If someone clicks on the Facebook "Like" button embedded in your business' website, you might take the view that responsibility for protecting that person's personal data lies solely with Facebook. That view would be wrong, according to a recent European Court of Justice decision.
In Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV, the ECJ ruled that a website operator can be a data controller jointly with Facebook and have joint liability in respect of collection and transmission of data by embedding Facebook's "Like" button in their page.
Verbraucherzentrale brought a claim against Fashion ID for breaching data protection law by using Facebook's Like button on its website. By doing so, Fashion ID transmitted, and allowed Facebook to obtain, personal data of the visitors to the site. This exposed Fashion ID to non-compliance with the GDPR, although its liability was limited to the collection and disclosure by transmission of the data at issue, and not to the subsequent processing of the data by Facebook.
It follows, then, that website operators would be responsible for either obtaining consent from site visitors or demonstrating a legitimate interest legal basis for collecting personal data. The only sure-fire way of ensuring no breach of the GDPR would be to obtain express consent from site visitors.
"the operator of a website, such as Fashion ID, that embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider the personal data of the visitor can be considered to be a controller, within the meaning of Article 2(d) of Directive 95/46. That liability is, however, limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means, that is to say, the collection and disclosure by transmission of the data at issue."