How can websites share control with Facebook – on personal data. 10 things to remember from the ruling in the case of Fashion ID

1. If there is a “Like” button inserted in the site, the administrator of the site (“admin”) is considered joint controller with Facebook regarding data processing through this plugin, according to the most recent decision of CJEU

2. The data transmission via the plugin to Facebook is done without the visitors being aware of it and regardless of them being members of the Facebook network or having clicked the “Like” button

3. The status of joint controller is acquired because the admins have their own economic interest in promoting the business by inserting the plugin in the site

4. The status of joint controller is acquired even if the admins do not have access to data and have no influence on the processing of the data transmitted to Facebook

5. The admins are considered joint controllers only for the actions in which they participate – the collection and transmission of data, and not for other processing operations from Facebook, previous or subsequent

6. The responsibility for obtaining consent and informing the user rests primarily with the admins, with whom the user first comes into contact

7. It is not clear how Facebook, in turn, will inform visitors who are not members of the network

8. If relying on consent, it is not clear how sites will be able to obtain it in a “prior” fashion, as long as Facebook seems to start processing immediately after accessing the site, irrespective of the user’s clicking the “Like” button

9. According to the press release following the CJEU decision, should the basis of the processing be legitimate interest, both joint controllers must justify a legitimate interest for the processing

10. Conclusion – for data collection and transmission operations through Facebook (or other social networks) plug-ins, sites must quickly change their privacy policies by assuming the role of data controllers and by fully informing users, according to GDPR. As for the legal basis for processing, legitimate interest might not be expected solution. Consent we already know that doesn’t really work. I will soon resume the topic with more in depth insight.