Originally Published on Facebook.com
The General Data Protection Regulation (GDPR), which went into effect May 25, 2018, creates consistent data protection rules across Europe. It applies to all companies that process personal data about individuals in the EU, regardless of where the company is based. Processing is defined broadly and refers to anything related to personal data, including how a company handles and manages data, such as collecting, storing, using and destroying data.
While many of the principles of this regulation build on current EU data protection rules, the GDPR has a wider scope, more prescriptive standards and substantial fines. For example, it requires a higher standard of consent for using some types of data, and broadens the rights individuals have for accessing and transferring their data. Failure to comply with the GDPR can result in significant fines — up to 4% of global annual revenue for certain violations.
Facebook’s Commitment & Preparation
Data protection is central to the Facebook Companies (Facebook and Messenger, Instagram, Oculus and WhatsApp). We comply with current EU data protection law, which includes the GDPR. Our GDPR preparations were led by our Dublin-based data protection team and supported by the largest cross-functional team in Facebook’s history.
Throughout the preparation process, Facebook is committed to the following:
Our Data Policy defines how we process people’s personal data. We’ll provide education on our Data Policy to people using Facebook Company Products. We’ll do this through in-product notifications and consumer education campaigns to ensure people understand how their data is being used and the choices they have.
We’ll continue to provide people with control over how their data is used. We’ve launched a new control center to make privacy settings easier to understand and update. We also remind people as they use Facebook about how to view and edit their settings.
We have Privacy Principles that explain how we think about privacy and data protection. We have a team of people who help ensure we are documenting our compliance. Additionally, we meet regularly with regulators, policymakers, privacy experts and academics from around the world to keep them apprised of our practices, get feedback and continue to improve how we protect personal information.
Information for Businesses
Businesses that advertise with the Facebook Companies can continue to use Facebook platforms and solutions in the same way they do today. Each company is responsible for complying with the GDPR, just as they are responsible for complying with the laws that apply to them today. For more information about specific Facebook ad products, see the FAQs.
Key Legal Bases
Under the GDPR, there are a number of approved reasons (or “legal bases”) a company might legitimately process a person’s data. Below, we’ve outlined the most relevant legal bases under the GDPR.
Facebook as the Data Controller vs. Facebook as the Data Processor
“Data controller” and “data processor” are important concepts in understanding a company’s responsibilities under the GDPR. Depending on the scenario, a company may be a data controller, data processor or both — and has specific responsibilities as a result:
A company is a data controller when it has the responsibility of deciding why and how (the ‘purposes’ and ‘means’) the personal data is processed.
- Under the GDPR, data controllers have to adopt compliance measures to cover how data is collected, what it’s used for and how long it’s retained. They also need to make sure people can access the data about them.
- Data controllers must ensure data processors meet their contractual commitments to process data safely and legally.
A company is a data processor when it processes personal data on behalf of a data controller. Under the GDPR, data processors have obligations to process data safely and legally.
While Facebook operates the majority of our services as a data controller, there are some instances in which we operate as a data processor when working with businesses and other third parties. When Facebook processes data on an advertiser’s behalf, the advertiser must have an appropriate legal basis for Facebook to process this data.
Examples where Facebook acts as the data processor include:
Data File Custom Audiences
Facebook uses a business’s CRM data to match it to people in our database to create a custom audience for advertising campaigns.
Measurement and analytics
Facebook processes data on an advertiser’s behalf in order to measure the performance and reach of advertising campaigns and report back insights about the people who saw and interacted with the ads.
Workplace by Facebook
Workplace Premium allows people at a company to collaborate with their coworkers using Facebook’s tools. We process personal data in order to provide this service.
As is the case today, any transfers of personal data outside of the EEA (European Economic Area) must meet certain legal requirements. Facebook Inc. is certified under the Privacy Shield framework. Under this framework, we receive and process personal data from our advertisers in the EU. We do this in connection with certain products, including data file Custom Audiences, Attribution Checkup and certain Offline Conversion Lift studies. Learn more.
Where Facebook acts as a data processor on the behalf of our EU advertisers and business partners, we ensure that we comply with the specific requirements for data processors. We’ve updated any related terms of service to align with the GDPR. Where we appoint parties to act as data processor on our behalf, we’ve ensured that we have appropriate terms in place to comply with our requirements under the GDPR and to safeguard personal data. And where we act as a data processor on an advertiser’s behalf, we rely on our advertiser’s legal basis as data controller for our processing of this data.
With Workplace, we operate as both the data processor for customers using the Premium version of our product, and the data controller for Standard customers. Workplace Premium customers act as data controllers and appoint Facebook as a data processor under the Workplace agreement. We’ve made sure our contractual commitments allow customers to confirm their compliance with the GDPR. More information on Workplace and its security certificates can be found on our Workplace security site.