The concepts of controller, joint controller and processor play a crucial role in the application of the GDPR, since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice[1] (see the “Main Actors” part of these Guidelines, mainly the sections devoted to “Controller” or “Processor”). In the case of utilization of social networks for data processing, it is equally important to properly distinguish the data controller from the data processor, since the responsibilities of each are different.
Certain doubts may arise as to which of the parties involved in this framework plays the role of data controller, data processor or, as the case may be, whether there is a situation of joint controllership. To dispel these doubts, we must first turn to the list of definitions in the GDPR, interpreted in accordance with the EDPB Guidelines 7/2020 on the concepts of controller and processor in the GDPR, the EDPB Guidelines 8/2020 on the targeting of social media users[2] and the relevant case law of the CJEU[3].
In relation to the use of social networks for research, and without prejudice to the aforementioned casuistic caution, one might state that there is no situation of joint controllership, insofar as the means and purposes of each processing operation are not determined jointly by the social network and the institution in charge of the ICT development; rather, the social network allows the developer to use its environment.
The relationship between researchers and social networks is usually built on the so-called Developer Policies. Most social networks only allow researchers/innovators to collect data through their Application Programming Interfaces (APIs) if they follow the instructions set out in such policies. Thus, researchers/innovators shall ensure that they actually do so if they want to avoid taking responsibility for unlawful data processing. Of course, there is a possible exception to this general rule: if a developer hires the services of a social network to process data on their behalf, this may involve joint controllership (it will depend on the concrete conditions of the contract and the way that responsibilities over the data are assigned to the partners). However, if such an exception does not apply:
- the social network shall be considered the controller in relation to the data processing it carries out in accordance with the purposes and objectives it pursues, and the ICT developer shall be data controller in respect of the data processing activities under its control;
- the relationship between the developer and the social network is as follows:
  - the social network plays the role of information society service provider, and
  - the research institution plays the role of information society service user;
- the activities carried out by the research institution from its research profile must be permitted by the social network as an information society service provider, but this does not imply that there is a situation of joint controllership nor that the licence to use the data guarantees a legal basis for personal data processing.
Thus, in most common scenarios, ICT researchers and innovators will play the role of a third party regarding social networks and data subjects. The network will provide them with data that belong to the data subjects. Once these data are under the control of the researchers/innovators, they become controllers of those data and assume the corresponding responsibilities.
Although a situation of joint controllership does not generally exist, it is not impossible for such a situation to arise. It is, therefore, worth recalling the safeguards of Article 26 GDPR in the case of joint controllership (see the “Main Actor” section of the General part of these Guidelines) between the social network and the research institution:
- Both the ICT developer and the social network shall, in a transparent manner, determine their respective responsibilities for compliance with the obligations under the GDPR, in particular as regards the exercise of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them.
- The arrangement:
  - shall be made available to the data subject;
  - may designate a contact point for data subjects;
  - shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects.
- Finally, all controllers, joint controllers and processors must remember that the data subjects may exercise their rights under the GDPR (art. 26.3 GDPR).
References
[1] EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, p. 3, at: https://edpb.europa.eu/our-work-tools/documents/public-consultations/2020/guidelines-072020-concepts-controller-and_en
[2] EDPB Guidelines 8/2020 on the targeting of social media users, Version 2.0, adopted on 13 April 2021, p. 11, at: https://edpb.europa.eu/system/files/2021-04/edpb_guidelines_082020_on_the_targeting_of_social_media_users_en.pdf
[3] The judgments in Wirtschaftsakademie (C-210/16), Jehovah’s Witnesses (C-25/17) and Fashion ID (C-40/17) are particularly relevant here.