Messy toolbox led to serious criticism and an injunction
After a user filed a complaint, the Danish Data Protection Agency investigated a housing portal’s use of Facebook Business Tools. It found that the company could not prove that the joint data controller responsibility was organized correctly. As a result, it issued serious criticism and an injunction ordering the company to address the issues with using the tool.
A housing portal used Facebook Business Tools on its website. By doing so, it was collecting a range of personal data about the users, including IP addresses, operating systems, and the time of visit.
However, a user filed a complaint about the use of the tool. The Danish Data Protection Agency was unable to address the specific issue in the complaint but decided to investigate the company’s use of the tool more generally.
Joint responsibility under the spotlight
Initially, the Danish Data Protection Agency stated that Meta and the company were joint data controllers. However, the company had not complied with the rules for joint data controllers. The reason was that the roles and responsibility had not been properly allocated between them.
The Danish Data Protection Agency referred to the fact that joint data controllers jointly must ensure that data protection rules are complied with – and be able to document it. Such documentation was not in place between the company and Meta.
IUNO's opinion
Joint data controller responsibility occurs when two or more data controllers jointly determine why and how a processing activity is carried out. When there is a joint data responsibility, the parties must agree on how the different roles and responsibilities should be managed. In this connection, the information obligation along with the other general obligations are addressed.
IUNO recommends that companies check whether there is a joint data controller responsibility when conducting assessments of the various data processing activities. It is not always easy to identify if there is a joint or separate responsibility. Therefore, each processing activity should be assessed separately.
[The Danish Data Protection Agency’s judgment of 20 April 2023 in case no. 2021-7329-0052]
A housing portal used Facebook Business Tools on its website. By doing so, it was collecting a range of personal data about the users, including IP addresses, operating systems, and the time of visit.
However, a user filed a complaint about the use of the tool. The Danish Data Protection Agency was unable to address the specific issue in the complaint but decided to investigate the company’s use of the tool more generally.
Joint responsibility under the spotlight
Initially, the Danish Data Protection Agency stated that Meta and the company were joint data controllers. However, the company had not complied with the rules for joint data controllers. The reason was that the roles and responsibility had not been properly allocated between them.
The Danish Data Protection Agency referred to the fact that joint data controllers jointly must ensure that data protection rules are complied with – and be able to document it. Such documentation was not in place between the company and Meta.
IUNO's opinion
Joint data controller responsibility occurs when two or more data controllers jointly determine why and how a processing activity is carried out. When there is a joint data responsibility, the parties must agree on how the different roles and responsibilities should be managed. In this connection, the information obligation along with the other general obligations are addressed.
IUNO recommends that companies check whether there is a joint data controller responsibility when conducting assessments of the various data processing activities. It is not always easy to identify if there is a joint or separate responsibility. Therefore, each processing activity should be assessed separately.
[The Danish Data Protection Agency’s judgment of 20 April 2023 in case no. 2021-7329-0052]
Similar
Expensive right of access requests
Seven commandments when closing the business e-mail account
Unfair design practices resulted in a 345 million euro fine
Accessible personnel files resulted in a data breach
Deadline to establish whistleblower schemes for medium-sized companies approaching
New guidance from the Danish Data Protection Agency on direct marketing