The EU Court of Justice (CJEU) has determined that Fan Page Administrators, alongside Facebook, are jointly responsible as data controllers for the processing of users' personal data on their Business Fan Pages.
In a case opposing a regional German Data Protection Authority (DPA) and a privately-run education academy, a Federal Administrative Court referred the case to the CJEU, seeking guidance on 2 points, namely the interpretation of the notion of data controller and the scope of a German DPA's competence over a company (Facebook) with EU headquarters in another EU country (Ireland).
The CJEU's decision was based on Fan Page Administrators' input for the filters that Facebook applies to aggregate user statistics. Because Fan Page Administrators determine the parameters for data collection and receive data on fan profiles, albeit anonymized, from Facebook, they must be considered as data controllers, which are jointly responsible with Facebook for compliance with data protection law.
The Court also determined that because Facebook had a subsidiary in Germany, which is responsible for Facebook's advertising system and pursues operations in the context of Facebook's data processing activities, the local DPA was competent to intervene.
Although the Court's ruling is based on the 1995 EU Data Protection Directive which was replaced on 25 May 2018 by the GDPR, the analysis remains relevant because identical wording is used in both instruments for the definition of controller.
EBU Members operating a Fan Page on Facebook will in the future be considered as joint controllers and will have to comply with relevant requirements set out in the GDPR. This may include, among others, concluding a joint controller agreement with Facebook and determining respective responsibilities, for example in relation to information obligations and users' rights.