Facebook verdict: Additional agreement for Fanpage operator

After it had become quiet for several weeks around the Facebook Fanpage problem, now a few things happened within a few days. In its ruling of June 2018, the ECJ found that in addition to Facebook itself, the fan page operators were also responsible for processing the data of fan page visitors. Pursuant to Art. 26 GDPR, those responsible are jointly obliged to reach an agreement in transparent form on who fulfills which obligations under the GDPR (so-called Joint-Controllership-Agreement). The obligations governed by the GDPR include, in particular, the protection of the rights of persons subject to processing, such as the right to information and information within the meaning of Art. 13 to 15 GDPR.

Just a few days after the ruling, the Conference of Independent Data Protection Authorities of the German federal and state governments (DSK) commented on the problem and demanded a corresponding agreement from Facebook and the site operators. Facebook also spoke up and announced an adaptation of the terms of use for fan page operators.


The words followed, however, initially no action, which is why the DSK took on 05.09.2018 for the second time position on the much-discussed “Fanpage” ruling of the ECJ. In the new decision now – in contrast to the rather vague first statement – concrete requirements for Fanpage operator made. In particular, the DSK deals with the agreement on joint responsibility under Art. 26 GDPR. In the absence of such an agreement, the operation of the Facebook fan page is unlawful.

Facebook provides required agreement

The judgment of the European Court of Justice, DSK’s statements and Facebook’s lack of response caused considerable uncertainty among fanpage operators. Now, however, Facebook has responded a few days after DSK’s second decision and provided a document entitled “Page Insights Supplement Regarding the Responsible”. Although the title does not indicate that this is the agreement required by the GDPR, this is not necessary under Art. 26 GDPR, the content of the document is decisive.

The amended terms and conditions set out that the site operators and Facebook are jointly responsible for processing Insights data. Using this data provided by Facebook, site operators can make a statistical evaluation of visitors to their site. The possibility of using this data was the decisive point in the decision of the ECJ to oblige site operators under data protection law.

In addition, Facebook guarantees the provision of the “essential aspects” of the document for all data subjects, thus also the criterion “in a transparent form” i.S.d. Art. 26 GDPR is to be fulfilled. Conversely, this also means that the supplement to the Terms of Use does not apply to any data processing on the fanpage, but only to the processing of Insights data.

Primary responsibility for data protection lies with Facebook

For the processing of the Insights data Facebook will take over the primary responsibility. This applies in particular to the data subject rights regulated in Articles 12 to 22 of the GDPR and the data security and notification of data breaches regulated in Art. 32-34 GDPR.

In addition, it is agreed that data controller will be Facebook Ireland (main office of Facebook in the EU). This has gem. As a result of Article 56 GDPR, the Irish data protection authorities throughout Europe will be in charge of all relevant matters. Judicial and litigation will also be Ireland. Requests from national data protection authorities and data subjects must be forwarded to Facebook Ireland within seven days via a form.

What Fanpage operators should consider now

Although the primary responsibility for processing the Insights data is now on Facebook Ireland, the new Terms of Use still imposes some obligations on the site operators.

First, the agreement requires the site operators to designate the controller. According to an English note from Facebook, the details of the responsible company and its data protection officer, including their contact details, can be entered in the “About” section via “Edit Page Info”.

Furthermore, site operators must ensure that the processing of the Insights data is based on a legal basis pursuant to Art. 6 para. 1 GDPR. A permit under Art. 6 para. 1 sentence 1 lit. Come DSGVO. This legitimizes the processing of personal data if the processing person has a predominant interest in the processing of the data subject – e.g. Direct mail.

In addition, the site operator also has the duty to inform the data subjects about the processing of the data by listing a link to their own privacy policy on the fanpage in the information area under Data Policy and displaying it to the users. Accordingly, the own privacy policy must be supplemented with a text module for joint responsibility in the operation of the fan page including legal basis.

The DSK has further requirements

In addition, it should be noted that the above-mentioned new decision of the DSK in the annex contains a questionnaire, which all site operators (and Facebook) should be able to answer. This goes in part beyond the agreement according to Art. 26 GDPR. For example, the DSK wants answers to questions like:

  • For what purposes and on what legal basis are entries made in the so-called local storage at the first call of a fan page even for non-members?
  • For what purposes and on what legal basis are a session cookie and three cookies with lifetimes between four months and two years stored after calling a subpage within the fanpage offer?

This is of course information that is not available to the site operator, but only Facebook alone. Again, the social network must move again and provide the required information.


After the uncertainty of the past few months, this agreement of Facebook reduces the risk of operating the fan page enormously, since the existing “loopholes” can be largely closed.

However, the reaction of the German data protection authorities is to be awaited. A final assessment will not be possible until initial court decisions have been taken on this matter.

Kathrin Schuermann 10X15 300Dpi
Kathrin Schürmann (Photo: Schürmann Rosenthal Dreyer)

Kathrin Schürmann, lawyer for the digital business

Kathrin Schürmann is a lawyer and partner at SCHÜRMANN ROSENTHAL DREYER. In addition to copyright and media law, data protection and competition law, Ms. Schürmann specializes in the entire marketing area, especially at the threshold between competition and data protection law. A particular focus of her work is on advising companies in the fields of digital business, technology and the media.

Leave a Reply

Your email address will not be published. Required fields are marked *