CJEU Judgment in the Fashion ID Case: qualification as joint controllers of the Website Operator that Features a Facebook ‘Like’ Button
E-newsletter Bulletin No 01/23
Case C-40/17 (Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV)
Key Takeaway: the CJEU held that, under EU data protection legislation, the operator of a website featuring a Facebook "Like" button (i.e. a plugin that entails the transmission of personal data to Facebook) can be regarded as a controller, jointly with Facebook. Consequently, that website operator is responsible for complying with the legal obligations arising in this context, and in particular for informing its website visitors that their personal data may be transmitted to Facebook.
By contrast, it seems, at the outset, impossible that the website operator determines the purposes and means of subsequent operations involving the processing of personal data carried out by Facebook Ireland after their transmission to the latter, meaning that the website operator cannot be considered to be a controller in respect of those operations within the meaning of Article 2(d) of Directive 95/46.
Fashion ID, an online clothing retailer, embedded on its website the ‘Like’ social plugin from the social network Facebook (‘the Facebook “Like” button’). When a visitor consults the website of Fashion ID, that visitor’s personal data are transmitted to Facebook Ireland as a result of that website including that button. It seems that this transmission occurs without the visitor being aware of it, regardless of whether he or she is a member of the social network Facebook or has clicked on the Facebook ‘Like’ button.
It is apparent from the order for reference that one feature of the internet is that, when a website is visited, the browser allows content from different sources to be displayed. Thus, for example, photos, videos, news and the Facebook ‘Like’ button at issue in the present case can be linked to a website and appear there. If a website operator intends to embed such third-party content, he places a link to the external content on that website. When the browser of a visitor to that website encounters such a link, it requests the content from the third-party provider and adds it to the appearance of the website at the desired place. For this to occur, the browser, e.g. Google Chrome or Firefox, transmits to the server of the third-party provider the IP address of that visitor’s computer, as well as the browser’s technical data, so that the server can establish the format in which the content is to be delivered to that address. In addition, the browser transmits information relating to the desired content. The operator of a website embedding third-party content onto that website cannot control what data the browser transmits or what the third-party provider does with those data, in particular whether it decides to save and use them.
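The embedding mechanism described above can be checked on a site's own pages. The following is an added example, not part of the bulletin or the judgment: it lists the third-party hosts that a browser contacts automatically when rendering a page, so an operator can see which embeds need to be covered by its visitor information. The hostnames and sample HTML are constructed; the check covers static markup only and compares exact hostnames, so a subdomain counts as a separate host.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose URL the browser fetches on its own while rendering.
AUTO_FETCH = {"script": "src", "img": "src", "iframe": "src",
              "embed": "src", "link": "href"}
# <link> only triggers a fetch for some rel values (canonical, for one, does not).
FETCHING_RELS = {"stylesheet", "icon", "preload", "prefetch"}


class EmbedInventory(HTMLParser):
    """Collects embeds whose host differs from the host of the page itself."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = urlsplit(page_url).hostname
        self.third_party = {}  # host -> list of (tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rels = set((a.get("rel") or "").lower().split())
        if tag not in AUTO_FETCH or (tag == "link" and not FETCHING_RELS & rels):
            return
        # An empty or missing URL resolves to the page itself and is skipped below.
        url = urljoin(self.page_url, a.get(AUTO_FETCH[tag]) or "")
        host = urlsplit(url).hostname
        if host and host != self.first_party:
            self.third_party.setdefault(host, []).append((tag, url))


def third_party_hosts(page_url, html):
    """Return {host: [(tag, url), ...]} for every automatically fetched embed."""
    inv = EmbedInventory(page_url)
    inv.feed(html)
    return inv.third_party


# Constructed sample: a shop page with a social plugin embedded as an iframe.
SAMPLE_URL = "https://shop.example/dresses"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://other.example/x">
<script src="https://cdn.shop.example/app.js"></script>
</head><body>
<img src="/img/dress.jpg">
<iframe src="//social.example/plugins/like?href=https%3A%2F%2Fshop.example%2Fdresses"></iframe>
<a href="https://partner.example/">partner</a>
</body></html>"""
```

Plain links such as the `<a>` element are not reported because the browser contacts their target only when the visitor clicks; the iframe is reported because it is requested on page load, whether or not the button is ever used.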
The CJEU clarified that a natural or legal person may be a controller, within the meaning of Article 2(d) of Directive 95/46 (currently Article 4(7) of the GDPR (General Data Protection Regulation)), jointly with others only in respect of operations involving the processing of personal data for which it determines jointly the purposes and means. By contrast, that natural or legal person cannot be considered to be a controller, within the meaning of that provision, in the context of operations that precede or are subsequent in the overall chain of processing for which that person does not determine either the purposes or the means.
The Notion of Joint Controllership
The notion of joint controllership does not exist in Law No 6698 on the Protection of Personal Data in spite of the fact that it takes Directive 95/46/EC as a reference.
The qualification as joint controllers may arise where more than one actor is involved in the processing. While the concept is not new and already existed under Directive 95/46/EC, the GDPR, in its Article 26, introduces specific rules for joint controllers and sets a framework to govern their relationship. In addition, the Court of Justice of the European Union (CJEU) in recent rulings has brought clarifications on this concept and its implications. For example, the CJEU held in Wirtschaftsakademie* that the administrator of a fan page hosted on Facebook, by defining parameters based on its target audience and the objectives of managing and promoting its activities, must be regarded as taking part in the determination of the means of the processing of personal data related to the visitors of its fan page. The processing of personal data through statistics of visitors to a fan page is intended to enable Facebook to improve its system of advertising transmitted via its network and to enable the administrator of the fan page to obtain statistics to manage the promotion of its activity. Each entity in this case pursues its own interest but both parties participate in the determination of the purposes (and means) of the processing of personal data as regards the visitors to the fan page.
The CJEU adopted a wide concept of joint controllership. It found that joint controllership can exist for specific phases of the data processing (in the case at issue, the initial collection of the data and its transmission to Facebook) and that controllership can be attributed to only one of the parties in subsequent phases.
The CJEU also held that, as long as the website operator has a role in determining the purposes and means of the processing, a website operator may be a controller even if it does not itself have access to the personal data collected and transmitted to the other party.
According to the case law of the CJEU, the fact that one of the parties does not have access to personal data processed is not sufficient to exclude joint controllership. † It is also important to underline, as clarified by the CJEU, that an entity will be considered as joint controller with the other(s) only in respect of those operations for which it determines, jointly with others, the means and the purposes of the same data processing in particular in case of converging decisions. If one of these entities decides alone the purposes and means of operations that precede or are subsequent in the chain of processing, this entity must be considered as the sole controller of this preceding or subsequent operation. The existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data. On the contrary, the CJEU has clarified that those operators may be involved at different stages of that processing and to different degrees so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case.
Please keep in mind that while the aforementioned judgments were issued by the CJEU on the interpretation of the concept of joint controllers under Directive 95/46/EC, they remain valid in the context of the GDPR, given that the elements determining this concept under the GDPR remain the same as under the Directive.
The Website Operator’s Information Duty
Based on the CJEU’s findings, website operators have informational duties as well as other obligations regarding data security, responding to data subject access requests and complying with the decisions of the Personal Data Protection Board ("Board") in relation to the functioning of social plugins, such as those of Facebook, Twitter and LinkedIn, that involve the collection and communication of personal data to the provider of the plugin.
As far as third-party cookies or similar technologies are concerned, it is worth noting that the information duties of website operators have been identified in the recent Guidance on the concepts of data controller and data processor and information duties. According to the Board,‡ data controllers are under an obligation to provide the following information to data subjects when the data are collected:
• the identity and the contact details of the controller and, where applicable, of the controller's representative;
• the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
• the recipients or categories of recipients of the personal data, if any;
• the method used for collecting personal data;
• the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability.
Best regards,
Tuna Law Team
The full text of the Fashion ID decision is available in various languages at the following website: https://curia.europa.eu/juris/liste.jsf?num=C-40/17
* Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie, (C-210/16), Tietosuojavaltuutettu v Jehovan todistajat — uskonnollinen yhdyskunta (C-25/17), paragraph 36. The full text of the decision is available at: https://curia.europa.eu/juris/liste.jsf?num=C-210/16
† Jehovan todistajat v. Tietosuojavaltuutettu / Case C-25/17 / (10 July 2018) (‘JEHOVAN’). The full text of the decision is available at: https://curia.europa.eu/juris/documents.jsf?num=C-25/17
‡ “Summary of the Decision of the Personal Data Protection Board adopted on 30/01/2020 under No 2020/71 regarding the factors to be considered in the determination of the data controller and the data processor and modalities of application of information duties”. The text of the decision is available only in Turkish: https://www.kvkk.gov.tr/Icerik/6874/2020-71