22. February 2019

Company pages on Facebook & data protection law

Mainz, February 22nd, 2019 – What must be considered under data protection law if my company operates a Facebook page? Below is a brief overview of the current state of affairs.

1. The ECJ judgment

Following a request from the Federal Administrative Court, the European Court of Justice ruled on 5 June 2018 that not only Facebook itself but also the site operator is responsible for the processing of personal data.

The ECJ holds that Facebook and the company that manages the page are jointly responsible for protecting the privacy of the affected users of Facebook pages. The degree of liability should be assessed taking into account all the relevant circumstances of each case. The judgment is primarily about the site operator’s ability to query demographic data about its visitors, as well as behavioral and interest-based advertising.

2. The assessment of the “Data Protection Conference” (DSK)

In its first resolution of 6 June 2018, the Conference of the Independent Data Protection Authorities in Germany (DSK) identified three essential points that had to be met:
– Transparent information about the data processing by the site operator and by Facebook.
– Consent of the user to personal tracking.
– Conclusion of a joint responsibility agreement under Art. 26 GDPR.

The DSK subsequently published a resolution on Fan Pages on September 5, 2018. According to that resolution, the data protection requirements for Facebook pages are not considered fulfilled. On September 11, 2018, Facebook announced it would inform all site owners about upcoming changes to the Terms of Use. Following this, Facebook published this information as a “page insights controller addendum”. The DSK stated in its report of January 14, 2019 under agenda item (TOP) 9 “that even with this page insights addendum, among other things, sufficiently detailed and binding information about the processing by Facebook is still missing.”

3. What to do?

The Facebook pages of companies are therefore currently still in a legal gray area. The reason for this, in the view of the privacy advocates, is above all the lack of consent to the tracking of users and the question of whether the information provided by Facebook complies with the transparency principle of Art. 12 GDPR and the duty to inform under Art. 13 GDPR. The possibilities for operators of Facebook pages to remedy these issues are currently limited:

  • A contract with Facebook according to Art. 26 GDPR does not seem to be practically possible.
  • However, the site operator can fulfill its information duties in the best possible way. In this regard, the site operator can draw on the privacy policy of its own website.
    This information could in turn be supplemented by the information from Facebook in the “page insights controller addendum”.
  • There is currently no reason to rush into action and delete the pages before the final decision of the Federal Administrative Court (BVerwG). The Federal Ministry of Justice and Consumer Protection, which can still be found on Facebook, apparently takes the same view (last accessed on 22.02.2019).