The administrator of a fan page hosted on Facebook is responsible for the personal data of the visitors to its fan page: the fact that an administrator uses the platform provided by Facebook cannot exempt it from compliance with its obligations concerning the protection of personal data. Where an undertaking established outside the European Union establishments in different Member States, the supervisory authority of a Member State is entitled to exercise powers with respect to an establishment situated in the territory of that Member State even if exclusive responsibility for collecting and processing personal data belongs to an establishment situated in another Member State. Where the supervisory authority of a Member State intends to exercise its powers with respect to an entity established in the territory of that Member State on the ground of infringements committed by a third party whose seat is in another Member State, that supervisory authority is competent to assess, independently of the supervisory authority of the other Member State, the lawfulness of the data processing and may exercise its powers of intervention with respect to the entity established in its territory without first calling on the supervisory authority of the other Member State to intervene.
From the CJEU press release: “In today’s judgment, the Court of Justice starts by observing that it is not disputed in the present case that the American company Facebook and, for the EU, its Irish subsidiary Facebook Ireland must be regarded as ‘controllers’ responsible for processing the personal data of Facebook users and persons visiting the fan pages hosted on Facebook. Those companies primarily determine the purposes and means of processing that data.
Next, the Court finds that an administrator such as Wirtschaftsakademie must be regarded as a controller jointly responsible, within the EU, with Facebook Ireland for the processing of that data.
Such an administrator takes part, by its definition of parameters (depending in particular on its target audience and the objectives of manging or promoting its own activities), in the determination of the purposes and means of processing the personal data of the visitors to its fan page. In particular, the Court notes that the administrator of the fan page can ask for demographic data (in anonymised form) – and thereby request the processing of that data – concerning its target audience (including trends in terms of age, sex, relationships and occupations), information on the lifestyles and centres of interests of the target audience (including information on the purchases and online purchasing habits of visitors to its page, and the categories of goods or services that appeal the most) and geographical data, telling the fan page administrator where to make special offers and organise events and more generally enabling it to target best the information it offers.
According to the Court, the fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data.
Read the press release here.
The IPPT-version will follow.