client alert facebook


Facebook Custom Audiences

Is your social media presence compliant with data protection regulations?

Clarification by the Bavarian State Office for Data Protection Supervision and the Bavarian High Court of Administration Court (“BayVGH”): The use of Facebook Audiences without effective consent represents a violation of data protection provisions.


Facebook has long developed from a social network into the world’s largest advertising network. Facebook Custom Audiences is just one of the many advertising tools the company offers. Simply speaking, Custom Audiences allows to match existing customer data with other data of existing Facebook users. That way, companies can define and target specific target audiences (i.e. custom audiences) for their social media marketing campaigns.

The decisive aspect under data protection law is that personal data is transferred to third parties in the course of this process. As the Bavarian High Court of Administration has now confirmed in its latest ruling on the issue, such transfer of personal data is only permissible if the data subjects concerned have effectively consented to it.

In addition, the Court clarified that the involvement of Facebook is not a case of data processing by a data processor.

Since according to the Court it is Facebook alone who– based on the user data available only to Facebook – effectively determines which customers are targeted, the network does not only process data on instructions of the controller, thus lacking an essential element of data processing on behalf of a controller.

What to do now?

In light of the current decision of the Court, social media presences should be reviewed critically for their data protection compliance. In that context, it must especially be ensured that users are sufficiently informed about how their data is processed, that the relevant consents are obtained where necessary and that data processing agreements have been concluded to the extent necessary.

What to do now

Under the GDPR, the importance of data protection law has significantly increased. Still, it is not too late to start with GDPR implementation. Those who nonetheless do not act now are taking a high risk.

After initially being overloaded by a number of inquiries, supervisory authorities are now taking the offensive and begin targeted investigation measures – there are still enough open complaints from competitors and data subject to choose from.

So even if your organization will not be perfectly prepared until an investigation by the supervisory authority: Being able to prove that measures towards GDPR compliance have been taken may already have a significant effect on the amount of possible fines.

Our Services

Put your data protection organization to the test with our Privacy Impairment Check – objectively and independently.

Within short time, we provide a quick overview of the relevant regulatory requirements and the maturity of your privacy organization.

Our Privacy Impairment Check is modularized and can be tailored to your specific requirements:

Privacy Impairment Test

Your added value

The results of our Privacy Impairment Check provide clarity on how well your organization currently tackles major data protection risks for your company.

Ideally, your data protection organization is already up to date with relevant legal requirements and we can confirm the data protection compliance of the analyzed business procedures.

Even better if your business could actually profit from the opportunities data protection already offers today. If not, our Privacy Impairment Check will support you in discovering and exploiting the full potential of your data for active use in your business.

Where our Privacy Impairment Check indicates the need for optimization of your data protection organization, we are ready to assist with the design and implementation of any measures necessary – customized to your specific needs and requirements.

Excellently positioned for you

Our team of highly-specialized legal professionals provides you with comprehensive advice in the field of data protection and data security.

Our legal services provide support with the identification, analysis and evaluation of existing legal documentation and internal procedures dealing with personal data as well as with their optimization.

We also provide advice on the implementation of information and data management systems compliant with relevant legal provisions, the development and launch of products, as well as internal or external investigation procedures on an ad hoc basis, e.g. following a data breach. In addition, we represent companies before supervisory authorities as courts.

As legal advisors, we work closely with Deloitte's technology and business process experts in numerous interdisciplinary projects and have the necessary experience to provide holistic and integrated solutions to even the most complex legal issues.

Did we spark your interest? Contact us anytime!

Key Facts
  • The Bavarian Administrative Court clarifies: Facebook Custom Audiences requires effective consent of data subjects.
  • Put your data protection organization to the test with our Privacy Impairment Check, objectively and independently.
  • We review and evaluate data protection compliance for all relevant business areas and processes in your company.
  • We help you to take advantage of the opportunities that data protection presents for your business activities today.

Did you find this useful?