GDPR Obligations | Updated: 6 April 2026 | 4 min read

Business Page on Social Media: What Does the GDPR Say?

Do you have a business page on Facebook, Instagram or LinkedIn? You are a joint controller with the platform for visitor data. Learn what this means and what you need to do.

Key Takeaways
  • As the administrator of a business page, you are a joint controller with the platform for visitor data
  • This was confirmed by the European Court of Justice in the Wirtschaftsakademie ruling (2018)
  • You must add privacy information to your business page and be aware of the Insights data the platform collects
  • You cannot avoid your responsibility by claiming the platform handles everything

A business page is a processing activity

You have a page on Facebook, Instagram or LinkedIn. That makes sense: that is where your customers are. What many business owners do not realise is that by creating and managing that business page, you share responsibility for the personal data the platform collects from your visitors.

The GDPR is clear about this, and the European Court of Justice confirmed it in 2018.

The Wirtschaftsakademie ruling

In June 2018, the European Court of Justice ruled in the Wirtschaftsakademie Schleswig-Holstein case (C-210/16) that the administrator of a Facebook business page is a joint controller with Facebook for the processing of visitors’ personal data.

Why? Because as a page administrator you:

  • Deliberately choose a platform that processes personal data to generate statistics
  • Set parameters that determine what data is collected (target audience, demographic filters)
  • Benefit from the statistics (Insights) the platform provides about your visitors
  • Influence the processing by creating and configuring your page

The fact that you do not have technical access to the raw personal data is irrelevant. You benefit from it and you helped initiate the processing.

What does “joint controller” mean?

Article 26 of the GDPR requires joint controllers to agree on who fulfils which GDPR obligations. The major platforms have drafted documents for this:

  • Facebook/Instagram (Meta): Page Insights Controller Addendum
  • LinkedIn: Joint Controller Addendum for Page Insights

These documents place most of the operational responsibility with the platform. But they do not fully relieve you. As a page administrator, you remain obliged to:

  1. Inform visitors about the data processing
  2. Include the processing in your processing register
  3. Have a legal basis for your part of the processing

What should you do in practice?

1. Privacy information on your page

Add information about the processing of personal data to your business page. On Facebook, you can do this in the “About” section or via a link to your privacy policy. On LinkedIn, you can include a link to your privacy policy in the company profile.

At a minimum, state:

  • That you are a joint controller with the platform
  • Where visitors can find your privacy policy
  • How visitors can contact you with privacy questions

2. Update your processing register

Include your social media business pages in your processing register. Per page:

  • Purpose: business communication, marketing, customer service
  • Data categories: visitor statistics, interaction data, messages
  • Legal basis: legitimate interest (business communication and marketing)
  • Joint controller: Meta / LinkedIn / platform
  • Reference to the Controller Addendum of the platform

3. Update your privacy policy

State in your general privacy policy that you manage business pages on social media and that you are a joint controller with the platform. Refer to the platform’s privacy policy for the details of their processing.

4. Be mindful with Insights

The Insights data you receive is anonymised or aggregated - you do not see individual profiles. But the fact that the platform generates those statistics based on personal data makes you partly responsible. Be aware of this and do not use Insights data for purposes not documented in your processing register.

Common mistakes

  • No privacy information on the business page
  • Not including the business page in the processing register
  • Thinking the platform handles everything - the platform handles its own obligations, not yours
  • Not treating customer messages via social media as processing of personal data - when a customer sends you a private message with personal information, you are processing personal data

No reason to panic

A business page on social media is not a problem as long as you know your obligations. You do not need to delete your page. You do not need to draft complicated contracts, because the platforms have already prepared the addenda. You mainly need to be transparent toward your visitors and ensure your processing register is complete.

GDPRWise Editorial

This article was written by the GDPRWise team and reviewed by our privacy experts. We regularly review our content for accuracy and legal correctness.