open search
Internationales Arbeitsrecht

European Court of Justice – A ‘Like’ button on your website? Then you are a joint data controller with Facebook!

Print Friendly, PDF & Email

Website operators who feature a ‘Like’ button have been ruled to be joint controllers for data protection purposes in a recent European Court of Justice judgement.

In a judgment of 29 July 2019 (Fashion ID GmbH & Co, C-40/17) the European Court of Justice ruled that operators of a website that features a ‘Like’ button are controllers jointly with Facebook.

This means they must make an arrangement with Facebook in order to define their joint data protection obligations. The operator itself will also need to inform users and (in principle) seek their required consent.

In this case, an online clothing retailer had embedded a Facebook ‘Like’ button on its website. Users’ personal data (IP address, browser data and content) were thereby automatically transmitted to Facebook, without the users being aware of this and regardless of whether or not they were a Facebook user or had clicked the ‘Like’ button.

The Court of Justice ruled that the company was a joint controller within the meaning of the GDPR in respect of the collection of the data and its transmission to Facebook. Indeed, the company jointly determined the purposes and means of processing, since the company itself embedded the button in order to optimise its visibility and the visibility of its products on the social network.

The fact that the company itself did not have access to the personal data was considered irrelevant. However, the Court emphasised that the company could not be held responsible for all subsequent processing by Facebook after the transmission of the data through the ‘Like’ button.

The role of an organisation under data protection legislation (individual controller, joint controller or processor) is crucial for its obligations. The designation as joint controller implies several obligations for the operator of the website, including those described below.


The operator of the website and Facebook must make an arrangement between themselves concerning their respective responsibilities, in particular regarding the exercise of rights and the obligation to provide information. It is to be expected that, following the European Court of Justice judgement, Facebook will work on a template agreement to this effect (as it did when the Court of Justice ruled in an earlier judgment that administrators of Facebook pages are also joint controllers).

Information obligation 

The website operator will have to inform its users in detail about the ‘Like’ button and the data processing related to the button.


under e-Privacy legislation, the use of a ‘Like’ button seems to require the explicit (GDPR-compliant) consent of users, especially if the button is used to transmit data from individuals who are not Facebook users. This is also the position of the Belgian Data Protection Authority.

The Court of Justice has not explicitly ruled on this, but does state that any consent must be obtained by the operator of the website (and not by Facebook), prior to the collection or transfer of the data.


The impact of the European Court of Justice judgement does not seem to be limited to the Facebook ‘Like’ button. In our view, the same principles can be applied to all features (plug-ins, widgets etc.) of third parties on a website, insofar as the website operator jointly determines the purposes and means of processing.

Action point 

‘Third-party check’ 

Operators of websites or other online services (such as apps) must check the following:

  • which external third-party features are embedded;
  • the role they play in relation to the third parties and whether they should make arrangements with them;
  • whether they properly comply with all other data protection obligations, in particular whether they correctly inform users about the processing of their personal data and whether they request (if required) a GDPR-compliant consent prior to the processing.

Ius Laboris

Ius Laboris is a leading international employment law practice combining the world’s leading employment, labour and pension firms. Our role lies in sharing insights and helping clients to navigate the world of labour and employment law successfully.
Verwandte Beiträge
Internationales Arbeitsrecht Neueste Beiträge

Where can an employee sue an employer? A recent ruling and its implications for Austrian law

The European Court of Justice has ruled that an employee living in Austria has to bring a legal action against the employer with whom she had an employment contract in Germany, because the main part of her contractual obligations had to be performed in Germany, even if no work was actually performed. A recent European Court of Justice ruling (25 February 2021; C–804/19, Markt24) has clarified the law on where…
Internationales Arbeitsrecht Neueste Beiträge

Can an employer in France dismiss an employee for private Facebook content? Yes, if there is no subterfuge

The French Cour de Cassation has confirmed that an employer could dismiss an employee based on a private Facebook post that breached her confidentiality obligations, because the way it had found out about the post did not involve subterfuge or trickery.   Background In April 2014, an employee working in sales in the clothing company Petit Bateau attended a fashion show presenting the future spring-summer…
Belgium Internationales Arbeitsrecht Neueste Beiträge

How to deal with ex-employees’ email accounts: the Belgian DPA strengthens its position

The Belgian DPA has recently fined a company for delaying the closure of ex-employees’ email accounts. The Belgian Data Protection Authority (DPA) recently decided to impose an administrative fine of EUR 15,000 on a company that only closed email addresses linked to employees (surname and first name) who had left the company after 2.5 years. According to the DPA, non-closure of these email addresses constitutes…
Abonnieren Sie den KLIEMT-Newsletter.
Jetzt anmelden und informiert bleiben.

Die Abmeldung ist jederzeit möglich.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert