Facebook page admin jointly responsible for data processing

The administrator of Facebook fan page shall jointly be responsible with Facebook for the data processing of its visitors.

The Court of Justice of the European Union has held that a Facebook page administrator must be regarded as a controller jointly responsible, within the EU, together with Facebook for the processing of that data.

Such an administrator takes part in the determination of the purposes and means of processing the personal data of the visitors to its fan page.

According to the Court, the fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data.

The Court stated that the recognition of joint responsibility of the operator of the social network and the administrator of a fan page hosted on that network in relation to the processing of the personal data of visitors to that fan page contributes to ensuring more complete protection of the rights of persons visiting a fan page, in accordance with the requirements of Directive 95/46 on data protection.

The case originated in Germany where in November 2011, the Unabhängiges Landeszentrum für Datenschutz SchleswigHolstein (Independent Data Protection Centre for the Land of Schleswig-Holstein, Germany) had ordered education company Wirtschaftsakademie Schleswig-Holstein to deactivate its Facebook fan page because neither Wirtschaftsakademie nor Facebook informed visitors that personal data was being collected and processed.

Wirtschaftsakademie brought an action against that decision before the German administrative courts, arguing that the processing of personal data by Facebook could not be attributed to it, and that it had not commissioned Facebook to process data that it controlled or was able to influence.

The Bundesverwaltungsgericht (Federal Administrative Court, Germany) then referred the case to the Court to interpret Directive 95/46 on data protection.

The case is Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH (Case C-210/16).