CIPP/E Study Guide
IAPP Training · Module 8 - BoK V.D

Module 8 · Online behavioural advertising (OBA) & cloud computing

OBA targets website ads on observed behaviour over time, often via third-party ad networks placing cookies with unique identifiers. OBA data is personal data (an online identifier), and all parties can be controllers. ePrivacy Article 5(3) applies to cookies regardless of whether the data is personal - consent + clear information required. In cloud computing the provider is usually a processor but becomes a controller if it determines essential means or processes for its own purposes.

OBA targets website advertising on observed behaviour over time, often via third-party ad networks placing cookies with unique identifiers. OBA data is personal data ('online identifier'). All parties can be controllers: the ad network (often a controller), the publisher (possibly a joint controller) and advertisers (independent controllers). ePrivacy Article 5(3) applies to cookies regardless of whether the data is personal - consent + clear information are required.

Cloud provider: processor or controller?
| Role | When |
| --- | --- |
| Processor (usual) | Acts on the customer's instructions; may pick hardware (a non-essential means) and stay a processor. |
| Controller | Determines essential means (e.g. retention periods), processes for its own purposes, or acts outside the customer's instructions. |

There is no cloud-specific EU law - the technology-neutral GDPR governs, applying via Article 3. Even if the provider isn't directly subject to the GDPR, its customer may be, so the Article 28 contract must contain the required controls.

Key terms - quick answers

What is “OBA”?
Online behavioural advertising - website ads targeted on a user's behaviour observed over time, often via third-party ad-network cookies with unique identifiers.
What is “Cloud computing”?
IT services delivered over the internet; the provider is usually a processor under Article 28, but can become a controller in some circumstances.
What is “Article 5(3) (ePrivacy)”?
ePrivacy rule requiring prior informed consent to store or access information on terminal equipment (e.g. cookies), regardless of whether the data is personal; strictly-necessary cookies are exempt.