Web plug-in requires visitor’s consent

In the light of the recent ruling of the European Court of Justice, website owners have to bear in mind their data protection responsibilities when using plugins on their websites.

This case concerns the German company FashionID, which had a Facebook plug-in installed on its website. The plug-in transmitted visitors’ personal data to Facebook without their being aware of it, regardless of whether they had a Facebook account or had pressed the “Like” button.

In its ruling, the court explained that in such a situation the website owner is jointly responsible with Facebook for the personal data collected and sent to Facebook. The website owner is not responsible for the subsequent processing of that personal data, which Facebook carries out alone.

The court found that FashionID could be considered a joint controller with Facebook, since, as far as the collection and transfer of personal data are concerned, FashionID and Facebook jointly determine the means and purposes of the data processing operations. Using the Facebook plug-in on its website allows FashionID to optimize the promotion of its products, making them more visible and providing a clear business advantage. This shows that using the plug-in is in the economic interest of both FashionID and Facebook.

The court explained that the website must obtain the user’s consent before sending personal data to Facebook unless a legitimate interest is used as the basis for the processing. Such consent must be separate and specific to that data processing operation.

Websites send personal information to Facebook already at the time of page loading, before the user can opt out. However, data protection rules require consent before personal data is sent through plug-ins to third parties. A request for such consent can be added to the cookie message bar, together with an explanation of the services to which the personal information is transmitted. In this case, the consent request is clear and transparent. It is also possible to set up plug-ins so that they do not send information until the visitor of the website has given their consent, i.e., by clicking on the cookie banner.
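The deferred set-up described above can be implemented by keeping the plug-in's script tag out of the page and injecting it only after the visitor accepts. The following is an added example, not code from the ruling or from any plug-in vendor; `PLUGIN_SRC`, `CONSENT_KEY`, `createPluginGate` and the `#accept-social` button id are hypothetical names chosen for illustration.

```javascript
// Consent-gated loader: no request reaches the third party until grant() runs.
const PLUGIN_SRC = 'https://plugin.example/sdk.js'; // placeholder URL (assumption)
const CONSENT_KEY = 'consent.social-plugin';        // hypothetical storage key

// doc: a Document; store: a localStorage-like object (getItem/setItem/removeItem).
function createPluginGate(doc, store, src = PLUGIN_SRC) {
  let scriptEl = null;

  function inject() {
    if (scriptEl) return false;        // never inject the tag twice
    scriptEl = doc.createElement('script');
    scriptEl.src = src;
    scriptEl.async = true;
    doc.head.appendChild(scriptEl);    // the first third-party request happens here
    return true;
  }

  return {
    // On page load: load the plug-in only if consent was stored on an earlier visit.
    init() {
      return store.getItem(CONSENT_KEY) === 'granted' ? inject() : false;
    },
    // From the banner's accept handler for this specific purpose.
    grant() {
      store.setItem(CONSENT_KEY, 'granted');
      return inject();
    },
    // Withdrawal: forget consent and remove the tag. Code the plug-in has already
    // run stays active until the next page load, when init() will not re-inject it.
    withdraw() {
      store.removeItem(CONSENT_KEY);
      if (scriptEl && scriptEl.parentNode) scriptEl.parentNode.removeChild(scriptEl);
      scriptEl = null;
    },
    isLoaded: () => scriptEl !== null,
  };
}

// Browser wiring; skipped when no DOM is present.
if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  const gate = createPluginGate(document, localStorage);
  gate.init();
  const btn = document.querySelector('#accept-social');
  if (btn) btn.addEventListener('click', () => gate.grant());
}
```

To confirm the gate works on a live page, open the browser's network panel and check that no request to the plug-in's host appears before the banner is accepted.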

Do you use the Facebook “Like” button? We have created a Facebook “Like” button processing activity template in GDPR Register. Subscribe for a 14-day trial to see it.
