As is well known, on June 5, 2018, following a referral by the German Federal Administrative Court (Case C‑210/16), the ECJ ruled in the matter of Facebook fan pages, contrary to the previous instances, that the operator of a Facebook fan page is jointly responsible with Facebook, because the operator influences, through suitable settings, which personal data Facebook collects and processes from visitors to the fan page, among other things in order to provide the operator with anonymized evaluations. This ruling is explosive not so much because of fan pages, but because it significantly expands the scope of joint responsibility by making it clear
- that even a very limited degree of co-determination by a company is sufficient to establish joint responsibility (because “joint” does not mean “equal”), and
- that a party can also be jointly responsible if it has no access at all to the personal data in question and does not necessarily process the data itself (as long as it influences the purposes or means of the processing). This is relevant, for example, in the case of jointly used but client-separated systems within a group.
In practice, this raises the question of what room is left at all for separate responsibility and commissioned processing relationships, along with a number of follow-up questions (e.g.: Can a Swiss company be jointly responsible within the meaning of the GDPR if it is not itself subject to the GDPR [probably not; on the other hand, according to the ECJ ruling, its own data processing, for which the applicability of the GDPR would have to be examined, is apparently not required]; is the exchange of data between jointly responsible parties privileged, so that a separate legal basis for the exchange is not required; how are agreements between the jointly responsible parties within the meaning of Art. 26 GDPR to be structured; what is to be stated in privacy policies in this regard [e.g., a link on the fan page to a privacy policy that covers the topic of fan pages as well as possible makes sense]; how is joint responsibility to be reflected in intra-group data exchange agreements, etc.).
On September 5, 2018, the German Data Protection Conference (DSK) subsequently adopted a decision:
Without an agreement pursuant to Art. 26 GDPR, the operation of a fan page as currently offered by Facebook is unlawful. Therefore, the DSK demands that the requirements of data protection law are now met when operating fan pages. This includes, in particular, that the jointly responsible parties create clarity about the current factual situation and provide the required information to the affected persons (= visitors to the fan page).
However, joint responsibility also means that fan page operators (whether public or non-public) must ensure the legality of the data processing for which they are jointly responsible, and must be able to prove this. In addition, data subjects can exercise their rights under the GDPR in respect of and against each of the responsible parties (Article 26 (3) of the GDPR).
In particular, it must therefore be possible for both Facebook and fan page operators to answer the questions listed in the annex.
On September 11, 2018, Facebook already presented an agreement within the meaning of Article 26 of the GDPR, created under time pressure (“Page Insights Controller Addendum”), which includes the following:
Facebook Ireland Limited (“Facebook Ireland”) and you are joint controllers for the processing of Insights Data.
[…] Facebook Ireland agrees to take primary responsibility under the GDPR for the processing of Insights Data and to comply with all applicable obligations under GDPR with respect to the processing of Insights Data […]. Facebook Ireland will also make the essence of this Page Insights Addendum available to data subjects. […] You agree that only Facebook Ireland may take and implement decisions about the processing of Insights Data. Facebook Ireland decides in its sole discretion how to comply with its obligations under this Page Insights Addendum. […] […]
If you are contacted by data subjects or a supervisory authority under the GDPR with regard to the processing of Insights Data and the obligations assumed by Facebook Ireland under this Page Insights Addendum (each a “Request”), you will forward all relevant information to us promptly but within a maximum of 7 calendar days.
[…] You agree to take all reasonable endeavours in a timely manner to cooperate with us in answering any such Request. […].
[…]
Facebook’s assumption of primary responsibility is undoubtedly a relief for page operators. It also shows once again that joint responsibility need by no means be an equal responsibility. Nevertheless, fan page operators are advised to continue to refer to their own privacy policy and to state there, for example, the legal basis for the use of the fan page (e.g., their legitimate interest).