Frank Spaeing

DSK publishes decision on Facebook Fan pages

Results of the 4thspecial conference of independent supervisory authorities of the Federal State and the States (DSK) on 5 September 2018.

As already reported here on 5 June 2018, the EuGH [European Court of Justice] ruled in its judgement of 5 June 2018 that Facebook and the operators of Facebook Fan pages will be held jointly responsible for Facebook Fan pages.

The DSK in its resolution of the same day commented on this, heightening concerns by the media in general (the resolution addressed, among other, several demands made on the operators of Facebook Fan pages, describing these asquite vague).

Facebook Fan page operators subsequently hoped that Facebook would act on its promise of providing an agreement pursuant to Article 26 GDPR.

Apart from publication of the Terms of use for data processing(Attention, this is a direct link to Facebook) early in August 2018, this remained an empty promise (at least to the author’s knowledge*).The linked terms of use also do not meet the requirements pursuant to Article 26 GDPR for agreements on joint responsibility.

The DSK held a special conference three months later, on 5 September 2018, where it passed a resolution on the Facebook Fan pages. The Berlin Data Protection Officer (Berliner Beauftragte für den Datenschutz) published this resolution on its website** today, 10 September 2018.

The DSK stipulates in this resolution that “running a Fan page as currently offered by Facebook is unlawful unless by an agreement pursuant to Art. 26 GDPR (…)”.
This is a clear statement, not addressed in this way under the first resolution.

This resolution, however, also poses concrete questions to the operators of Facebook Fan pages and Facebook itself on page three, questions they will need to respond to when the responsible supervisory authority questions them about a concrete Facebook Fan page (as expected soon).

The questions per se appear simple, but complications will soon arise:

“Annex: Questionnaire

  1. How is it determined who, between you and other jointly responsible entities, will meet which obligation under GDPR? (Art. 26 Para. 1 GDPR)
  2. Based on which agreement have you determined who will meet which duties to inform pursuant to Art. 13 and 14 GDPR?
  3. How are the main aspects of this agreement made available to the affected persons?
  4. How do you ensure that the rights of affected persons (Art. 12 et.seq. GDPR) can be fulfilled, especially rights to deletion as per Art. 17 GDPR, to limitation of processing as per Art. 18 GDPR, to objection as per Art. 21 GDPR and to information as per Art. 15 GDPR?
  5. For what purposes and on what legal basis are you processing the personal data of Fan page visitors? What personal data are stored? To what extent are profiles compiled or supplemented based on Facebook Fan page visits? Are personal data of non- members of Facebook also used to compile profiles? What are the deadlines for deletion?
  6. For what purposes and on which legal basis are entries created in so-called local storage also for non-members when they first call up a Fan page?
  7. For which purposes and on what legal basis are one session cookie and three cookies with life times between four months and two years stored after a subpage is called up from the Fan page offer?”
  8. What measures have you taken to meet your obligations as per Art. 26 GDPR pertaining to your joint responsibility for processing and conclusion of a corresponding agreement?”

Facebook Fan page operators may find some of these questions very difficult or impossible to answer on their own. The commentator quoted above expects that Facebook will soon present a legally sound agreement and also asserts:

“For companies operating a Fan page, this means giving thought to how they plan to handle their pages.The statements by the DSK and what these are aiming at according to my interpretation are much clearer than in the first resolution.”

There is nothing more to add other than showing things for what they are, but the author will refrain from doing so right now.


Frank Spaeing

The special meeting of the DSK on 5 September 2018 addressed not just Facebook Fan pages but also Application of the GDPR in parliaments, by factions, by representatives and by political parties and rejection of treatment by doctors should patients refuse to sign for receipt of information as per Art.13 GDPR.
Who would have thought that the DSK would actually need to explicitly respond to the second topic. . .

* This contribution was written on the way back from the Summer academy 2018. A talk was given there on the topic of “Social media: What should companies be aware of in terms of their Internet presence?”. Attending staff of various supervisory authorities were evidently also not aware of a relevant agreement by Facebook.
** Did not the DSK basically intend to publish only via its new website?