05 Jun 2018
The Court of Justice of the European Union (CJEU) ruled today that a German company operating in the field of educational services by means of a fan page on Facebook must be regarded as a controller, jointly responsible, within the EU, with Facebook Ireland (Facebook’s subsidiary) for the processing of personal data of Facebook users and persons visiting the fan page.
The processing was carried out by Facebook Ireland by placing cookies on the computer or other devices of persons visiting the fan page, whose purpose is to store information on the browser and to enable the fan page administrator to obtain statistics produced by Facebook, making it aware of the profile of the visitors so it can offer them relevant content and develop functionalities likely to be of more interest to them.
As CJEU noted, the administrator of a fan page hosted on Facebook, by creating such a page, gives Facebook the opportunity to place the cookies and takes part in the determination of the means and purposes of processing the data of visitors, by defining the parameters depending on the target audience and the objectives of managing and promoting its activities.
Despite that the ruling was given in interpretation of the Data Protection Directive, which preceded the General Data Protection Regulation (GDPR), it is a reference point for determining, under GDPR, the entities or persons holding the position of controller under GDPR, as the concept of controller remains fundamentally similar under the Regulation.
In light of the above, the administrators of fan pages on facebook need to consider themselves as controllers and comply with their corresponding legal obligations under GDPR, e-Privacy Directive and data protection law.