13 April 2020
Here are some activities that might qualify as "collecting personal information":
Take a look at this section of Facebook's Pages, Groups and Events Policies:
You should include full contact details for your business, including its legal name, business address, and email address.
Here's an example from Product Hunt:
Note that Product Hunt refers to itself as "the Controller." This is only relevant if you have customers in the EU and have to comply with the GDPR. We'll discuss this in more detail below.
Whether you're running a physical store, an ecommerce store, or online services business, you'll need to collect basic personal information such as customers' names and contact details.
If you have a broader online presence extending beyond your Facebook Page, you'll also need to explain the other ways in which you collect personal information.
Here's an example from Pearl Daisy:
You must explain your purposes for collecting personal information, i.e. how you use it.
For example, you can use your Facebook Page to enable customers to book appointments or make orders. Or you might use Facebook Messenger to engage with customers and receive inquiries.
You should have a clear business purpose for using any personal information you collect. If you collect email addresses, names, and shipping addresses, you must explain why you do this.
Here's an example from catering business Chrissie Cakes and Supplies:
Here's an example from ecommerce business Jasmin Studio Crafts:
Note that you don't necessarily need to name the businesses with whom you share personal information: you can just identify the types of businesses.
If you've ever visited a company's Facebook Page from within the UK or the EU (or the wider European Economic Area), you might have noticed a link reading "Information about Page Insights data."
Clicking this link leads to a page explaining that Facebook and Facebook Page Admins are "joint controllers" under the GDPR.
A German court required Facebook to create this policy based on how its "Insights" product works. Here's where to find Insights:
The Insights tool automatically collects data about who visits your Page. As a Page Admin, you would never be able to actually use this data to determine whether a particular individual had visited your page. However, according to the EU, this data is personal information. And under the GDPR, you and Facebook are jointly responsible for processing it.
So, as a Facebook Page Admin, you're held jointly responsible for Insights data. Facebook's Page Insights Controller Addendum sets the rules about how you and Facebook should meet your legal obligations.
The GDPR allows joint controllers to decide among themselves how they will fulfill their legal obligations. Fortunately, Facebook has allocated almost all of the GDPR's duties to itself, and there's not much left for Page Admins to do.
Here are Page Admins' duties under the Addendum:
Facebook doesn't explain what any of this means or how you can communicate it to your customers. That's where we come in.
Facebook requires you to identify your legal basis for processing Page Insights data.
The concept of the "legal basis" (or "lawful basis") is very important under the GDPR.
We won't go into detail about the legal bases here. Essentially, there are six legal bases, and every time you collect personal information, you need to identify a legal basis for doing so.
See our article Lawful Basis for Processing Under the GDPR for more information.
So, what's your legal basis for receiving personal information from Page Insights? Well, Facebook suggests that it might be in your "legitimate interests," which is one of the six legal bases.
"Legitimate interests" can be a suitable legal basis when you process personal information in a way that benefits your business without causing any significant privacy risks. You should carry out a Legitimate Interests Assessment if you plan on relying on this legal basis.
Daimler explains how Insights works and then identifies its legitimate interests in receiving Insights data: the ability to recognize user preferences and locations and to adapt and improve its offer accordingly.
Facebook requires that you provide a name and contact details for the "responsible data controller."
The responsible data controller is your company. Your company is a data controller under the GDPR because it decides why and how to process personal information. We looked at providing your company's contact details above.
Facebook also requires that you provide contact details for your Data Protection Officer. However, unless your business has over 250 employees, or it regularly processes sensitive personal information, it's unlikely you'll need to appoint a Data Protection Officer.
First, go to your Facebook Page dashboard and select "Edit Page Info" in the top right-hand corner.
If you have customers in the UK or EU, you also need to comply with Facebook's Page Insights Joint Controller Addendum
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.