Software Providers May Be Considered Data Controllers

Posted on 07/12/2018

joint controllers

The data protection world turned upside down on June 5th with the decision in the Court Justice for the European Union (CJEU) that both Facebook Inc and the moderators who run fan pages on the website should jointly be considered data controllers. Let’s take a look at some of the implications of that decision and how the giant social media platform has responded. 

Joint Controllers

Every Facebook group or community that determines the purpose or means of the processing of personal data is a joint controller with Facebook (this will also apply to other social media platforms).  As such, the moderators of fan pages and business pages should provide data subjects who sign up for these groups with an appropriate information notice explaining why and how their personal data is being processed.

Facebook’s Response

The CJEU’s ruling also means that Facebook must have ‘written arrangements’ with other joint controllers that specify who provides such information notices, who handles data breaches, and who communicates with data protection authorities. Since the ruling, Facebook has produced a legal document outlining data processing relationships. However, there has been some criticism that Facebook’s response does not comply with the decision of the CJEU.

Criticisms of Facebook’s Response

The document produced by Facebook seems to be a controller to processor agreement. The format of these types of agreement is defined in Article 28 of the GDPR. However, the CJEU ruled that Facebook was a joint controller and as such any legal agreement should take its lead from Article 26 of the GDPR which describes what arrangements need to be made between parties that have joint control of data. 

A list of omissions and errors in the Facebook agreement has been compiled in an English language blog post on the German website Datenschutz-Notizen. The writer of the blog post recommends that businesses using Facebook services cover their backs by requesting an agreement in terms of Article 26 and documenting both their request and Facebook’s reply.

At Priviness, we provide comprehensive training on privacy and data protection legislation, including GDPR and other global laws. For further information, please call 0203 2878 243 or email

For the latest news relating to data protection, follow us on Twitter.

Back To all catagories
Contact Us

For more information about any of our data protection and privacy consultancy services, please don’t hesitate to get in touch.

Email or call 0203 2878 243

Before giving us your personal data, please do read our privacy charter

Privacy Charter