What Is Facebook Data Protection Regulation?


What Is The General Data Protection Regulation?

The General Data Protection Regulation (GDPR), which applies starting 25 May 2018, creates consistent data protection rules across Europe. It applies to companies who are based in the EU and global companies. Who process personal data about individuals in the EU.

While many of the principles build on current EU data protection rules. The GDPR has a wider scope. It also has more prescriptive standards and substantial fines. For example, it requires a higher standard of consent. For using some types of data and broadens individuals’ rights with respect to accessing and porting their data. It also establishes significant enforcement powers, allowing a company’s supervisory authority to seek fines of up to 4% of global annual revenue for certain violations.

Facebook’s Commitment & Preparation

Data protection is central to the Facebook companies. We comply with current EU data protection law and will comply with the GDPR. Our GDPR preparations ar well current, supported by the biggest cross-functional team in Facebook’s history. We’re also expanding our Dublin-led data protection team which is leading these efforts.

Facebook Committed To The Following:


Our Data Policy will remain the single consolidated place that maps out the ways in which we process people’s personal data, but we’ll also provide education through consent experiences for new and existing users, in-product notifications and consumer education campaigns.


We’ll continue to provide people with control over how their data is used. To build on this, we’re simplifying the design of our privacy settings in a new privacy center. We’ll also provide refreshers for people as they use Facebook – for example, reminders that pop up in News Feed about how to double-check your settings.


We are accountable for our practices and have Privacy Principles that explain how we think about privacy and data protection. We meet regularly with regulators, policymakers, privacy experts and academics from around the world to keep them apprised of our practices, get feedback and adapt as needed.

Information For Businesses:

Businesses who advertise with the Facebook companies can continue to use Facebook platforms and solutions in the same way they do today. Each company is responsible for ensuring their own compliance with the GDPR. Then just as they are responsible for compliance with the laws that apply to them today. For more information about specific Facebook ad products.

  • Key legal bases
  • Facebook as data controller vs Data processor
  • Transfers
  • Advertiser Terms.

Key Legal Bases:

Under GDPR, there are a number of grounds to legitimize the processing of personal data. Below, we’ve outlined the most relevant legal bases under the GDPR.

Basis Requirements and product implications

Contractual necessity

  • Data processed must be necessary for the Service and defined in the contract with the individual


  • Requires a freely given, specific, informed and unambiguous consent by clear affirmative action
  • People have a right to withdraw consent, which must be brought to their attention
  • Must be from a person over the age of consent specified in that Member State, otherwise given by or authorized by a parent/guardian
  • Explicit consent is required for some processing (e.g., special categories of personal data)

Legitimate interests

  • If a business or a third party has legitimate interests that are not overridden by individuals’ rights or interests.
  • Processing must be paused if the objection is raised by an individual

Facebook as data controller vs Data processor

Data controller

You are the data controller when you decide the “purposes” and “means” of any processing of personal data.

  • Similar to what’s already in place for data protection law today. Data controllers will have to adopt compliance measures to cover how data is collected. What it is being used for, how long it is being retained for and ensure that people have a right to access the data held about them.

Data processor

You are the data processor when you process personal data on behalf of a data controller. Certain obligations currently apply to information processors, and controllers should bind them to sure written agreement commitments to confirm that knowledge is processed safely and lawfully.

While Facebook operates the majority of its services as a data controller, there are some instances in which we operate as a data processor when working with businesses and other third parties. When Facebook is processing data as a data processor acting on your behalf, your business needs to have your own legal basis to process and share the data with us. Examples include:

  • Custom Audiences When we match your CRM data to our user database and create a Custom Audience for your advertising campaigns, we are the data processor.
  • Measurement and analytics We process data on your behalf in order to measure the performance and reach of your ad campaigns and provide insights about the people who use your services and report back to you.
  • Workplace by Facebook Workplace Premium offering allows you to collaborate with your colleagues using Facebook’s tools. We process personal data as a data processor in order to provide this service to you.


As is the case today, any transfers of personal data outside of the EEA (European Economic Area) must meet certain legal requirements.

Privacy Shield

Facebook Inc. is certified under the Privacy Shield framework where we receive and process personal data from our advertisers in the EU in connection with certain products, including data file Custom Audiences, attribution check-up and certain offline conversion lift studies, and as further described in our Privacy Shield certification.

Advertiser Terms

However, where Facebook provides services to our EU partners as a data processor on their behalf, we’ll ensure that we comply with the specific requirements for data processors. This means that, as relevant, we’ll refresh any necessary contractual obligations to align with the GDPR.

Where we appoint parties to act as a data processor on our behalf, we’ll also ensure that we have appropriate terms in place to comply with our requirements under GDPR and safeguard our data. And where we act as a data processor on an advertiser’s behalf. Then we will be relying on our advertiser’s legal basis as a data controller for our processing of such data.