On July 29, 2019, the Court of Justice of the European Union (CJEU) found that a website operator using a social media plugin is a joint controller with the social media company providing the plugin and can be held jointly liable in relation to such processing activities. Although the case was decided under the Privacy Directive 95/46, since the ruling concerns definitions that also exist under the General Data Protection Regulation (GDPR), website operators should take note and may want to review their previous legal bases determinations and notices as well as their existing contractual arrangements with the social media company to ensure they are in compliance with GDPR.

The case arose when a German consumer protection association sued a German online fashion retailer, Fashion ID, for allegedly breaching the then-existing national data protection laws when it enabled the transfer of visitors’ personal data to a third party via a social plugin. The German Higher Regional Court referred the matter to the CJEU.

In the proceedings it became apparent that the social media plugin (a “like” button) on Fashion ID’s website caused the visitor’s browser to request content from the company providing the plugin; then the browser transmitted the visitor’s personal data to the social plugin company. This happened as soon as the visitor consulted the website and regardless of whether or not the visitor:

  • was aware of such an operation;
  • was a member of the social media platform; or
  • had clicked on the plugin.

Click here for the full GT Alert on the CJEU’s finding, the website operator’s responsibilities, and key takeaways for website operators.