Gathering data from social networks often involves entering into some kind of agreement with their representatives. Indeed, access to their API, or similar tools, will probably not be provided if this agreement has not been documented. Sometimes, adherence to Developer Policies is not even part of this agreement, since it is crystal clear that whoever receives data from the network has to follow them. The researcher/innovator should make sure, however, that this legal architecture is adequately fixed from the very beginning.
On the other hand, it is obvious that a controller will often entrust some of the technical tasks to a processor, who could even involve a sub-processor. In practice, however, there will be times when it will be difficult to ensure that the processor is not actually acting as a controller or joint-controller.
Researchers and innovators should do their best to avoid such issues, since the data protection regulation requires a clear answer to the question of “who is responsible for this processing?” to guarantee an “effective and complete” protection of the data subjects’ rights and freedoms. Thus, a key requirement of an adequate data protection by design policy is to clarify from the very beginning who are the formal data controllers and processors, in order to ensure that the legal accountability is understood.
In order to fulfil this goal, written agreements between all agents involved in the development of the tools should be reached and documented, whenever possible (see art. 28 of the GDPR). These should include clear specifications about the responsibilities taken by all participants. Promoting a continuous interaction between all DPOs involved might be an excellent option. Ad-hoc supervisory bodies and tools can be adopted to ensure a smooth oversight of the participants’ processing.
1See: EDPB Guidelines (Guidelines 8/2020 on the targeting of social media users Version 2.0 Adopted on 13 April 2021, at: https://edpb.europa.eu/system/files/2021-04/edpb_guidelines_082020_on_the_targeting_of_social_media_users_en.pdf, p. 11) ↑