What to do with your business page on Facebook and other social media?
What you need to know.
Many companies today have a Facebook “fan page” to promote their products and services. Such companies use Facebook Page Insights to optimize the reach of their marketing communications. This has important consequences for their obligations under the GDPR. The European Court of Justice and the European Data Protection Board have established that companies together with Facebook must be regarded as joint controllers (see GDPR toolkit 09) when the company is using Page Insights.
What you need to do.
The use of Facebook Page Insights requires a mutual arrangement with Facebook establishing the respective responsibilities for fulfilling the obligations under the GDPR. Facebook has recently published such an arrangement (“Page Insights Controller Addendum”). The basic principle of this arrangement is that Facebook assumes all obligations under the GDPR, including the obligation to inform the users, but also takes and implements all decisions in this respect. As a consequence, the Irish Data Protection Authority is competent, given that Facebook is established in Ireland.
Nevertheless, the foregoing does not mean that you have no obligations. You are required to inform Facebook by submitting this form within 7 days of any request made by a user concerning Facebook Page Insights data. It is therefore important that your company establish the necessary internal procedures and/or make agreements in this regard with external marketing agencies.
Furthermore, and rather curiously, Facebook provides that you must ensure that there is a legal basis for the processing of Page Insights data; which means that you have to obtain consent from the user by means of an opt-in. However, it is unclear precisely how companies can obtain such opt-in from users. Facebook remains in default here and has yet to offer any solutions or take any steps in this respect.
Along with the use of Facebook Page Insights data, keeping a (fan) page on any kind of social media implies the processing of personal data. You are and remain responsible for compliance with the GDPR for such pages. This entails, amongst other things, that you have to inform the visitors of your social media (fan) page by including, for example, (a link to) your privacy statement. Facebook seems to have already provided a specific place for this in the information section on your (fan) page.
Please consult our website or contact one of our team members if you have questions or require more information:
In the Picture - December 2018
Three people can only keep a secret if two are dead. A European recipe for trade secrets.