If someone clicks on the Facebook "Like" button embedded in your business' website, you might take the view that responsibility for protecting that person's personal data lies solely with Facebook. That view would be wrong, according to a recent European Court of Justice decision.

In Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV, the ECJ ruled that a website operator that embeds Facebook's "Like" button in its page can be a data controller jointly with Facebook, with joint liability in respect of the collection and transmission of data.

Verbraucherzentrale brought a claim against Fashion ID for breaching personal data by using Facebook's Like button on its website. By doing so, Fashion ID transmitted the personal data of visitors to the site and allowed Facebook to obtain it. This exposed Fashion ID to non-compliance with the GDPR, although its liability was limited to the collection and disclosure by transmission of the data at issue, and did not extend to subsequent processing of the data by Facebook.

It follows, then, that website operators would be responsible for either obtaining consent from site visitors or demonstrating a legitimate interest as the legal basis for collecting personal data. The only sure-fire way of ensuring no breach of the GDPR would be to obtain express consent from site visitors.

With this ruling likely to apply to a variety of plug-ins, such as those from Twitter and LinkedIn, and to the use of cookies that collect and transmit personal data, it's worth taking the time to double-check your company's GDPR compliance in relation to embedded plug-ins and the use of cookies.