Skip to main content
News

Facebook and Administrators of Fan Pages considered as Joint Personal Data Controllers

9. July, 2018No Comments

Facebook and Administrators of Fan Pages considered as Joint Personal Data Controllers

A German educational company (Wirtschaftsakademic Schleswig Holstein – WSH) set up its page on the Facebook platform (i.e. a fan page). Through this page WSH marketed its services by publishing notifications. To publish the notifications that are most relevant to its visitors, WSH used the function called “Facebook Insights”. This function operates in a way that WSH, using available filters, choses the criteria based on which Facebook generated its page statistics for WSH. Based on these statistics, WSH became acquainted with profiles of the visitors of WSH’s page and could therefore offer them the content the visitors were more interested in (for example, if WSH’s page was mostly visited by people in the age group between 18-25, WSH prepared content for this age group). The data was collected in such a way that Facebook set up cookies on the computer of the WSH page visitors. Visitors to the WSH page were not notified of this cookie installation page. As a result, the question arose, as to whether WSH should have informed the visitors about this and further, whether WSH was considered to be the controller of its visitors’ personal data.
In a recent judgment (Case C-210/16), the Court of Justice of the European Union decided that WSH is responsible for the processing of data and is, therefore, in addition to Facebook, considered to be the data controller of its page visitors’ personal data. Namely, this is because WSH choose and determined the criteria and the means of processing personal data of WSH’s page visitors, along with Facebook. Facebook and the administrators of such fan pages on Facebook are, therefore, considered as joint personal data controllers, which means that both of them must respect the provision of Article 26 of the GDPR.
From 25 May 2018 onwards, joint operators have been required, in a transparent manner and by mutual agreement (for example by concluding a contract on the joint management of personal data), determine how individuals are to be informed about the information referred to in Article 13 of the GDPR and how they will implement the rights of visitors or users of such Facebook pages. Based on the above-mentioned judgment that the responsibility to inform individuals is vested to both Facebook and the company using the Facebook platform as the administrator or public profile administrator. However, several questions remain, namely as to how Facebook shall accept requests from companies wishing to sign a joint management contract with Facebook, whether companies shall decide to remove their pages for fear of astronomical penalties, etc. One company, for example, has already opted to do so.