Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein – CJEU Judgment (Germany, 2018)
The Court of Justice in Europe ruled that Facebook stored cookies and processed personal data without informing users. This decision is important because it shows that companies must get consent before using tracking technologies. Website operators should take note and ensure they have clear consent mechanisms in place.
What happened
The Court ruled that Facebook placed cookies and processed user data without obtaining proper consent.
Who was affected
Facebook users whose data was processed without their knowledge were affected by this ruling.
What the authority found
The Court held that Facebook lacked valid consent mechanisms and clear information for users regarding cookie usage.
Why this matters
This ruling sets a precedent for how companies must handle user consent for cookies. Website operators should review their cookie policies to ensure compliance and protect user privacy.
National Law Articles
The company offered educational services through a fan page hosted by Facebook. As administrators, they obtained statistical information on visitors to the fan page via Facebook Insights offered by Facebook free of charge under non-negotiable conditions of use. The information was obtained using cookies, each containing a unique user code, stored by Facebook in the devices of visitors and were active for two years. The unique code could be matched with users registered on Facebook and their personal data was collected when the fan page was opened. Neither the company nor Facebook notified users/visitors of the fan page of the storing of cookies or processing of their personal data. The Independent Data Protection Centre Germany, (ULD) made a decision on 3rd November 2011 against the company ordering them to deactivate the fan page within the prescribed period or pay a penalty fine on grounds that: 1. Neither Facebook nor the company notified the users that Facebook collected Personal data of the users; 2. Facebook processed personal data of the users. The company brought a dispute against that decision arguing that it was not responsible for the processing of personal data under the data protection law. This dispute went back and forth from the Administrative Court to the Federal Court who referred the matter to the CJEU seeking clarifications on whether an administrator of a fan page hosted by a social network is a controller within the definition under Article 2 (d)of Directive 95/46. The CJEU held that the mere fact of using a social network doesn’t make the user a controller responsible for processing personal data. However, an administrator who creates a fan page, consents to the use policy, cookies policy, defines the objectives and promotes its activities has an influence on the processing of personal data for the purpose of producing a statistical report, by Facebook, on the fan page, whether anonymized or not. Thus, the administrator is a joint contro
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Violations (3)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.
Art. 12, 13 GDPR
Related Cases (0)
No other cases found for Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein in DE
This is the only recorded case for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein - Germany (2018). Retrieved from cookiefines.eu
Last updated: