Addressing GDPR compliance of Facebook fan pages for companies

If you are an owner of a Facebook business page, two questions must be bugging you: How does GDPR affect you, and how can you become GDPR compliant? The short answer is: as of the publishing date of this article, you cannot be. And it’s not because of you – it’s because of Facebook. This is the biggest social network in the world at this time, and there is huge pressure from regulators worldwide to convince Facebook to become compliant with various regulations including GDPR. In this article, you will learn more about how to handle this important issue.

Who is responsible for the processing of data; i.e., is Facebook a data controller?

First of all, the European Union Court of Justice decided that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of data of visitors to the page. This means that if you have a Facebook fan page, then you are a joint controller according to GDPR as per Article 26, Recital 79, and Working Party 29 (now the European Data Protection Board) opinion 1/2010 on the concepts of “controller” and “processor.”

To learn more about data controllers and data processors, see the following article: EU GDPR controller vs. processor – What are the differences?

Example from Germany

 So, how should you approach this area? This is how the Berlin Data Protection Authority issued a set of questions for Facebook fan page admins that they need to be able to answer:

• How will it be determined, between you and Facebook, which of you is fulfilling which obligations under Article 26(1) of the GDPR?
• On the basis of what agreement have you determined, between you and Facebook, who complies with which information obligations under Articles 13 and 14 of the GDPR?
• How will the essential aspects of such an agreement be made available to the persons concerned?
• How do you ensure that the data subject rights (Article 12) can be fulfilled, in particular the rights to deletion under Article 17, limited processing under Article 18, objection to processing under Article 21, and information access under Article 15?
• For what purposes and on what legal basis do you process the personal data of the visitors to fan pages? What personal data are stored? To what extent are profiles created or enriched as a result of visits to Facebook fan pages? Are personal data of non-Facebook members also used to create profiles? What are the deletion periods?
• For what purposes and on what legal basis are entries generated in the so-called Local Storage for non-members when a fan page is first accessed?
• For what purposes and on what legal basis will a session cookie and other cookies with lifetimes between four months and two years be stored?
• What measures have you taken to meet your obligations under Article 26 as jointly responsible for processing and to conclude an agreement to that effect?

Checklist of Mandatory Documentation Required by the EU GDPR

Free white paper that explains which documents to use and how to structure them

Download now

What to include in the agreement with Facebook

Basically, in the context of the GDPR, here are the recommendations regarding your Facebook business page:

• You need to have a signed agreement between you and Facebook, which clearly demonstrates full transparency of personal data processing on all the sides.
• This agreement needs to outline how each one of you informs Data Subjects on the personal data processing that takes place, per Articles 13 and 14.
• This agreement also needs to outline how both companies respect Data Subject rights – the rights to access, rectify, and delete personal data, as well as to object to or suspend personal data processing, and how Data Subjects can exercise these rights.
• Facebook needs to detail what they do with the personal data they are processing (including Local Storage, cookies, etc.) – and for what purpose and under which legal basis. Do you collect the data of active Facebook users who are your fans? Do you store this data in other locations? Do you have lists of “best fans”? If yes, you need to provide the purpose and legal basis for the processing.

Review your need for a Facebook page

As you can see, it is pretty difficult to make your Facebook page GDPR compliant because, at the time of publishing this article, Facebook doesn’t provide enough transparency into cookie creation, personal data processing, automatic profile creation, etc. So, in order to start, you need to ask yourself a few questions:

• Do you actually need a Facebook fan page? Most marketers tell you that you need to have one, but do you actually use it?
• Do you post regularly; do you engage with your fans?
• Have you considered other communication channels like a blog, Twitter, etc.?
• Can you accurately measure the impact of your Facebook fan pages in your marketing efforts?

Push Facebook and write a privacy notice

If the answers above are YES, and you have decided to keep your Facebook fan page, then you should do the following:

• Push Facebook to draft an agreement between you and them to make sure that it reflects your joint-controller responsibilities.
• Write a Privacy Notice in a Facebook Note outlining who you are, what personal data you process, why, on what legal basis, with whom you share this data (for example, if you have data processors like marketing agencies), for how long, and how data subjects can exercise their rights (per Article 13).

As said, this doesn’t make you GDPR compliant. But it does show that you did your part on the GDPR compliance, and now you need to push your partner, Facebook, to also do their part and become GDPR compliant.

To see which GDPR documents you need for social media pages, download this free Checklist of Mandatory Documentation Required by EU GDPR.