The General Data Protection Regulation was defined to protect EU citizens’ personal data in an increasingly digital world. Accordingly, when companies analyze the vast data sets available within the digital ecosystem, it needs to be assessed when GDPR applies and when it does not. And brands and companies do have a firm interest in data containing personal information.*
Understanding the marketplace, the needs of their stakeholders and how these are addressed by different commercial and non-commercial players are critical for the commercial viability of a company. Thus, companies also have an interest in analyzing behavior within the social media channels. For this purpose, many companies use social media monitoring and execute influencer analyses to understand digital life of their stakeholders.
Understanding the market is, in Vertic’s point of view, a legitimate interest, and constitutes the lawful basis for processing subject to GDPR Article 6(1)(f):
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Arguably, the lawful basis is also reinforced by the prior given ‘Consent’ to 3rd parties on which social media conversations most often take place. In this regards, it is important to note the difference between personal and sensitive data. Sensitive data cannot be processed (including health data) except under certain, specific circumstances including: "The personal data was manifestly made public by the individual". Some have argued that the act of engaging in a public conversation on a public social media falls under this criteria.**
The company is to provide a privacy notice within a month when the personal information is retrieved indirectly, in this case via the use of different monitoring software which have APIs to a number of third-party social media platforms.
There are exemptions to this rule, namely if it is deemed impossible to provide privacy information to individuals, or it would involve a disproportionate effort. If a notice is not provided, the company needs to carry out a data protection impact assessment (DPIA) in order to minimize the risk of the negative effects of the processing on the data subjects (i.e. the social media users).
In sum, social media monitoring and influencer analysis remain possible as well as critical as a source of insights for companies' multi channel strategies and value proposition development.