In its judgment in Case C-40/17 (Fashion ID case), the Court of EU finds that the operator of a website that features a Facebook ‘Like’ button can be a controller jointly with Facebook.
When a visitor consults the such website, that visitor’s personal data are transmitted to Facebook. That transmission occurs without that visitor being aware of it and regardless of whether or not he or she has a Facebook profile or has clicked on the ‘Like’ button.
Secondly, the Court holds, that the operator of a website cannot be considered to be a controller in respect of the operations involving data processing carried out by Facebook after those data have been transmitted to the latter.
By contrast, the operator can be considered to be a controller jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to its website.
Furthermore, the operator of a website must provide, at the time of their collection, certain information to those visitors. For example, its identity and the purposes of the processing of the data.
The information that the operator must provide to the data subject need relate only to the operation or set of operations involving the processing of personal data in respect of which that operator actually determines the purposes and means.
In addition, the operator must obtain a visitor’s prior consent (solely) in respect of operations for which it is the (joint) controller, namely the collection and transmission of the data.
With regard to the cases in which the processing of data is necessary for the purposes of a legitimate interest, each of the (joint) controllers, namely the operator of a website and the provider of a social plugin, must pursue a legitimate interest through the collection and transmission of personal data in order for those operations to be justified in respect of each of them.
In conclusion, the Court of EU rules, that the operator of a website, that embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor can be considered to be a controller.
That liability is limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means, that is to say, the collection and disclosure by transmission of the data at issue.
The court has already ruled that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of data relating to visitors to its page (Case: C-210/16).
For more information regarding GDPR please do not hesitate to contact us by e-mail: firstname.lastname@example.org or call us on: +359 2 851 72 59.