Social media in particular, and specifically microblogging
Companies that are active on social media especially need to pay attention to a few data protection issues.
Two processing contexts need to be considered:
Processing on your own website:
Companies must first ensure that this data processing is lawful. Since most of this data processing is cookie-based, as a rule it is lawful only if the data subjects have given their consent. This is often accomplished with a cookie consent banner.
In addition, as mentioned above, data is frequently also transmitted to the operator of the respective social medium. That often leads to a long chain of transmissions that ends with the relevant parent company in the United States. Since the USA (at the time of this writing :-)) is not a member of the EU, the companies have to obtain security guarantees for the data and the data subjects (e.g. standard contractual clauses). Depending on the circumstances, that can present a complex challenge.
On top of that, the processes also need to be sufficiently transparent and secure. Well, if that’s all there is to it…
Processing within the account in social media:
When data subjects access a social medium on their own, additional processing steps may take place. For instance, visitor statistics may be analyzed or targeted marketing may continue (for example through ads).
For the most part, this brings up the same issues around legality, transparency, and security. But there is one more fact to consider: companies that are represented in social media and process data usually have very little influence on the actual data processing. Among other things, that means the companies share responsibility for data processing with the social media operators.
As a rule, using a social medium, including a microblogging service, requires:
- consent from the data subjects.
- a guarantee that the data will be processed securely outside the EU.
- transparency regarding the processing steps.
- a customized security concept.
How does that work with Mastodon?
With Mastodon, the situation is different. Mastodon and Twitter diverge in many ways. Unlike Twitter, Mastodon is a decentralized microblogging service. In other words, instead of a central provider, it consists of private individuals, associations, and other organizations that operate interlinked servers (known as instances), and the data is processed “only” by the accessed instance.
That means central data processing (publishing posts, retrieving posts, interacting with posts) is the responsibility of the instance operator. Companies with a Mastodon account thus process data only in the sense that they document responses to their posts.
However, this process doesn’t generally require consent. According to Article 6 (1) Sentence 1 lit. f GDPR, such processing steps may be permissible even without consent. The legitimate interest should follow from the basic rights regarding freedom of communication and freedom of opinion.
So how can Mastodon be used in compliance with data protection laws?
To use Mastodon in compliance with data protection laws, the following points must be considered:
- Your own list of processing activities should include the use of Mastodon.
As a rule, it will not be necessary to obtain consent.
Incidentally, Stanhope is also active on Mastodon, under @firstname.lastname@example.org.