Facebook is one of the most popular third-party tools to integrate into a website or app. In most cases you will need the user's consent to use it.

Controller vs Processor

In virtually all scenarios, Facebook acts as a Data Controller, with your website/app “sharing” users’ personal data with Facebook in a Controller-to-Controller relationship (and potentially as a Joint Controller).

Facebook lists three scenarios where it acts as a Data Processor on behalf of the Data Controller, but it DOES NOT state whether it also still acts as a Data Controller for the same set of data. Without absolute clarity on this, you must assume that Facebook always takes a Data Controller role with the data you give it. In turn, you must obtain consent from EEA users for this sharing of their data with Facebook for Facebook’s own purposes.

Facebook lists these three scenarios for when it acts as a Data Processor (source: https://www.facebook.com/business/gdpr/).

  • Data file Custom Audiences – Facebook uses a business’s CRM data to match it to people in our database to create a Custom Audience for advertising campaigns. [Note that this relates specifically to the processing activity of matching and creating the audience list from the data you give it. In a real-world scenario you would still need to consider your lawful basis for actually sharing this data with Facebook, as well as what you intend to do with it.]
  • Measurement and analytics – Facebook processes data on an advertiser’s behalf in order to measure the performance and reach of advertising campaigns and report back insights about the people who saw and interacted with the ads. [Note that this specifically relates to “advertisers” who are the companies that pay to have their ad served by Facebook, with Facebook acting as a Data Processor to provide analysis of the ad campaign. This isn’t talking about “Publishers” such as a website owner that has a Facebook Pixel to measure user activity.]
  • Workplace by Facebook – Workplace Premium allows people at a company to collaborate with their colleagues using Facebook’s tools. We process personal data in order to provide this service. …With Workplace, we operate as both the data processor for customers using the Premium version of our product, and the data controller for Standard customers. Workplace Premium customers act as data controllers and appoint Facebook as a data processor under the Workplace Agreement.

Carl Gottlieb

Carl Gottlieb is the privacy lead and Data Protection Officer for a select group of leading tech companies. Carl’s consultancy company Cognition provides a range of privacy and security services including virtual DPO and virtual CISO.