The NAIH has issued a position statement on the use and legal assessment of social modules used on websites, the method of lawfully obtaining consent, and the content of the website operator’s obligations.
The NAIH has basically examined two questions:
- Who is the data controller when embedding social modules?
The website operator is a data controller with regard to all personal data that is collected and transmitted during the use of its website – this includes all data processed by the social module it uses.
For example, a website operator is a data controller if it embeds a so-called “tracking pixel” in its own website, through which the visitor’s browser transmits personal data about the visitor to the social media service provider. The collection and transmission of the personal data of the website visitors to the service provider would not have been possible without the embedding of the pixel. The service provider has also developed and made available the pixel as a software code that enables the service provider to collect, transmit and evaluate personal data in an automated manner. As a result, the website operator and the social media service provider are joint controllers in relation to the collection and transmission of personal data via pixels.
However, the website operator’s capacity as data controller is limited to those operations in which it actually determines the purposes and means. The website operator cannot be considered a data controller for further processing operations on personal data by the social media service provider after the transmission. The NAIH’s position in this regard is consistent with the European Data Protection Board (EDPB)’s draft Guidelines No. 8/2020 on the targeting of social media users.
- What are the requirements for the consent of the data subjects?
The consent of the data subjects must be obtained in order to use the social module. Data subjects must be able to decide individually whether or not they consent to the operation of a given type of cookie – the data subject must be able to decide whether he or she wishes the given data management (operation of the given cookie) to take place. This is possible in the case of cookies where the user can browse the site without any restrictions even if he or she does not consent to the installation of the given cookie. The voluntary nature of consent can be established if access to services and functionalities is not made conditional on consent to the storage of information on the user’s terminal device or to access to information already stored there.
For example, if a website operator uses a script that prevents the visibility of the website’s contents – with the exception of the interface for accepting cookies and providing information about them – so that access to the content is only possible by clicking on the “Accept cookies” button, then the website user does not have a real choice. His or her consent is therefore invalid because it does not provide a real choice for the users of the site.
Practical steps
Based on the NAIH’s position, website operators should:
- examine exactly what kind of data is recorded and transmitted when using a social module,
- prepare an appropriate data protection notice regarding the use of the social module,
- provide a valid consent option for the users concerned regarding the use of the social module, and
In addition, website operators should check the data protection conditions of the social media service provider in view of their joint data controller status and should also pay attention to the provisions of the EDPB’s draft guideline No. 8/2020 on the targeting of social media users.