Processing personal data on social media

It is common for companies to process personal data on social media. In addition, it is not uncommon for companies to believe that only the social media platform has a responsibility, and not the company that uses the service. 

Companies have a responsibility when processing personal data on social media, so it is good to know the rules. Individuals may also be subject to the GDPR when they publish images or videos containing personal data. Please note, however, that special rules apply if the processing is for journalistic purposes. 

There may be joint responsibility for personal data

It is not always easy to determine exactly when a company that uses social media and processes personal data is a joint controller with the platform. 

Two examples of joint controllership

Use of social media statistical tools

If a company uses a statistical tool from the platform, the company and the platform provider are joint controllers.

Many companies answer questions from customers/followers via their social media. In other words, social media is sometimes used as a complementary customer service channel, or as the only customer service channel for some smaller companies. In such cases, the company and the social media platform are joint controllers. This means, among other things, that the company must clear out its inbox and outbox regularly, just as with email and other communication channels.

Can companies post pictures of their employees on their social media?

Yes, it can be legal. The legal basis is usually legitimate interest, if the employees belong to a professional group that is used to such processing, such as brokers, lawyers, etc. Another legal basis may be performance of a contract with the data subject. Consent is not appropriate because there is an unequal power relationship between the employer and the employee. However, it is good to ask the employees anyway, as having pictures of themselves published can be perceived as privacy sensitive. 

Do individuals have to comply with GDPR when publishing images on social media?

Yes, if the images contain personal data. Images, sound and video recordings may be personal data. The requirement is that it is possible to identify an individual. 

This means that anyone who publishes content on social media classified as personal data under the GDPR must comply with the GDPR, even if it is for private use. For example, the person needs to have a legal basis for the processing.

Does the GDPR's private exemption apply to the use of social media for private purposes?

The private or household exemption in the GDPR means that natural persons who process personal data in connection with their household or for purely private use do not have to comply with the rules in the GDPR. However, the exemption does not apply if a person publishes personal data (such as an image of an individual) on social media, as it is disseminated to a wider audience. This is the view of the Swedish supervisory authority. However, the private exemption may apply if, for example, a person has a closed profile, where only his or her followers can see the content and the individual only has his or her family as followers. The same can be true if a person publishes pictures of their friends to a limited number of people. In other words, whether the private exemption applies is a question of how widely the data is disseminated.

An example of when the private exemption applies

A private individual has a physical or digital address book at home, with personal data of relatives and/or friends (such as name, phone number and address).

More about GDPR

Processing personal data through the website

Many companies today have a website and it is not uncommon to process personal data through it. This is the case, for example, if the website contains images of employees, has contact forms that visitors can use to send messages to the company, or uses cookies or similar. In addition, companies should publish their privacy notice on the website, so that users can easily find information about the processing of personal data.