In its judgment "FashionID" (C-40/17 of 29 July 2019), the European Court of Justice (ECJ) substantiates its previous rulings on the joint responsibility of website operators and social media providers. Even though the ECJ restricts their responsibility to processes that can actually be attributed to and controlled by them, the website operator ultimately still needs to meet some obligations.

When websites embed content from social media services such as Facebook, Twitter or YouTube, personal data of website visitors are normally transmitted from the website to such services. In the case of the Facebook "like" button, which was at issue in the ECJ ruling, the IP address, browser information and information on the content are sent to Facebook Ireland, regardless of whether or not the website visitor is a member of Facebook and/or clicks the button. The situation is similar for other website-embedded content such as YouTube videos or Twitter posts. Since the website operator thereby enables the service to process the visitor's data, the ECJ considers this to give rise to the joint responsibility of the website operator and the service.

Nevertheless, the ECJ limits the website operator's joint responsibility to the processing steps for which it actually decides on the purposes and means, thus generally only the collection and transmission of personal data. It is not responsible for upstream or downstream steps, and in particular not for data processing at the service itself. Yet it can be concluded from the ECJ's decision that the website operator's and the service's responsibility may thus be quite different; specifically, the different degrees of responsibility may lead to different competences and different degrees of liability.

The website operator's competence thus extends primarily to the duties of information which, under Articles 13 and 14 of the General Data Protection Regulation (GDPR), need to be complied with at the time the data are collected, and, if necessary, to obtaining the website visitor's consent. The latter is required when it comes to cookies (Article 96 (3) of the Telecommunications Act (TKG) of 2003). As to other data, legitimate interests (Article 6 (1) f GDPR) would suffice to justify data processing, but would need to exist both on the side of the website operator and on that of the service.

As to any embedded social media content, the website operator's duty of information may extend only to the collection and transmission of the data, especially since it decides on the purposes and means only in this respect. The website operator must thus inform the visitor at least about the circumstances under which data are to be transmitted to which social media service for which purpose (e.g. always or only when the visitor has logged in with the service, or already when selecting the (sub)site on which the content is embedded, or only when clicking the content) and, possibly, which suitable guarantees are available when transmitting to a third-party country. In addition, a reference/link should be given to the privacy policy of the social media service, together with the comment that any further data processing by the service is neither known nor controllable. In line with the principles of the GDPR, the basic settings should be as data-protection-friendly as possible, and data should be transmitted only when the visitor actually clicks and thus "activates" the content, or when the visitor's consent has been obtained for the general activation of social media content and thus for the collection and transmission of the relevant data.
