facebook-1084449_640

Web plug-in requires visitor’s consent

In the light of the recent ruling of the European Court of Justice, website owners have to bear in mind their data protection responsibilities when using plugins on their websites.

This case concerns the German company FashionID, which had a Facebook plug-in installed on its website. In addition, the program transmitted personal data to Facebook without the visitor being aware of it, regardless of whether they have a Facebook account or have pressed the “Like” button.

In its ruling, the court explained that in such a situation the website owner is jointly responsible with Facebook for the personal data collected and sent to Facebook. The website owner is not responsible for the subsequent processing of personal data by Facebook alone.

The court found that FashionID could be considered a joint controller with Facebook since FashionID and Facebook jointly determine the means and purposes of the data processing operations when assessing the collection and transfer of personal data. Using the Facebook plug-in on a website allows FashionID to optimize the promotion of its products, making them more visible and providing a clear business advantage. This shows that using the plug-in is in the economic interest of both FashionID and Facebook.

The court explained that the website must obtain the user’s consent before sending personal data to Facebook unless a legitimate interest is used as a basis for the processing. Such consent must be separate and specific to such data processing operation.

Websites send personal information to Facebook already at the time of page loading, before the user can opt-out. However, data protection rules require consent before sending personal data through plug-ins to third parties. Such consent can be added to the cookie message bar and an explanation of the services to which the personal information is transmitted. In this case, the consent request is clear and transparent. It is also possible to set up plug-ins so that they do not send information until the visitor of the web site has given their consent, i.e., clicking on the cookie banner.

Do you use Facebook “Like” button? We have created Facebook “Like” button processing activity template in GDPR Register. Subscribe for a 14-day trial to see it.

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email

Try our GDPR Compliance Tool GDPR Register for 14-days.

No credit card required.

Latest Posts
Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

It’s practically not possible to run a business without processing personal data and exchanging it with other businesses. It may...
Templates for Records of Processing Activities

Templates for Records of Processing Activities

As we see every day, most companies and organisations still keep their Records of Processing Activities in spreadsheets. Through our...
Web plug-in requires visitor’s consent

Web plug-in requires visitor’s consent

In the light of the recent ruling of the European Court of Justice, website owners have to bear in mind...
First GDPR fine issued in Lithuania

First GDPR fine issued in Lithuania

A year after GDPR came into force, the Lithuanian Data Protection Authority (VDAI) has issued its first administrative fine. UAB ‘Mister Tango’,...
Finnish DPA ordered a company to change their data processing practises

Finnish DPA ordered a company to change their data processing practises

An article was published recently in the Helsingin Salomat about the Finnish Data Protection Authority who had ordered a payment and...
Data Protection Officer’s role and responsibilities

Data Protection Officer’s role and responsibilities

In light of the latest survey conducted by the CPO Magazine, we are looking into the role of the Data...
GDPR Compliance Checklist for 2019

GDPR Compliance Checklist for 2019

Just recently, a report was published based on a survey of 252 global privacy professionals working for a wide range...
Records of processing activities in GDPR Article 30

Records of processing activities in GDPR Article 30

What do companies have to include in the records of processing activities? GDPR requires companies to keep an internal record,...
GDPR in B2B Marketing

GDPR in B2B Marketing

There are two separate EU level regulations to follow when processing personal data for direct marketing in B2B and B2C...
Data Protection Impact Assessment Guide

Data Protection Impact Assessment Guide

The General Data Protection Regulation (GDPR) has introduced a new obligation, which requires companies and organizations to carry out data...

Zpracovává vaše společnost osobní údaje?


Zpracovávat vaše společnost osobní údaje fyzických osob, jako jsou:

  • Údaje zaměstnanců, zákazníků, uchazečů o zaměstnání nebo pacientů včetně:
    • Jméno nebo osobní identifikační číslo
    • Kontaktní údaje (e-mailová adresa, telefonní číslo, adresa)
    • Bankovní údaje, plat, údaje o pasu nebo jiné osobní údaje

 

Ar Jūsų įmonė renka ir tvarko fizinių asmenų asmens duomenis? 


Asmens duomenys gali būti:

  • Kliento, darbuotojo. paciento, kandidato į darbo vietą ir kt. 
    • Vardas ar asmens  numeris 
    • Kontaktinė informacija (el.pašto adresas, telefono numeris, adresas ir kt)
    • Banko sąskaitos  duomenys, atlyginimo dydis, paso duomenys ar bet kokia kita asmeninė informacija. 

Onko yrityksessäsi enemmän, kuin 250 työntekijää?


Kas teie ettevõte kogub ja töötleb isikuandmeid?


Kas teie ettevõte kogub ja töötleb füüsiliste isikutega seotud andmeid nagu näiteks:

Töötajate, klientide, tööle kandideerijate, patsientide:

  • Nimi, isikukood
  • E-posti aadress, telefoninumber, kodune aadress
  • Pangakontonumber, palgasumma, krediitkaardiandmed või mõnda muut tüüpi isiklikud andmed

Does your company collect any personal data?


Does your company collect and process any personal data of natural persons such as:

  • Employees, Customers, Job Applicants or Patients including:
    • Name or personal ID number
    • Contact details (Email address, Phone number, Address)
    • Bank details, Salary amounts, Passport details or any other personal data