Facebook comments

Thursday, November 29, 2018

GDPR decision to use Facebook Custom Audience

Is the ECJ ruling on Facebook fan pages adequately implemented?

In 2018 an agreement on the General Data Protection Regulation (GDPR) was published as the result of the ECJ's Facebook fan pages decision. Its goal should be for Facebook to comply with this judgment. An analysis of the decision as it relates to Facebook Custom Audience.

The European Court of Justice ruling on the Data Protection Regulation

Following a ruling by the European Court of Justice, as confirmed on the 5th of June 2018, Facebook is directly responsible for the processing and collection of personal data at the EU level. On its platform, Facebook determines all purposes and means of its processing activity. Proof of this is the fact that companies or persons who want to maintain a Facebook fan page commit themselves, by registering, to the terms of use and the data processing of Facebook.

In the relationship in question, Facebook is not acting as a processor; it determines the purpose and the way in which it stores and evaluates users' data.

On the other hand, the operator of the fan page, who can define parameters for the page and the activities developed from it, is also considered responsible. The operator can thus define target groups and decide which other activities and campaigns to organize via the fan page. For example, companies that operate Facebook fan pages are classified as jointly responsible according to the ECJ ruling (Art. 26 GDPR).

The implementation of the ECJ ruling of the Bavarian Administrative Court based on Facebook

Following the ECJ ruling, Facebook has published an agreement. It states that the company wants to comply with the requirements of the judgment. However, on closer inspection, there are considerable doubts. The "Agreement" presented by Facebook in this context reflects some elements of processing on behalf of a controller under Article 28 of the GDPR, instead of conforming to Article 26 of the Regulation, which refers to the joint controller contract. This applies in particular if an online shop is operated with the participation of Facebook. The following points deserve particular mention:

  • Not only data and documented instructions of the customer are processed by Facebook.
  • Employees and employers who have access to personal information must be subject to a special confidentiality clause, to which they must declare their consent.
  • Under special conditions, Facebook undertakes to delete or otherwise return personal data.
  • Persons in charge who have a Facebook account, or have one created by an authorized auditor, have the right to scrutinize.
  • As Facebook users' data is transferred to the US, a reference to existing EU standard contractual clauses must be made.

Further critical points resulting from this ruling to keep in mind:

  • Subcontracting is permitted without written permission or a right to object.
  • For requests from stakeholders, support does not require a specific format.
  • No further documentation is needed for organizational and technical measures.
  • Evidence provided in a SOC 2 Type II report shall be declared appropriate and sufficient to comply with all technical and organizational measures.


One should expect a global corporation such as Facebook to be aware of the difference between a joint controller contract and an agreement under Article 28 of the General Data Protection Regulation. It should work out an agreement on this which contains well-sounding phrases that are almost right under data protection law. This should make it clear to everyone involved that Facebook is solely responsible, as it only processes data for its own purposes.