Blog
Blog » I GET “ONLY” STATISTICAL DATA FROM FACEBOOK – AM I DATA CONTROLLER UNDER GDPR?
I GET “ONLY” STATISTICAL DATA FROM FACEBOOK – AM I DATA CONTROLLER UNDER GDPR?
18 June 2018
Besides having a website, vast majority of businesses have company pages on the social networks like Facebook, Linkedin, etc. Do you become a data controller, being primarily responsible for data processing, if you get “only” statistical information of your visitors? The Court of Justice of the European Union addressed this question in its recent ruling.
Facts
Wirtschaftsakademie Schleswig-Holstein Gmbh is a company registered in Germany, providing educational services, having a website and maintaining a so-called “fan page” on Facebook.
Together with creating its Facebook page, Wirtschaftsakademie has started to use the Facebook Insights function, provided to him by Facebook, based on a free, non-negotiable contract.
In the framework of “Facebook insights” Facebook places “cookies” on the hard drive of the user visiting the fan page, which contains an individual code and is active for 2 years. Facebook collects personal data of the user by means of cookies and forwards these data in anonymized form to the administrator of the Facebook fan page.
Given that neither Facebook, nor Wirtschaftsakademie informed the users about the use of cookies, the German data protection authority established the breach of rules governing the processing of personal data, and ordered Wirtschaftsakademie to deactivate its fan page.
Wirtschaftsakademie held that the German data protection authority should have started procedures directly against Facebook, because he used only a free function.
In addition, in the company’s opinion, the personal data was collected by Facebook who shall be considered as the data controller in this case. Since Wirtschaftsakademie received only anonymized, statistical data from the data controller, he is not responsible for notifying users.
The case in Luxembourg
The Court of Justice of the European Union had to decide the question who the data controller is, primarily responsible for the data processing: Facebook, Wirtschaftsakademie, or both?
As a starting point the EU Court laid down that in order to protect the data subjects effectively, instead a narrow interpretation of the concept of “data controller”, that term must be interpreted broadly.
Secondly, the EU Court emphasized, that it is out of question that Facebook shall be considered as data controller of the personal data of Facebook users, because he determines the purpose and means of data processing.
At the same time, in the EU Court’s view, it must be highlighted that Wirtschaftsakademie has significantly contributed to determining the purposes and means of the data processing. That is because when creating the fan page, it could set different filters through which he could determine the criteria that Facebook used for making the statistics.
Based on the above, Wirtschaftsakademie could request Facebook to collect demographic data (e.g age, sex, family status) or data relating to the lifestyle, center of interest or purchasing habits of the target audience, in order to make the advertisement of its educational services more targeted.
The EU Court held that by reason of the above factors, Wirtschaftsakademie has participated in determining the purposes and means of data processing, and thereby it must be considered together with Facebook, as a joint data controller.
Lastly, the EU Court remarked that it has no significance that the personal data were collected only by Facebook, and Wirtschaftsakademie received them in anonymised form, as statistic data, because data controllers shall not have access to the personal data collected for them.
Lesson learnt
If your company maintains a page on social networks, and participates in collecting personal data of users, it is important to check, whether users are informed about the data processing, even if you receive only statistical data of users from the operator of the social site.
Being joint data controller with the operator of the social network means that the joint controllers are responsible jointly and severally towards the users. So, in case a user thinks that his rights upon the GDPR were infringed, he is free to make a complaint against the operator of social network or your company.
-
CAN YOUR DEBTOR ESCAPE LIQUIDATION BY SETTING OFF CLAIMS IN HUNGARY?
The initiation of a liquidation procedure is an effective debt collection method, since the debtor may only avoid being liquidated by paying the claim if the conditions specified in the Act on Bankruptcy Proceedings and Liquidation (Bankruptcy Act) are met. For this reason, in the case of liquidation, one of the most common defences of the debtor is the reference to offsetting. But can the debtor refer to offsetting without limitation during liquidation? In our short article we answer this question.
Read more » -
SZIGET FESTIVAL FINED RECORD HUF 30 MILLION FOR GDPR BREACHES – WHAT WENT WRONG?
A few days prior to the first anniversary of the entry into force of the GDPR the Hungarian Data Protection Authority imposed the biggest data protection fine in Hungary so far. The target was the biggest Hungarian festival organizer company thanks to whom the public may enjoy the SZIGET, the VOLT or the Balaton Sound Festival. The Data Protection Authority reviewed the check-in system of the festival and the data processing in relation with the check-in. In our short article we summarize the mistakes the Authority identified.
Read more » -
CONSTRUCTION TRUSTEESHIP IN HUNGARY - GETTING PAID IN CONSTRUCTION PROJECTS AS SUBCONTRACTOR
Construction trusteeship, as mandatory collateral management of major private construction projects in Hungary, strives for protecting subcontractors against non-paying general contractor, by allowing direct payments from employer under certain conditions. How does it work in practice and what are the limits of subcontractor protection? We address these issues in this article.
Read more »