The General Data Protection Regulation (GDPR), which will apply from 25 May 2018, creates consistent data protection rules across Europe. It applies to companies that are based in the EU and to global companies that process personal data about individuals in the EU.
While many of the principles build on current EU data protection rules, the GDPR has a wider scope, more prescriptive standards and substantial fines. For example, it requires a higher standard of consent for using some types of data, and broadens individuals’ rights with respect to accessing and porting their data. It also establishes significant enforcement powers, allowing a company’s supervisory authority to seek fines of up to 4% of global annual revenue for certain violations.
Businesses that advertise with the Facebook companies can continue to use Facebook platforms and solutions in the same way they do today. Each company is responsible for ensuring its own compliance with the GDPR, just as it is responsible for compliance with the laws that apply to it today. For more information about specific Facebook ad products, see the FAQ section.
KEY LEGAL BASES
Under GDPR, there are a number of grounds to legitimise the processing of personal data. Below, we’ve outlined the most relevant legal bases under the GDPR.
For each basis, the requirements and product implications are:

Contract
- Data processed must be necessary for the service and defined in the contract with the individual

Consent
- Requires a freely given, specific, informed and unambiguous consent by clear affirmative action
- People have a right to withdraw consent, which must be brought to their attention
- Must be from a person over the age of consent specified in that Member State, otherwise given by or authorised by a parent/guardian
- Explicit consent is required for some processing (e.g., special categories of personal data)

Legitimate interests
- Applies if a business or a third party has legitimate interests that are not overridden by individuals’ rights or interests
- Processing must be paused if an individual raises an objection
FACEBOOK AS DATA CONTROLLER VS DATA PROCESSOR
You are the data controller when you decide the “purposes” and “means” of any processing of personal data.
- Similar to what’s already in place for data protection law today, data controllers will have to adopt compliance measures to cover how data is collected, what it is being used for, how long it is being retained for and ensure that people have a right to access the data held about them.
You are the data processor when you process personal data on behalf of a data controller. Certain obligations now apply directly to data processors, and controllers must bind them to certain contractual commitments to ensure that data is processed safely and legally.
While Facebook operates the majority of its services as a data controller, there are some instances in which we operate as a data processor when working with businesses and other third parties. When Facebook is processing data as a data processor acting on your behalf, your business needs to have its own legal basis to process the data and share it with us. Examples include:
- Custom Audiences
When we match your CRM data to our user database and create a Custom Audience for your advertising campaigns, we are the data processor.
- Measurement and analytics
We process data on your behalf in order to measure the performance and reach of your ad campaigns and provide insights about the people who use your services, and report back to you.
- Workplace by Facebook
Workplace Premium offering allows you to collaborate with your colleagues using Facebook’s tools. We process personal data as a data processor in order to provide this service to you.
As is the case today, any transfers of personal data outside of the EEA (European Economic Area) must meet certain legal requirements.
Facebook Inc. is certified under the Privacy Shield framework where we receive and process personal data from our advertisers in the EU in connection with certain products, including data file Custom Audiences, attribution check-up and certain offline conversion lift studies, and as further described in our Privacy Shield certification.
Where Facebook provides services to our EU partners as a data processor on their behalf, we’ll ensure that we comply with the specific requirements for data processors. We’ve updated any necessary contractual obligations to align with the GDPR.
Where we appoint parties to act as data processor on our behalf, we’ve ensured that we have appropriate terms in place to comply with our requirements under GDPR and safeguard our data. Where we act as a data processor on an advertiser’s behalf, we will be relying on our advertiser’s legal basis as data controller for our processing of such data.
With Workplace, we operate as both the data processor for customers using the Premium version of our product and the data controller for Standard customers. Workplace Premium customers act as data controllers and appoint Facebook as a data processor under the Workplace agreement. In advance of May, we’re working with product, design and engineering teams to make sure that our products comply with the GDPR. This includes making sure that our contractual commitments allow customers to demonstrate their compliance and we will be updating our agreements to provide the undertakings required from data processors. For more information on Workplace and its security certificates, visit our site here.
Excerpt from Facebook – read the full article here.