In conclusion, our memo concludes that parts of the NDPA's report are deficient and imprecise, especially with regard to its view on joint controllership when using Facebook Pages. Our view is that the joint controllership between Meta and page admins is defined in an adequate way in accordance with the legal requirements. This stands in contrast to what the NDPA publicly states.
For the collection and processing of personal data to generate "Page Insights", the page admin and Meta are joint controllers. But this does not mean – or require – that the division of responsibilities is equal. The above implies that, in our opinion, most organisations should be able to conclude that they may use Facebook Pages in compliance with the GDPR, but they must conduct their own assessments of legal basis for processing of personal data. We have also questioned the NDPA's emphasis on arguments of a more subjective "ethical" nature than mere legal arguments, which we believe are irrelevant in a legal assessment according to the GDPR.
Slides from our seminar are available on request. You are welcome to contact us should you have any questions.