1) No. The Directive does not oblige or expressly empower Member States to provide in their national law that an association can represent a data subject in legal proceedings or commence legal proceedings of its own initiative against the alleged infringer. However, the Directive does not preclude this.
Although the Directive amounts to a harmonisation of national legislation on the protection of personal data, Member States have a margin of discretion in its implementation. For example, Article 24 requires Member States to adopt “suitable measures” to ensure the full implementation of the provisions, but does not define such measures. It seems that a provision making it possible for a consumer-protection association to commence legal proceedings against an alleged infringer may constitute a suitable measure that contributes to the realisation of the objectives of the Directive, namely: (1) to ensure the effective and complete protection of the fundamental rights and freedoms of natural persons with respect to personal data, and (2) to ensure a high level of protection in the European Union through national laws.
2) Yes, although only in relation to operations in respect of which the website operator actually determines the purposes and means of processing.
In the present case, subject to investigations that the referring court would perform, it appeared that Fashion ID and Facebook Ireland determined jointly the purposes and means of the operations involving the collection and transmission of the visitors’ personal data. Relevantly:
- Fashion ID was fully aware that the ‘Like’ button served as a tool for the collection and disclosure of the personal data. It exercised “decisive influence” over the collection and transmission of the personal data, which could not have occurred without Fashion ID installing the plugin;
- Fashion ID consented (at least implicitly) to the collection and disclosure of visitors’ personal data in order to optimise publicity for its own goods by increasing their visibility on Facebook. Therefore, the processing was performed in the economic interests of both Fashion ID and Facebook Ireland.
However, Fashion ID could not be considered a controller in respect of the subsequent operations involving data transmitted to Facebook Ireland, which it had no control over.
3) Both. In light of the finding that a website operator can be considered to be a controller jointly with the social network, each of them needed to pursue a legitimate interest within the meaning of Article 7(f) in order for those operations to be justified.
4) Consent pursuant to Articles 2(h) and 7(a) of the Directive must be given prior to the collection and disclosure of the data subject’s data. In such circumstances, it is for the website operator to obtain consent, since the visitor’s consultation of their website triggers the processing of the data.
Similarly, the controller must provide the information required by Article 10 of the Directive immediately (that is, when the data is collected). It follows that the duty to inform is incumbent on the website operator, but only in connection with the portion of operations for which they were a controller.