What admins and operators of Facebook pages need to consider

Facebook pages can complement business websites and are often used as an alternative to the corporate website by SMBs (small and medium businesses). In general, Facebook pages are used explicitly for business purposes.
 
Meta Platforms, as the operator of the Facebook page service, processes user data to place precisely tailored ads on behalf of companies, associations, political parties, etc. This includes the processing of personal data.
 
Joint responsibility
Since admins and operators of Facebook pages can perform user analyses by using the so-called “Insights” function, the fan page operator and the platform operator are, according to the ECJ, jointly responsible for the processing of personal data.
 
Both parties are obliged to comply with the GDPR, which is why a joint controller agreement (Art. 26 GDPR) must be concluded. Unfortunately, the current addendum provided by Meta Platforms does not meet these requirements. This means that responsible Facebook page operators cannot establish in detail which data processing takes place or whether data is transferred to non-European countries.
 
Switching off as a last resort?
According to the resolution of the German data protection conference, Facebook page admins or operators must ensure or prove the legal conformity of the data transfer for which they are responsible.
 
In cooperation with Meta Platforms, it must be ensured that users are informed about the processing of their personal data when the Facebook page is created and operated. Furthermore, data must be processed on a valid legal basis. Both parties must specify in a joint controller agreement (Art. 26 GDPR) how compliance is achieved.
 
If this is not possible, the only option left to the responsible Facebook page operator is to deactivate the corresponding page account, as the operation is otherwise unlawful.
 
Since the supervisory authorities have been pointing out the problem for years, there are no transition periods under the GDPR. The decision applies equally to companies and public institutions. The supervisory authorities focus on the latter because of their role model function.
 
Are fines possible?
Fines can be imposed on non-public companies in the event of non-compliance. Under German law this is not possible for public institutions, but they must still comply with the law. In addition, data subjects can assert claims for damages (Art. 82 GDPR) against the responsible parties.