Plugged in – CJEU rules that website operators are acting as joint data controllers when using third party plugins

by Emily Sheen, Manager, Data Protection Strategy, Legal and Compliance Services, PwC United Kingdom

Email +44 (0)7561 788941

In a recent judgment, the European Court of Justice (“CJEU”) ruled that website operators who embed third party plugins into their websites should be classified as joint data controllers together with the plugin provider. In essence, this means that all website providers who use this type of plugin should take joint responsibility with the plugin provider for complying with data protection requirements.

What are plugins and how do they work?

A plugin is a piece of software that acts as an add-on to a web browser, giving it additional functionality. When an individual visits a website with an embedded third party plugin, their personal data collected via the website can be automatically transmitted to the third party provider of that plugin. The transmission of data can occur regardless of whether the website visitor has an account with the third party provider or directly clicks on a link, ‘like’ button or similar, and so can take place without their knowledge, expectation or acceptance.

The CJEU ruling – general principles

The Court ruling outlines the following principles that will be applicable to website operators that utilise third party plugins or similar technologies:

  • A website operator that embeds a third party plugin in its website will be acting as a joint controller.
  • Where consent is identified as the lawful basis for the collection of personal data via a third party plugin, the website operator is responsible for obtaining that consent prior to any personal data being collected and/or transferred to the plugin provider. The website operator only needs to seek consent for the transfer of the personal data via the plugin.
  • Where legitimate interest is identified as the lawful basis, both the website operator and plugin provider must undertake an assessment or balancing test to establish their individual legitimate interest for the processing activity.
  • As a joint controller, the website operator must take responsibility for providing, at the time of collection of personal data via the plugin, information to the website visitor/data subject about how their personal data will be processed for this specific purpose.

Further, a website operator should not be considered a data controller in respect of any further processing that is undertaken by the plugin provider once the data has been transmitted to them. This is because it would be impossible for the website operator to determine the means and purposes of the on-going processing activities of that third party.

What does this ruling mean for website operators?

Organisations using website plugins must understand where and how they are using these technologies and review their contractual and auditing frameworks to ensure they reflect this decision.

Organisations, in accordance with Art 24 GDPR, must document their respective responsibilities. This will be particularly important for any organisations relying on consent for processing.

