to take account of the EDPB Guidelines (Guidelines 8/2020 on the targeting of social media users Version 2.0 Adopted on 13 April 2021, at:, p. 11) and the relevant case law of the CJEU. The judgments in Wirtschaftsakademie (C-210/16), Jehovah’s Witnesses (C-25/17) and Fashion ID (C-40/17) are particularly relevant here.

2See: 4 Judgment in Wirtschaftsakademie, C-210/16, paragraph 43; Judgment in Jehovah’s Witnesses, C-25/17, paragraph 66 and Judgment in Fashion ID, C-40/17, paragraph 70.

Skip to content