Facebook page administrator is jointly responsible with Facebook for processing of personal data

June 2019 – Linda Eijpe

In the summer of 2018, the European Court of Justice (‘EUCJ’) rendered a noteworthy decision having far-reaching implications for owners/administrators of Facebook fan pages.

The EUCJ ruled that the administrator of the Facebook page, is a controller, jointly with Facebook, in respect of personal data which are processed on the Facebook page, through cookies.

Cookies on Facebook page process personal data

The case concerned the Facebook fan page of the German Wirtschaftakademie Schleswig-Holstein (‘WSH’). By means of cookies (personal) data of the visitors of this Facebook page were collected by Facebook. Said (personal) data were not provided to WSH. However, WSH did receive from Facebook (anonymous) user statistics. Said statistics could be used for promotional purposes of WSH.

Administrator and Facebook joint controller

In this case the EUCJ ruled that WSH could be considered, next to Facebook, to be joint controller, since WSH participated in deciding purposes (promotion) and means (settings/user statistics). According to the EUCJ, it is irrelevant to this that WSH did not receive the personal data, nor that it could have any impact on the policy and service of Facebook. Being jointly responsible, WSH is also co-responsible for complying with the GPDR.

Major impact for administrators

This decision has a major impact on the administrators of the Facebook pages. After all, they fully depend upon Facebook and can only check and enforce compliance with the obligations of the GDPR to a limited degree.