• GL
Choose your location?
  • Global Global
  • Australia
  • France
  • Germany
  • Ireland
  • Italy
  • Poland
  • Qatar
  • Spain
  • UAE
  • UK

Social media plug-ins have just become a big deal

08 August 2019
Commercial Law
The operator of a website that features a Facebook ‘Like’ button can be a controller jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to its website, according to the recent judgment of the Court of Justice of the European Union (CJEU).

What happened?

Fashion ID, a German online retailer selling clothing, embedded a social media plug-in (Facebook's 'Like' button) on its webite. As a result, when a user lands on Fashion ID’s website, information about that user’s IP address and browser string is transferred to Facebook. This transfer occurs automatically when Fashion ID’s website has loaded, irrespective of whether the user has clicked on the ‘Like’ button and whether or not such user has a Facebook account.

A German consumer protection association questioned the legality of using such a plug-in, considered it to be in breach of data protection legislation and started legal proceedings. The Higher Regional Court in Dusseldorf, Germany, heard the dispute and asked the CJEU to interpret several provisions of Directive 95/46/EC (the predecessor of the GDPR). 

The main question in this case related to whether Fashion ID, with regards to the data processing following from having Facebook's 'Like' button on its website, should be classified as a ‘controller’. The CJEU decided the following:

  • "Fashion ID cannot be considered to be a controller in respect of the operations involving data processing carried out by Facebook Ireland after those data have been transmitted to the latter. It seems, at the outset, impossible that Fashion ID determines the purposes and means of those operations."
  • "By contrast, Fashion ID can be considered to be a controller jointly with Facebook Ireland in respect of the operations involving the collection and disclosure by transmission to Facebook Ireland of the data at issue, since it can be concluded that Fashion ID and Facebook Ireland determine jointly the means and purposes of those operations."

The CJEU considered the fact that the processing operations appeared to be performed in the economic interest of both Fashion ID and Facebook Ireland to be an important factor in its decision. This recent judgment further develops the issue of (joint) controllership and adds to several other recent cases on the topic: Wirtschaftakademie Schleswig-Holstein (administrator of Facebook fan page acts as joint controller together with Facebook) and Jehovan todistajat (access to all of the personal data is not required for there to be joint control and responsibility). It further confirms the reasoning in previous cases that joint controllership is established when one party makes it possible for personal data to be collected and transferred, potentially coupled with some input of such joint controller regarding the parameters (including when there is silent endorsement of them).

The Fashion ID case is also an interesting development in terms of setting out individual obligations of joint controllers, applicability of lawful processing grounds and provision of information requirements. The CJEU has clarified that:

  • The operator of a website (such as Fashion ID), as a joint controller, must provide certain information to their website users at the time of collection, such as its identity and the purpose of processing.
  • In cases whereby website users have given their consent and the website operator uses this a lawful ground to process personal data, the operator of the website must obtain prior consent in respect of operations for which it is a joint controller (collection and transmission of data).
  • In cases whereby legitimate interest is relied on as a lawful processing ground, each of the joint controllers (the website operator and the provider of the plug-in) must pursue a legitimate interest through the collection and transmission of personal data in order for those operations to be justified in that regard.

Organisations using social media plug-ins on their websites should be aware of this case and clarify their respective responsibilities as controllers in a contractual arrangement where applicable. Organisations should also consider what lawful grounds they rely on to justify such processing and ensure that the information provision to data subjects involved is sufficient, clear and timed correctly. 

Please contact the Data Protection team if you have any questions or require assistance in this area.

Further Reading

We use cookies to give you the best user experience on our website. Please let us know if you accept our use of cookies.

Manage cookies

Your Privacy

When you visit any web site, it may store or retrieve information on your browser, mostly in the form of cookies. We mainly use this information to ensure the site works as you expect it to, and to learn how we can improve the experience in the future. The information does not usually directly identify you, but it can give you a more personalised web experience.
Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change permissions. However, blocking some types of cookies may prevent certain site functionality from working as expected

Functional cookies


These cookies let you use the website and are required for the website to function as expected.

These cookies are required

Tracking cookies

Anonymous cookies that help us understand the performance of our website and how we can improve the website experience for our users. Some of these may be set by third parties we trust, such as Google Analytics.

They may also be used to personalise your experience on our website by remembering your preferences and settings.

Marketing cookies

These cookies are used to improve and personalise your experience with our brands. We may use these cookies to show adverts for our products, or measure the performance of our adverts.