On June 5, the European Court of Justice (ECJ) released its preliminary ruling in the case Wirtschaftsakademie Schleswig-Holstein. The ECJ found that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of data of visitors to the page.

By creating a fan page on Facebook and defining the criteria for the drawing up of statistical data by Facebook, “the administrator … contributes to the processing of the personal data of visitors to its page”. This is notwithstanding the fact that “the audience statistics compiled by Facebook are indeed transmitted to the fan page administrator only in anonymised form” – a statement which may have an impact on data-driven business models beyond the circumstances of this particular case.

According to the ECJ, Directive 95/46 does not, where several operators are jointly responsible for the same processing, require each of them to have access to the personal data concerned. The administrator of a fan page “must be regarded as taking part, by its definition of parameters depending in particular on its target audience and the objectives of managing and promoting its activities, in the determination of the purposes and means of processing the personal data of the visitors to its fan page”.

The ECJ further notes that the fact that Facebook and the administrator of a fan page are jointly responsible does not necessarily mean that they are equally responsible, as they may be involved in different stages of the processing and to different degrees.

In essence, the ECJ’s preliminary ruling seems to confirm that Facebook and the administrators of fan pages hosted on Facebook should be qualified as joint controllers. Although the concept already existed under Directive 95/46, it is now further clarified by the GDPR, applicable as of 25 May 2018. Article 26 requires joint controllers to establish, by an arrangement and in a transparent manner, their respective responsibilities for complying with the Regulation, in particular as regards the exercise of the rights of the data subjects and their respective duties to provide the information referred to in Articles 13 and 14 GDPR. The parties may also designate a common point of contact for the data subjects. A particularly sensitive matter in such contracts is the distribution of risks and responsibilities between the joint controllers, as Article 82(4) GDPR establishes that each joint controller may be held liable for the entire damage which may be caused to a data subject.

The information contained in this post is not intended to and does not constitute legal advice under Bulgarian law or under the laws of any other jurisdiction and is provided for informational purposes only.