05 Jun 2018
The Court of Justice of the European Union (CJEU) ruled today that a German company operating in the field of educational services by means of a fan page on Facebook must be regarded as a controller, jointly responsible, within the EU, with Facebook Ireland (Facebook’s subsidiary) for the processing of personal data of Facebook users and persons visiting the fan page.
Facebook Ireland carried out the processing by placing cookies on the computers or other devices of persons visiting the fan page. The cookies store information in the browser and enable the fan page administrator to obtain statistics produced by Facebook, which make the administrator aware of the profile of the visitors so that it can offer them relevant content and develop functionalities likely to be of more interest to them.
As the CJEU noted, the administrator of a fan page hosted on Facebook, by creating such a page, gives Facebook the opportunity to place the cookies and takes part in determining the means and purposes of processing the visitors' data, by defining the parameters depending on the target audience and the objectives of managing and promoting its activities.
Although the ruling interprets the Data Protection Directive, which preceded the General Data Protection Regulation (GDPR), it is a reference point for determining which entities or persons hold the position of controller under the GDPR, as the concept of controller remains fundamentally similar under the Regulation.
Most legal obligations under the GDPR have been allocated to the controller, such as providing information to the data subjects, ensuring that the processing has a legitimate basis, complying with the data protection principles, conducting data protection impact assessments in case of high risk, ensuring the appropriate security of data and determining whether notification to the supervisory authorities or data subject is necessary in case of a personal data breach. Under the e-Privacy Directive, the use of cookies for gaining access to or storing of information in the terminal equipment of a user is allowed only on the condition that the user concerned has given their consent, having been provided with clear and comprehensive information, in accordance with data protection law.
In light of the above, the administrators of fan pages on Facebook need to consider themselves controllers and comply with their corresponding legal obligations under the GDPR, the e-Privacy Directive and data protection law.