In general, to fulfill the requirements of Article 15 (1) GDPR and to ensure full transparency, controllers
may want to consider implementing a mechanism for data subjects to check their profile, including
details of the information and sources used to develop it. The data subject is entitled to learn of the
identity of the targeter, and controllers must facilitate access to information regarding the targeting,
including the targeting criteria that were used, as well as the other information required by Article 15
GDPR.
As regards the kind of access to be provided to data subjects, recital 63 advises that “[w]here possible,
the controller should be able to provide remote access to a secure system which would provide the data
subject with direct access to his or her personal data.” The specific features of social media providers -
the online environment, the existence of a user account - suggest the possibility to easily grant the
data subject remote access to the personal data concerning him or her in accordance with Article
15 (1), (2) GDPR. Remote access in this case can be regarded as the most “appropriate measure” in the
sense of Article 12(1) GDPR, also taking into account the fact that this is a typical situation “where the
proliferation of actors and the technological complexity of practice make it difficult for the data subject
to know and understand whether, by whom and for what purpose personal data relating to him or her
are being collected” (see recital 58, which explicitly adds “online advertising” as a concrete example). In
addition, if requested, social media users who have been targeted should also be given a copy of the
personal data relating to them in accordance with Article 15(3) GDPR.
According to Article 15(1)(c) GDPR, the user shall have access in particular to information on “the
recipients or categories of recipients to whom the personal data have been or will be disclosed, in
particular recipients in third countries or international organisations”. According to Article 4(9), the
term “recipient” refers to a natural or legal person, public authority, agency or another body, to which
the personal data are disclosed, whether they are a third party or not. A targeter will not necessarily
be a “recipient” of the personal data (see Example 1), as the personal data might not be disclosed to
it, but it will receive statistics of the targeted customers in aggregated or anonymised form, e.g. as part
of its campaign, or in a performance review of the same. Nevertheless, to the extent that the targeter
acts as a joint controller, it must be identified as such to the social media user.
Although Article 15 GDPR is not explicitly identified in Article 26(1) GDPR, the wording of this Article
refers to all “responsibilities for compliance” under GDPR, which includes Article 15 GDPR.
In order to enable data subjects to exercise their rights in an effective and easily accessible way, the
arrangement between the social media provider and the targeter may designate a single point of
contact for data subjects. Joint controllers are in principle free to determine amongst themselves who
should be in charge of responding to and complying with data subject requests, but they cannot
exclude the possibility for the data subject to exercise his or her rights in respect of and against each
of them (Article 26 (3) of the GDPR). Hence, targeters and social media providers must ensure that a
suitable mechanism is in place to allow the data subject to obtain access to his or her personal data
in a user-friendly manner (including the targeting criteria used) and all information required by Article
15 of the GDPR.