Lawyer, Specialist Lawyer for Commercial and Corporate Law, Dr. med. Ronald Kandelhard
Social media as a warning-letter trap (Abmahnfalle)? How to secure your fanpage against warnings after the ECJ judgment
- Introduction: The liability for fanpages
- What do Facebook, Twitter, Instagram, Google+, YouTube, Pinterest, Linkedin, Xing do?
- What are the risks arising from liability for fanpages?
- a) Order for annulment and fine
- b) Warning letters from users
- c) Warning letters from competitors or warning associations
- What has the ECJ decided on liability for fanpages?
- Why does the ECJ hold a company liable for its fan page?
- Does the liability for fanpages also apply under the GDPR?
- Are all fanpages affected on social media platforms?
- What does the privacy conference say?
- What answer does Facebook give with the joint agreement on data protection responsibility?
- Don't you have to switch off your social media fan page?
- a) Measure # 1: Point to your social media channels even if you only set links
- b) Measure # 2: Use privacy statements on your social media fan page
- aa) Where do I have to place the notices?
- bb) How should I present the notice?
In its judgment of 5 June 2018, the ECJ ruled that the operator of a Facebook fan page is partly responsible for Facebook's privacy violations!
- What? you will ask, if you have not already heard about it and had time to slowly get used to this new legal situation.
- How am I, as a small user, supposed to ensure that Facebook complies with data protection laws?
- The answer to this question is simple: not at all.
- Do you have to throw in the towel and cut off all social media channels?
- Some advise this, but I think not.
The ECJ was probably not quite so “heartless” as to make all small entrepreneurs indiscriminately liable for Facebook and Co. As I have set out elsewhere, there are good reasons that can be raised legally against a warning or a fine. Much better than arguing in court afterwards, however, is to avoid a warning or a fine as far as possible. The ECJ's ruling is now in place, and you need to take some precautions to ensure that your fanpage on Facebook, Twitter, Instagram, Google+, YouTube, Pinterest, Linkedin, Xing, etc. is reasonably secure.
You may wonder: Don't Facebook and Co. have to comply with the GDPR themselves?
In principle this is true, but it is also true that Facebook in particular, and many other social media platforms as well, complied with European data protection law neither before nor after the adoption of the General Data Protection Regulation.
Google has done much (at least externally) to implement the GDPR. Hardly any other company has introduced so many new privacy features, but its subsidiary YouTube does not benefit as much. The other social media platforms are often not much better either. Especially in the area of tracking for advertising purposes, the platforms often permit more than the GDPR allows.
As a result, any business may face the following consequences merely because it has a company page on Facebook or an account on another social media platform, such as Twitter, Instagram, Google+, YouTube, Pinterest, Linkedin, Xing, and more:
First, the data protection authority can ask the company to close the social media fan page and, to that end, impose a penalty or a fine (that was the starting point of the ECJ ruling).
Furthermore, visitors to the fanpage can assert their rights under the GDPR against the company. This can mean a warning letter with costs and a claim for damages.
Warning associations (Abmahnvereine) or competitors could issue a warning, because using a social media presence that violates data protection law is an unjustified competitive advantage that unfairly disadvantages law-abiding competitors. The main consequence would be an obligation to reimburse the costs of the warning.
The authority threatened to enforce the ban by means of a penalty payment. The educational institution objected. It defended itself by arguing that a company using Facebook was not responsible for Facebook's data processing.
As a result, any company is liable for any privacy breaches on any social media platform it uses. From a data protection point of view, this is consistent. Every company must choose its software and partners so that privacy is ensured.
The reason for the liability is that the company, with its fan page, creates a source of danger, so to speak (like a signpost pointing to a slippery path):
“The fact that an operator of a fan page uses the platform set up by Facebook in order to use the related services cannot release it from compliance with its obligations regarding the protection of personal data.”
The judgment of the European Court of Justice was still issued under the previous data protection directive, because the GDPR was not yet applicable to the old case. However, the judgment readily carries over to the new General Data Protection Regulation. The concept of the controller (the "person responsible") under the law before the GDPR has remained largely the same.
The verdict not only affects Facebook, but also applies accordingly to all other social media presences. Whether it's Instagram, Pinterest, LinkedIn, Twitter, Google+, YouTube, Medium, Reddit, Steemit, or Quora, for any social media platform you would first need to check whether it
a) is GDPR compliant and
c) offers an agreement for joint processing (so far only the case with Facebook)
This applies all the more to German or European social media platforms such as Xing.
Just recently (on 5 September 2018), the Conference of Independent Data Protection Supervisors (DSK) of the Federal and State Governments adopted a decision on Facebook fanpages. It states that, despite the three months since the judgment, Facebook has taken virtually no action to comply with data protection following the judgment of the European Court of Justice. The DSK notes that cookies with identifiers are still set even for people who are not Facebook users, at least if they open more than just the home page of the fan page on Facebook. The DSK also complains that fanpage visits are still evaluated within Facebook Insights and made available to the operators of the fanpage.
Furthermore, the DSK finds that an agreement on joint responsibility between Facebook (or the other social media platform) and the fan page operator pursuant to Art. 26 (1) sentence 1 GDPR is missing. For such a case, Art. 26 (1) sentence 2 GDPR provides:
“They shall specify in an agreement, in a transparent manner, who shall fulfill their obligations under this Regulation, in particular as regards the exercise of the rights of the data subject, and who shall comply with what obligations of information under Articles 13 and 14 insofar as and to the extent that the respective responsibilities of those responsible are not determined by Union or Member State legislation to which those responsible are subject.”
This is followed by a catalog of eight questions that Facebook and you, as the responsible fan page operator, must now answer:
- In what way is it determined between you and other jointly responsible persons, who of you fulfills which obligation according to the GDPR? (Article 26 (1) GDPR)
- On the basis of which agreement did you establish with each other who meets what information obligations according to Art. 13 and 14 GDPR?
- How are the essential aspects of this agreement made available to the data subjects?
- How can you ensure that the data subjects' rights (Art. 12 et seq. GDPR) can be fulfilled, in particular the rights to erasure according to Art. 17 GDPR, to restriction of processing according to Art. 18 GDPR, to object according to Art. 21 GDPR and to information according to Art. 15 GDPR?
- For what purposes and on what legal basis do you process the personal data of the visitors of fanpages? What personal data is stored? To what extent are profiles created or enriched by visits to Facebook fanpages? Is personal data of non-Facebook members used to create profiles? Which deletion periods are planned?
- For what purposes and on what legal basis are entries made in the so-called local storage at the first call of a fan page even for non-members?
- For what purposes and on what legal basis are a session cookie and three cookies with lifetimes between four months and two years stored after calling a subpage within the fanpage offer?
- What measures have you taken to fulfill your obligations under Art. 26 GDPR as a joint controller and to conclude a corresponding agreement?
Then, on 11 September 2018, Facebook responded surprisingly quickly and announced an update for Page admins in the EU and the EEA. In it, a so-called Page Insights Controller Addendum sets out an agreement on joint responsibility under the GDPR. It is expected to be simply announced to the operators of the fan page and then accepted through use. Currently, a formal contract is not required.
In this agreement, Facebook recognizes its primary responsibility for fulfilling the obligations under data protection law, in particular with regard to information and user rights. So Facebook is on the right path in any case. Nevertheless, as the operator of a Facebook fan page, you also have to fulfill various duties in order to be able to use the fan page in a reasonably lawful manner.
As a mere user, you cannot do anything about the liability for Facebook, Instagram, Linkedin, YouTube, Google+, Pinterest and Co. Many social media platforms are currently not compliant with data protection in many respects. There are still not enough settings available to enable data protection compliant use of the platform. Moreover, Facebook and the other social media platforms are not sufficiently transparent. It is virtually impossible even to determine exactly how Facebook and Co. use the data.
Fanpages are any accounts, memberships, or corporate pages that offer or merely promote paid services in any form. A private account is therefore sufficient if you use it to advertise your (commercial) blog posts, offers or other content. Pure public relations is enough, and that can begin as soon as, for example, only the company logo or a picture of the company is shown. Purely private sites without any commercial background are not affected.
The legal situation is still unclear. Facebook has certainly taken a step in the right direction, but it is the only social media platform currently offering a joint agreement. But other platforms will follow soon.
Above all, the ECJ complained that users were not informed as to which data collections were being made on the social media platform. This is not guaranteed by the agreement that Facebook has just released. Rather, the requirement from the Data Protection Conference's first reaction of June 2018 still applies, which was published under the unpromising title:
“The time of irresponsibility is over”
For the lawful operation of a social media page, it demanded:
“Anyone visiting a fanpage must be informed transparently and in an understandable form ….
Even if you do not use social media plugins, you should inform all visitors to your website that, and where, you operate social media fanpages. This is an option that the generators I know of often do not cover.
You must describe this data processing in a special privacy statement for the social media platform (as well as this is possible given the lack of transparency) and point out ways in which the visitor can disclose as little data as possible.
easyRechtssicher provides such templates in the members area, in the plugin for WordPress and in the special generator for social media fan pages. Here and there, less elaborate templates can also be found on the Web, but you must always check whether you are allowed to use them.
There are already many discussions about the best places for each platform. Post your favorite place as a comment. Often there is very little room, and the discussion is above all about whether one should “waste” it on the legal information or not. We do not want to get involved in this. The clearer the better.
- direct publication on the social media platform (but I do not know where this already works)
If you have a website, you should use the third option. In addition, it is already integrated in our plugin and in our data protection generator for all complete protection customers. All others can use our Generator for Fanpages and our Hosting Service.
Website operators are getting little rest at the moment. After the GDPR comes the next shock. The consequences of the judgment can be quite considerable for fanpages, and out of the utmost legal caution one would now have to recommend closing all fanpages on all social media platforms that are not GDPR compliant.
Nevertheless, there are some arguments why the legal consequences may be less dramatic. You can also try to make yourself less vulnerable. This means clear references in the privacy statement to the dangers of the social media platforms and, as far as possible, privacy-compliant settings for the respective social media fan page. Of course, it also makes sense to examine your own social media profiles for their usefulness and to delete profiles that are little used. The simplest data protection is still to have no data.
If you do not want to switch off your fanpage now, you should take 2 measures: