A recent European Court of Justice (ECJ) decision has ruled that the administrator of a fan page on Facebook was a joint data controller with Facebook for the processing of data on that page, a decision which should make those who run similar pages on Facebook or other social media websites sit up and take note.
The ruling in the case (Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH (Case C‑210/16) EU:C:2018:388 (5 June 2018)) was based on the Data Protection Directive which has since been superseded by the General Data Protection Regulation (GDPR), but the outcome of the case is arguably equally valid under the GDPR.
The dispute was between the German data protection authority and a German company which offered educational services via a fan page hosted on Facebook. Viewing statistics were collected about the page using Facebook’s cookies and this information was used by the German company as the administrator of that fan page.
The German data protection authority alleged that the fan page infringed data protection law as it did not warn visitors that their personal data was collected by the placing of cookies on their computer. This would be the data controller’s responsibility and the question was therefore whether the data controller was Facebook alone or both Facebook and the page administrator.
The ECJ ruled that the page administrator was a joint data controller with Facebook as it was responsible for determining the purposes and means by which Facebook processed the personal data of those visiting it (by requesting data from visitors and using it to target its product through special offers and events). Even though Facebook hosted the platform, the administrator was benefiting from the fan page.
The ruling from this case confirms that an administrator of a fan page hosted on a social network can be considered a “controller” of personal data and would, therefore, be subject to the obligations placed on data controllers in the GDPR. The case also highlights the need to have suitable privacy notices in place setting out how processing (including the use of cookies) will occur.
If you want to discuss any aspect of your business’ compliance with the GDPR, please contact Matt Worsnop on 0116 281 6235.
Categorised in: Corporate and Commercial, IT & Telecoms, News
Tags: Data Protection, GDPR, General Data Protection Regulation