Under the GDPR's definition, a data controller is the person who (alone or jointly with others) determines the purposes and means of the processing of personal data. It is therefore remarkable that the Court of Justice of the European Union announced a verdict in June on the legal status of Facebook fan page administrators.

Facebook provides fan page admins with information about visits to the page. Since this information is anonymized statistical data, one would think that admins do not process personal data. The local court in Germany also found that in these cases the purposes and means of the processing are determined by Facebook and that administrators therefore shall not be construed as controllers.

The Court of Justice of the European Union reached the opposite position, pointing out that administrators take part in determining the purposes and means of the processing of personal data by setting the scope of data subjects, using certain parameters to reach a target audience, i.e. the scope of data subjects whose data will be processed by Facebook upon visiting the fan page. According to the Court, the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of data of visitors to the page.

It is important to point out that it is not required to perform any data processing activity to become a data controller, and the obligations of controllers (such as the provision of information) must be fulfilled in these cases as well. Based on the ruling, it is clear that the obligations of controllers still apply to website owners who use analytics services that provide anonymized data based on their preferences.