Social media: Data protection impact assessment

The own offers themselves do not trigger the risk described in Art. 35 GDPR due to the only very small scope of own data processing. This applies in particular with regard to the fact that the company’s own contributions mainly involve the pure sending of content without any personal reference, and in the case of any communication with other users, only the data that they have provided themselves and voluntarily is processed.

However, the use of social media through such offers has far-reaching effects, especially with regard to the evaluation of the data by the respective platform operator for advertising purposes and the like. This represents processing with a high risk, for which a data protection impact assessment must be carried out.

In this respect, the State Commissioner for Data Protection and Information Security of Baden-Württemberg (hereinafter LfDI) assumes that public bodies that use social media for public relations work and to provide general information bear joint responsibility. Co-responsibility does not mean that the respective public body confirms or guarantees the data protection conformity of the respective social network. Rather, co-responsibility means that the state capital makes itself and others aware of the risks of social networks. Users are made aware of these risks, which are generally associated with the use of social media, in particular in the data protection declaration of the state capital.

Against this background, the assessment of the consequences of using social media is as follows:

The risks described at the beginning, which are associated with the use of social media, exist in principle independently of the state capital’s own use. Also, in the vast majority of cases, the contributions made by the state capital in the offerings themselves do not relate to personal data, but rather disseminate their own, factual content.

Finally, the data processed through interaction with the respective account in social media or other accounts is already publicly accessible or freely available on the Internet.

However, by appearing on the respective offer of the state capital and the interaction, the content is made available to a broader/“more specific” public and thus possibly achieves greater attention and wider dissemination than without this interaction.

Also, by the state capital networking with other accounts within social media, additional cross-connections and information about the respective user of the account are created.

Finally, log data is also collected by the respective platform provider when users passively read the page.

The expansion of the dissemination circle and the increase in the number of linking options encourage the processing of data for other purposes by the operator of the respective social network and clandestine profiling. Also, openness to visitor contributions may lead to adverse social consequences such as inappropriate or discriminatory comments or the dissemination of sensitive data.

While these harms may present themselves as substantial if caused by the respective platform operator itself, they are only increased to a very limited extent by the respective offer of the state capital. Since the respective posts are also published elsewhere, there is also no compulsion to participate in one of the social networks.

Overall, the additional risk caused by the offerings can therefore be classified as low to medium.

In addition, the state capital is actively helping to further reduce the risk. This includes, in particular, providing information about the respective data privacy statement of the state capital.

However, a large part of these measures lies within the sphere of the user: For example, when using social networks, there is no obligation to use the respective clear name. In addition, users can protect themselves to a certain extent through various settings, such as deleting their browsing history, deactivating cookies, or not sharing their location when using photos.

In addition, the continuous editorial support enables the state capital to intervene in the event of any comments that violate honor or personality, up to and including blocking the account of the “disturbing” user. The state capital has also formulated a netiquette for the use of its offerings, which it ensures is observed during support.

The offerings of the state capital in the aforementioned social media are justifiable in view of the risks described and the binding measures envisaged. The state capital also undertakes to monitor further developments and, if necessary, to repeat and further develop the review carried out here.