Joint responsibility for the integration of third-party content on the website

von Nadja-Maria

The European Court of Justice (ECJ) pronounced its judgment on July 29, 2019 in the case C-40/17 (Fashion ID). After the decision of the ECJ on the joint responsibility of the service provider Facebook and the fan page operator, the ECJ developed its case law on joint responsibility in the “Fashion ID” case; this time with far-reaching consequences for almost every website operator. The ECJ ruled that the concept of responsibility should be interpreted broadly and that both the integrator and the third-party provider could be responsible for the integration of third-party content. There is then a joint responsibility according to Art. 26 GDPR, which is limited to the extent that the person responsible actually decides on the purposes and means of data processing.

1. General information on third-party content

By integrating third-party content (e.g. plug-ins, iframes, advertising banners, videos or the Facebook Like button), website operators can quickly and easily add functionality and content to their website. As soon as a person visits a website that contains third-party content, data is collected and transmitted to the third-party provider (e.g. Google, Facebook, Twitter). This data mainly consists of the IP address of the visitor’s computer and technical information from the browser used. This is technically unavoidable as the content data is loaded directly onto the third-party server.

2. Joint responsibility of the integrator and the third party provider

According to Art. 26 GDPR, joint responsibility exists if two or more controllers jointly determine the purposes and means of processing. According to the decisions of the ECJ on third-party content, the integrator and the third-party provider can jointly responsible within the meaning of the Art. 26 GDPR, if the integrator enables the third party provider to improve his advertising system and himself pursues the purpose of receiving statistics that enable him to better control his offer. The joint responsibility only ends when the person involved no longer has any influence on the data processing.

3. Effects on data protection

The integration of third-party content on the website is problematic under data protection law. Therefore, all third-party content integrated into your own website must be checked to see whether personal data is being transferred to a third-party provider and who decides to what extent on the purposes and means of data processing. According to the GDPR, the following consequences arise:

  • A contract according to Art. 26 GDPR must be concluded between the jointly responsible parties for the collection and transmission.
  • The data subjects are to be fully informed about the type and scope of the joint processing in accordance with Art. 13, 14 GDPR.
  • An explicit and informed consent of the website visitor concerned is absolutely necessary if information is stored or read out on the website visitor’s device in order to refer to Art. 6 Para. 1 S. 1 lit. a GDPR.
  • Website operators and plug-in providers must provide an effective possibility of objection or revocation.


Aigner business solutions GmbH will be happy to support you with the data protection-compliant integration of third-party content on your website. Contact us for this.


Nadja-Maria leitet unser Inhouse-Juristen-Team. Sie studierte an der Universität Passau Rechtswissenschaften mit anschließendem Referendariat sowie erstem und zweitem Staatsexamen. Ihr Spezialgebiet ist Datenschutzrecht. Ihr fundiertes Wissen hält sie jederzeit aktuell. Für unsere Kunden und unser Team hat sie so immer einen Rat für eine passgenaue Lösung parat.