Privacy Policy for Facebook Pages

If you operate a Facebook Page, both you and Facebook may need to follow the European Union's General Data Protection Regulation (GDPR). Facebook has specific rules on how it splits GDPR responsibilities with Page administrators.

Having a Privacy Policy is a key part of complying both with these rules and with the GDPR's requirements. Here's what you need to know.

GDPR Basics

The General Data Protection Regulation (GDPR) is a European Union regulation, meaning it has legal effect in every country that's a member of the EU.

The GDPR applies to any personal data processing if:

• The business that processes the data (or decides how it's processed) is in an EU country
• The data subject (the person the data is about) is in an EU country, or
• The data processing physically takes place in an EU country

(Note that although the United Kingdom is no longer an EU country, it is currently scheduled to follow EU Regulations until the end of 2020. After that the same measures will still apply in the UK through domestic law until this law is revoked, amended or replaced.)

The GDPR sets out a wide range of rules about personal data processing. The fundamentals are that:

• It's only legal to process personal data in a limited range of circumstances, most commonly that the data subject has given meaningful consent or the processing is necessary for your legitimate interests.
• Processing means any use of data, including collection and disclosure.
• You must tell the data subject, in advance, the purpose or purposes for which you will process data.
• You must inform the data subject again (and get fresh consent if appropriate) before processing the data for a new purpose.
• The data subject has the right to know what data you store about them and whether you've disclosed it to a third party. They also have the right to correct errors and, in some circumstances, ask you to delete data.
• You must adequately secure the data.

GDPR Controllers and Processors

The GDPR holds two groups responsible for data processing.

• Controllers decide what data is collected and how it is processed. They may also carry out the processing.
• Processors carry out processing following the instructions of controllers.

In simple terms, both controllers and processors are responsible for complying with the GDPR, while controllers are also responsible for making sure processors working for them are complying with the GDPR.

The GDPR also allows for the situation where two different controllers make decisions about processing the same data. As long as the same data is processed for the same purpose, the two are considered joint controllers.

This has important legal consequences. Ultimately both joint controllers are individually responsible for all the processing and could be individually responsible for paying compensation after a breach. However, the GDPR does allow the joint controllers to set out who will be in charge of complying with which specific GDPR requirements. This includes who will take responsibility for dealing with any complaints or any communication with regulators (known under the GDPR as supervisory authorities).

Facebook Page Insights and Personal Data

For the most part the data processing and GDPR situation with Facebook is simple. When individuals post on their own account or in groups, it is Facebook that is collecting and processing data and thus Facebook that is classed as the controller whenever that processing comes under the GDPR.

The situation is more complicated with Pages. These work in a similar way to a personal profile but cover an organization, business or brand. Rather than users becoming "friends," users choose to "like" a page and can then see updates from it. Each Page is set up by a Facebook user who then acts as its administrator.

The GDPR element comes into play because the administrator is able to access information about people who interact with the page. This information comes through a service called Page Insights which uses cookies to collect data about page interactions and users.

That created a legal argument that the Page administrator could be classed as a data controller because their decision to create the Page contributed to data being collected and processed.

As Facebook is also clearly a data controller in this context, it's down to Facebook and the Page administrator to determine whether they have joint controller status and how this will operate.

Page Insights Controller Addendum

The joint controller set-up is covered by the Page Insights Controller Addendum, which is part of Facebook's Pages, Groups and Events Policies. By creating a Page, you agree to this addendum and its position on joint controllers. In this context, "Facebook" means Facebook Ireland Limited.

The key points are as follows:

• Facebook and the Page administrator are joint controllers in the case of data collected through Page events (that is, interactions with the Page) and then aggregated to provide it to the administrator through Page Insights.
• The Page administrator is responsible for having a legal basis to process Insights Data.
• Facebook is responsible for most other aspects of GDPR compliance, specifically:
  • Facebook's own legal basis for processing data
  • Informing data subjects about the collection and processing
  • Handling the data subject's rights such as access, correction and deletion
  • Making any notifications after a data breach

Facebook decides how to comply with its GDPR obligations.

If a Page Administrator receives a data access request regarding Page Insights data, they must not respond. Instead they must pass the request on to Facebook within seven days using this form:

What to Include in Your Privacy Policy for Facebook Pages

You need to distinguish between the information Facebook specifically requires you to include because you use (or can use) Page Insights, and the information the GDPR requires you to include in your Privacy Policy.

Facebook Requirements

Legal Basis

Facebook requires you to tell users what your legal basis is for the collection and processing of data through Page Insights. (Remember that you are jointly responsible for such processing.)

The GDPR sets out six allowable legal bases in Article 6:

1. Consent
2. Processing necessary to perform a contract
3. Processing necessary to comply with a legal obligation
4. Processing necessary to protect someone's vital interests
5. Processing necessary to carry out a task in the public interest or to exercise official authority
6. Processing necessary for the controller's legitimate interests

Page visitors don't get enough information or give specific meaningful consent to make basis 1 suitable in most cases involving Page Insights. Bases 2 through 5 will rarely if ever apply to Page Insights.

This leaves basis 6, legitimate interests. For this basis to apply, you must go through a three point checklist:

• What exactly is the legitimate interest?
• Is the processing necessary to achieve this interest?
• Do the individual's personal data rights and freedoms override this interest?

Normally your access to Page Insights should meet these tests and thus legitimate interests is an acceptable legal basis.

Using Page Insights helps you learn more about your audience and thus improve and target the service and information you provide. The fact you can only access the information in aggregated form means it doesn't pose a serious risk or breach of privacy for an individual.

Romantic Germany goes beyond simply stating it relies on "legitimate interests" and instead explains to users what this means:

Joint Controller Statement

Facebook requires that you make clear to users of your Page that you and Facebook are joint controllers of the data collected and processed for Page Insights. You can do so in a brief statement in your Privacy Policy, preferably at or near the beginning to reduce the risk of confusion.

Lufthansa does this in a policy dedicated to its Facebook Page:

BASF gives additional detail on what data is processed through Page Insights, listing specifics like your country of location, number of visits, gender relations, etc.:

GDPR Requirements

If you collect or use any data from visitors to your Facebook Page, beyond what you can access through Page Insights, you are a controller in your own right for that data. This means you need to provide specific information in your Privacy Policy including:

• Your identity and contact details that of your data protection officer (if you have one)
• What data you process
• The purpose for processing
• The legal basis for processing
• How long you'll keep the data
• Whether you share the data with anyone else
• The user's rights to access data, correct it, and ask you to delete it

Good Game Studios puts this information directly after the details of the Page Insights data processing:

It isn't difficult to meet the requirements of both Facebook and the GDPR when it comes to your Privacy Policy for your Facebook Page.

How to Create a Privacy Policy

Where to Publish Your Privacy Policy for Facebook Pages

After you have your Privacy Policy, you need to make sure users can see all relevant information about data processing in appropriate places. To do so you'll need to publish a Privacy Policy on your own website and then add relevant details to the About section of your Page.

You don't need to publish the text of the Privacy Policy on Facebook itself. The About section lets you add or edit a direct link to your Privacy Policy:

For added clarity you should address your joint controller status in two ways. The first, as previously noted, is to do so at or near the very start of your Privacy Policy.

The second is to make sure your identity and contact details are clearly listed in the About section of your Page. To avoid confusion, do so through the standard About field rather than posting it elsewhere on the Page, for example as a pinned post:

Summary

Let's recap what you need to know and do to comply with the joint controller rules for Facebook Page Insights:

• The GDPR applies if a data controller, a data subject, or the processing itself is in an EU country.
• When the GDPR applies, the data controller must give the data subject details of what data is processed, how and why. They must have a legal basis to process the data.
• A data controller is the person or organization that decides what data to process and how to do so. The GDPR allows for joint controllers of particular data. They share legal responsibility but can divide compliance tasks between them.
• Facebook collects data about interactions with Pages and makes this data available to Page administrators through the Page Insight program.
• Facebook's terms - which Page administrators must agree to - say that Facebook and the Page administrator are joint controllers for the Page Insight data.
• Facebook agrees to handle most of the GDPR compliance tasks relating to the Page Insight data. It requires the Page administrator to take responsibility for having a legal basis for the data's processing. In most cases this will be "legitimate interests."
• Page users can make data access requests to the Page administrator, but the Page administrator must pass this on to Facebook within seven days. Facebook will handle the request.
• The Page administrator will need to do the following in their Page's About section to comply with Facebook's rules:
  • Add their full contact details
  • Link to a Privacy Policy that includes a joint controller statement
• These requirements only cover data processed for Page Insights. If the Page administrator collects other data from users, for example from the content of posts on the page, they'll be classed as the sole data controller for this processing. They'll need to address this processing in full in their Privacy Policy, including what data is collected, why, how, for how long, and whether it's shared.

Note that Facebook also requires a Privacy Policy for anyone who engages in Facebook Retargeting.