# 21 Websites with a Facebook “Like“ button – the recent CJEU judgement sheds light on some key questions regarding the application of GDPR

If a website operator embeds a social plugin, such as the Facebook “Like” button, this triggers the collection and transmission of the visitors’ personal data to the plugin provider. The processed data include the IP address and the page content accessed by the visitors and are transmitted automatically by the browser even if the visitor does not have a social media account and regardless of whether the visitor clicks on the button.

This caused a legal dispute in Germany after the Verbraucherzentrale NRW, a public-service association tasked with safeguarding the interests of consumers, brought legal proceedings against the online retailer FashionID that used such social plugins, collecting and transmitting personal data to Facebook Ireland without informing its visitors or requesting their consent. Following a decision of the Regional Court Düsseldorf that ruled against FashionID, the Higher Regional Court Düsseldorf referred the case to the Court of Justice of the European Union (CJEU) requesting interpretation of several provisions of the former Data Protection Directive of 1995.

Although the Directive was repealed by the General Data Protection Regulation (GDPR) last year, the recent judgement of the CJEU can lead to a better understanding of the current European data protection law.

Admissibility of the Action

The Court held that consumer protection associations are granted the right to bring legal proceedings against a party that is allegedly responsible for the infringement of the protection of personal data under both the former Directive and the new General Data Protection Regulation.

Processing of Data

The Court found that FashionID shall be considered a joint controller together with Facebook Ireland regarding the processes it has influence on, namely the collection and transmission of personal data on its website. However, FashionID is not liable for the data processing carried out by Facebook after the data has been transmitted.

Therefore, website operators must thoroughly inform their visitors about the data processing operations. Furthermore, a legal basis is necessary to lawfully process the personal data of the website visitors. The Court provides interpretation of two of the legal grounds listed in Article 6 GDPR.

The website operator must obtain the consent of the visitors regarding the operations in which it acts as a joint controller, namely the collection and transmission that occurs through the website plugins.

When it comes to the pursuit of a legitimate interest, it can be a legal basis only if the processing is necessary for the legitimate interests of both joint controllers.

A social plugin brings a lot of advantages for a website, such as a bigger outreach of its content, optimisation of its visibility on social media, and keeping track of the popularity of the goods offered. In order to still use it and avoid liability, a website operator should inform the website visitors on all points listed in Article 13 GDPR, such as the ways it processes data, the purposes of processing and legal grounds, and the recipients of the data. In most cases these would be Facebook and Google as the most popular social plugin providers.

A possible solution to data protection concerns is implementing social plugins in a way that prevents the automatic transmission of data. In the case of Facebook, the technological giant provides the Like and Share buttons as program code. Instead of embedding it without changing anything, the button can be designed as a link to a pop-up window, the so-called “Two-click method”. This way, the plugin and the transmission of data it facilitates are activated not by just opening the website, but only after clicking on the button and giving consent to the processing of data. All this information must be included in the privacy policy statement and its terms and conditions.
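To make the difference concrete, the following is an added example of the “Two-click method” in browser JavaScript; it is not code from the article or from Facebook. A direct embed (shown for contrast) asks the browser to fetch the provider’s script while the page renders, which is the automatic transmission of the IP address and page URL the judgement concerns. The two-click version renders only a local placeholder; the provider’s script is requested from the click handler, after consent has been recorded. The SDK URL, the container id `like-slot`, the `fb-like` markup class and the minimal stand-in for `document` are assumptions made for this example; the authoritative embed code comes from the provider’s documentation.

```javascript
// Two-click (click-to-load) embed for a social plugin. Added example, not the
// article's code. No remote request is made until the visitor clicks.
// Assumptions (not from the article): SDK URL, container id, markup class.

const SDK_URL = "https://connect.facebook.net/en_US/sdk.js"; // assumed SDK location
const LIKE_MARKUP_CLASS = "fb-like";                           // assumed provider markup class

// Per-visit state. `requests` logs every remote URL this code asked the
// browser to fetch, which is what an auditor (and the test) cares about.
function createPluginState() {
  return { consent: false, sdkLoaded: false, requests: [] };
}

// The only place a remote request is made: inject the provider script.
function requestSdk(state, doc) {
  const script = doc.createElement("script");
  script.src = SDK_URL;
  script.async = true;
  doc.head.appendChild(script);
  state.requests.push(SDK_URL);
  state.sdkLoaded = true;
  return state;
}

// Defence in depth: every other code path goes through this gate, which
// refuses to load the SDK while consent is absent or it is already loaded.
function loadSdkIfConsented(state, doc) {
  if (!state.consent || state.sdkLoaded) return false;
  requestSdk(state, doc);
  return true;
}

// Direct embed, shown for contrast: the provider script is requested during
// page rendering, before the visitor has done anything at all.
function directEmbed(state, doc) {
  return requestSdk(state, doc);
}

// Two-click embed: first click = consent and SDK load, second click = Like.
function twoClickEmbed(state, doc, containerId) {
  const container = doc.getElementById(containerId);
  const placeholder = doc.createElement("button");
  placeholder.textContent = "Show Like button (loads content from Facebook)";
  placeholder.addEventListener("click", () => {
    state.consent = true;                              // first click records consent
    container.removeChild(placeholder);
    const like = doc.createElement("div");             // real button markup, parsed by the SDK
    like.setAttribute("class", LIKE_MARKUP_CLASS);
    like.setAttribute("data-href", doc.location ? doc.location.href : "");
    container.appendChild(like);
    loadSdkIfConsented(state, doc);                    // now, and only now, the SDK is fetched
  });
  container.appendChild(placeholder);
  return state;
}

// Minimal stand-in for the browser `document`, constructed so the example
// runs offline; in a real page pass `document` instead.
function fakeDocument() {
  const byId = {};
  function makeElement(tag) {
    return {
      tag, children: [], listeners: {}, attributes: {},
      addEventListener(type, fn) {
        if (!this.listeners[type]) this.listeners[type] = [];
        this.listeners[type].push(fn);
      },
      appendChild(child) { this.children.push(child); return child; },
      removeChild(child) { this.children = this.children.filter((c) => c !== child); return child; },
      setAttribute(name, value) { this.attributes[name] = value; },
      click() { (this.listeners.click || []).forEach((fn) => fn()); },
    };
  }
  return {
    head: makeElement("head"),
    createElement: makeElement,
    getElementById(id) {
      if (!byId[id]) byId[id] = makeElement("div");
      return byId[id];
    },
  };
}

// Wire the two-click variant into a real page when the container exists.
if (typeof document !== "undefined" && document.getElementById("like-slot")) {
  twoClickEmbed(createPluginState(), document, "like-slot"); // assumed container id
}
```

The design choice worth noting is that `requestSdk` is the single point at which anything leaves the browser, and `loadSdkIfConsented` is the only caller the two-click path uses; the `requests` log makes it easy to verify, in a test or during a review, that a page built this way performs zero third-party requests before the visitor’s first click. The placeholder text itself should tell the visitor that clicking will load content from the provider, which is the information the privacy policy must also cover.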

Sources:

Case C-40/17, CJEU, Second Chamber, 29 July 2019, available at: http://curia.europa.eu/juris/document/document.jsf;jsessionid=C928F3FB3CCCF093027557F27F1CCD39?text=&docid=216555&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=8508664

# 20 Proceedings before the Commission for Personal Data Protection

The Rules of Procedure for the Commission for Personal Data Protection were published on 30 July 2019. They provide details regarding the Commission’s internal structure and organisation, the proceedings before it, as well as the consulting and advising activities through which the Commission provides assistance to controllers.

The Rules of Procedure contain a list of all the proceedings before the Commission: handling of complaints regarding data rights violations; application of the powers granted to supervisory authorities by Regulation (EU) 679/2016 (GDPR); issuing statements on queries regarding personal data protection; approval of standard data protection contractual clauses in accordance with the Regulation; observation of procedures for the transfer of personal data to third parties or international organisations; conduct of preliminary consultations; investigation of notifications of personal data breaches; approval of codes of conduct; accreditation, and revocation of accreditation, of code-of-conduct monitoring bodies.

Other procedures may also be established in legislation. In this article we will examine the main proceedings and the ones applicable to most subjects.


Complaints and alerts for data subject rights violations

Complaints and alerts are the means of informing the Commission of a violation of rights protected under the GDPR and the Personal Data Protection Act (PDPA). A complaint is filed for the violation of one’s own rights, whereas an alert is sent when another person’s rights have been violated. Such complaints and alerts cannot be anonymous or unsigned; they must explicitly identify the person or entity against which they are submitted, and must specify the date and nature of the violation. In case of irregularities, the person lodging the complaint or alert is given 3 days to correct it. The validity, admissibility and merits of the complaint are assessed by the Legal Proceedings and Surveillance Direction of the Commission. The hearings for examination of complaints and alerts are public, and the parties concerned are informed of their date and hour. At the end of the proceedings the Commission may decide to apply measures according to the GDPR or the PDPA and, alternatively or cumulatively, impose administrative penalties.

Notifications of a personal data breach

This notification is submitted by a controller, and the required content is set out in Article 67, paragraph 3 PDPA and Article 33, paragraph 3 GDPR. Once the notification is submitted, the Commission conducts an investigation within a period of two weeks to determine its own level of involvement (whether it is the lead authority or is supporting personal data protection authorities in other Member States), the nature of the breach, the number of affected data subjects and records, the possible consequences and measures taken, as well as the level of risk involved in the breach.

Prior consultation

The Regulation requires controllers to consult the Commission where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. The Commission is given all the information related to the data processing, and based on it the Commission issues a written statement. The Regulation also provides for the possibility for Member States to make this procedure mandatory for certain types of data processing activities concerning public interest, public health and social protection. The CPDP’s Rules of Procedure also provide that in some cases the Commission may require controllers to seek consultation and preliminary permission regarding a particular processing operation where public interest and social protection are concerned. This prior consultation is intended, on the one hand, to provide preliminary supervision and, on the other, to assist controllers in taking the necessary precautions to ensure protection of the data subjects’ rights. After the consultation, the Commission can exercise any of its powers under the Regulation (for example, to impose a temporary or definitive limitation including a ban on processing, to impose an administrative fine, or to issue warnings to the data controller or processor), or issue a permission for the planned processing.

Approval of Codes of Conduct

Enterprises, associations, representative structures and categories of controllers are provided with the possibility to adopt their own Code of Conduct. Its purpose is to facilitate the application of the Regulation’s requirements and to guarantee the rights and freedoms of the data subjects whose data will be processed. The proceedings are again initiated by filing an application, which must contain information on the applicant proposing the Code of Conduct, a unique name for the Code, and the categories of controllers to which it applies. The draft Code is evaluated as to whether it complies with the Regulation, facilitates the uniform application of the Regulation and guarantees the observation of data subject rights. In case a draft is not approved, it is sent back to the applicant for completion or amendment. The approved draft is translated and sent to the European Data Protection Board. This procedure also applies to amendments and supplements to Codes of Conduct already in effect.

Trainings

Organising and conducting training programmes on personal data protection is the activity of the Commission in which the widest range of subjects might be involved. Such training can be organised on the Commission’s initiative or at a specific request. The request must include the name, address and phone number of the applicant and the relevant documents and information, and it also has to be signed and dated. Regarding activities of high public interest and ones that, by their nature, require special attention, the Commission takes the initiative to organise training programmes for controllers and data processing personnel. According to the Rules of Procedure, data subjects, certifying bodies, controllers, data processing personnel and data protection officers may take part in the trainings. Sessions begin with a test for determining the level of initial knowledge, and there is a final exam as well. The participants receive a certificate confirming successful completion of the training.