Messy toolbox led to serious criticism and an injunction
After a user filed a complaint, the Danish Data Protection Agency investigated a housing portal’s use of Facebook Business Tools. It found that the company could not prove that the joint data controller responsibility was organized correctly. As a result, it issued serious criticism and an injunction ordering the company to address the issues with using the tool.
A housing portal used Facebook Business Tools on its website. By doing so, it was collecting a range of personal data about the users, including IP addresses, operating systems, and the time of visit.
However, a user filed a complaint about the use of the tool. The Danish Data Protection Agency was unable to address the specific issue in the complaint but decided to investigate the company’s use of the tool more generally.
Joint responsibility under the spotlight
Initially, the Danish Data Protection Agency stated that Meta and the company were joint data controllers. However, the company had not complied with the rules for joint data controllers. The reason was that the roles and responsibilities had not been properly allocated between them.
The Danish Data Protection Agency pointed out that joint data controllers must jointly ensure that data protection rules are complied with, and must be able to document it. Such documentation was not in place between the company and Meta.
IUNO's opinion
Joint data controller responsibility arises when two or more data controllers jointly determine why and how a processing activity is carried out. When there is joint data controller responsibility, the parties must agree on how the different roles and responsibilities should be managed. As part of this, the information obligation and the other general obligations are addressed.
IUNO recommends that companies check whether there is a joint data controller responsibility when conducting assessments of the various data processing activities. It is not always easy to identify if there is a joint or separate responsibility. Therefore, each processing activity should be assessed separately.
[The Danish Data Protection Agency’s judgment of 20 April 2023 in case no. 2021-7329-0052]