1. Home
  2. Case law
  3. European Union
  4. Court of Justice of the European Union
  5. CJEU delivered judgments
  6. CJEU – Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV – C-40/17
12 May. 2022
EDPB Annual Report 2021
28 Apr. 2022
EDPB Enforcement Cooperation Statement

CJEU – Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV – C-40/17

In this judgment, the Court had occasion to clarify the concept of a ‘controller of the processing of personal data’ as regards the embedding of a social plugin on a website.

In this case, Fashion ID, a German online clothing retailer, had embedded on its website the ‘Like’ social plugin from the social network Facebook. The act of embedding that plugin appears to have made it possible for Facebook Ireland to obtain the personal data of visitors to the Fashion ID website. That transmission of data appears to occur regardless of whether or not the visitor is aware of such an operation, is a member of the social network Facebook or has clicked on the Facebook ‘Like’ button.

The Verbraucherzentrale NRW, a German public-service association tasked with safeguarding the interests of consumers, criticises Fashion ID for transmitting to Facebook Ireland personal data belonging to visitors to its website, first, without their consent and, second, in breach of the duties to inform set out in the provisions relating to the protection of personal data. In the context of that dispute, the Oberlandesgericht Düsseldorf (Higher Regional Court, Düsseldorf, Germany) requested the Court to provide an interpretation of a number of provisions of Directive 95/46/EC.

The Court held, first, that the operator of a website, such as Fashion ID, can be considered to be a controller within the meaning of Article 2(d) of Directive 95/46/EC. That status is, however, limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means, that is to say, the collection and disclosure by transmission of the data at issue. By contrast, the Court states that it seems, at the outset, impossible that Fashion ID determines the purposes and means of subsequent operations involving the processing of personal data carried out by Facebook Ireland following their transmission to the latter, with the result that Fashion ID cannot be considered to be a controller in respect of those operations within the meaning of Article 2(d) (paragraphs 76, 85, operative part 2).

Furthermore, the Court noted that it is necessary that that operator and that provider each pursue a legitimate interest, within the meaning of Article 7(f) of Directive 95/46/EC, through those processing operations in order for those operations to be justified in respect of each of them (paragraph 97, operative part 3).

Lastly, the Court stated that the consent of the data subject, referred to in Article 2(h) and Article 7(a) of Directive 95/46/EC, must be obtained by the operator of a website only with regard to the operations involving the processing of personal data in respect of which that operator determines the purposes and means. In such a situation, the duty to inform laid down in Article 10 of that directive is incumbent also on that operator, but the information that the latter must provide to the data subject need relate only to the operation or set of operations involving the processing of personal data in respect of which that operator actually determines the purposes and means (paragraph 106, operative part 4).

References

  • Case-law
  • SA
  • Legislation