Due to the provisions of the General Data Protection Regulation (hereinafter GDPR) applicable from May 25, 2018, a data protection impact assessment must be carried out for the offers of the state capital in accordance with Art. 35 para. 1 GDPR if a form of processing, in particular when using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons due to the nature, scope, circumstances and purposes of the processing.
I. Threshold analysis
Due to the provisions of the GDPR, a data protection impact assessment (DPIA) pursuant to Art. 35 GDPR may be considered for the social media offerings of the City of Stuttgart if, pursuant to Art. 35 para. 1 GDPR, there is a high risk to the rights and freedoms of natural persons due to the nature, scope, circumstances and purposes of the processing, in particular when using new technologies. According to this, the DPIA would not be mandatory under formal law after a preliminary classification (so-called threshold analysis), but is possible in the present case - also taking into account the requirements of the competent data protection authority - with regard to scope and circumstances (e.g. a possible transfer to unsafe third countries).
In the present case, the DPIA is therefore not carried out in the sense of a mandatory legal constellation, but in the sense of a data protection law admissibility check and risk analysis with derivation of the necessary protective measures. For the examination of several similar processing operations (several social media offers) with similarly high risks, a single assessment can be carried out in accordance with Art. 35 para. 1 sentence 2 GDPR, so that in the present case the DPIA is summarized for all social media channels of the state capital Stuttgart.
II. Risk determination
The City of Stuttgart's own social media pages do not trigger the risk described in Art. 35 GDPR due to the rather small scope of its own data processing. This is particularly true in view of the fact that its own contributions consist mainly of posting content without personal reference, and in any communication with users, only the data that they have voluntarily provided themselves is processed.
However, the use of social media through such offerings has far-reaching consequences, particularly with regard to the evaluation of data by the respective platform operator for advertising purposes, etc. This constitutes high-risk processing for which a DPIA can be carried out.
The State Commissioner for Data Protection and Information Security Baden-Württemberg (hereinafter LfDI) assumes that public bodies that use social media for public relations work and to provide general information bear joint responsibility. Shared responsibility does not mean that the public body confirms or guarantees the data protection compliance of the respective social network. Rather, shared responsibility means that the state capital Stuttgart (Landeshauptstadt Stuttgart, hereinafter LHS) makes itself and others aware of the risks of social networks. Users are made aware of these risks, which are generally associated with the use of social media, in particular in the data protection declaration of the City of Stuttgart.
The risks for users associated with the use of social media also exist in principle independently of use by the City of Stuttgart. In the vast majority of cases, the contributions of the City of Stuttgart do not make any reference to personal data, but rather disseminate factual content. After all, the data that is processed through interaction with the respective user account in social media is usually already publicly accessible or freely available on the internet.
However, by appearing on the social media pages of the City of Stuttgart and the interaction, the content is made available to a broader/"more specific" public and may therefore achieve greater attention and wider distribution than without this interaction. The fact that the LHS networks with other accounts within social media also creates additional cross-connections and information about the respective user of the account. Finally, log data is also collected by the respective platform provider when users passively read the page.
The expansion of the distribution circle and the increase in the number of possible links facilitates the processing of data for other purposes by the platform operator and secret profiling. The possibility of user contributions can also lead to detrimental consequences such as inappropriate, discriminatory or offensive comments or the dissemination of sensitive data.
Such damages are to be classified as significant if caused by the respective platform operator, but are only increased to a limited extent by the social media pages of the state capital Stuttgart. As the respective information in the posts of the LHS is also published elsewhere, there is no obligation to participate in one of the social networks of the LHS.
The following risks to the rights and freedoms of natural persons must be particularly emphasized due to the use of social networks:
- The platform operators process personal user data through the use of cookies, tracking tools and similar technologies for the operation and provision of the services, but also for (personalized) advertising purposes. The information is used to evaluate the activities and behavior patterns of users of the platform or to report misconduct. This also applies to users who are not logged in or registered on the platform while visiting the site.
- The platform operators sometimes transfer the information collected to partners or affiliated companies in unsafe third countries.
- Many social media platforms store data not only on servers in the EU, but also in the USA or other third countries. The social media platforms are responsible for determining the storage period, but usually provide information about this in their privacy policies.
III. Risk analysis criteria
The risk to the "rights and freedoms" and the legal interests of the users concerned (in particular the protection of personality) must first be determined. This is followed by an assessment of the risks to the legal interests of the data subjects.
1. General principles of risk analysis
The potential risk of operating social media channels for the data subjects should be determined according to the objective criteria of the specific processing, see Recital 76 of the GDPR:
"The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined in relation to the nature, scope, context and purposes of the processing. The risk should be assessed on the basis of an objective evaluation that determines whether the data processing poses a risk or a high risk."
The data subject is the focus of the assessment, not the possible (monetary) damage to the state capital of Stuttgart, e.g. due to damage to its image.
2. Factors for assessing the risks
The risk assessment includes in particular the factors(*1):
- Probability of occurrence
  - Risk sources must be determined
  - Existing technical and organizational protective measures
  - Circumstances of the specific situation and processing
- Severity of the damage
  - Level of protection required, e.g. due to the sensitivity or scope of the personal data
    - A high need for protection does not necessarily result in a high risk, e.g. if the probability of occurrence is low
  - Possible negative consequences for those affected (users, employees, etc.)
(*1): The criteria for assessing the probability of occurrence of the risks and the severity of the impending damage are based on ISO/IEC 29134:2017 (standard for DPIA), WP 248 and the publications of the supervisory authorities in Germany and France (CNIL).
3. Possible negative consequences for those affected
The processing of personal data of data subjects can lead to material and immaterial damage, see Recital 75 of the GDPR. The legal interests of data subjects that may be jeopardized by the operation of social media channels include, in particular:
- Confidentiality, integrity, availability and transparency of personal data
- Data minimization
- Damage to reputation
- Loss of control over own data
- Profiling
- Pressure to monitor
- Discrimination
- Identity theft
- Financial loss
IV. Risk reduction by the state capital Stuttgart
In view of the known risks associated with the use of social media channels, the City of Stuttgart has reacted and taken the following risk-mitigating measures:
For each individual social media channel, the state capital of Stuttgart creates a comprehensive data protection declaration with detailed data protection information for users. This bundles and increases the transparency of the confusing data protection information provided by the platform operators.
The City of Stuttgart has created a comprehensive social media concept that ensures the necessary transparency of data processing, risks and remedial measures.
The City of Stuttgart provides detailed information to enable users to protect themselves against the analysis of user behavior. This includes, in particular, information regarding the adjustment of device, privacy and browser settings, the deactivation and management of cookies, tracking technologies, remarketing and personalized advertising, see also the social media concept and the data protection declarations of the individual social media channels of the City of Stuttgart.
The City of Stuttgart makes the transfer and transmission of data to insecure third countries by the platform operators transparent and checks whether the data protection requirements for international data transfer (in particular EU standard contractual clauses, TIA and Data Privacy Framework) are complied with by the platform operators.
The City of Stuttgart ensures that the necessary data protection contracts are concluded, e.g. the necessary contracts for order processing or joint responsibility with the platform operator, see e.g. the Joint Controller Addendum for TikTok Analytics, which regulates responsibilities and makes the exercise of data subjects' rights transparent.
Data security: The City of Stuttgart pursues an information security concept that implements the technical and organizational security measures required according to the state of the art and the relevant standards and is laid down in a "Guideline on Information Security".
The City of Stuttgart respects the settings made by users, e.g. in the browser or user account (such as the deactivation of cookies, tracking tools or location data) and will not make any efforts to switch off or circumvent such protective and defensive measures.
Storage period: The City of Stuttgart only stores the personal data of users on its systems for as long as this is necessary for the intended purpose or for as long as there are statutory retention obligations. In the case of inquiries to the LHS, the data is stored during the processing period and for six months after the end of processing. LHS will then delete the data immediately. In the various data protection declarations for the individual social media platforms, the LHS will provide information about the storage periods of the platform operators as far as possible.
Dealing with comments, netiquette: As far as possible, the LHS will continuously monitor and edit its social media pages in order to immediately recognize and prevent discriminatory or offensive comments and the dissemination of sensitive data. The netiquette of the City of Stuttgart sets out rules of conduct for the use of the city's channels and is available on the website.
V. Proportionality test and risk assessment
1. Suitability for achieving the purposes described
The purposes of using social media are described in detail in the social media concept of the City of Stuttgart. The purposes described there are in particular:
- Promoting the transparency of municipal work
- Strengthening proximity to citizens and dialog
- Extending the reach of municipal information
- Addressing new, especially younger target groups
- Advertising participation formats and events
- Crisis communication, warnings, current reports
- Strengthening the LHS as an employer brand
- Positive city image
The achievement of these purposes through the use of social media can be proven on the basis of general experience. There are therefore no reasonable doubts about the suitability of the use of social media for achieving the purposes described.
2. Necessity, milder means
The use of social media by the City of Stuttgart would not be necessary and therefore disproportionate if the interests pursued could also be achieved by milder, equally suitable means.
Social networks are only used if the communication and information objectives pursued by the City of Stuttgart cannot be achieved equally effectively via traditional city channels (website, official gazette, press work). The City of Stuttgart will review this necessity on an ongoing basis and discontinue the operation of social networks that are no longer required.
3. Weighing up the interests involved
| Probability of occurrence and severity of the damage | negligible | limited | substantial |
|---|---|---|---|
| Confidentiality | detailed Customization of device, Deactivation of Comprehensive social No circumvention of | | |
| Integrity | Information Technical and Guideline for Completion of the continuous | | |
| Availability | The personal data have no increased importance for the data subjects, so that no damage is to be expected. | | |
| Transparency | Detailed data protection Comprehensive social | | |
| Data minimization | detailed Customization of Deactivation of Comprehensive social Completion of the Limitation of the | | |
| Damage to reputation, | Netiquette with Continuous | | |
| Loss of control | transmission of Examination of the Completion of the Limitation of the | | |
| Profiling | detailed Customization of device, Deactivation Limiting the | | |
| Monitoring pressure | detailed Customization of Deactivation of Comprehensive social No circumvention of | | |
Overall, the additional risk caused by the social media offerings of the City of Stuttgart can therefore be classified as low to limited in terms of the probability of occurrence and severity of possible damage for those affected. In addition, the City of Stuttgart actively contributes to further reducing the risk. This includes, in particular, providing information about the detailed and up-to-date data protection declarations of the City of Stuttgart regarding the individual social media presences.
However, a large part of the risk-reducing measures also lie within the sphere of the users. For example, there is no obligation to use a clear name when using social networks. Users can also protect themselves to a certain extent by making various settings, such as deleting their browser history, deactivating cookies or not sharing their location when using photos.
In addition, continuous editorial support enables the City of Stuttgart to intervene in the event of any comments that are defamatory or offensive to personality, up to and including blocking the account of the "disruptive" user. The City of Stuttgart has also formulated a netiquette for the use of its offerings, which is observed during support.
The use of social networks by the City of Stuttgart with the framework parameters described is suitable, necessary and appropriate for achieving the purposes of the City of Stuttgart described above, i.e. overall proportionate in accordance with the risk assessment carried out for the data subjects.
VI. Involvement of the data protection officer
According to Art. 35 para. 2 GDPR, the Data Protection Officer (DPO) of the state capital Stuttgart must be involved in the DPIA. This has been done to a sufficient extent. The DPO of the City of Stuttgart has provided ongoing advice on the use of social media. Its data protection assessments have been incorporated into the decisions on the use of social media. The DPO will also continue to carry out data protection reviews regarding the use of social media.
VII. Result
The services offered by the City of Stuttgart on the social platforms are justifiable in view of the risks described and the binding measures planned. The City of Stuttgart also undertakes to monitor further developments and, if necessary, to repeat and further develop the review carried out here.
In the present case, it is not necessary to consult the competent data protection supervisory authority in accordance with Art. 36 para. 1 GDPR, as the DPIA carried out did not reveal any remaining high risk. On the contrary, the use of social media by the City of Stuttgart is possible with the acceptance of acceptable risks. Due to the remedial measures described, the existing risk could be sufficiently minimized.