Challenges in the handling of personal data in Real-Time Bidding (“RTB”)

The TCF (currently in its version TCF 2.0) is relied on by many organizations in Europe and Switzerland.

Moreover, the BDPA’s decision also takes a stand on the lawfulness of processing in the context of Real-Time Bidding (“RTB”):

• The BDPA’s decision applies the overall tendency of EU supervisory authorities and courts to give a very broad interpretation to the notion of joint controllership, with the BDPA holding that IAB Europe, publishers, CMPs and AdTech vendors are jointly responsible for the processing of users’ preferences and consent under the TCF, the dissemination of such information and the data processing based thereon.
• Also the notion of personal data is interpreted broadly in line with previous tendency (cf. decision of the Austrian Data Protection Authority re: Google Analytics, 22.12.21), as the BDPA referred to the concept of singularization for the definition of personal data, whereby it is in principle sufficient for the qualification as “personal data” if a person can be sufficiently singled out (e.g. by assigning identification numbers in order to individualize website visitors for advertising purposes).

The BDPA acted as lead supervisory authority and cooperated with supervisory authorities of other EU member states before finalizing its decision, hence the decision may have a wider impact. Whilst IAB Europe has publicly stated that it will appeal the decision of the BDPA, the final decision might have implications for all actors involved in the online advertising chain, as they may possibly be held responsible by an EU supervisory authority as “joint controllers” for infringements of the GDPR in the context of their participation to the TCF.