Banner1.jpg

EDPS - 2023-1205

From GDPRhub
EDPS - 2023-1205
LogoEDPS.png
Authority: EDPS
Jurisdiction: European Union
Relevant Law:
Article 10
Article 26
Article 4
Article 5
Type: Complaint
Outcome: Upheld
Started: 16.11.2023
Decided: 13.12.2024
Published:
Fine: n/a
Parties: European Commission
National Case Number/Name: 2023-1205
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: GDPRhub (in EN)
Initial Contributor: ao

The EDPS issued a reprimand to the European Commission for unlawfully targeting X users based on their political views in order to promote a legislative proposal.

English Summary

Facts

The campaign

From the 15 to the 28 September 2023, the Commission ran a targeted advertising campaign on X focussing on users in eight Member States. The campaign aimed at communicating the proposal for a Regulation laying down rules to fight and prevent child sexual abuse, the so-called “Chat Control Regulation”.

The Commission, here the controller, carried out the campaign through an external contractor. For its targeting strategy, the Commission defined certain inclusion and exclusion keywords and accounts affiliated with political interests. The exclusion words selected by the Commission showed to exclude terms that correlate with a "Eurosceptic" political opinion such as “Viktor Orban”. The inclusion words then correlated to “pro-EU” sentiments and included particular parties and politicians.

This input was then used through X’s keyword targeting and look-alike strategy allowing the targeting of people with interests similar to the keywords and accounts (proxy data). Specifically, the campaign targeted X users speaking Dutch, who were from the Netherlands and were older than 18.

The complaint

On the 16 November 2023, noyb on behalf of a data subject filed a complaint with the European Data Protection Supervisor against the Commission alleging unlawful data processing for targeted advertising. The data subject based its complaint on the provisions of Regulation 2018/1725 (EU-GDPR) which is data protection legislation applicable to data processing operations conducted by EU-institution.

The data subject alleged that under Regulation 2018/1725 the Commission had processed special categories of his data under Article 10(2) in breach of the principle of lawfulness under Article 4(1)(a). The data subject laid out that this practice encompasses profiling based on special category data; here the political views of the users. Therefore, the data subject alleged that the Commission had breached Article 10(1) prohibiting the processing of special category data as none of the exceptions under Article 10(2) applied. Moreover, even if the Commission had not intended to process special categories of data, Article 10(1) and Article 4(1)(a) do not require intent on the part of the controller to be established.

The Commission’s arguments

The Commission argued that the selection of the inclusion and exclusion keywords did not draw on personal data of specific X users. The Commission explained that it targeted groups based on their age, location and spoken language but stated that it never intended to process special categories of data. The Commission explained that X’s algorithm determines people with similar interests based on what they post and re-post. The Commission concluded that it merely used X’s services for the publication of the campaign.

Further, the Commission justified the data processing as it was necessary for the performance of a task in the public interest under Article 5(1)(a), referring to the communication of legislative proposals. As a legal basis for this, the Commission referred to Article 17(2) of the Treaty of the European Union which grants the Commission a general right of initiative for legislative proposals.

Holding

Controllership

The EDPS held that the Commission determines the means and purposes of the targeted advertising for political purposes. The EDPS highlighted that pursuing an interest through a processing operation is an indication of determining the purposes of processing. The Commission chose the services provided by X and selected the keywords that in turn determined the target audience.

Therefore, the EDPS stated that the European Commission acted as a controller.

Performance of a task in the public interest

The EDPS puts forward that Article 17(2) TEU is very general in nature, not referring to promotional activities of the Commission and therefore does not meet the requirement of a clear and precise legal basis under Article 5(2). The EDPS therefore rejected the Commission’s argument that the data processing was necessary for the performance of a task in the public interest. Other legal basis such as consent were found not to be applicable, as they were not disputed.

The EDPS found that the Commission had infringed Articles 4(1)(a), 4(2), 5 and 26 of the Regulation as promoting legislation is not in the public interest.

Special category data

The EDPS set out that if a social media provider categorises users into having certain religious, philosophical or political beliefs, this must be seen a processing special categories of data. The EDPS clarified that X had targeted users with interests similar to the key accounts and words which were directly linked to a political affiliation. The EDPS stated that X acted under the instructions of the Commission and therefore was liable. It further reiterated that the intent of the Commission to process special category data is irrelevant as has been shown in CJEU case law (e.g. C-131/12).

Exceptions to processing special category data

The EDPS considered the exceptions to processing special categories of data under Article 10(2) of the Regulation but found that they did not apply. In particular, the EDPS considered:

The EDPS reiterated that in C-252/21, the CJEU showed that sharing or liking certain posts cannot be considered as manifestly making data public. The EDPS declared that even if the data had manifestly been made public, this does not in itself allow for the further processing of this data for political advertising. In particular the EDPS highlighted, with reference to the fact that the data subject had set their account to private, that this was crucial when the data subject could not reasonably have foreseen this kind of processing.

Conclusion

In conclusion, the EDPS found that the Commission had infringed Articles 4(1)(a), 4(2), 5, 10(1) and 26 of the Regulation by unlawfully processing personal data, including special category data without consent. The EDPS issued a reprimand against the Commission and explained that a fine was not necessary as the practice had already ended.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

EDPS Decision concerning investigation in complaint case
 submitted by NOYB – European Center for Digital Rights on

  behalf of                            against the European Commission
                                  (Case 2023-1205)



The European Data Protection Supervisor,


Having regard to the Treaty on the functioning of the European Union,



Having regard to Article 57(1)(e) and 58(2)(b) of Regulation (EU) 2018/1725 (‘the
Regulation’) ,


Having regard to the EDPS Rules of Procedure, as amended on 18 July 2024, and in
                                   2
particular Articles 16 to 18 thereof,


Has adopted the following decision:


1. Proceedings


1.1. On 16 November 2023, the European Data Protection Supervisor (‘the EDPS’) received
      a complaint against the European Commission (‘the Commission’) submitted by
      NOYB - European Center for Digital Rights on behalf of                            (‘the
      complainant’) under Articles 63(1) and 67 of the Regulation, alleging unlawful

      processing of the complainant’s personal data in the scope of a targeted advertising
      campaign by the Commission’s Directorate-General for Migration and Home Affairs
      (‘DG HOME’). The complaint was registered under case number 2023-1205.

1.2. The EDPSinvestigated the complaint pursuant toArticle 57(1)(e) of the Regulation and
      invited the Commission’s observations on the allegations brought forward by the
      complainant by email dated 8 December 2023. On 22 December 2023, the Commission


1Regulation(EU)2018/1725 oftheEuropeanParliamentandof theCouncil of23 October2018 ontheprotection
of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and
agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No
1247/2002/EC; OJ L 295, 21.11.2018, p. 39–98. References to Articles in this document refer to the Regulation.
2Decision of the European Data Protection Supervisor of 15 May 2020 adopting the Rules of Procedure of the
EDPS; OJ L 204, 26.6.2020, p. 49, as amended.      requested an extension of the deadline. The extension was granted and the

      Commission replied on 26 January 2024.

1.3. The EDPS requested the complainant’s comments on the Commission’s reply by email
      of 2 February 2024. The complainant provided his comments on 22 February 2024.

1.4. On 10 October 2024, the EDPS issued a preliminary assessment following his

      investigation of the complaint and shared it with the Commission, based on Article
      57(1)(e) of the Regulation and in accordance with Article 18(1) of the EDPS Rules of
      Procedure, as amended on 18 July 2024. The EDPS invited the Commission to submit
      its observations on the preliminary assessment by 31 October 2024. The purpose of the
      preliminary assessment was to present the Commission with the EDPS’ preliminary

      findings of fact, an initial legal assessment of those facts, including any alleged
      infringements of the Regulation, and the corrective measures the EDPS envisaged
      taking. This allowed the Commission to exercise its right to be heard and aimed to
      ensure that the EDPS’ findings of fact are correct and complete.


1.5. On24October 2024, the Commission requestedan extension of thedeadlineto provide
      its observations on the preliminary assessment. The extension was granted, and the
      Commission provided its observations on 22 November 2024.


2. Factual background

2.1. The Commission ran a targeted advertisement campaign on the social media platform
      X from 15 to 28 September 2023 (‘the campaign’). The aim of the campaign was to

      communicate on the proposal for a Regulation laying 3own the rules to fight and
      prevent child sexual abuse submitted in May 2022.     The advertisements focused on
      users in eight Member States. 4

2.2. The Commission conducted the campaign through an external contractor, European
      Service Network, by means of a specific contract   5 under a framework contract for

      communication activities. The Commission statesthat the design of the campaign was
      set up following technical criteria arising from communications and social media
      practices, on the basis also of the expertise of the contractor.

2.3. The Commission explains that the campaign had the objective to maximise the impact

      of the limited budget available and ensure an efficient use of financial resources
      though a ‘targeting strategy’. The Commission explains that targeting involves
      ‘determining certain segments of the audience to which the advertisement is and is
      not pushed’, and that ‘keywords targeting’ is the main tool available in X for selecting
      users to whom the advertisements are displayed.


2.4. The Commission therefore defined certain targeting segments, among others, a list of
      ‘inclusion’ and ‘exclusion’ keywords and key accounts. According to the Commission,
      ‘inclusion’ keywords were used with the intention ‘to draw the attention of a certain
      subject-related audience to the campaign and protection of children, in line with the

      content of the proposed legislation and the related Eurobarometer, while exclusion



3COM/2022/209 final.
4Belgium, Czech Republic, Finland, France, the Netherlands, Portugal, Slovenia and Sweden.
5Specific  contract  HOME-2022-ISF-TF1-FW-COMM-0055      implementing   framework    contract
COMM/2019/OP/2009.




                                                                                           2      keywords were designed to avoid mixing with debates that are not related to the scope
      of the campaign’.

2.5. The Commission shared the list of these keywords and key accounts with its

      contractor, who inserted the criteria in the dashboard of X. X applied this information
      based on its ‘keyword targeting’ and ‘look-alike strategy’ , allowing it to target people
      with interests similar to the keywords and the key accounts shared by the
      Commission.


2.6. On                                        , during a visit to the online platform X, the
      complainant was shown an advertisement of the Commission (DG HOME) promoted
      by the @EUHomeAffairs to his private X account.


2.7. The advertisement contained the following text about the proposed EU Child Sexual
      Abuse Prevention Regulation (COM/2022/209 final):


           “Misbruikers verbergen zich achter hunbeeldschermen terwijl kinderen in stilte lijden
           Het is hoog tijd om een einde te maken te maken aan seksueel kindermisbruik #online
           De meerderheid van de burgers ondersteunen het voorstel #EUvsChildSexuelAbuse
           En jij? Lees hier ↓”


           [Translation provided by the complainant: Abusers hide behind their screens
           while children suffer in silence It is high time to end child sexual abuse #online
           The majority of citizens support proposal #EUvsChildSexuelAbuse And you?

           Learn more here ↓];

      as well as a video of 47 seconds displaying further text stressing the alleged public
      support for the proposed legislation.


2.8. The complainant downloaded an archive of his personal data through X’s platform,
      using the ‘Download an archive of your data’ functionality, which shows that the
      complainant saw the advertisement described above.


2.9. Furthermore, the general ads report downloaded from X’s ‘Ads repository’ (Annex 5 to
      the complaint)   shows that with the advertisement campaign in question, between 18
      and 27 September 2023, the Commission targeted X users that were speaking Dutch,
                                                                        8
      that were from the Netherlands, and were over 18 years old.

2.10. Moreover, the general ads report shows that 44 ‘Targeting Segments’ were explicitly
      excluded from the ads campaign by the Commission.           9Of the 44 excluded targeting


6Keyword targeting reaches people on X based on keywords in their search queries, recent posts, and posts
they recently engaged with. Keyword targeting can either include or exclude users. Including means that if
someone has either posted or interacted with a post containing the keyword, and they meet the defined
geographic, language, device, and gendertargeting, they'reeligible tobe targetedby the campaign. If excluded,
someone who has either posted or interacted with a post containing the excluded keyword willnot be targeted
by the campaign, even if they meet the defined geographic, language, device, and gender. Additionally, the
campaign    will  not   appear   in   the   Search  results  for   any   excluded   keywords.   See

https://business.x.com/en/help/campaign-setup/campaign-targeting/keyword-
targeting#:%7E:text=Keyword%20targeting%20allows%20you%20to,drive%20engagements%2C%20and%20incr
7ase%20conversions, accessed 27.09.2024.
 ‘Follower look-alikes targeting’ targets people with interests similar to an account's followers. See
https://business.x.com/en/help/campaign-setup/campaign-targeting/interest-and-follower-targeting, accessed
27.09.2024.
8Column F “Targeted Segments” of Annex 5 to the complaint.
9Column G “Excluded Targeting Segments” of Annex 5 to the complaint.




                                                                                                  3      segments of the campaign, 36 segments refer to political parties (such as AfD, Vox,
      Sinn Féin, and English Defence League), politicians (such as Viktor Orbán, Marine Le

      Pen, and Giorgia Meloni), or terms regarding eurosceptic and/or nationalistic political
      opinions (such as brexit, nexit and #EUCorruption), and six segments refer to religious
      beliefs (such as Christianity, Islam and anti-Christian) .

2.11. The general ads reportshows thatthe advertisements were shownover 600.000times.        11


3. Allegations of the complainant and comments of the parties

      Allegations of the complainant

3.1. The complainant alleges that the Commission infringed Article 10 of the Regulation
      by processing special categories of personal data of the complainant without a legal

      basis under Article 10 of the Regulation. In support of this allegation, the complainant
      puts forward the arguments below:

           (a) the use of the 36 segments that refer to political parties, politicians or political
           terms, and the six segments that refer to religious beliefs, for the purpose of
           showing a targeted advertisement based on the complainant's political opinions

           and religious beliefs, amounted in his view to a processing of special categories of
           his personal data;

           (b) since the data processed related in particular to the complainant and the data
           were processed in the context of a microtargeting campaign on his X account, the
           complainant considers that personal data of an identified natural person were

           processed;

           (c) the complainant puts forward that the Commission, as the entity
           commissioning atailoredadvertising campaign onXrelying on the use of personal
           datafor this campaign, is to be considered acontroller. The complainant considers
           that in the present case, the Commission determined the purposes of the data

           processing (displaying online advertisements according to certain parameters),
           and it also determined the means of the data processing (the choice of the
           corresponding advertising tool and the ‘keyword targeting’ on the X platform). In
           addition, the complainant puts forward that the contested processing on X took
           place in particular because the controller commissioned it;


           (d) the complainant underlines that Article 10(1) of the Regulation prohibits the
           processing of special categories of personal data unless any of the exemptions laid
           down in paragraph 2 of the same article applies. In this regard, the complainant
           alleges that none of the relevant exemptions under Article 10(2) of the Regulation
           is applicable, and that the Commission has consequently infringed Article 10(1) of
           the Regulation.


3.2. The complainant further considers that, since the Commission processed special
      categories of his personal data without a legal justification under Article 10(2) of the
      Regulation, it is in breach of the principle of lawfulness under Article 4(1)(a) of the
      Regulation.



10
11The complainant has created an overview of the excluded targeting segments in Annex 6 to the complaint.
  Column H “Impressions” of Annex 5 to the complaint.



                                                                                              43.3. Moreover, the complainant considers that the Commission as the controller bears the
      burden of proof regarding the lawfulness of the processing, in accordance with the
      accountability principle set out in Article 4(2) of the Regulation.


      Comments of the parties

      On the processing of special categories of personal data

3.4. The Commission states that its selection of the ‘inclusion’ and ‘exclusion’ keywords
      was ‘not done using personal data of specific users in X’. The Commission explains
      that ‘the selection of keywords aimed at creating the basis for X to choose the specific
      users to whom the information would be pushed’. It further explains that a ‘look-alike

      strategy’ serves to target people that have similar interest to another account’s
      followers and that ‘X’s algorithm determines such users based on what they repost,
      click on and post’.

3.5. The Commission explains that ‘the complainant may have been targeted on the basis
      of one or a combination of the following criteria:

          - Demographics: The Commission decided to target on the base of age (+18),
          location (one of the chosen countries was the Netherlands) and language (one of

          the chosen languages was Dutch);

          - Keywords: The Commission agreed on the use of a list of keywords to maximise
          the impact of the ads;

          - His interactions with specific X content on the following topics: education,
          technology and computing’.

3.6. The Commission claims that it did not request the processing of special categories of

      personaldata,norwas thedesignof the campaign based onsuchprocessing.It submits
      that it ‘has not received any information on whether the implementation of the
      campaign resulted in the unlawful processing of personal data of the complainant,
      including sensitive categories of personal data, contrary to the [Regulation]’.

3.7. The Commission further claims that it ‘did not intend to trigger the processing of
      special categories of data’, and, that, ‘if such special categories were processed in the
      implementation of the campaign, this should not have happened’.


3.8. The complainant considers that the selection of the ‘exclusion’ keywords by the
      Commission intended to exclude X-users with “Eurosceptic” political opinions, since
      36 of the 44 excluded keywords refer to Eurosceptic and/or nationalistic political
      opinions, as illustrated by the complainant in Annex 6 of the complaint.

3.9. The complainant considers that Annex 1 to the Commission’s reply shows that ‘the
      “inclusion” of specific key accounts intends to target X-users with “pro EU” political

      opinions’. The complainant illustrates that these key accounts include, inter alia, a
      Dutch political party (@VVD) and several politicians. The complainant further
      considers that 15 of the 28 key accounts selected by the Commission could refer to
      ‘pro EU’ political opinions, which the complainant illustrates with a table compiled of
      these accounts.12


12
  See Annex 1 to the complainant’s comments.



                                                                                           53.10. Based on the arguments presented above, the complainant considers that the

      Commission ‘clearly intended to target X-users with specific political opinions, since
      the design of the campaign was based “to target people who have similar interests to
      another account’s followers”’, and since these accounts include accounts of politicians
      and political parties.


3.11. The complainant further considers that the Commission ‘must have clearly been
      aware’ that targeting users with certain political ideas includes profiling and
      categorisation of the user’s political interests, and that it would not even be possible
      to run such a campaign for a specific political audience otherwise.

3.12. The complainant argues that the categorisation by X, revealing a political opinion

      based on what users ‘repost, click on and post’, ‘must obviously be seen as processing
      of special category of personal data’. The complainant states that ‘such sensitive
      personal data, which is derived from other information, is also covered by the
      [Regulation] and the term ‘political opinions’ in Article 10(1) [of the Regulation]’.


3.13. The complainant argues that the comments presented by the Commission confirm
      that the Commission ‘aimed to target specific X-users and that, therefore, it was [the
      Commission] who determined the purposes and means of the processing by
      determining to run its campaign on X and by choosing the keywords to include or

      exclude X-users with specific political opinions and religious beliefs’. The complainant
      argues that the Commission is therefore the (joint) controller for this processing. The
      complainant thus considers that also the Commission is to be held responsible for the
      processing, not only X.

3.14. The complainant further submits that even if the Commission did not have the

      intention to process special categories of personal data, this does not change the fact
      that the Commission violated Article 10(1) and therefore also Article 4(1)(a), since
      intent is not required to qualify for processing of special categories of data.14

      On the lawfulness of the processing


3.15. The Commission states that the campaign was conducted within the framework of a
      specific contract between the Commission (DG HOME) and the contractor with the
      aim to ‘sustain trust, address disinformation, improve understanding and increase
      awareness of DG HOME's policy and funding instruments on Home Affairs’. The

      Commission explains that the contract envisaged a campaign including targeted
      advertising and that ‘the campaign was arranged with X via the contractor, and it was
      X which accepted it, and could be expected to implement it in accordance with the
      platform’s terms and conditions and the applicable legal rules, in particular [the
      General Data Protection Regulation (GDPR)      1]’.


3.16. The Commission explains that the campaign was conducted as part of the
      communication activities it undertakes on its legislative initiatives. The Commission
      stresses that it has a general right of initiative regarding legislative proposals, such as


13In support of his allegation, the complainant refers to para. 123 of the EDPB Guidelines 8/2020 on the
targeting of social media users.
14In this regard, the complainant refers to the CJEU Judgment of 4 July 2023 in Case C-252/21, Meta vs
Bundeskartellamt, paras. 69 and 70.
15Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
of natural persons with regard to the processing of personal data and on the free movement of such data, and
repealing Directive 95/46/EC (General Data Protection Regulation); OJ L 119 4.5.2016, p. 1.




                                                                                               6      in the present case, under Article 17(2) of the Treaty on the European Union (TEU).
      The Commission states that it ‘acted under the premise that it is part of its day-to-day
      activities to inform the public about those initiatives and its content, advocating for
      the need for the proposed legislation’ and that this was the aim of the campaign in

      question.

3.17. The Commission further states that it ‘conducted the campaign based on the
      understanding that if it resulted in any processing of personal data by third parties,
      such processing would be justified as necessary for the performance of a task in the
      publicinterest’. The Commission therefore claimsto have ‘acted under the assumption
      that, if any processing of personal data resulted from the campaign, it would have
      fallen within the scope of Article 5(1)(a) [of the Regulation]’.


3.18. The Commission further submits that it ‘acted under the premise that if any
      processing ofpersonaldatatookplaceas aresultof the campaign, this wouldbelawful,
      because of the necessity to carry out a task in the public interest where the
      Commission is vested authority, i.e., to communicate about legislative proposals
      arising from the prerogative conferred by the [TEU]’.

3.19. The complainant argues that the objectives for the campaign as described by the
      Commission cannot as such be considered an exemption to the prohibition to process
      special categories of personal data. The complainant emphasises that processing of

      special categories of personal data is only permissible if one of the exemptions of
      Article 10(2) applies.

3.20. Regarding the Commission’s statement that the possible processing of personal data
      resulting from the campaign would have been justified as necessary for the
      performance of a task in the public interest, the complainant argues that even if the
      Commission had avalid legal basisfor the processing underArticle 5of the Regulation,
      this would not exclude them from the obligation to comply with Article 10 of the

      Regulation. The complainant considers that the Commission did not meet the
      conditions laid down in Article 10(2) of the Regulation.

3.21. The complainant argues that in addition, pursuant to Article 5(2) of the Regulation,
      any processing ‘for the performance of a task carried out in the public interest’ shall
      be laid down in Union law. The complainant refers to Recital 23 of the Regulation,
      which states the Union law referred to in the Regulation should be clear and precise
      and its application should be foreseeable to persons subject to it.


3.22. The complainant considers that the provision of Article 17(2) of the TEU, to which the
      Commission refers, is ‘neither clear and precise in regard to the possible data
      processing of (special category) data for targeting on an online platform, nor does it
      make micro-targeting on such a platform foreseeable to the data subject in any way’.

3.23. Furthermore, the complainant argues that ‘it would be for [the Commission] in
      particular to assume its outstanding position as a role model and to ensure its actions
      are in line with applicable law’, noting that the Commission has vast legal knowledge
      and resources in this regard.


      Further comments

3.24. The Commission notes that ‘after the campaign was carried out, the Commission has
      ensured that colleagues are reminded of the existing rules’.




                                                                                           73.25. The Commission further notes that ‘since 25 October 2023, all Commission services

      were invited to temporarily suspend paid advertising campaigns on X in light of
      concerns regarding the spread of disinformation associated with the conflict in the
      Middle East’.


4. Legal analysis

      Admissibility of the complaint


4.1. The complainant, a Dutch citizen and a user of the online platform X, represented by
      the not-for-profit organisation NOYB – European Center for Digital Rights, alleges
      that his personal data were unlawfully processed by the Commission in the scope of a
      targeted advertising campaign ran by the latter.


4.2. NOYB – European Center for Digital Rights, fulfils the criteria laid down in Article 67
      of the Regulation to represent the complainant for the purpose of lodging a complaint
      with the EDPS, in accordance with Article 63 of the Regulation. NOYB is a not-for-
      profit body, organisation or association which has been properly constituted in
      accordance with the law of a Member State, in this case Austria, has statutory

      objectives which are in the public interest, and is active in the field of the protection
      of data subjects’ rights and freedoms with regard to the protection of their personal
      data.16 The complainant has mandated NOYB to exercise the rights referred to in
      Articles 63 and 64 on his behalf.17


4.3. Information related to the complainant that wereprocessed in the targeted advertising
      campaign, such as his nationality, age, language, political opinions and religious
      beliefs, are personal data within the meaning of Article 3(1) of the Regulation.


4.4. Targeted advertising to the complainant based on information relating to him and his
      behaviour on the online platform X constitutes processing of his personal data within
      the meaning of Article 3(3) of the Regulation.

4.5. The Commission, by defining the objectives of the campaign as well as the targeted

      (and excluded) audience of the campaign, by defining the ‘inclusion’ and ‘exclusion’
      parameters, determined the purposes and means of the processing. The Commission
      therefore acted as a controller for the processing within the meaning of Article 3(8) of
      the Regulation.


4.6. The Commission is a Union institution, as defined in Article 3180) of the Regulation,
      and DG HOME is a directorate-general of the Commission.

4.7. The complaint is therefore admissible under Article 63(1) of the Regulation.

      Controllership




16https://noyb.eu/sites/default/files/2020-03/NOYB Statute DE EN 0.pdf.
17Assignment of representation submitted by NOYB.
18TheEDPSnotes thatDG HOME is a delegated controllerfor this processing operation. However, directorate-
generals do not have a legal personality distinct from that of the Commission as a whole, and, as such, the
Commission is the liable legal entity. See Commission decision (EU) 2020/969 of 3 July 2020 laying down
implementing rules concerning the Data Protection Officer, restrictions of data subjects’ rights and the
application of Regulation (EU) 2018/1725 of the European Parliament and of the Council, and repealing
Commission Decision 2008/597/EC.




                                                                                              84.8. According to Article 3(8) of the Regulation, a controller means the Union institution or
      body or the directorate-general or any other organisational entity which, alone or
      jointly with others, determines the purposes and means of the processing of personal

      data.Itfollows that19e controller mustdeterminebothpurposes and(essential) means
      of the processing.

4.9. The Commission determined the purpose of the processing of personal data of the

      complainant, which was targeted by an advertising campaign for political purposes. In
      particular, the processing operation was conducted to inform a targeted audience on
      X about the Commission’s legislative proposal and to advocate for the need for the
      proposed legislation.


4.10. The EDPS notes that pursuing an interest through a processing operation is an
      indication of determining the purposes of the relevant processing operation.     20

4.11. The Commission also determined the means of the processing by choosing to use the

      services provided by Xfor the advertisement campaign, and by selecting the key words
      and key accounts for targeting users of X. Through these key words, the Commission
      determined the ‘inclusion’ and ‘exclusion’ parameters used in the campaign. This is

      analogous to the circumstances of the case C-210/16, Wirtschaftsakademie, where the
      creator of a social media fan page, by using Facebook’s filters, defined the parameters
      of the processing. The Commission, by defining the parameters of processing,
      determined the means of processing.    21


4.12. It follows that the Commission is a controller for the present processing operation.

4.13. The EDPS understands that X may have jointly determined the purposes and means
                                                                                                22
      of the processing operation alongside the Commission as a possible joint controller.
      However, the EDPS is only competent to supervise the processing of personal data
      done by Union institutions and bodies.     23 As such, this Decision only examines the
      processing of personal data imputable to the Commission as falling under its sphere

      of control.

      Lawfulness of the processing - Infringement of Articles 4(1)(a), 4(2), 5 and 26
      of the Regulation












19See EDPS Guidelines of 7 November 2019 on the concepts of controller, processor and joint controllership
underRegulation (EU) 2018/1725,p.9 andEDPBGuidelines07/2020 on theconceptsof controller and processor
in the GDPR, version 2.1 adopted on 07 July 2021, paras. 36 and 45.
20
  See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, version 2.1 adopted
21 7 July 2021, paras. 60 to 62 and paras. 50 and 51.
   Case C-210/16, Wirtschaftsakademie, ECLI:EU:C:2018:388, paras. 36 to 39. See also case C-683/21,
22LI:EU:C:2023:949, paras. 32, 33, 35, 36 and 38.
  See Case C-210/16, Wirtschaftsakademie, where the administrator of a fan page on Facebook was regarded
as taking part in the determination of the means and purposes of the processing of personal data alongside
the social media platform.
23See Articles 1 and 2 of the Regulation.




                                                                                                94.14. Article 4(1)(a) of the Regulation states that personal data shall be processed ‘lawfully’.

4.15. In accordance with Article 5(1) of the Regulation, processing shall be lawful only if and
      to the extent that at least one of the grounds listed in the provision applies.

      Article 5(1)(a) - necessary for the performance of a task carried out in the public interest


4.16. The Commission states that it ‘conducted the campaign based on the understanding
      that if it resulted in any processing of personal data by third parties, such processing
      would be justified as necessary for the performance of a task in the public interest’.
      The Commission therefore relies on Article 5(1)(a) as the lawful ground for the
      processing.

4.17. Article 5(1)(a) of the Regulation provides that the processing shall be lawful if and to
      the extent that the processing is ‘necessary for the performance of a task carried out

      in the public interest or in the exercise of official authority vested in the Union
      institution or body’. Article 5(2) provides that this basis shall be laid down in Union
      law.

4.18. The Commission underlines that it has ‘a general right of initiative regarding
      legislative proposals, such as in the case of the proposal, under Article 17(2) of the
      [TEU]’. It considers that it falls within its activities to inform the public about
      legislative proposals and their content and to advocate for the need for the proposed
      legislation.


4.19. In its observations on the EDPS’ preliminary assessment of the present case, the
      Commission notes that ‘certain sentences of the [EDPS’] preliminary findings imply
      that Article 17(2) TEU cannot serve as a legal basis for the processing of personal data
      in any type of promotional activities by the Commission in the context of its proposals
      for legislative acts’, and, that ‘[t]his would be contrary to the case-law of the General
      Court according to which a Union institution has the power to communicate with the
      public, even in the absence of an explicit provision to that effect, given that informing

      the public is an ancillary activity to that authority’s principal administrative activity’.
      The Commission considers that it ‘may organise communication campaigns, including
      on social media, to pursue the tasks with which the Commission is entrusted, such as
      the task to propose Union legislation based on Article 17(2) TEU’. The Commission
      further notes that Article 17(1) expressly states that ‘[t]he Commission shall promote
      the general interest of the Union and take appropriate initiatives to that end’.

4.20. Moreover, the Commission considers that ‘[c]ertain campaigns, even on social media,

      would seem to be inherently associated with such tasks, even when involving certain
      processing of personal data’, and that, therefore, ‘the Commission would disagree to
      any finding which addresses the Commissions communication activities beyond the
      very limited and very specific parameters of the campaign in question which was the
      object of the current EDPS investigation’. The Commission further emphasises ‘the
      institutional importance of its role in proposing new legislation and the corresponding
      duties and obligations towards citizens in the field of transparency, communication

      and openness’. The Commission notes that ‘[c]onveying accurate, objective and
      relevant information to citizens on the activities of the Commission is amatter of good
      administration and accountability’, and that ‘the possibility offered by social media to
      reach a diverse range of audiences provides a suitable platform for institutions to






                                                                                            10      engage with citizens within its competences and roles, which was the aim of the
      campaign’.

4.21. In support of its arguments, the Commission references a judgment of the General
                                                                                  24
      Court of 12 September 2007, in case T-259/03, Nikolaou v Commission , which states
      that ‘the argument that a Community institution or body cannot confer on itself the
      power to issue press releases or otherwise communicate with the public, in the absence

      of a provision expressly empowering it to do so, is unfounded’. The General Court
      further states that ‘the fact that an administration informs the public of its activities,
      in particular by publishing press releases, may be regarded as an activity ancillary to
      its main administrative activity’. 25


4.22. Article 17(2) TEU states that Union legislative acts may only be adopted on the basis
      of a Commission proposal, except where the Treaties provide otherwise. The provision
      does not mention anything regarding the promotional activities of the Commission in

      relation to informing the publicabout such legislative proposals or advocating for their
      need.

4.23. Recital 23 of the Regulation specifies that ‘the Union law referred to in this Regulation

      should be clear and precise and its application should be foreseeable to persons subject
      to it, in accordance with the requirements set out in the Charter and the European
      Convention for the Protection of Human Rights and Fundamental Freedoms (‘the
      Convention’)’. The general standard of lawfulness set by the Convention requires that

      laws be sufficiently precise to allow the person – if need be, with appropriate advice –
      to foresee, to adegree that is reasonable in the circumstances, the consequences which
      a given action may entail  26.


4.24. According to case law, any legislation which entails interference with the individual
      rights to privacy and personal data protection must be ‘clear and precise rules
      governing the scope and application of the measure in question’.     27The law must ‘meet

      quality requirements: it must be accessible to the person concerned and foreseeable as
      to its effects’ to guarantee that the ‘law’ permitting for an interference with
      fundamental rights is compatible with the rule of law and that the individuals are
      protected from arbitrariness of public authorities.       28 A legal base permitting an








24Case T-259/03, Nikolaou v Commission, ECLI:EU:T:2007:254.
25Ibid., para. 218: ‘L’argument selon lequel une institution ou un organe communautaire ne peut s’attribuer le
pouvoirde publier descommuniqués depresseou decommuniquer autrement avec le public, enl’absenced’untexte
qui l’habilite expressément à le faire, n’est pas fondé. En effet, le fait pour une administration d’informer le public
de ses activités, notamment par la publication de communiqués de presse, peut être considéré comme une activité
accessoire à son activité administrative principale.’
26Judgment of the European Court of Human Rights (‘the ECHR’) of 21 October 2013, Del Río Prada v Spain,
CE:ECHR:2013:1021JUD004275009, para. 125, as well as ECHR judgment of 26 April 1979, Sunday Times v. the

27, CE:ECHR:1979:0426JUD000653874, para. 49.
  EDPS Supervisory opinion on the use of social media monitoring for epidemic intelligence purposes by the
European Centre for Disease Prevention and Control, 9 October 2023, para. 15 and the case law cited: case C-
439/19, Latvijas Republikas Saeima(Penalty Points), ECLI:EU:C:2021:504, para.105, as well as case C-175/20, SIA,
ECLI:EU:C:2022:124, para. 55.
28EDPS Supervisory opinion on the use of social media monitoring for epidemic intelligence purposes by the
European Centre for Disease Prevention and Control, 9 October 2023, para. 15 and Case C-601/15, PPU,
EU:C:2016:84, para. 81.




                                                                                                11      interference with the fundamental right to personal data protection must itself define
      the scope of the interference with that right. 29


4.25. Given that the content of Article 17(2) TEU is very general in nature, and clearly does
      not mention anything regarding the promotional activities of the Commission in the
      context of its proposals for legislative acts, the EDPS does not consider Article 17(2)
      TEU to be a ‘clear and precise’ legal basis within the meaning of Article 5(2) of the

      Regulation and as further described in Recital 23, for processing personal data for
      thepurposes of a targeted advertising campaign to inform the targeted audience about
      a legislative proposal on a social media platform.

4.26. Furthermore, the EDPS considers that the application of Article 17(2) TEU as a legal
      basis for processing personal data for the purposes of targeted advertising on a social

      media platform cannot be considered foreseeable to the data subject within the
      meaning of Recital 23 of the Regulation. The EDPS considers that data subjects cannot
      reasonably expect this provision to authorise interferences with their fundamental
      rights to privacy and data protection. Indeed, while it cannot be objected that the
      legislation adopted on the basis of proposals made by the Commission under Article

      17(2) may provide for interferences with fundamental rights on the conditions laid
      down in Article 52(1) of the Charter, this cannot imply that the right of initiative of
      the Commission as such entails the kind of interference consisting in the targeted
      processing of personal data for the purposes of promoting such initiatives.


4.27. The EDPS also notes that case T-259/03 differs on its facts from the case at hand. Press
      publications on a Union institution or body’s (‘EUI’) website are not analogous to
      targetedadvertising onasocial mediaplatform. The presentdecisionbythe EDPSdoes
      not limit the Commission from issuing press releases, which in judgment T-259/03 is
      considered by the General Court to be an activity ancillary to the main administrative

      activity of an EUI.

4.28. Moreover, the EDPS notes that accepting the Commission’s argument would mean
      interpreting Articles 5(1)(a) and 5(2) of the Regulation as not requiring a ‘provision
      expressly empowering’ the processing of personal data for the performance of a task
      carried out in the public interest or in the exercise of official authority vested in the

      EUI, which is to be laid down in Union law. This interpretation would be contrary to
      the interpretation of Articles 5(1)(a) and 5(2), and as further laid down in Recital 23,
      which require the basis for the processing to be laid down in Union law and for this
      law to be clear and precise and its application foreseeable to persons subject to it.

4.29. Finally, the EDPS notes that paragraph 219 of judgment T-259/03 clarified that the

      rejection of the argument according to which OLAF did not have the power to adopt
      a communication policy was without prejudice to the question whether OLAF
      complied with its obligations, in particular as regards the processing of personal data,
      by publishing the press release in that case.  30The General Court ultimately found at


29EDPS Supervisory opinion on the use of social media monitoring for epidemic intelligence purposes by the
European Centre for Disease Prevention and Control, 9 October 2023, para. 17 and cases C-175/20, SIA,
ECLI:EU:C:2022:124, para. 54 and C-623/17, Privacy International, ECLI:EU:C:2020:790, para. 65.
30Case T-259/03, Nikolaou v Commission, ECLI:EU:T:2007:254, para. 219 : ‘Il s’ensuit que l’OLAF n’a pas
outrepassé ses attributions en publiant le communiqué de presse et ce volet de l’argumentation de la requérante
doit être rejeté, sans qu’il soit besoin d’examiner en l’espèce la question de savoir si les règles d’attribution des
pouvoirs ont pour objet de conférer des droits aux particuliers au sens de l’arrêt Bergaderm, point 30 supra (point
42). Ce rejet est toutefois sans préjudice de la question de savoir si l’OLAF a respecté ses obligations, notamment
en matière de traitement des données à caractère personnel, en publiant le communiqué de presse en l’espèce.’




                                                                                              12      paragraph 231 of that judgment that OLAF did not have a valid ground for processing
      personal data under Article 5 a) or e) of Regulation (EC) 45/2001, thereby engaging in
      unlawful processing.

4.30. Therefore, and in any event, the EDPS considers that the Commission could not show

      that the processing of personal data in the context of the targeted advertising
      campaign was justified as necessary for exercising its right of initiative under Article
      17(2) TEU.

4.31. Since the Commission has not demonstrated any valid legal basis to rely on the
      performance of a task in the public interest or in the exercise of official authority as a
      ground for lawfulness for the processing, it follows that the Commission cannot rely
      on Article 5(1)(a) as a ground for lawfulness for the processing of personal data at

      stake.

      Article 5(1)(d) - consent

4.32. Given that Article 5(1)(a) is not applicable in the present case, the only ground for
      lawfulness left for the Commission to rely on would be consent in accordance with
      Article 5(1)(d) and as defined by Articles 3(15) and 7 of the Regulation.

4.33. The EDPS notes that, since the Commission processed special categories of personal
      data, as specified below, the type of consent required would be ‘explicit consent’ as
      laid down in Article 10(2)(a) of the Regulation.


4.34. It is undisputed that the Commission did not obtain the complainant’s explicit consent
      to process special categories of his personal for the specific purpose at hand. The
      complainant submits that he has not given his explicit consent for the processing of
      special categories of his personal data for these specific purposes, and in its response,
      the Commission did not contest this fact nor submit evidence that would challenge
      this fact.

4.35. Itfollows thatthe Commission cannot relyon Article 5(1)(d) as aground for lawfulness

      for the processing of personal data at hand.

4.36. The EDPS therefore concludes that the Commission has not demonstrated any legal
      basis to lawfully process the complainant’s personal data, including special categories
      of personal data.It follows thatthe EDPSfinds aninfringement of Articles 5and 4(1)(a)
      of the Regulation.

4.37. In accordance with the principle of accountability laid down in Article 4(2) and the
      responsibility of the controller as laid down in Article 26 of the Regulation, it is for the

      Commission as the controller todemonstrate thatprocessing is in compliance with the
      principle of lawfulness and is performed in accordance with the Regulation.

4.38. As the Commission could not demonstrate compliance with the Regulation, the EDPS
      further finds an infringement of Articles 4(2) and 26 of the Regulation.

      Processing ofspecialcategories of personaldata -Infringement of Article10(1)
      of the Regulation

4.39. Article 10(1) of theRegulation providesthatprocessing ofspecialcategories ofpersonal
      data is prohibited. Dataconsidered as special categories of personal dataare, inter alia,





                                                                                            13      data revealing racial or ethnic origin, political opinions or religious or philosophical
      beliefs.

4.40. In order for a processing of special categories of personal data to be lawful, the

      controller must have a lawful ground to process personal data under Article 5(1) of the
      Regulation, but also meet the conditions of a derogation listed in Article 10(2) of the
      Regulation. 31

      Article 10(1) of the Regulation


4.41. The processing in the present case constituted processing of special categories of
      personal data, within the meaning of Article 10(1) of the Regulation.

4.42. In the context of the advertising campaign, X, acting under the instructions of the

      Commission, targeted the advertising campaign to some of its specific users by
      including and excluding users that had interacted with posts containing specific
      keywords set by the Commission. Some of these keywords referred to certain political

      parties, politicians, eurosceptic and/or nationalistic political opinions and to religious
      beliefs.Further,Xappliedthe parametersshared bythe Commission basedon its‘look-
      alike strategy’, targeting users with interests similar to the key accounts shared by the
      Commission. X targets advertisements to specific users based on information such as

      posts, link clicks, likes, replies and searches that demonstrate engagement or            32
      interaction with posts containing the specific keywords set by the user of the service.

4.43. The EDPS notes that if a social media provider or an entity using that service for the

      purposes of targeted advertising uses observed data to categorise individuals as having
      certain religious, philosophical or political beliefs, this categorisation of the individuals
      must be seen as processing of special categories of personal data in this context.   33

4.44. Further, if the data provided by the user, when compiled, indicate a certain political

      opinion or a religious belief, and even when no explicit statement on such an opinion
      or belief is provided, such data are to be considered as belonging to a special category
      of personal data. 34


4.45. As the Commission, based on X’s ‘look-alike strategy’, targeted users with interests
      similar to the key accounts it had selected, and as these key accounts included
      accounts of political parties and politicians, political opinions of users were likely
      indicated and could have been derived from these similar interests. Assigning an

      inferred political opinion to a user constitutes processing of special categories of data,
      which in this case has been performed by X but following the instructions of the
      Commission.   35


4.46. Regarding the Commission’s argument that it didnot request the processing of special
      categories of personaldata,nor did it intend to trigger suchprocessing, the EDPSnotes
      that, first, as a controller it assumed liability even though it did not or could not



31
32Case C-667/21, Krankenversicherung Nordrhein, ECLI:EU:C:2023:1022, para. 79.
  See https://business.x.com/en/help/campaign-setup/campaign-targeting/keyword-targeting.html, accessed
27.09.2024.
33EDPB Guidelines 8/2020 on the targeting of social media users, version 2.0, adopted on 13 April 2021, para.
123.
34Ibid.
35Ibid, para. 125.




                                                                                               14      entirely control that processing. Secondly, in line with the case law of the Court of

      Justice of the European Union (‘CJEU’), the intent of the controller is irrelevant to the
      determination of whether the processing is to be considered processing of special
      categories of personal data: in view of the significant risks to the fundamental
      freedoms and rights of data subject arising from the processing of special categories
      of personal data falling within Article 10(1) of the Regulation, the objective of the
                                                                                               37
      Regulation is to prohibit the processing such data, irrespective of the stated purpose.

      Exemptions under Article 10(2) of the Regulation

4.47. Article 10(2) of the Regulation providesfor certainexemptions to whichthe prohibition
      laid down in paragraph 1 do not apply, and where the processing can thus be lawful.

      In accordance with the accountability principle set out in Article 4(2) of the Regulation,
      the controller is responsible for ensuring lawfulness of processing, and must be able to
      demonstrate compliance.

4.48. In the present case, the Commission did not raise that any of the exemptions set out

      in Article 10(2) of the Regulation would apply to the relevant processing of special
      categories of personal data. As such, the Commission did not demonstrate that the
      processing of special categories of personal data would be lawful.

4.49. The EDPS nevertheless deems appropriate to consider potentially applicable

      exemptions. Given the circumstances in the case at hand, the only exemptions that
      could apply would in any event be those laid down in Articles 10(2)(a), 10(2)(e) and
      10(2)(g) of the Regulation. However, the conditions laid down in these provisions are
      not met for the reasons specified below.


      Article 10(2)(a) of the Regulation - explicit consent

4.50. Article 10(2)(a), (‘the data subject has given explicit consent to the processing of those
      personal data for one or more specified purposes’) is not applicable in the present case,
      since, as already stated above, it is undisputed that the Commission did not obtain
      the complainant’s explicit consent to process special categories of his personal for the

      specific purpose at hand.

4.51. It should be noted that explicit consent carries a heavier burden than normal consent
      and requires that the data subject must give an express statement of consent.     38

      Article 10(2)(e) of the Regulation - data manifestly made public by the data subject


4.52. The EDPSconsiders thatthe conditionsfor the derogation laiddownin Article 10(2)(e),
      ‘the processing relates to personal data which are manifestly made public by the data
      subject’, were not met in the present case.

4.53. The EDPS notes that the CJEU has held that that where social media users, on the

      basis of individual settings selected with full knowledge of the facts, have clearly made
      the choice to have the data they enter into the platform made accessible to the general
      public, and where theyhave voluntarilyentered sensitive information onto their public


36Case C‑131/12, Google Spain and Google, EU:C:2014:317, para. 34 and Case C‑231/22, Belgian State (Données
traitées par un journal officiel), ECLI:EU:C:2024:7, para. 38. See also Article 28(3) of Regulation (EU) 2018/1725.
37Case C-252/21, Meta vs Bundeskartellamt, ECLI:EU:C:2023:537, paras. 69 and 70.
38See EDPB Guidelines 5/2020 on consent under Regulation 2016/679, version 1.1, adopted on 04 May 2020,
   para. 93.




                                                                                              15      account, they can be regarded as manifestly making such data public, within the
      meaning of Article 10(2)(e) of the Regulation.  39

4.54. Since X, in its settings, provides users with the possibility of using a protected (private)

      account rather than a public account, thereby allowing the user to choose whether to
      make their data accessible to a limited number of selected people or to anyone with
      access to X, it could be argued that users of the platform who use a public account and

      post, like or comment on certain content connected to their political or religious beliefs
      on that public account, are manifestly making this information public.

4.55. As the CJEU has clarified, for the purposes of the application of the exception laid
      down in Article 10(2)(e) of the Regulation, it is important to ascertain whether the data

      subject had intended, explicitly and by a clear affirmative action, to make the personal
      data in question accessible to the general public.      40To ascertain whether such an
      affirmative action exists, it must be checked in turn whether it is possible for the users

      concerned to decide, on the basis of settings selected with full knowledge of the facts,
      whether to make the information entered into the apps in question and the data from
      clicking or tapping on buttons integrated into that app accessible to the general public
      or, rather, to a more or less limited number of selected persons. When the users

      concerned actuallyhave thatchoice, theycan be regarded, when theyvoluntarilyenter
      information into a website or app or when they click or tap on buttons integrated into
      them, as manifestly making public, within the meaning of Article 9(2)(e) of the GDPR,

      data relating to them only in the circumstance where, on the basis of individual
      settings selected with full knowledge of the facts, those users have clearly made the
      choice to have the data made accessible to an unlimited number of persons. If no such
      individual settings are available, according to the CJEU, users must have explicitly

      consented, on the basis of express information provided by that website or app prior
      to any such entering or clicking, to the data being viewed by any person having access
      to that website or app. 41


4.56. The EDPS notes that the use of the adverb ‘manifestly’ and the fact that that provision
      constitutes an exemption to the general prohibition on processing special categories of
      personal data require a particularly stringent application of that exemption.    42The user

      must, be fu43y aware that, by an explicit act, he is making his personal data accessible
      to anyone.

4.57. The CJEU has already held that the use of a socialnetwork, such as following accounts

      or interacting with posts through ‘share’ or ‘like’44uttons, cannot automatically be
      considered as making data ‘manifestly’ public.        Whether data has been manifestly









39
40Case C-252/21, Meta vs Bundeskartellamt, ECLI:EU:C:2023:537, para. 82.
41Ibid., para. 77.
42Ibid. para. 83.
  AG Opinion, Case C‑446/21, Maximilian Schrems v MetaPlatforms Ireland Limited, ,ECLI:EU:C:2024:366, para.
35.
43Ibid., para. 35 and footnote 32. See also Case C-252/21, Meta vs Bundeskartellamt, ECLI:EU:C:2023:537, para.
77.
44Ibid., para. 37 and Case C-252/21, Meta vs Bundeskartellamt, ECLI:EU:C:2023:537, para. 80.




                                                                                               16      made public or not on a social network depends on the individual settings chosen by
      that user. 45


4.58. In the case at stake, such settings exist due to the possibility of turning on ‘protected
      posts’.46It appears to the EDPSthatthis has been turned on, making the complainant’s
      data only available to those who own an X account and follow him.           47 This gives the

      complainant control over who can access his data and, if anything, is a48se of X’s
      individual settings to protect his data rather than make it public.

4.59. Moreover, the complainant couldnot have expected the resultthathis dataon Xwould

      be used for political advertising, given that targeting based on political affiliation
      and/or beliefs and based on religious or philosophical affiliation and/or beliefs is
      prohibited as declared under X’s policy on targeting sensitive categories of data.           49

      Therefore, in any event, the complainant could not have knowingly waived the
      protections afforded to special categories of data as he would not have expected the
      processing of those to begin with.


4.60. Also, the EDPS notes that even if the complainant’s data would be considered
      ‘manifestly’ made public within the meaning of Article 10(2)(e) of the Regulation, that
      does not, in itself, allow the further processing of that data for the purposes of
                                           50
      personalised political advertising.     If data is made ‘manifestly’ public, then it is no
      longer considered a special category of personal data. However, as it is still personal
      data, it must be processed lawfully under the conditions laid down in the Regulation.        51


4.61. The fact that a data subject publishes a post online does not mean that a controller
      can reuse (i.e. further process) that individual’s public information, without complying
      with the Regulation, for what must be considered a new processing operation. In

      accordance with the relevant data protection rules, the controller still needs a lawful
      ground for the further processing of this data.    52

      Article 10(2)(g) of the Regulation- processing is necessary for reasons of substantial public

      interest

4.62. Article 10(2)(g), ‘the processing is necessary for reasons of substantial public interest,

      on the basis of Union law which shall be proportionate to the aim pursued, respect the
      essence of the right to data protection and provide for suitable and specific measures
      to safeguard the fundamental rights and the interests of the data subject’, would also







45
46Case C-252/21, Meta vs Bundeskartellamt, ECLI:EU:C:2023:537, para. 80.
   See https://help.x.com/en/safety-and-security/public-and-protected-posts on protected posts, accessed
27.09.2024.
47Ibid.
48Ibid.
49See https://business.x.com/en/help/ads-policies/campaign-considerations/targeting-of-sensitive-
categories.html, accessed 28.06.2024
50 AG Opinion, Case C‑446/21, Maximilian Schrems v Meta Platforms Ireland Limited, ECLI:EU:C:2024:366, para.
45.

52 Ibid., para. 46.
 Ibid., para. 45 and 46 and Case C-667/21, Krankenversicherung Nordrhein, ECLI:EU:C:2023:1022, para. 77-78.
See also EDPS Supervisory Opinion of 09/11/2023 on the use of social media monitoring for epidemic
intelligence purposes by the ECDC, para. 65.




                                                                                                  17      not be applicable in the present case, as the requirements listed in the provision cannot
      be considered fulfilled.

4.63. While the Commission has the right to communicate about its activities, including

      legislative proposals, it has not demonstrated that the processing of special categories
      of personaldatain the context of atargeted advertising campaign, in order to advocate
      for the need for the proposed legislation, would be necessary for reasons of substantial
      public interest and proportionate to the aim pursued by Article 17(2) TEU while
      respecting the right to data protection. It has also not demonstrated that the
      processing would provide suitable and specificmeasures to safeguard the fundamental
      rights and the interests of the data subject.


4.64. The EDPS therefore considers that the conditions laid down in Article 10(2) to lift the
      prohibition and lawfully process special categories of personal data are not met in the
      present case.

4.65. The EDPS therefore finds an infringement of Article 10(1) of the Regulation.

5. Conclusions


5.1. In conclusion, the EDPS finds that the Commission has infringed Articles 4(1)(a), 4(2),
      5, 10(1) and 26 of the Regulation by unlawfully processing the complainant’s personal
      data, including special categories of personal data, without a valid legal basis in the
      context of the targeted advertising campaign that the Commission ran on the social
      media platform X from 15 to 28 September 2023, as referred in point 2.1. of the present

      decision.

6. Corrective measures

6.1. On the basis of the facts and findings described above, the EDPS issues a reprimand

      the Commission for the above infringements, in accordance with Article 58(2)(b) of the
      Regulation.

6.2. The EDPS has chosen a reprimand as an appropriate and proportional corrective
      measure, given the seriousness of the infringements and the fact that the processing
      involved special categories of personal data. A primary purpose of the EDPS’ power to
      issue a reprimand under Article 58(2)(b) of the Regulation is to achieve a dissuasive
      effect and to make it clear to the EU institution concerned that it has infringed the

      Regulation.

6.3. As per now settled case-law, the Regulation leaves the supervisory authority a
      discretion as to the manner in which it must remedy the shortcomings found, since
      Article 58(2) thereof confers on that authority the power to adopt various corrective
      measures. Thus, the Court has already held that the supervisory authority must
      determine which action is appropriate and necessary, and must do so taking into

      consideration all the circumstances of the specific case and executing its responsibility
      for ensuring thatthe Regulation is fullyenforcedwith alldue diligence. Thatdiscretion
      is, however, limited by the need to ensure a consistent and high level of protection of
      personal data through strong enforcement of the data protection rules.    53



53
  Case C-768/21, TR v Land Hessen, ECLI:EU:C:2024:785, paras. 37 and 38.



                                                                                            186.4. In the consideration on the exercise of corrective powers, the EDPS has taken into
      account, as a mitigating factor, that the Commission has stopped the campaign in
      question and, thus, the relevant processing is no longer ongoing. Given that the
      relevant processing of personal data is no longer ongoing, the EDPS notes that other
      corrective powers, such as an order to bring the processing operation into compliance

      as per Article 58(2)(e) of the Regulation, or to impose a temporary or definitive
      limitation on processing as per Article 58(2)(g) of the Regulation, would not be fit for
      purpose in the present case.

6.5. The present Decision is without prejudice to any follow-up or other actions the EDPS
      might undertake in the future with regard to the supervision of the Commission.

6.6. Pursuant to Article 59 of the Regulation, the Commission must inform the EDPS of its
      views and describe the measures it has taken in response to our remarks within three
      months of the date of this Decision.

6.7. The EDPS intends to make public the facts of this complaint and the final outcome,

      including the actions taken in response by the Commission. If any part of this Decision
      should be regarded as confidential, this should beindicated clearly and reasons should
      be provided, so that those parts can be dealt with accordingly where appropriate.

6.8. This may be particularly relevant from the perspective of the right of access to the file
      under Article 41(2)(b) of the Charter. In accordance with that provision, everyone has
      a right of access to his or her file, while respecting the legitimate interests of
      confidentiality and of professional and business secrecy. In order for the EDPS to be
      able to assess, and possibly accept, any claim of confidentiality, the stated reasons

      should detail, in respect of each part the party considers confidential, how disclosure
      would likelycause serious harm to the party’s interests or the interests of athird party.

7. Judicial remedy

7.1. Pursuant to Article 64 of the Regulation, the Commission and any party which could
      be adversely affected by this Decision may bring an action for annulment against this

      Decision before the Court of Justice of the European Union, within two months from
      the adoption of the present Decision and according to the conditions laid down in
      Article 263 TFEU.




Done at Brussels

















                                                                                            19