We all know that a privacy policy is mandatory under many privacy laws. Even if you run your business only on Facebook – without a website – you need to have a privacy policy available for your customers to read.
Here’s what Facebook states on their Pages, Groups and Events Policies:
If you collect content and information directly from users, your Page, Group or Event must make it clear that you (and not Facebook) are collecting it, and must provide notice about and obtain user consent for your use of the content and information that you collect. Regardless of how you obtain content and information from users, you are responsible for securing all necessary permissions to reuse their content and information.
In order to be compliant, your policy must be up-to-date, understandable, unambiguous, and easily accessible. Also, it has to:
See this privacy policy created with our generator for an example of how these elements come together. Click on the button to open the document:
Privacy PolicyAs explained in Facebook’s Data Policy under “How do we use this information?”, Facebook also collects and uses information to provide analytics services called Page Insights to Page admins to help them understand how people interact with their Pages and the content associated with them.
Also, you should communicate your legal basis:
You should ensure that you also have a legal basis for the processing of Insights Data. In addition to the information provided to data subjects by Facebook Ireland via the Information about Page Insights, you should identify your own legal basis including the legitimate interests you pursue […]
The following is just an example of how you can phrase your custom clause related to the use of Facebook Insight. Remember to specify if yours is a Page, Group or Event.
Most importantly, if GDPR applies to your situation, do not forget to mention on which legal base you are relying on in order to process statistical data. You can rely on any of the 6 legal bases provided under the GDPR.
As stated in the Page Insights Controller Addendum, Facebook is taking on major responsibilities:
Unless specified otherwise in this Page Insights Addendum, between you and Facebook Ireland, Facebook Ireland assumes the responsibility for compliance with the applicable obligations under the GDPR for the processing of Insights Data (including, but not limited to, Articles 12 and 13 GDPR, Articles 15 to 21 GDPR, Articles 33 and 34 GDPR). Facebook Ireland will implement appropriate technical and organisational measures to ensure the security of the processing in accordance with Article 32 GDPR.
The processing of personal data for Page Insights might be subject to the joint controllership arrangement: basically, if you’re a Facebook Page admin, both you and Facebook are responsible for complying with the GDPR in relation to Facebook’s Page Insights service.
In any case, there is no need to add a joint controller statement, since Facebook takes care of this aspect:
Facebook Ireland will make the essence of this Page Insights Addendum available to data subjects (Article 26(2) GDPR). This is currently done via the Information about Page Insights data which can be accessed from all Pages.
If you need assistance with regard to a request in accordance with the Page Insights Controller Addendum, you can submit this form:
In fact, on the Page Insights Controller Addendum Facebook says:
The Parties designate the communication channels referenced in the Information about Page Insights data or in any subsequent document as contact points for data subjects.
And:
If data subjects exercise their rights under the GDPR with regard to the processing of Insights Data against you (Article 26(3) GDPR), or you are contacted by a supervisory authority with regard to the processing of Insights Data, each a “Request”, you will forward all relevant information regarding such Requests to us promptly but within a maximum of seven calendar days. For this purpose, you can submit this form. Facebook Ireland agrees to answer Requests from data subjects in accordance with our obligations under this Page Insights Addendum. You agree to take all reasonable endeavours in a timely manner to cooperate with us in answering any such Request. You are not authorised to act or answer on Facebook Ireland’s behalf.
Facebook allows you to link to your privacy policy on your page: click on About > Edit Privacy Policy to enter your privacy policy link.
Our Privacy and Cookie Policy Generator makes it easy to create a privacy policy (also) for Facebook pages: with hundreds of pre-crafted clauses, our generator lets you easily include all elements commonly required across many regions and third-party services, while applying the strictest standards by default – giving you the option to fully customize as needed.
All our policies are created by lawyers, monitored by our lawyers and hosted on our servers to ensure that they are always up-to-date with the latest legal changes and third-party requirements.