A website controller is responsible for the data of people visiting his site. This is the general rule contained in GDPR. According to a recent judgement of the Court of Justice of the European Union, a website controller who inserts a ‘plug-in’ on their website redirecting to a different site shall also be responsible for what happens to the web users data on the other, third party website.
As it occurred in the aforementioned case, a website inserted a plug-in redirecting visitors of the website to Facebook. Also, Facebook then processed their data right away, even when somebody only visited the website through the said plug-in that was inserted. The court found that both the controller of the first website, as well as Facebook, were responsible for the processing of the users’ data. The processing of user data by Facebook was found unlawful in this case.
This means that it is essential for people operating websites to inform their users about where and by whom their information is being processed, and further give users the option to opt out of or prevent the processing of their data.