In its judgment "FashionID" (C-40/17 of 29 July 2019), the European Court of Justice (ECJ) substantiates its previous rulings on the joint responsibility of website operators and social media providers. Even though the ECJ restricts their responsibility to processes that can actually be attributed to and controlled by them, the website operator ultimately still needs to meet some obligations.
When websites embed content from social media services such as Facebook, Twitter or YouTube, personal data of website visitors are normally transmitted from the website to such services. In the case of the Facebook "like" button, which was at issue in the ECJ ruling, the IP address, browser information and information on the content are sent to Facebook Ireland, regardless of whether or not the website visitor is a member of Facebook and/or clicks the button. The situation is similar for other website-embedded content such as YouTube videos or Twitter posts. Since in doing so the website operator enables the service to process the visitor's data, the ECJ considers this to lead to the joint responsibility of the website operator and the service.
Nevertheless, the ECJ limits the website operator's joint responsibility to the processing steps for which it actually decides on the purposes and means, and thus generally only to the collection and transmission of personal data. It is not responsible for up- or downstream steps, and in particular not for data processing at the service itself. Yet it can be concluded from the ECJ's decision that the website operator's and the service's responsibility may thus be quite different; specifically, the different degrees of responsibility may lead to different competences and different degrees of liability.
The website operator's competence thus extends primarily to the duties of information which under Articles 13 and 14 of the General Data Protection Regulation (GDPR) need to be complied with at the time the data are collected, and, if necessary, to obtaining the website visitor's consent. The latter is required when it comes to cookies (Article 96 (3) of the Telecommunications Act (TKG) of 2003). As to other data, legitimate interests (Article 6 (1) f GDPR) would suffice to justify data processing, but would need to exist both on the side of the website operator and on that of the service.