The General Data Protection Regulation (GDPR) creates consistent data protection rules across the EU. The GDPR will become effective as of 25 May 2018 and applies to companies based in the EU, as well as to companies around the world who provide or offer goods or services, and who process data from or about people in the EU. While many of the principles of the GDPR build on current data protection rules in the EU, the GDPR has a wider scope, more prescriptive standards and substantial fines for compliance violations. For example, it requires companies to obtain a higher standard of consent from customers, where relevant, and broadens individuals’ rights with respect to accessing and porting their data.
At Facebook, preparations are well underway to ensure that our products and services comply with the GDPR. Facebook and its affiliates, including Instagram, Oculus and WhatsApp, will all comply with the GDPR. Our team has been working to review and expand our tools to help people manage their privacy and understand their choices with respect to their personal data. We’re also expanding our Dublin-led data protection team to support these efforts, and will hire a data protection officer.
We are committed to transparency, control and accountability.
Businesses can continue to use Facebook platforms and solutions in the same way they do today, but just as they are responsible for compliance with the laws that apply to them today, companies are responsible for ensuring their own compliance with the GDPR.
In most cases, Facebook serves people and advertisers as a data controller. Businesses can be confident that Facebook takes its compliance with the GDPR very seriously. There are some key instances, listed below, in which Facebook may serve as a data processor. When Facebook acts as a data processor, businesses are responsible for ensuring that data they share with us complies with the GDPR.
Custom Audiences: When we match your CRM data to our user database and create a Custom Audience for your advertising campaigns, we are the data processor.
Measurement and analytics: We process data on your behalf in order to measure the performance and reach of your ad campaigns and provide insights about the people who use your services, and report back to you.
Workplace: Workplace Premium offerings allow you to collaborate with your colleagues using Facebook’s tools. We process personal data as a data processor in order to provide this service to you.
When Facebook provides services to our EU partners as a data processor on their behalf, we’ll ensure that we comply with the specific requirements for data processors. This means that we’ll refresh any necessary contractual obligations to align with the GDPR.
When we appoint third parties to act as data processors on our behalf, we’ll also ensure that we have appropriate terms in place to comply with the GDPR and safeguard our data. And when we act as a data processor on an advertiser’s behalf, we will be relying on our advertisers’ legal basis as data controller.