CJEU - C-210/16 - Wirtschaftsakademie Schleswig-Holstein

From GDPRhub
CJEU - C-210/16 Wirtschaftsakademie Schleswig-Holstein
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law:
Article 1 Directive 95/46
Article 17 Directive 95/46
Article 2 Directive 95/46
Article 24 Directive 95/46
Article 28 Directive 95/46
Article 4 Directive 95/46
Recital 10 Directive 95/46
Recital 18 Directive 95/46
Recital 19 Directive 95/46
Recital 26 Directive 95/46
Paragraph 11 German Federal Law on Data Protection (BDSG)
Paragraph 3(7) German Federal Law on Data Protection (BDSG)
Paragraph 38(5) German Federal Law on Data Protection (BDSG)
Paragraph 12 German Law on Electronic Media 2007 (BGBI)
Decided: 05.06.2018
Parties: Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
Wirtschaftsakademie Schleswig-Holstein GmbH
Case Number/Name: C-210/16 Wirtschaftsakademie Schleswig-Holstein
European Case Law Identifier: ECLI:EU:C:2018:388
Reference from: BVerwG (Germany)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: Elaine Thuo


The case concerns a fan page created by a company (Wirtschaftsakademie) and hosted by Facebook. The court was tasked to clarify whether the administrator of the fan page was a controller within the definition of a controller under Article 2(d) of Directive 95/46.

English Summary

Facts

The company offered educational services through a fan page hosted by Facebook. As administrators, they obtained statistical information on visitors to the fan page via Facebook Insights offered by Facebook free of charge under non-negotiable conditions of use. The information was obtained using cookies, each containing a unique user code, stored by Facebook in the devices of visitors and were active for two years. The unique code could be matched with users registered on Facebook and their personal data was collected when the fan page was opened. Neither the company nor Facebook notified users/visitors of the fan page of the storing of cookies or processing of their personal data.

Dispute

The Independent Data Protection Centre Germany, (ULD) made a decision on 3rd November 2011 against the company ordering them to deactivate the fan page within the prescribed period or pay a penalty fine on grounds that:

1. Neither Facebook nor the company notified the users that Facebook collected Personal data of the users;

2. Facebook processed personal data of the users.

The company brought a dispute against that decision arguing that it was not responsible for the processing of personal data under the data protection law. This dispute went back and forth from the Administrative Court to the Federal Court who referred the matter to the CJEU seeking clarifications on whether an administrator of a fan page hosted by a social network is a controller within the definition under Article 2 (d)of Directive 95/46.

Holding

The CJEU held that the mere fact of using a social network doesn’t make the user a controller responsible for processing personal data. However, an administrator who creates a fan page, consents to the use policy, cookies policy, defines the objectives and promotes its activities has an influence on the processing of personal data for the purpose of producing a statistical report, by Facebook, on the fan page, whether anonymized or not. Thus, the administrator is a joint controller with Facebook under Article 2(d) Directive 95/46.

It also held that, as a joint controller with Facebook, the administrator’s responsibility is not equal to that of Facebook because they may be involved at different stages of that processing of personal data and to different degrees.

Comment

Administrators of fan pages on a social network should be keen on the purpose of their page. The context of the purpose is crucial in determining whether an administrator would be regarded as a joint controller with a social network or not.

Further Resources

Share blogs or news articles here!