The EEA includes the 28 EU Member States plus Iceland, Liechtenstein, and Norway. You should note that although the UK is leaving the EU, it's still covered by these rules.
- Comply with Facebook's requirements
- Explain what happens to this personal data
- Identify who is responsible for protecting the data
- Tell people who they can contact for more information and to find out what data you process
For the avoidance of doubt, personal data is essentially anything that can be used to identify an individual person. This identifier can be anything from an IP address to a name, which means there's a whole host of data that might be "personal."
So, why do you need to comply with these rules? There are 2 simple reasons.
- First, every platform can set its own rules (within the scope of the law, of course). If you want to use the platform, you need to comply with whatever rules the service provider sets.
- Second, it's not just Facebook that is responsible for data protection compliance. By law, you are, too. In fact, you and Facebook share the responsibility of:
  - Protecting personal data
  - Informing people of their privacy rights
If you don't comply, Facebook can shut your Page down and it could be hard to start a new Page.
Let's cover some basics so you're clear on exactly what the rules are, and why they apply to you.
Privacy Policies are required by a number of laws around the world. These laws aim to help people protect their personal data. People using your website, service or platform have the right to know what happens to their information when they do so.
Facebook Pages fall under the scope of these laws meant to protect user rights because:
- Page Insights let you see how people interact with your posts and Page content. Through these analytics, you can improve your future posts.
- When you use Page Insights, you're accessing personal data about Page visitors or subscribers.
- Contact details
- Outline of the type of data you collect
- Why you collect the data
- How you collect the data
- What happens to this information
- How people can opt out of marketing and non-essential data collection
To fully comply with the GDPR, you need a few other clauses, too.
The Facebook Page Insights Controller Addendum
Facebook amended its Page Insights Controller Addendum in 2020. It confirms that Page admins are jointly responsible for protecting personal data captured for Page Insights.
So, if you're a Facebook Page admin, you agree that you and Facebook are jointly responsible for protecting personal data.
But what does this mean? In reality, you don't have as much responsibility as this implies. Facebook takes responsibility for most of it, namely:
- Telling users about the Addendum
- Informing users of their Page Insights privacy rights
- Fulfilling data access requests
- Telling the relevant supervisory authorities if there's a data breach
So, what are you responsible for?
- Setting out your legal basis for processing the data in the first place
- Identifying yourself as a joint controller
In other words, you need a clear reason for capturing someone's personal data through Page Insights. We'll take a closer look at valid reasons below, but for now, let's consider what it means to be a joint controller.
According to Article 4 of the GDPR, a controller is someone who decides what personal data to collect and why the collection is necessary. So, a joint controller is simply someone who undertakes this responsibility alongside another controller.
But is there ever a time when you could be the single data controller? Is there ever a scenario when you're expected to take on more responsibility? Yes, actually.
If you interact directly with Page visitors and collect information from them (e.g., email addresses to run a contest), you are the controller, not Facebook.
Why? Because this type of data collection has nothing to do with Page Insights. You can see this exception in Facebook's Pages Policy.
So, you need to get someone's consent to collect their data and use it in a specific way. Always keep this rule in mind when you're using Facebook Pages.
Before we move on, let's just be clear on exactly who needs to comply with these new requirements:
- There's probably no need to make these changes if you only use your Page for personal reasons. That's because, under the GDPR, you don't need to protect personal data collected for home or purely domestic use.
- You don't need to comply if you run a Community Page, either, but you need to comply if your Page status changes.
- If you use your Page for any other reason, and collect any amount of personal data, you need to comply with the Addendum.
Declaration of Controllers
People have a right to know who the data controller is. So, you need to declare that you're a data controller. More specifically, you need to explain that you're a controller alongside Facebook.
Eppendorf's Privacy Policy, for example, first identifies the company as a data controller within the meaning of the GDPR:
Then, in clause 5, the company explains it sometimes acts as a joint controller with Facebook:
There's no specific language you need to use. All that matters is that you identify your company as a joint controller with Facebook for Page Insights.
As with Eppendorf, it's good practice to link to Facebook's Addendum so people can read more about it for themselves.
Facebook's Full Details
Eppendorf, for example, puts Facebook's business details at the start of section 5, as seen in the previous image. Although the clause doesn't include an email address or telephone number, it's easy for people to click through the link provided and find these details for themselves. This is sufficient for Addendum purposes.
Your Contact Information
You should include at least one free method of contact, such as an email address or online contact form.
Lufthansa, for example, sets out its contact details beside Facebook's. Setting out contact details like this reinforces the idea that they're joint controllers, but as we can see from Eppendorf above, it's not necessary. Simply providing the contact details is enough:
Your Legal Basis for Processing
Next, you need to specify your legal basis for processing data at all. Under the GDPR, there are 6 recognized grounds for processing a data subject's information:
- You have a legitimate interest
- It's in the public interest
- You're protecting the subject's vital interests
- It's part of your contract with the subject
- You have their express consent
- You're fulfilling your legal obligations in some other way
So, for example, you don't need someone's consent to process personal data if you need that information to complete a contract. In the same way, you don't need consent or any contract in place if you're acting in the interests of public security.
Lufthansa identifies 2 legal bases: Performing a contract, and acting in the company's own legitimate interests:
Remember, people have specific rights over their personal data. Namely, they have the right of:
If people want to exercise these rights, they need to lodge a request with the data controller. There are 2 points to note here.
First, if someone makes an access request about personal data processed through Page Insights, only Facebook can deal with it. This is stated in the Addendum:
So, all you need to do is complete and submit the form linked in the Addendum. You can't fulfil the access request yourself.
The second point is that if someone makes an access request for data you processed in any other capacity, it's your responsibility to deal with. You only forward the request to Facebook if it relates to insights.
- While signed in as an admin, click "About" in the left side menu
Here's an example from Lufthansa's Facebook Page:
You don't need to post your whole Policy on the Facebook Page. You only need to provide a visible link.
- Alongside Facebook, you are jointly responsible for any personal data processed through Page Insights.
- You need to inform people that you're a joint controller and that you capture personal data from them.
- You must also identify your legal basis for processing and provide your contact details.
- If you receive a data access request for information captured through Pages, you must forward it to Facebook.
- You must otherwise comply with your responsibilities under the GDPR.
If you breach these requirements, you'll probably lose your Page. Users could also raise a complaint against your company for failing to handle their data properly.