Given his role as manager of the web page or social media profile of companies, organisations, professionals and influencers, the social media manager (or digital marketer) takes on specific responsibilities in relation to the processing of personal data, carried out on behalf of their owner. In fact, the management of social profiles, like the management of websites, insofar as they involve the processing of personal data, falls under the heading of the application of the general data protection regulation (GDPR), with whose principles and provisions and those of national legislation in the sector, the processing must necessarily comply.

Table of contents

 What processings could be carried out on the social networks

The high number of registered users and vast quantity of personal information – such as photos, videos, personal data and geolocation data – continuously uploaded and published on social networks, means that a large amount of data processing is carried out continuously on these web platforms, for multiple purposes.

Processing carried out not only by the entity that has created and made available the social network, such as Facebook Inc. or Twitter Inc., but also by third parties, such as developers who create applications for social networks, and especially by the many entrepreneurs and professionals who take advantage of the great potential offered by a presence on social networks for marketing and digital communication activities, to interact directly with consumers or to improve the visibility and online reputation of their company and brands.

To identify what kind of data might be processed by opening social profiles for a company, it is useful to start from the concepts of personal data and processing as defined by the GDPR.

Personal data are any information concerning an identified or identifiable natural person, such as personal details, photographs, online identifiers, location data, while processing means any operation carried out on data, such as their collection, consultation, recording or retrieval or erasure.

From reading these definitions, it is easy to identify how many and what personal data can be subject to processing on social networks. Let’s take a Facebook page as an example: the administrator of the page may consult the list of users who are registered on the page or who follow it, namely their first and last name and profile photo, access the private messages that users send to the page and send replies, and consult and export page insights, a tool that allows to obtain statistical data on visitors to the page and on the actions performed by social media users.

So to consider that the processing of data on Facebook, or on other social networks, is the sole business and responsibility of the developer of the platform is clearly wrong. On this matter, it is sufficient to recall the well-known position expressed by the Court of Justice of the European Union, which stated clearly that the administrator of a Facebook page is joint controller of the processing of the personal data of users who visit it together with Facebook itself, since both determine the purposes and means of processing.

This implies that the page administrator will be required to comply with the obligations that the GDPR places on the data controller, first and foremost the obligation to inform data subjects under Article 13 of the GDPR. For this purpose, Facebook, for example, allows to enter a link to the statement on the processing of personal data in a special field of the page’s “Information” tab.

But when the management of the page or social profiles, instead of being carried out directly by the controller or his designees, is entrusted to outside subjects – social media managers or web agencies – operating as consultants, what role would they take on in the processing of data?

The responsibilities of the social media manager

Classifying the social media manager’s activity for the purposes of GDPR, depends essentially on the activity he or she actually carries out, on behalf of whom and how it is carried out.

The GDPR provides for two figures involved in the processing of data: the data controller, necessarily present, i.e. the natural and legal person who determines the purposes and means of processing, and possibly the data processor, i.e. the person who processes the data on behalf of the data controller and on his instructions.

Whenever the management of the company’s social network is entrusted to natural persons operating within the organisational structure of the data controller, for example its employees, they will operate as designated data processors, authorised by the data controller itself to perform specific tasks and functions.

When, on the other hand, social channel management, as is often the case, is entrusted to social media managers or web agencies outside the controller’s organisation, these will operate as data processors, pursuant to art. 28 of the GDPR, whenever the performance of activities entrusted to them involves the processing of personal data. And it is probable that in the concrete case this situation will occur very frequently because the social media manager, in providing his services, will at least be granted confidential access to pages and profiles on social networks, so being able to abstractly process the data to which he has access.

Returning to the case of a corporate Facebook page, the social media manager with the role of “Editor” of the page, would, among other things, be able to interact with users through private messages and public comments, remove and block users, view insight data, publish and manage job offers and create adverts.  All activities that would involve the processing of personal data and that require the regulation of the relationship between data controller and data processor, which must take place through a contract or other appropriate legal act, on the basis of which the data processor is bound to the data controller, establishes the duration and purpose of the processing, the types of data processed and the categories of data subjects, and outlines the obligations and powers of the parties.

When processing data on behalf of the controller, the social media manager must also comply with the instructions he receives. It is important for these instructions to be documented in writing in order to delimit the activities that the social media manager may or may not carry out, since the consequence of processing that fails to comply with the instructions given is that the data processor would be held liable for the unlawful handling of the data as data controller, just as would the real data controller.

Obviously, the social media manager does not necessarily have to process personal data. No processing would be involved, for example, if his activity were to be limited to mere strategic consultancy on the use of social networks, carried out without access to the data processed by the controller.

Why the SMM should care about data protection. Social media marketing professionals should give due consideration to data protection compliance for a variety of reasons.

First of all, since they are existing rules, compliance with them is mandatory for everyone and their violation may lead to the application of administrative and criminal sanctions, as appropriate, as well as being a source of civil liability.

Furthermore, as mentioned above, the social media manager will in most cases be required to process personal data as data processor. This figure, contemplated by Article 28 of the GDPR, must meet certain requirements, in the absence of which the data controller would not be able to use him as data processor, with the consequence that he ought not to be entrusted with the management of social channels, with access to the data contained in them.

Indeed, said Article 28 of the GDPR states that where processing is to be carried out on behalf of the data controller, the latter shall use only processors that offer sufficient guarantees to implement appropriate technical and organisational measures such that the processing meets the requirements of the GDPR and guarantees protection of the rights of the data subject.

This means that the social media manager, or the web agency that provides these services, must be able to demonstrate that they have implemented a system of compliance with privacy legislation, that they have a basic knowledge of the subject matter and that they are able to ensure that data are processed in accordance with the principles laid down in the European Regulations, with particular attention paid to data security.

It is likely, in fact, that a company – data controller – with an eye to privacy regulations, will want to verify reliability and competence before entrusting a social media manager with the management of its social channels and the respective quantities of personal data, so as not to run into the sanctions contemplated in Article 83 of the GDPR.

Finally, the protection of personal data must also be seen as an added value by those engaged in these professions, which base a large part of their activities precisely on personal data. Processing other people’s data in a lawful, transparent and secure way should be a mark of quality for the data controller and processor.

Continue reading the article: