Hello! My name is Marc Dauenhauer. I am a data protection officer and IT architect. This is a blog where I write about digitalization topics in the broadest sense.

Answering the questionnaire of the Berlin data protection commissioner

The document was automatically translated from German using DeepL.com

1. Have you completed the Insights addition with Facebook? If so, how did this happen?

Facebook has put a supplementary agreement online under the link https://www.facebook.com/legal/terms/page_controller_addendum, which by its nature constitutes general terms and conditions. It takes effect immediately through the use of the fan page function in connection with the data processing of Facebook Insights. In this respect, the Insights conditions represent a valid agreement between Facebook and me as the operator of a fan page.
Article 26 GDPR does not prescribe the type of contract to be concluded or the observance of any particular form. In this respect, nothing stands in the way of publishing the corresponding agreement as part of the general terms and conditions.

2. To which text / to which agreement does the Insights supplement constitute a supplement? Please make this text available to us or present the corresponding contents, which will be supplemented by the Insights supplement.

In its judgment in C-210/16, the ECJ states (marginal 32):

“In this respect, it appears that any person who wishes to set up a fan page on Facebook enters into a specific agreement with Facebook Ireland to open such a page and signs the terms of use of that page, including the relevant cookie policy, which is a matter for the national court to determine.”

The Insights supplement is an extension of these terms and conditions.

3. Is the Insights amendment an agreement within the meaning of Article 26 para 1, first sentence, of the GDPR?

The Insights supplement constitutes a valid agreement within the meaning of Art. 26 para. 1 sentence 1 GDPR. Due to the decision of the ECJ of 05.06.2018, the joint responsibility between Facebook and the page operator is undisputed.
The contents of Art. 26 GDPR are reflected in the agreement:

  1. The agreement shall clearly and transparently define the responsibilities for the processing referred to in the second sentence of Article 26(1):

    “Facebook Ireland agrees to assume the primary responsibility under the GDPR for the processing of Insights Data and to comply with all obligations under the GDPR with respect to the processing of Insights Data (including Articles 12 and 13 GDPR, Articles 15 to 22 GDPR and Articles 32 to 34 GDPR). In addition, Facebook Ireland will provide the essence of this Page Insights supplement to the individuals concerned.”

  2. This passage also complies with the provisions of Art. 26 (1) sentence 2, Art. 26 (2) GDPR.

4. What specific processing operations of personal data are shared responsibilities under this agreement? Please describe this in detail.

As the ECJ states in its ruling on C-210/16, the data processing by Facebook to be considered here consists of the following (C-210/16 marginal 33):

“As is apparent from the documents before the Court, the data processing at issue in the main proceedings is essentially carried out in such a way that Facebook places cookies on the computer or any other device of the persons who visited the Fanpage, the purpose of which is to store information in web browsers and which remain effective for a period of two years, unless they are deleted. In addition, the records show that in practice Facebook receives, records and processes the information stored in cookies, in particular when a person visits the “Facebook services, services provided by other members of the Facebook group of companies, and services provided by other companies that use the Facebook services”. In addition, other sites such as Facebook partners or even third parties may “use cookies on Facebook services to provide [this social network directly] or services to companies advertising on Facebook”.

There is no shared responsibility for all data collection (including insight processing) that is done outside of the fan page by Facebook.

5. What is meant by the “Insights Data” mentioned in the Insights Supplement and Insights Information? Please explain finally.

Facebook collects and processes visitor usage data and interactions with the fan page and its sub-pages. Facebook collects the user data (as far as registered users are concerned), data of the devices used and the actions on the fan page such as clicking buttons, viewing contributions or videos and makes these available as anonymous statistics. By limiting the audience of the fan page, it can only be accessed by registered Facebook users. This does not result in the collection of data from non-registered users – in particular those without a Facebook account.

6. The Insights Supplement refers to the “Processing of Insights Data”. What specific processing operations are involved and for what purposes? Please explain in detail.

The Insights data are processed for two purposes:

  1. Provision of statistical evaluations for the fanpage operator about the visitors and their activities on the fanpage, in order to optimize the page offer for the interest of the visitors.
  2. Optimization of the offer and the advertising processes of Facebook itself.

We have already explained the core of the processing in a previous question.

7. How are the persons concerned (Facebook members and non-members) informed of the essence of the agreement pursuant to Art. 26 para. 2 GDPR?

Facebook undertakes under the Insights Additional Agreement to make available to Site Visitors the essence of the Article 26 Agreement. Notwithstanding the foregoing, we also fulfill our obligation as the responsible party to a) link to the Additional Agreement in the Data Policy and b) also refer to the Facebook Data Policy for information to our visitors.

8. What information have you received or are receiving from Facebook about the processing of personal data of visitors to your fan page? Does the information available to you enable you to meet your obligations under the GDPR, in particular your obligations under Art. 5 para. 2 GDPR?

The ECJ has aptly stated in its above cited judgment:

“It should be made clear that the existence of a shared responsibility, as the Advocate General pointed out in points 75 and 76 of his Opinion, does not necessarily entail an equivalent responsibility on the part of the various actors involved in the processing of personal data. Rather, these actors may be involved in the processing of personal data at different stages and to different degrees, in such a way that the degree of responsibility of each of them must be assessed in the light of all relevant circumstances of the case”. C-210/16 marginal 43

Having said that, we believe that the level of accountability between Facebook and us as a site operator is distributed in such a way that the information provided to us is sufficient to

  1. inform the visitors of the site about the nature of the division of tasks,
  2. provide basic information about Facebook’s data collection by referring to Facebook’s Cookie Policy and Privacy Policy,
  3. adjust the audience of our fan page so that users without a Facebook account cannot access the page.

The ECJ has further elaborated:

“It should also be noted that the fan pages maintained on Facebook can also be visited by people who are not Facebook users and therefore do not have a user account on this social network. In this case, the responsibility of the Fanpage operator with regard to the processing of the personal data of these persons shall appear even higher, since the mere fact that visitors access the Fanpage automatically triggers the processing of their personal data”. C-210/16 marginal 41

The fact that we have excluded the aforementioned situation by means of an audience setting reduces our responsibility in the sense of the ECJ’s argumentation. Schwartmann/Jaspers/Thüsing/Kugelmann, Art. 26 marginal 21, states:

A shared responsibility is not precluded by the fact that not every jointly responsible person may be able to fulfil all rights and obligations under the GDPR, although his role as controller obliges him to process personal data in accordance with the Regulation (para. 12). It is sufficient if the jointly responsible party can make use of one of the other jointly responsible parties to fulfil his rights and obligations.[31] The GDPR does not require direct fulfilment by the responsible party itself in this respect. However, this delegation of duties does not alter the full liability of the jointly responsible party (para. 46) in the event of any infringements of the GDPR.
Atzert, Michael; Buchmann, Antonia; Dietze, Lars; Ferik, LL.M., Levent; Frank, Lorenz; Frey, LL.M., Dieter; Hermann, Maximilian; Hilgert, LL.M., Felix; Hünermann, Rolf; Jacquemain, LL.M., Tobias; Jaspers, Andreas; Keber, Tobias O.; Keppeler, Lutz Martin; Klein, David; Kremer, Sascha; Kugelmann, Dieter; Leutheusser-Schnarrenberger, Sabine; Martini, Mario; Mühlenbeck, Robin Lucien; Müthlein, Thomas; Pabst, Heinz-Joachim; Pieper, LL.M., Fritz Ulli; Reif, LL.M., Yvette; Richter, Philipp; Ritter, Steve; Rombey, Sebastian; Römer, Sandra; Rost, Maria Christina; Rudolph, Matthias; Schmidt, Maximilian; Schneider, Adrian; Schwartmann, Rolf; Seckelmann, Margrit; Thüsing, Gregor; Traut, Johannes; Weiß, Steffen; Wybitul, Tim. DS-GVO/BDSG: General Data Protection Regulation, Federal Data Protection Act (Heidelberger Kommentar) (German Edition) (Kindle locations 32266-32272). CF Muller. Kindle version.

9. Please explain how the personal data of visitors to your fan page is processed. What are the purposes of these processing operations?

On the Facebook Platform, we only process the data of registered Facebook users in accordance with the above-mentioned purposes. In addition, we use Facebook’s contact options to interact with visitors to our pages. Personal data is not used outside the Facebook platform.

10. On what legal basis do you process the personal data of visitors to your fanpage?

Personal data is processed in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in presenting our services and ourselves to the public on Facebook and in order to measure the success of our measures or to align our offer to the interests of visitors.
We process other personal data only if they are voluntarily provided to us by the users and are used for interaction with the users. In this respect, we assume an implied consent pursuant to Art. 6 para. 1 lit. a GDPR.
Since we only process data from Facebook users, Art. 6 para. 1 lit. a GDPR can also be considered insofar as all users have agreed to the General Terms and Conditions, Data Protection Guidelines and Cookie Guidelines when setting up a Facebook account.

11. In what way and with what content are the persons concerned (Facebook members and non-members) informed about the processing of their data when visiting your fan page according to Art. 12 and Art. 13?

Due to the audience settings of our fanpage, non-members are not able to visit our site. Therefore, information to non-members is unnecessary. Members have generally agreed to the collection of their information through the Terms and Conditions, Privacy Policy and Cookie Guidelines when setting up their account. In addition, we have included such information in our own privacy policy, which is available through our site.

12. How do you ensure that the rights of data subjects (Art. 12 et seq. GDPR) can be fulfilled, in particular the rights to erasure under Art. 17 GDPR, to restriction of processing under Art. 18 GDPR, to object under Art. 21 GDPR and of access under Art. 15 GDPR?

Under the Insights Additional Agreement, Facebook is required to enforce these user rights. As already stated by the Article 29 Working Party in WP 169, a controller may use another controller within the framework of joint responsibility to fulfil his obligations. In this respect, we make use of this option and use the form provided by Facebook for this purpose to report any enquiries.
In addition, we have established our own process to ensure that requests made to us are (1) reported to Facebook as part of the Insights Agreement, and (2) checked at least randomly by asking the person concerned whether Facebook responded promptly and fully to the request. We do not process personal data outside the Facebook Platform.

13. The Insights Supplement states in relation to Affected Persons’ Rights: “If a data subject or a supervisory authority under the GDPR contacts you regarding the processing of Insights Data and Facebook Ireland’s obligations under this Page Insights Supplement (each an “Inquiry”), you are required to provide us with all relevant information promptly, but no later than within 7 calendar days. For this purpose you can submit this form. Facebook Ireland will respond to requests in accordance with our obligations under this Page Insights Supplement. You agree to promptly make all reasonable efforts to cooperate with us in responding to any such request. You may not act or respond on behalf of Facebook Ireland.” Please explain specifically how Facebook handles the requests you submit and what concrete measures you have taken to check whether the rights of the persons concerned are being fulfilled in this way in accordance with the GDPR.

As stated by the Article 29 Working Party in WP 169, as part of our shared responsibility, we use Facebook’s services to fulfill our obligations under the GDPR. Article 26 GDPR does not require any jointly responsible person to monitor the fulfilment of the legal obligations of the other responsible person. Nor are jointly responsible persons obliged to disclose all internal processes to the other responsible persons.
As mentioned above, we have established an internal process to track requests made to us and to verify Facebook’s compliance, at least on a sample basis, by consulting with the parties concerned.

14. Are entries in the so-called Local Storage also created for non-members when you call up your fanpage for the first time? For what purposes and on what legal basis is this done?

First of all, we have excluded non-members from accessing our fan page. Therefore, the creation of data in the local storage is only the case for Facebook members. The creation of this data in local storage and session storage is basically comparable to the creation of cookies and is a technology that has found its way into browsers with HTML5. Since we only process the data of Facebook members, they have already agreed to the processing of their data on the entire Facebook platform. We therefore consider the consent of Facebook members pursuant to Art. 6 para. 1 lit. a GDPR to be relevant in addition to our legitimate interest in the processing pursuant to Art. 6 para. 1 lit. f GDPR. We do not consider a separate check of the consent to be necessary, since the use of our site is not possible without Facebook membership and thus consent to the processing of personal data and the setting of cookies.

15. Are one session cookie and three cookies with life spans between four months and two years stored after calling up a subpage within your fanpage offer? For what purposes and on what legal basis is this done?

In the case of our fan page, cookies are set in accordance with the above arguments.