A company publishes photos featuring images of employees and board members in social media posts and on its website. Should all internet users be indicated as recipients of personal data in such a case, or only the platform owner?

ANSWER

When publishing photos containing images of employees or board members on a company's website or on social media, the recipients of personal data should be indicated primarily as the owner of the relevant platform (e.g. Meta, LinkedIn, X), and not every internet user.

Users of these platforms do not as a rule become recipients of data within the meaning of the GDPR in relation to the controller publishing the data — they are not the party to whom data is disclosed by the controller.

It may however be accepted that users of a social media platform may become recipients of data in relation to the platform owner — e.g. Meta — if they independently determine the purposes and means of further processing of the data (e.g. they copy, share or use the photo for their own purposes). In such a case, it is Meta that acts as the data controller in relation to those actions and that relationship.

In the context of transfers of personal data to third countries — publishing an image on social media platforms such as Meta may involve transferring data to entities established outside the European Economic Area, in particular to the United States.

At present, transfers of personal data to the USA in connection with services provided by Meta may take place on the basis of the EU–US Data Privacy Framework (the so-called Privacy Shield 2.0), approved by European Commission Implementing Decision of 10 July 2023 (Data Privacy Framework). Meta Platforms, Inc. has been certified under this mechanism.