(1) Yes. The operator of a social network and the administrator of a fan page are jointly responsible for the processing of personal data, even if their roles are not equal.
In the present case, Facebook Inc and Facebook Ireland primarily determined the purposes and means of processing the personal data of Facebook users and persons visiting the fan pages, and therefore fell within the concept of ‘controller’ within the meaning of Article 2(d) of the Directive. However, W could also be regarded as a controller as it took part in determining the purposes and means of processing the personal data of the visitors to its fan page. Relevantly:
- by creating a fan page, an administrator gives Facebook the opportunity to place cookies on the computer or device of a person visiting the fan page;
- the creation of a fan page involves the “definition of parameters by the administrator”, which has an influence on the processing of personal data for the purposes of producing statistics based on visits to the fan page. For example, the administrator can choose filters to define the criteria for statistics to be drawn up. In particular, the administrator can ask for (and therefore request the processing of) demographic data relating to its target audience to enable it to target its customers, including trends in terms of age, sex, relationship, occupation, lifestyles, centres of interest, purchasing habits and geography.
(2) Yes. It follows from a reading of Article 4 of the Directive in conjunction with Articles 28(1) and (3) that, where the national law of the Member State of the supervisory authority applies (because the processing is carried out in the context of activities of an establishment of the controller in the territory of the Member State), that supervisory authority can exercise all the powers conferred on it by that law in respect of that establishment. This is regardless of whether the controller also has establishments in other Member States.
In the present case, German law was applicable to the processing of personal data at issue. First, it was common ground that Facebook Inc had a permanent establishment in Germany within the meaning of Article 4(1)(a) of the Directive. Second, Facebook Germany carried out activities addressed to persons residing in Germany, including selling advertising space. As a result, ULD was competent for the purpose of ensuring compliance in German territory with the rules on the protection of personal data. The fact that strategic decisions on the collection and processing of personal data were taken by Facebook Ireland was not capable of calling this competence into question.
(3) Yes. Pursuant to the second subparagraph of Article 28(1) of the Directive, supervisory authorities are to act with complete independence in exercising the functions entrusted to them. Although Article 28(6) requires supervisory authorities to cooperate with each other (in particular by exchanging useful information), the Directive does not lay down any criterion of priority.
In the present case, the ULD was entitled to assess, independently of the assessments made by the Irish supervisory authority, the lawfulness of the data processing at issue in the main proceedings.