serhii.net


30 Nov 2022

Data protection assignment (Datenschutz-Beleg) preparation

Meta

  • 2-3 Pages
  • End of January

Task

Topic 6 – Facebook fan page

“The company wants to create a Facebook fan page. It should address not only customers but also potential new employees. Examine which data protection requirements must be observed.”

Resources

Additional resources

Court ruling (Gerichtsurteil)

https://curia.europa.eu/jcms/upload/docs/application/pdf/2018-06/cp180081en.pdf

Next, the Court finds that an administrator such as Wirtschaftsakademie must be regarded as a controller jointly responsible, within the EU, with Facebook Ireland for the processing of that data. Such an administrator takes part, by its definition of parameters (depending in particular on its target audience and the objectives of managing or promoting its own activities), in the determination of the purposes and means of processing the personal data of the visitors to its fan page.

In particular, the Court notes that the administrator of the fan page can ask for demographic data (in anonymised form) – and thereby request the processing of that data – concerning its target audience (including trends in terms of age, sex, relationships and occupations), information on the lifestyles and centres of interests of the target audience (including information on the purchases and online purchasing habits of visitors to its page, and the categories of goods or services that appeal the most) and geographical data, telling the fan page administrator where to make special offers and organise events and more generally enabling it to target best the information it offers.

Short expert opinion (Kurzgutachten)

Same but shorter here: Administrators of Facebook Pages are controllers under EU Data Protection Law - ULD

“According to the ECJ with regard to the responsibilities of controllers it is irrelevant whether the Facebook Page administrator has access to the personal data processed by Facebook.”

https://www.datenschutzkonferenz-online.de/media/weitere_dokumente/DSK_Kurzgutachten_Facebook-Fanpages_V1_18.03.2022.pdf

  • looks into specific cookies
    • cookies
      • one for logged-in people
      • one for uniquely identifying non-logged-in people too
      • not all known
    • you need clear consent (Einwilligung) for writing or reading cookies on the device
    • insights
      • Facebook Insights is not part of the basic service (Basisdienst) FB provides, so an explicit OK is needed because it’s clear most people don’t want that
    • c_user
      • logged-in cookie -> needed
      • the FB logged-in profile cookie is also used for
        • insights, as it allows building info about demographics etc.
        • profile building
        • advertising purposes (Werbezwecke)
    • datr
      • security
      • if really only security, it can be an exception (Ausnahme) according to § 25 Abs. 2 Nr. 2 TTDSG
      • but looks like profile building, as 2 years are more than needed
    • fr
      • explicitly advertising
      • also not an exception, as advertising is not needed to show facebook.com
  • Consent (Einwilligung)
    • pp. 13-14 - TL;DR cookie banner not good enough and no consent
  • Insights-2
    • FB fan page operators can basically set cookies on someone’s computer, regardless of whether they are an FB member or not
    • Page -> Insights -> page admins co-decided the purposes (p. 15)
    • FB and page admins have a common interest in growing the page - first because ads = money, second because of the network effect
  • Personal reference (Personenbezug) - pp. 16-17
    • Just visiting a page, with cookies and IP, definitely means personal reference - even without a registered profile with name etc.
  • Legal conformity (Rechtskonformität)
    • page admins are not in a position to check legal conformity
    • FB gives some info - not enough - this alone makes it non-compliant (p. 19)

FAQ

Bertsch

The legal basis for this processing and the transfer of your personal data to the USA is your consent in accordance with Article 6 (1) sentence 1 a) and Article 49 (1) sentence 1 a) DS-GVO. You have the option to revoke your consent at any time by sending us an email to datenschutz@bertschinnovation.com.

About joint controllers: TL;DR FB has the main responsibility

The primary responsibility under the GDPR for the processing of Insights Data lies with Facebook and Facebook complies with all obligations under the GDPR with regard to the processing of Insights Data. You can find more information at the following link: https://www.facebook.com/legal/terms/page_controller_addendum We, as the operator, do not make any decisions regarding the processing of Insights data and all other information resulting from Art. 13 DS-GVO, including legal basis, identity of the controller and storage period of cookies on user terminals.

On their FB page they also have an Impressum: Bertsch Innovation GmbH | Facebook

Another page about FB pages:

How to make a Facebook business page GDPR compliant?

Questions:

  • Deutsch/English?
  • “Hier sollen nicht nur Kunden angesprochen werden, …”
    • Existing clients you’re already in some kind of relationship with?
      • -> = Not looking for new ones through the fan-page?
    • Is it about letting your existing clients know about the fan-page in a legal way?
      • “I gave you my email so you’d tell me about deliveries of dog food,
        • and you used it for marketing”
        • “you told me about it, but the link to the FB page was in the footer”
      • The details about me having a list of info about clients are out of scope; I care only about the FB fan page?
  • “… sondern auch potentielle neue Mitarbeiter. "
    • Among your existing clients or totally new people?
    • If new people - how do you find them?
      • Targeted advertising on FB?
        • (=you look like you’re a male in his 30s doing IT in Berlin and like dogs - want to work as sysadmin for our Berlin dog-food-company)
      • Advertising elsewhere, not targeted but linking to FB (“looking for X? come join our FB-page, more info there”)
      • Writing to them personally somehow from the fan page itself?
        • Is your HR list of people you want to write - and the info you have about them from open public sources - part of the scope?
          • “I looked for FB accs of people in Berlin who like dogs and Linux, here’s the list - let’s ask them”
          • “I found X on LinkedIn and googled for his Facebook page”

Additional info

  • Build in the Facebook court ruling (Gerichtsurteil)
  • All external parties (alle Außenstehenden)
  • “Recommendation” (Empfehlung)
  • Who is the responsible party (Verantwortlicher)
  • Is Facebook helpful for deleting data
  • Topic is complex so more talking

Outline

Privacy

  • Facebook - embedding it in a website means you embed Facebook w/ everything it entails
  • Facebook - advertising/targeting
    • “You look like you work in $industry” - let me target an ad to you
  • Facebook:
    • FB with your help gets more data about your clients

Impressum

  • FB pages also need an Impressum if it’s for a commercial entity, which in this case it is.
  • It’d be good if your fan page had clear info about who the admin is and who is responsible for it all

Personal data (personenbezogene Daten) involved:

You know who likes your fan page and have access to FB Insights about the people who do.

Facebook “Insights”

  • Data about people interacting with your fan page
    • “Interacting” includes viewing posts and hovering
    • non-logged-in users: Only clicks and views
    • Not all of it is available from the profile: FB gets it from user agent, location, profile info not available to you(?) etc.
  • Not directly identifiable but identifiable in aggregate
    • “Page admins do not have access to the personal data processed as part of events but only to the aggregated Page Insights.”
    • Are scenarios like “only people from Germany liked this post and it has 3 likes” possible?
      • “No surprises in the language zone either: 91% US English and 6% Spanish.” - apparently they are…
  • FB uses PB data to generate Insights
    • Your responsibility to make sure it’s legal even if you don’t have access to it yourself
    • “our trusted partners”
    • TODO anything else?
  • Are the aggregates in FB Insights considered PB data by themselves?
    • If you save them locally - does this change the picture?
  • FB Terms:
    • FB state that page admin and FB are jointly responsible for GDPR stuff
    • “Page admins do not have access to the personal data processed as part of events but only to the aggregated Page Insights.”
    • “You should ensure that you have a legal basis for the processing of Insights Data under GDPR”
  • Core questions
    • Are things you have access to - likes, Insights, etc. PB data?
    • Does their being accessible to you through the FB interface count as “collecting” by you?

Clients

  • You have a relationship with them already and know stuff
  • They like your page
    • you have access to more data from their profile - does it fall under Datenschutz issues?
  • If you have their email and name, THEN you get and save their FB page
    • make sure they know and agree you’ll do this
    • now you have one more bit of PB data to keep track of
      • give them if they ask for it
        • and everything you AND FACEBOOK know about them from that page
      • if they ask you to delete their data - now it’s not just email address lists and order history, but also their FB account and everything you know from them
        • And don’t forget to tell FB to delete the data they have from the fan page about them - there’s a form for that
  • Using data:
    • Comments
      • “Write us a review and a comment, show it to us, and you’ll get discounts?..”
        • BUT ONLY ONCE, AND WE’LL SAVE YOU AND YOUR COMMENT for as long as we do this thing so you can’t cheat
    • “You liked all our posts about rottweilers, here’s a discount”
      • Did they consent to you saving and processing (verarbeiten) that data to offer them services?

Employees

  • No prior relationship
  • If you find out about them from their like, and get more data from their FB page and write them - is that OK?
  • If you use FB insights stuff - what then?
    • “Oh, a male 20-30y.o. who lives in Berlin liked my page - 90% of such people are IT-people. Let me open up with a funny recent ’there’s no place like 127.0.0.1’ joke, they like that stuff”
  • What if you write them on FB and start discussing work, salary etc. in private messages?

TODO

Once the above is clear

Principles

Lawfulness (Rechtmäßigkeit)
  • look into how lawful FB’s use of their data is?..
  • clients & FB pages - no idea how that can be part of a contract (Vertrag)
Transparency (Transparenz)
  • Have links to your privacy policy on the FB page too
Purpose limitation (Zweckbindung)
  • Don’t advertise your FB page to those who want info about deliveries
  • Don’t do head-hunting using data you got for purposes of “we’ll email you once we have sales!”
Data minimisation (Datenminimierung)
  • Don’t archive Facebook Insights data, names of every person who liked every post etc.
  • FB does part of this by itself - anonymisation etc. of the Insights data
Accuracy (Richtigkeit)
Storage limitation (Speicherbegrenzung)
  • Delete the list of people who wrote a comment once they get their discount
    • And if you want to keep it to avoid fraud - say so explicitly when they agree to that
Integrity and confidentiality (Integrität und Vertraulichkeit)
  • FB won’t go down
  • .. the page might - if we consider likes personal data, FB might delete your page and then you don’t have restorability (Wiederherstellbarkeit) anymore
    • but you don’t want to save all of it to disk either
Accountability (Rechenschaftspflicht)
  • If your FB page gets hacked you now have a breach
    • Another attack vector

Processing (Verarbeitung)

  • Deletion (Löschung)
  • Collection (Erhebung)
  • Storage (Speicherung)
  • Disclosure (Offenlegung)
  • Use (Nutzung)

How to do it ‘right’

TODO at the end distill the above here into clear actionable bits, add sources

Clients

  • Impressum
    • have an Impressum etc. on the fan page with clear info about who you are, what you use and what for
    • add the stuff about FB to your website’s privacy policy if you embed your fan page there
    • Mention the data you get from the FB fan page
  • Cookies
    • Don’t show links to the page, like buttons etc. on your website before the user agreed to that in the privacy pop-up
  • PB data:
    • don’t save or track people’s/clients’ likes etc. locally, use only the FB interface to access it
    • If you have a list of clients and see one liking something from their private FB page - don’t add their FB page to your CRM list if they didn’t allow you to collect and save that PB data
      • And for the love of God, don’t add data you found on their FB page to the CRM
        • Unless when registering/buying you stated that you have a FB page, that if they like something it’ll get added to their data, and that “your likes, comments etc. will be collected and we may use them to offer you services”
  • Purpose limitation (Zweckbindung):
    • don’t spam your new FB fan page to the work emails you got for work stuff
    • “share our post and get a discount” schemes - better don’t; if you do, don’t keep that info after you used it, or be clear how long you’ll keep it
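One way to implement the “no Facebook links or like buttons before consent” point above, as an added JavaScript example that is not the page’s or Facebook’s code; the storage key, the fan page URL and the element id are assumptions:

```javascript
// Added example (not the page's or Facebook's code): a consent-gated Facebook
// Page embed. No facebook.com resource is requested, so no Facebook cookie
// (c_user, datr, fr, ...) can be set, until the visitor actively agrees.
// Constructed assumptions: the consent banner stores "granted"/"denied" under
// STORAGE_KEY; FAN_PAGE_URL is a placeholder; the box has id "fb-page-box".
const STORAGE_KEY = 'consent_facebook_embed';
const FAN_PAGE_URL = 'https://www.facebook.com/EXAMPLE-FANPAGE';

// Only an explicit "granted" counts; a missing key, "denied" or any other
// value is no consent, because consent has to be an affirmative act.
function embedAllowed(storedValue) {
  return storedValue === 'granted';
}

// Before consent: text and a button, nothing that references facebook.com.
function placeholderHtml() {
  return '<div class="fb-placeholder"><p>Our Facebook page is loaded only ' +
    'after you agree, because loading it sends data to Facebook and sets ' +
    'Facebook cookies.</p><button type="button" data-fb-consent="grant">' +
    'Load Facebook page</button></div>';
}

// After consent: the Page plugin iframe, the element that contacts Facebook.
// encodeURIComponent keeps the href safe inside the src attribute.
function pluginHtml(pageUrl) {
  const src = 'https://www.facebook.com/plugins/page.php?href=' +
    encodeURIComponent(pageUrl);
  return '<iframe src="' + src + '" width="340" height="500" ' +
    'style="border:none" referrerpolicy="no-referrer"></iframe>';
}

// Render according to `storage`; both arguments are injected so the logic
// also runs without a DOM. Returns true when the Facebook plugin was rendered.
function render(storage, container) {
  const allowed = embedAllowed(storage.getItem(STORAGE_KEY));
  container.innerHTML = allowed ? pluginHtml(FAN_PAGE_URL) : placeholderHtml();
  return allowed;
}

// Browser wiring: render on load, store consent and re-render on click.
if (typeof document !== 'undefined' && document.getElementById('fb-page-box')) {
  const box = document.getElementById('fb-page-box');
  box.addEventListener('click', (ev) => {
    if (ev.target.dataset && ev.target.dataset.fbConsent === 'grant') {
      window.localStorage.setItem(STORAGE_KEY, 'granted');
      render(window.localStorage, box);
    }
  });
  render(window.localStorage, box);
}
```

The same gate applies to share and like buttons and to the Facebook SDK script: keep every facebook.com reference out of the served HTML until `embedAllowed` is true.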

Employees

  • Don’t use your fan page to look for employees; if you do…
  • Don’t use PB data you (legally) got for marketing purposes to write “Bob, do you want to work for us?” emails
  • If your HR keeps lists of candidates - don’t add data from the fan page there, like their likes etc.
  • Can you use data you get from scraping etc., as long as you weren’t the one who collected it under false pretenses?..
  • Don’t use FB Messenger to interview them without mentioning that FB will probably have their private data