Are you the owner of a Facebook fan page?
Then you should be aware that, according to the ECJ ruling of June 5, 2018, the use of social networks entails a data protection responsibility for the fan page operator, who must comply with all the obligations defined in the GDPR. What is also new is that the fan page operator can no longer simply point to Facebook: data subjects and data protection authorities can contact the respective fan page operator directly.
This ruling states that the operator of a Facebook fan page is jointly responsible with Facebook for processing the personal data of visitors to its page. The owner of a fan page should therefore fulfill its extensive data protection obligations, such as Article 5 GDPR (principles for the processing of personal data, for example purpose limitation and data minimization), in order not to risk prohibition orders, warnings or penalty payments.
Facebook collects a large amount of user data for page owners and makes it available to them free of charge. The collection takes place through cookies, without the knowledge of the visitors. Fan page owners cannot refuse this data provided by Facebook. Because the cookies contain user IDs and can be combined with the Facebook login data, anonymity can no longer be maintained.
Is the ruling already legally binding?
The ruling of the Federal Administrative Court, which must implement the ECJ’s requirements into national law, is still pending. This may take several months.
Does it make sense to shut down my Facebook fan page until this decision is made?
If you are generally afraid of the risk, you should think twice about operating a Facebook fan page. Otherwise, you can also wait for the pending ruling of the Federal Administrative Court and then act accordingly.
Where do legal pitfalls lurk?
Since Facebook fan page operators have no direct insight into Facebook’s processing activities, it is difficult to adequately inform users about all processing steps and purposes. From a technical point of view, it is also a great challenge to implement legally flawless consent according to Article 7 GDPR. Bear in mind that consent can be revoked at any time in accordance with Article 17 of the GDPR, the “right to be forgotten”, which then also removes the basis for data processing.