Social media to promote my business
In today’s digital age, most companies rely on social media to promote their business. They usually have their own ‘page’ or account on one or more social networking websites. Additionally, some companies feature social media plug-ins on their own website to generate more traffic. Making use of social media has certain legal consequences. This section discusses what this means for your role and responsibilities under data protection law.
Most likely you are the administrator of a (fan) page for your company on a social networking website. This inevitably brings along processing of personal data. In this context, processing is essentially carried out by the social networking site, placing cookies and processing the information stored in the cookies. By creating such a page, you give the social networking site the opportunity to place cookies on the computers of visitors, from which you benefit by obtaining statistics useful to manage and promote your activities. Regardless of the fact that you often do not have factual or legal influence on the purposes and means of processing, you will be considered to be involved in the production of the statistics through defining the criteria for the statistics and designating the persons whose personal data is to be made use of by the social networking site. The fact that you only receive the statistics in anonymized form and do not have access to the actual personal data concerned, does not take away the fact that you will be considered to have an influence on the processing of personal data for the purpose of producing statistics based on visits to the fan page.
Consequently, as an administrator of a fan page hosted on a social networking site you contribute to the processing of the personal data of your visitors, and under the GDPR you will be seen as a joint controller together with the social networking site. This is only the case for those processing activities which consist in the collection by the social networking site of personal data on your page. This results in a shared responsibility to inform visitors of the page that information about them was collected via cookies.
The existence of joint responsibility does not necessarily imply equal responsibility of you and the social network operator. The level of responsibility must be assessed taking into account all relevant circumstances of the particular case: if your joint processing only relates to the collection of data from visitors of your page and to the processing of this data for statistical purposes (and not to the use of the data by the social networking site for its own analysis and advertising unrelated to your company) you will likely only carry responsibility for these processing activities.
The GDPR specifies that joint controllers need to determine their respective responsibilities under data protection law in a transparent manner. For more information on what this means, see here. Following from joint controllership, individuals will be free to choose to turn to your company or the social networking site to obtain full damages. If you are not able to prove that you are not responsible for the event giving rise to the damage, the social networking site is allowed to claim back part of the compensation corresponding to your responsibility for the damage.
Time for action
As a fan page administrator, you will need to conclude a joint controller agreement with the hosting social networking site. In this agreement, each party’s responsibilities need to be set out, including visitors’ rights and information obligations. For example, Facebook has put in place a joint controller addendum to which you will have to agree if you want to create a Facebook page for your company.
Comply with the controller obligations in the GDPR: inform visitors about the identity of the joint controllers, the purpose of the processing, the legal basis relied upon, data retention periods and all data processing activities and their rights (e.g. access, rectification, erasure). Also make sure that visitors can exercise these rights.
To the extent possible, put in place measures to ensure adequate protection of your page’s visitors and their personal data.
Data processed for the purpose of providing targeted advertising will require visitors’ consent.
Often companies embed social plugins on their website to obtain certain commercial benefits.
Social plugins are buttons – such as a ‘like button’ or a ‘share button’ – which allow visitors to share their experiences on other websites with friends on certain social networking sites.
When a visitor consults a website featuring plugins, his or her personal data are transmitted to the social networking site. This allows companies to optimise the publicity for their goods or services by increasing visibility on social media.
If you feature a third-party plugin on your website, you will most likely be a joint data controller together with the social media company concerned in respect of the collection of personal data of the website visitors and the transmission of this data to the social networking site. This is because both parties have an economic interest and you jointly determine the means and purposes of the processing of the personal data that were transferred to the social networking site. You will, however, not be a controller regarding the processing after the transmission of the data carried out by the social networking site alone, as you do not determine the purposes and means of those operations.
In respect of such operations involving the processing of personal data of visitors to your website, you will also carry a list of responsibilities under the GDPR.
Time for action
At the time of the collection of their personal data, you must provide certain information to your visitors, including for example your identity and the purposes of the processing.
If you rely on the consent of the individuals concerned, you are only required to obtain prior consent for the operations for which you act as a (joint) controller (i.e. the collection and transmission of the data).
In cases where the processing of personal data is justified by relying on necessity for the purposes of a legitimate interest, the Court finds that each of the (joint) controllers, namely you as the operator of a website and the provider of a social plugin, must pursue a legitimate interest through the collection and transmission of personal data in order for those operations to be justified in that regard. It is not enough if only one of the joint controllers is pursuing a legitimate interest through the collection and transmission of personal data.