Abmahnfalle Social Media Fanpage – easyRight

Lawyer, Specialist Lawyer for Commercial and Corporate Law, Dr. med. Ronald Kandelhard

Abmahnfalle Social Media? How to secure your Fanpage against warnings after the ECJ judgment

Part I: Liability trap Social Media Fanpage

  1. Introduction: The liability for fanpages
  2. What do Facebook, Twitter, Instagram, Google+, YouTube, Pinterest, Linkedin, Xing do?
  3. What threatens because of liability for fanpages?
  4. a) Order for annulment and fine
  5. b) Warning of users
  6. c) Warning of competitors or warning organizations
  7. What has the ECJ decided on liability for fanpages?
  8. Why does the ECJ have a company attached to its fan page?
  9. Does the liability for fanpages also apply according to the DSGVO?
  10. Are all fanpages affected on social media platforms?
  11. What does the privacy conference say?
  12. What answer does Facebook give with the joint agreement on data protection responsibility?
  13. Do not you have to switch off your social media fan page?

Part II: How to reduce the liability for social media fanpages

  1. What are Fanpage (s)?
  2. Is the legal position for liability for fanpages clarified?

3. What measures can I take to secure my fan page?

  1. a) Measure # 1: Add to your social media channels even if you only set links
  2. b) Measure # 2: Use privacy statements on your social media fan page
  3. aa) Where do I have to attach the clues?
  4. bb) How should I give the hint?

III. Result

Part I: Liability trap Social Media Fanpage

1. Introduction: Liability for Fanpages

With judgment From 5 June 2018, the ECJ ruled that the operator of a Facebook fan page for Facebook's privacy violations is partly responsible!

  • What? Will you ask, if you have not already heard it and found time to slowly get used to this new law.
  • How should I help small users to ensure that Facebook complies with data protection laws?
  • The answer to this question is simple: not at all.
  • Do you have to throw in the towel and cut off all social media channels?
  • This is partly advised, but I think no.

Quite so “heartless” was the ECJ in light probably not that he leaves all small entrepreneurs for Facebook and Co. adhere indiscriminately. Like me here There are good reasons that can be legally brought against a warning or a fine. Much better than afterwards to discuss in court, however, is to avoid as possible a warning or a fine. The ECJ's ruling is on its way and you need to make some arrangements to ensure that your fanpage on Facebook, Twitter, Instagram, Google+, YouTube, Pinterest, Linkedin, Xing, etc. is reasonably secure.

2. What do Facebook, Twitter, Instagram, Google+, YouTube, Pinterest, Linkedin, Xing do?

You may be surprised: Do not Facebook and Co. have to comply with the DSGVO?

In principle this is true, but it is also true that Facebook in particular, but also many other social media platforms have met neither before the adoption of the General Data Protection Regulation nor after the European data protection.

Google has done much (at least externally) to implement the GDPR. Hardly any other company has introduced so many new privacy features, but daughter YouTube does not benefit as much. The other social media platforms are often not much better either. Especially in the area of ​​tracking for advertising purposes, the platform often allows more than the DSGVO allows.

3. What threatens liability for fanpages?

As a result, any business can face Facebook or accounts on other social media platforms, such as Twitter, Instagram, Google+, YouTube, Pinterest, Linkedin, Xing, and more, just because of a corporate page. following consequences:

a) Order for annulment and fine

First, the data protection authority can ask the company to close the social media fan page and therefore impose a penalty or a fine (that was the starting point of the ECJ ruling).

b) Warning of users

Furthermore, visitors to the fanpage can assert the rights of the DSGVO against the company. This can be a fee-based warning and a claim for damages.

c) Warning of competitors or warning organizations

Abmahnvereine or competitors could issue a warning, because the use of a social media presence with data protection offenses is an unjustified advantage in the competition, which discriminates against legitimate competitors anti-competitive. Consequence would be above all an obligation to reimburse the costs of the warning.

4. What has the ECJ decided on liability for fanpages?

The reason for the judgment of the European Court of Justice was the operation of a corporate website by a training provider. The responsible state office for data protection objected to these and asked the educational institution to switch off the Fanpage on Faceboook. The State Office for Data Protection stated that Facebook has collected personal data from users of the fanpage and that neither Facebook nor the educational provider had informed the fanspage visitors (by means of a privacy policy) that these data were being collected. One of the main reasons for the prohibition was therefore the lack of a privacy policy.

The authority threatened to enforce the ban on a penalty payment. By contrast, the educational institution objected. She defended herself by arguing that a company using Facebook was not responsible for Facebook's data processing.

But this was not followed by the ECJ. In consistent interpretation of the person responsible referred back to the previous privacy policy. The ECJ ruled that the company had made it possible to misuse the data by opening the fan page and therefore has to be held responsible for the violations of Facebook.

5. Why does the ECJ have a company liable for its fan page?

As a result, any company is liable for any privacy breaches on any social media platform it uses. From a data protection point of view, this is consistent. Every company must choose their software and partners to ensure privacy.

The reason for the liability is that the company with the fan page, so to speak, poses a danger (as a guide to a smooth path):

“The fact that an operator of a fan page uses the platform set up by Facebook in order to use the related services can not release it from compliance with its obligations regarding the protection of personal data.”

6. Does the liability for fanpages also apply according to the DSGVO?

The judgment of the European Court of Justice was still issued on the previous directive on data protection, because in the old case the GDPR was not yet applicable. However, the judgment also applies without further ado to the new General Data Protection Regulation. The concept of the person in charge of the law before the GDPR remained largely the same afterwards.

7. Are all fanpages affected on social media platforms?

The verdict not only affects Facebook, but also applies to all other social media appearances accordingly. Whether it's Instagram, Pinterest, LinkedIn, Twitter, Google+, YouTube, Medium, Reddit, Steemit, or Quora, any social media platform would first need to check them out

a) DSGVO compliant and is
b) all precautions are possible, which the DSGVO requires (Cookie Notice, Privacy Policy etc.)
c) an agreement for joint processing is offered (previously only on Facebook the case)

Even for German or European social media platforms such as Xing that would be even more accurate.

8. What does the privacy conference say?

Just now, the Conference of Independent Data Protection Supervisors (DSK) of the Federal and State Governments (on 5 September 2018) has one decision hit Facebook fanpages. It states that, despite the three months since the judgment, Facebook has taken virtually no action to comply with data protection following the judgment of the European Court of Justice. Still, the DSK notes – for people who are not users of Facebook cookies with identifiers set, at least if they call on Facebook more than just the homepage of the fan page. The DSK complains that the fanpage visits within Facebook Insights are still evaluated and made available to the operators of the fanpage.

Furthermore, the DSK misses an agreement on a joint agreement between Facebook (or the other social media platform) and the fan page operator gem. Art. 26 para. 1 p. 1 DSGVO. In such a case sees the DSGVO gem. Art. 26 (1) sentence 2 GDPR before:

“They shall specify in an agreement, in a transparent manner, who shall fulfill their obligations under this Regulation, in particular as regards the exercise of the rights of the data subject, and who shall comply with what obligations of information under Articles 13 and 14 insofar as and to the extent that the respective responsibilities of those responsible are not determined by Union or Member State legislation to which those responsible are subject. '

This is followed by a catalog with eight questions that Facebook and the fan page owners responsible for you must now fulfill:

  1. In what way is it determined between you and other jointly responsible persons, who of you fulfills which obligation according to the GDPR? (Article 26 (1) GDPR)
  2. On the basis of which agreement did you establish with each other who meets what information obligations according to Art. 13 and 14 GDPR?
  3. How are the essential aspects of this agreement made available to the data subjects?
  4. How can you ensure that the data subjects' rights (Art. 12 et seq. GDPR) can be fulfilled, in particular the rights to cancellation according to Art. 17 GDPR, to restriction of processing according to Art. 18 GDPR, to opposition according to Art. 21 GDPR and to Art Information according to Art. 15 GDPR?
  5. For what purposes and on what legal basis do you process the personal data of the visitors of fanpages? What personal data is stored? To what extent are profiles created or enriched by visits to Facebook fanpages? Is personal information used by non-Facebook members to create profiles? Which deletion periods are planned?
  6. For what purposes and on what legal basis are entries made in the so-called local storage at the first call of a fan page even for non-members?
  7. For what purposes and on what legal basis are a session cookie and three cookies with lifetimes between four months and two years stored after calling a subpage within the fanpage offer?
  8. What measures have you taken to fulfill your obligations under Art. 26 GDPR as a joint controller and to conclude a corresponding agreement?

9. What answer does Facebook give with the joint agreement on data protection responsibility?

Then on 11 September 2018 Facebook responded surprisingly quickly and on Update for Page admins in the EU and the EEA announced. This is in a so-called. Page Insights Controller Addendum reached an agreement on joint responsibility under the GDPR. This is expected to be simply announced to the operators of the fan page and then accepted by use. Currently, a formal contract is not required.

In this agreement, Facebook recognizes the primary responsibility for the fulfillment of the obligations under data protection law, in particular with regard to information and user rights. So Facebook is on the right path in each one. Nevertheless, as the operator of a Facebook fan page, you also have to fulfill various duties in order to be able to use the fan page reasonably legally.

Whether Facebook has acted sufficiently, of course, is not yet clear. The addendum is still very rudimentary. Of the eight questions raised by the Privacy Conference, at least the questions 1, 2, 4 and 8 can be answered with the joint responsibility agreement. You can also ask questions 3 and 5 as a site operator through your own privacy policy to the social media fan page.

10. Do not you have to do his social media Fanpage switch off?

You can not do anything against the liability for Facebook, Instagram, Linkedin, YouTube, Google+, Pinterest and Co. as a mere user. Many social media platforms are currently not compliant with data protection in many respects. There are still not enough settings available to enable data protection compliant use of the platform. Moreover, Facebook and the other social media platforms are not sufficiently transparent. It is virtually impossible to even determine the exact use of data by Facebook and Co.

Part II: How to reduce the liability for social media fanpages

1. What are Fanpage (s)?

Fanpage (s) are any accounts, memberships, or corporate pages that offer or even promote paid services in any form. Therefore, a private account is sufficient if you apply your (commercial) blog posts or offers or other content. Pure public relations is enough, which can already start when, for example, only the company logo or a picture of a company is shown. Purely private sites without any commercial background are not affected.

2. Is the legal position for liability for fanpages clarified?

The legal situation is still unclear. Facebook has certainly taken a step in the right direction, but is the only social media platform currently offering a joint agreement. But other platforms will follow soon.

There are still questions left, but it turns out that it is possible with a separate privacy policy to operate Fanpages at least reasonably secure.

3. What measures can I take to secure my fan page?

Above all, the ECJ complained that users were not informed as to which data collections were being made on the social media platform. This is not guaranteed by the agreement that Facebook has just released. Rather, the proviso of the first reaction of the Data Protection Conference from June 2018, which under the unpromising title:

“The time of irresponsibility is over”

has been published.

It called for a legitimate operation of a social media site:

“Anyone visiting a fanpage must be informed transparently and in an understandable form ….

This is an essential consequence of the judgment of the ECJ: Both in the privacy policy on your own website, you must point to the social media platform and also on the social media platform itself, so on your own fan page.

a) Measure # 1: Add to your social media channels even if you only set links

Even if you do not use social media plugins, you should inform all visitors to your website about the fact that and where DuSocial Media Fanpage (s) operate. This is an option that is often not reflected by the generators I know.

Actually, it is easily possible to link to his own social media account. But after the judgment of the ECJ you have to pay attention, that you put your visitors “in danger”, that their data will be processed by the social media platform. You have to enlighten about that. Therefore, only links to your social media account in the privacy policy should be mentioned. That's about with the WordPress plugin or privacy generator of www.easyRechtssicher.depossible. There you will find appropriate options and of course all the other patterns you need.

Only with such an extension of your privacy policy do you inform your users that their data may also be accessible to the social media platform (yes, the ECJ bases itself here on rather unsuspecting users of your website).

b) Measure # 2: Use privacy statements on your social media fan page

But that's not all. The user can not only come from your website to the social media platform, but also directly access the fan page on the social media platform. In that case he will not be able to find out about the privacy policy on your site, but must also be able to find this information on the social media platform.

Please note that this privacy policy is not identical to the privacy policy on your website. The visitor to your fanpage is not on your website, but on the website of Facebook, Google+, YouTube, Instagram, Pinterest and Co. It is therefore not primarily about the data you collect, but also the data and the tracking through the social media Platform.

You must describe this data processing in a special privacy statement for the social media platform (as good as this is possible due to lack of transparency) and point out ways in which the visitor can disclose as little data as possible.

Such patterns are easyRechtssicher both in the members area as well as in the plugin for WordPress and the special generator for social media fan pages. Here and there are also less formulated patterns on the Web, but here you must always check whether you may use the synonymous.

aa) Where do I have to attach the hints?

Locally, the Privacy Policy should be as clear as possible, either at a specially designated location for the privacy policy (Facebook, for example, allows a link to the Data Policy under “Info”) or in company information (Facebook on Facebook) or as a pinned post.

Already there are many discussions about the best places for each platform. Write your favorite place as a comment. Often there is very little room and the discussion is above all about whether one should “waste” the legal information or not. We do not want to get involved in this. The clearer the better.

bb) How should I give the hint?

The reference to the special privacy policy for your fan page on Facebook, Instagram, Google+, YouTube, Pinterest and Co. can be incorporated in three ways:

If you have a website, you should use the third option. In addition, it is already integrated in our plugin and in our data protection generator for all complete protection customers. All others can use our Generator for Fanpage (s) and our Hosting Service.

III. Result

Operators of a website are currently finding little peace. After the DSGVO the next shock. The consequences of the verdict can be quite considerable for fanpages and from highest legal precaution one must now recommend to close all fanpages on all non-DSGVO-compliant social media platforms.

Nevertheless, there are some arguments why the legal consequences may be less dramatic. You can also try to make yourself less vulnerable. This concerns clear references in the privacy statement to the dangers of the social media platforms and as far as possible a privacy-compliant attitude of the respective social media fan page. Of course, it also makes sense to examine your own social media profiles for your benefit and to delete profiles that are less used. The easiest privacy is still to have no data.

If you do not want to switch off your Fanpage now, you should take 2 measures:

  1. Point out the use of the social media platform (even with mere links to your account) in your privacy policy.
  2. In the social media platform refer to a privacy policy for this platform (this may also be a text that is at the end of your privacy policy, so you can create both documents in one).

In our guides in the member area for the Complete protection and at the Plugin with complete protection you will find a chapter on fanpages. You can also find patterns for your privacy policy and privacy policy on the social media page. With the next update of our plugin, you can easily set the privacy policy in the backend and use the new texts. At the same time we will also offer a generator for the Fanpages.

Source link


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.