The decision of the ECJ of 5 June 2018 is expected to have far-reaching significance for companies that have a fan page on Facebook (the company’s webpage on Facebook), where the company promotes itself. The decision states that companies which administer a Facebook fan page can potentially face a penalty if the company does not comply with the rules on personal data processing.
The decision is made on the basis of a case from Schleswig-Holstein, where a German company named Wirtschaftsakademie ran a Facebook fan page at the following Internet address: www.facebook.com/wirtschaftsakademie. In 2011, the Data Protection Agency of Schleswig-Holstein decided that the company had to deactivate its Facebook fan page. The reason for this was that neither the company nor Facebook had informed the visitors of the fan page that their personal data were collected and processed by means of cookies.
The German company claimed that it could not be responsible for Facebook’s data processing operations, and that it had not instructed Facebook to process the data which Facebook was in possession of.
The ECJ found that Facebook is undoubtedly the data controller for the processing of personal data that comes from Facebook users and from the Facebook fan pages that Facebook provides to companies such as Wirtschaftsakademie.
Furthermore, the ECJ concluded that Wirtschaftsakademie, as administrator of the fan page, is a data controller jointly with Facebook.
The justification for the joint data responsibility is that the administrator of a fan page takes part in determining the purpose of the data processing and the methods that are used when processing the visitors’ data. In particular, emphasis was placed on the fact that the administrator can obtain demographic data by using a unique ID number and thereby request personal data relating to the company’s target group. This is data such as age, gender, occupation, lifestyle information etc. With these data, the company can target its marketing efforts because the unique ID numbers can be linked to the information that Facebook is in possession of.
The ECJ found that when a company chooses to be an administrator of a fan page and use the platform that Facebook provides, that company cannot be exempted from its obligations towards the protection of personal data.
Joint data responsibility is only relevant when several parties share the responsibility for processing and if each party can use the personal data for its own purposes. As joint data controller, you are responsible for ensuring compliance with GDPR. The people whose personal data are being processed can contact any of the data controllers and exercise their rights. As joint data controllers, the parties are jointly and severally liable for potential penalties or compensation to those who are affected by a potential breach.
Lund Elmer Sandager’s comments
Organizations’ use of social media, such as Facebook, to interact with their surroundings, especially customers, has in recent years become a widespread phenomenon. The ECJ now imposes on companies, organizations etc. a joint responsibility with Facebook.
Furthermore, it is worth paying attention to the fact that the ECJ’s decision is made on the basis of the Data Protection Directive. The same interpretation will most likely apply when the ECJ is to interpret GDPR, which came into force on 25 May 2018, because the fundamental provisions of the Directive on data controllers are re-enacted in GDPR.
As an owner of a Facebook fan page, you should be aware of the following, among other things:
- You are jointly responsible with Facebook for complying with GDPR
- An agreement about joint data responsibility must be made
- You and Facebook are jointly and severally liable to pay any compensation
If you have questions about the article or about personal data processing in your organization, please contact Attorney Torsten Hylleberg or Assistant Attorney Oliver Valcelli.
By certified IT Attorney Torsten Hylleberg of Lund Elmer Sandager