{"id":2022,"date":"2021-11-30T04:07:24","date_gmt":"2021-11-30T03:07:24","guid":{"rendered":"https:\/\/monblogeur.tech\/index.php\/2021\/11\/30\/facebook-and-privacy-risks-five-ways-to-ensure-your-company-stays-compliant-privacy-norway-mondaq-news-alerts\/"},"modified":"2021-11-30T04:07:24","modified_gmt":"2021-11-30T03:07:24","slug":"facebook-and-privacy-risks-five-ways-to-ensure-your-company-stays-compliant-privacy-norway-mondaq-news-alerts","status":"publish","type":"post","link":"https:\/\/monblogeur.tech\/index.php\/2021\/11\/30\/facebook-and-privacy-risks-five-ways-to-ensure-your-company-stays-compliant-privacy-norway-mondaq-news-alerts\/","title":{"rendered":"Facebook And Privacy Risks: Five Ways To Ensure Your Company Stays Compliant &#8211; Privacy &#8211; Norway &#8211; Mondaq News Alerts"},"content":{"rendered":"<p>What privacy risks arise when a business communicates through Facebook? In a recent report, the Norwegian Data Protection Authority states that it will stop using Facebook. 
The decision came after the authority conducted a risk assessment, which concluded that having a page on Facebook entails too high a risk.<br \/>All companies that process personal data must ensure that they comply with the obligations in the EU&#39;s General Data Protection Regulation (GDPR). The obligations also apply when a company uses social media, for example by creating a business page on Facebook.<br \/>In essence, a company&#39;s compliance efforts shall include measures to ensure that the privacy of data subjects is safeguarded. Companies that ignore the fundamental GDPR requirements risk administrative fines, monetary claims from data subjects and unwanted press coverage. According to the GDPR, a company shall evidence that it has carried out a risk assessment and considered the privacy consequences of using Facebook for business communication.<br \/>The roles and responsibilities in social media have been emphasized through case law from the European Court of Justice (CJEU). In particular, two judgments, Wirtschaftsakademie (C-210\/16) and Fashion ID (C-40\/17), show that interaction between social media and other actors can lead to joint responsibility under Article 26 of GDPR.<br \/>The conclusion of the Norwegian Data Protection Authority to stop using Facebook is based on a Data Protection Impact Assessment (DPIA), including the requirements for so-called joint data controllers. In our opinion, most companies may continue using Facebook in their business communication if they follow this step-by-step guide:<br \/>A company using Facebook for business communication should acknowledge its responsibility for processing and for fulfilling the obligations in GDPR, just like all other companies that process personal data. 
The company shall define itself as data controller, which includes implementing appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with GDPR. This includes maintaining a record of processing activities, i.e. a systematic overview of the personal data being processed by the company. The record should also describe the processing of personal data that takes place through having a page on Facebook.<br \/>As data controller, the company creating a Facebook page should take measures to provide transparent information to the data subjects. The communication should be concise, intelligible and easily accessible, using clear and plain language. The company should provide the information in writing through a privacy notice on its webpage or similar. Certain mandatory information needs to be included in the privacy notice, such as legal basis, purposes and data subjects&#39; rights. The privacy notice should also include specific information about the company&#39;s use of Facebook.<br \/>A company with a presence on Facebook should assess whether the processing is necessary and proportional. The goal is to ensure that the choices the company makes as data controller are legitimate and carried out so that the processing is proportional to the purposes. The company should address whether the privacy principles (GDPR Articles 5, 6 and 9) and the data subjects&#39; rights (GDPR Articles 12-22) have been safeguarded. Built-in privacy and \u201cprivacy as default\u201d are also key requirements that should be described by the company. The company may use information in Facebook&#39;s Help Center to facilitate the assessment.<br \/>As indicated by recent EU case law, the company and Facebook may be seen as so-called joint controllers according to GDPR Article 26. 
Essentially, this requires an arrangement that determines the responsibilities for compliance with GDPR, in particular as regards the exercising of the rights of data subjects and the duties to provide information referred to in GDPR Articles 13 and 14.<br \/>The issue here is that companies will not have the opportunity to enter into their own agreements with Facebook. Interestingly, the CJEU clarified in Fashion ID that although the term \u201ccontroller\u201d should be given a broad interpretation, a company cannot be held responsible for upstream or downstream processing operations in the chain for which it does not determine the purpose or the means of processing. In this regard, the CJEU held that Facebook (not Fashion ID) was the data controller for the processing taking place after the personal data related to the \u201cLike\u201d plug-in has been transferred to Facebook. In short, companies that do not embed Facebook&#39;s \u201cLike\u201d button seem to be better off in terms of compliance than those that do.<br \/>An important tool to ensure compliance is to carry out risk assessments and consider privacy consequences, e.g. by conducting a DPIA. The risk assessment of using Facebook in business communication shall be evidenced by the company in writing. The assessment should include the nature, scope, purpose, context, sources and recipients of the personal data processing, as well as an assessment of the information security consequences of having a page on Facebook. The aspect of international data transfers should also be taken into account (please read our previous newsletters regarding Schrems II). 
If the assessment concludes that the processing of personal data through a page on Facebook entails a high risk for the data subjects, the company \u2013 as the owner of a Facebook page \u2013 must be able to implement measures that reduce the risk sufficiently.<br \/>The Norwegian Data Protection Authority has chosen not to use Facebook. This does not mean that your company&#39;s risk assessment will conclude in the same way.<br \/>Firstly, the report by the authority would only apply to the authority&#39;s own use of Facebook. The DPIA conducted by the authority is not a general assessment of the legality of using Facebook for business communication. Secondly, there is also much to indicate that the authority has made a quite strict interpretation of Facebook in light of its role as Norway&#39;s privacy watchdog and ombudsman.<br \/>However, it is clear that companies need to assess the privacy risk associated with having a page on Facebook. Specific information should be given in a privacy notice about the legal basis and purpose of using Facebook for business communication. The aspects of joint controllers, necessity, proportionality and built-in privacy should be taken into account. There are several things to keep in mind for companies that choose to use Facebook.<br \/><em>Originally Published 05 October 2021<\/em><br \/><em>The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.<\/em><br \/><a class=\"footerBottomLink\" href=\"\/Copyright\">&nbsp; \u00a9 Mondaq\u00ae Ltd 1994 &#8211; 2021. All Rights Reserved<\/a>.
<\/p>\n<p><a href=\"https:\/\/www.mondaq.com\/privacy-protection\/1136048\/facebook-and-privacy-risks-five-ways-to-ensure-your-company-stays-compliant\">source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>What kind of privacy risk can it have when a business communicates through Facebook? In a recent report, The Norwegian Data Protection Authority states that it will stop using Facebook. The [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"googlesitekit_rrm_CAow1sXXCw:productID":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[1],"tags":[],"class_list":["post-2022","post","type-post","status-publish","format-standard","hentry","category-non-classe"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/monblogeur.tech\/index.php\/wp-json\/wp\/v2\/posts\/2022","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/monblogeur.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/monblogeur.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/monblogeur.tech\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{
"embeddable":true,"href":"https:\/\/monblogeur.tech\/index.php\/wp-json\/wp\/v2\/comments?post=2022"}],"version-history":[{"count":0,"href":"https:\/\/monblogeur.tech\/index.php\/wp-json\/wp\/v2\/posts\/2022\/revisions"}],"wp:attachment":[{"href":"https:\/\/monblogeur.tech\/index.php\/wp-json\/wp\/v2\/media?parent=2022"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/monblogeur.tech\/index.php\/wp-json\/wp\/v2\/categories?post=2022"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/monblogeur.tech\/index.php\/wp-json\/wp\/v2\/tags?post=2022"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}