October 26, 2021

Volume XI, Number 299


October 25, 2021

Subscribe to Latest Legal News and Analysis

CJEU Finds Website Operators Using Social Media Plugins Are Joint Controllers

On July 29, 2019, the Court of Justice of the European Union (CJEUfound that a website operator using a social media plugin is a joint controller with the social media company providing the plugin and can be held jointly liable in relation to such processing activities. Although the case was decided under the Privacy Directive 95/46, since the ruling concerns definitions that also exist under the General Data Protection Regulation (GDPR), website operators should take note and may want to review their previous legal bases determinations and notices as well as their existing contractual arrangements with the social media company to ensure they are in compliance with GDPR.

The case arose when a German consumer protection association sued a German online fashion retailer, Fashion ID, for allegedly breaching the then-existing national data protection laws when it enabled the transfer of visitors’ personal data to a third party via a social plugin. The German Higher Regional Court referred the matter to the CJEU.

In the proceedings it became apparent that the social media plugin (a “like” button) on Fashion ID’s website caused the visitor’s browser to request content from the company providing the plugin; then the browser transmitted the visitor’s personal data to the social plugin company. This happened as soon as the visitor consulted the website and regardless of whether or not the visitor:


was aware of such an operation;


was a member of the social media platform; or


had clicked on the plugin.

Website Operator Is a Joint Controller

Even though Fashion ID could not influence the social plugin’s processing activities and did not have access to the data itself, the CJEU determined that Fashion ID is a joint controller. The CJEU reasoned that Fashion ID was a joint controller because it, along with the social media plugin company, “co-determined” the parameters of the data collected by the social media plugin by making the decision to embed the plugin in its website. Furthermore, Fashion ID benefitted from the plugin, as the plugin permitted targeted advertising and increased exposure on the social plugin company’s website. The CJEU noted that the Privacy Directive defines broadly what constitutes a “controller,” and that the concept of a controller does not necessarily refer to a single entity and may concern several actors.

On the other hand, the CJEU also ruled that Fashion ID was only liable in relation to the processing operations where it actually determines the purposes and means – i.e., the collection and disclosure by transmission of the data at issue – but was not responsible for the subsequent operations by the social media company after the transmission to the latter.

Both Joint Controllers Must Be Pursuing a Legitimate Interest 

As a joint controller under the Privacy Directive and GDPR Article 6, Fashion ID must have a legal basis for the processing of the personal data to be lawful. While one of the legal bases controllers can rely on is that the processing of the data subject’s personal data is necessary for pursuing a legitimate interest by the controller or a third party, the CJEU clarifies that as joint controllers both Fashion ID and the social media company must be pursuing a legitimate interest to rely on legitimate interest as the legal basis for processing.

Website Operator’s Responsibilities

The CJEU also analyzed whether a website visitor’s consent should be obtained by Fashion ID or the social media plugin company to the extent the parties rely on consent of the data subject as the legal basis for processing. Here, the CJEU ruled that Fashion ID would be responsible for obtaining consent, and that it must do so prior to the collection and disclosure of the data. According to the CJEU, Fashion ID also has the duty to provide data subjects with notice about the processing of their personal data, but its obligations in relation to its status as a joint controller are limited to those processing activities for which it acts as a joint controller.

Takeaways for Website Operators

In light of this decision, website operators subject to the GDPR should consider reassessing their data sharing relationships and:


assess whether their website visitors’ personal data are collected and shared to a social media company by means of a plugin;


determine whether they qualify as a joint controller;


check whether they have a GDPR-compliant joint-controllership agreement with the social media company;


determine the legal bases for processing in relation to instances where they are joint controllers; and


assess whether as a controller they are complying with their notice and various other obligations under the GDPR.

©2021 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume IX, Number 213

About this Author

Gretchen A. Ramos, Lawyer, Greenberg Traurig, Data, Privacy & Cybersecurity,The Cloud,Artificial Intelligence, Big Data

Gretchen A. Ramos is Co-Chair of the Data, Privacy & Cybersecurity Practice and focuses her practice on privacy, cybersecurity, and information management. A creative problem-solver with a long track record of success in commercial disputes, she never loses sight of the simple fact that she works in a service industry. Clients appreciate not only her legal skills, but also her direct, no-nonsense approach to client service, including her bullet-pointed emails, snapshot executive summaries, and creativity in finding ways to streamline communications for in-house counsel with dozens of...

Carsten Kociok, Greenberg Traurig Law Firm, Germany, Cybersecurity and Technology, Finance Litigation Attorney

Carsten Kociok focuses his practice on the technology, media and telecommunications industries. He has broad experience in the areas of Internet, information technology, electronic and mobile payments and new media, as well as regulatory and data protection law issues.

Carsten advises national and international companies from the Internet, payments and technology industries on the commercial and regulatory side of their business, in particular in the areas of e-commerce and e-business, electronic and mobile payments, service distribution,...

Willeke Kemkers IP lawyer Greenberg Traurig

Willeke Kemkers is an associate in the IP / Tech department of Greenberg Traurig’s Amsterdam office. She focuses on a broad range of intellectual property issues, including proceedings, drafting of (commercial) contracts and providing of advice regarding transactions (mergers and acquisitions). Willeke also has deep knowledge of EU e-commerce regulations and regularly counsels clients with respect to the interpretation and application of the relevant laws.  

Furthermore, Willeke counsels clients on a wide range of privacy issues such as data processing agreements, cross-border...

+31 (0) 64.718.0845