Social Media Marketing has developed rapidly in recent years. For companies in B2C business fields, it is the marketing method with which many new customers can be reached quickly and new business fields can be developed. From a data protection perspective, marketing campaigns via social media repeatedly raise questions that cannot (yet) be answered uniformly. In addition to the basic question of what information companies must or may provide on social media channels they use, there are always challenges when companies involve influencers if the influencer is supposed to get in touch with users, e.g. because he or she is organising a sweepstake on behalf of the company.
When Instagram was launched in October 2010 and made available to the general public, no one could have imagined the social, legal and economic significance that this app with the instant camera symbol would one day have. Unlike Facebook, Instagram users were primarily supposed to share photos and thus let a – more or less – selected community participate in their lives. Users could – unlike on Facebook – not only follow their own friends, but also get very private insights into the “private life” of one or another celebrity. Companies and agencies quickly realised that Instagram was an excellent way for marketing actions. But where there are marketing actions, laws must be observed and user groups must be protected.
What do companies generally have to consider?
When using social media platforms, companies must comply with certain requirements. The most important requirements are:
- Legal notice obligation: If a company operates a social media channel, the company’s legal notice must be provided.
- Privacy Policy: Companies should also provide a data protection statement or link to it. This is because the company processes personal data, especially when using analysis tools or when contacting or responding to users’ enquiries. In this respect, the requirements of Article 13 GDPR also apply to the operation of a social media channel.
- No anti-competitive statements: Information and promotional statements shared by the company via the social media channel must be true and transparent. The same principles apply here as for advertising on television or via websites.
- Compulsory labelling: Advertising via social media must be labelled as such. How, when and where can also depend on how the content is played out. In general, however, the principle applies that it must be clearly recognisable to the consumer that the content is advertising. The labelling matrix of the state media authorities shows the different labelling options.
- Images, videos and texts: When using photos, videos and texts, companies should make sure that they have the necessary permission from the originators for promotional use via social media. In the best case, self-created images should be used. If persons are depicted, the personal rights of these persons can also be violated if these recordings are used without permission.
Assignment of Influencers
The lynchpin for the question of how the commissioning of influencers is to be handled from a data protection perspective is the question of the data protection responsibilities in the relationship between the influencer and the company. Controller according to Article 4 No. 7 GDPR is
“the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data”.
Example: Sweepstake by Influencers as a marketing measure
Taking the example of a sweepstake organised by an influencer on behalf of a company, the question arises whether the influencer is the controller, whether the entrepreneur and the influencer are joint controllers within the meaning of Article 26 GDPR or whether the influencer is the processor of the entrepreneur within the meaning of Article 28 GDPR. The answer to this question is not as simple as it sounds: it depends.
Depending on the individual case – and in particular on the contractual agreement between the entrepreneur and the Influencer – all three possibilities can be considered:
Option 1: Responsibility of the Influencer
If the entrepreneur commissions the influencer to process a sweepstake on his/her own channel, but does not provide any further specifications and does not wish to receive the personal data collected in the context of the competition (e.g. to determine the winner and to send the prize), i.e. if the implementation and processing of the sweepstake is solely the responsibility of the influencer, the influencer will be classified as controller. This case will seldom occur in practice, as companies usually make certain specifications on the type and manner of the content to be played out.
Option 2: Influencer is a processor
If the company commissions the influencer to carry out the sweepstake in accordance with the requirements to be met and if the company wishes to receive the personal data collected (e.g. the relevant insights in order to determine the prize itself and to send the prize itself), a processing relationship within the meaning of Article 28 GDPR must be assumed. A data processing agreement must be concluded.
Option 3: Joint Controllership of Influencer and company
Joint Controllership within the meaning of Article 26 GDPR is also conceivable in cases where the company and the influencer jointly conduct the competition and jointly determine the purposes and means of data processing. The decisive factor in this constellation will be how much say the influencer has in the design of the specific data processing.
Precisely because it depends on the individual case, it is advisable for advertisers not to insist on a blanket solution, but to decide which constellation is relevant depending on the concrete “advertising situation”.
This decision not only determines whether and which data protection agreement must be concluded between the company and the Influencer, but also the different structuring and assumption of rights and obligations under data protection law, e.g. the duty to inform under Articles 13, 14 GDPR or the guarantee of data subject rights.
Feel free to contact us if you are unsure or you have questions about the legally compliant use of social media by your company. We will be happy to support you.