Information about Page Insights
This includes information about how people use the Facebook Products, such as the types of content that they view or engage with, or the actions they take (see under “Things that you and others do and provide” in Facebook’s Data Policy), as well as information about the devices they use (e.g. IP addresses, operating system, browser type, language settings, cookie data; see under “Device information” in Facebook’s Data Policy). Which information Facebook actually collects depends on whether and how people use the Facebook Products.
As explained in Facebook’s Data Policy under “How do we use this information?”, Facebook also collects and uses information to provide analytics services called Page Insights to Page admins to help them understand how people interact with their Pages and the content associated with them. The processing of personal data for Page Insights might be subject to the joint controllership arrangement (Page Insights Controller Addendum) below.
Data processing for Page Insights
Page Insights are aggregated statistics that are created from certain events logged by Facebook servers when people interact with Pages and the content associated with them.
Such events are made up of varying data points such as the following depending on the specific event:
- An action. This includes actions like the following (you can see actions available for your Page in your Page’s Insights section):
  - Viewing a Page, post, video, story or other content associated with a Page
  - Interacting with a story
  - Following or unfollowing a Page
  - Liking or unliking a Page or post
  - Recommending a Page in a post or comment
  - Commenting on, sharing or reacting to a Page’s post (including the type of reaction)
  - Hiding a Page's post or reporting it as spam
  - Hovering over a link to a Page or a Page's name or profile picture to see a preview of the Page's content
  - Clicking on the website, phone number, Get Directions button or other button on a Page
  - Having a Page’s event on screen, responding to an event including type of reaction, clicking on a link for event tickets
  - Starting a Messenger communication with the Page
  - Viewing or clicking on items in Page’s shop
- Information about the action, the person taking the action, and the browser/app used for it such as the following:
  - Date and time of action
  - Country/City (estimated from IP address or imported from user profile for logged in users)
  - Language code (from browser’s http header and/or language setting)
  - Age/gender group (from user profile for logged in users only)
  - Website previously visited (from browser’s http header)
  - Whether the action was taken from a computer or mobile device (from browser’s user agent or app attributes)
  - FB user ID (for logged in users only)
We determine whether people are logged in users of Facebook via cookies in accordance with our Cookies Policy. Only a few events can be triggered by people not logged in to Facebook. This includes visiting a Page or clicking on a photo or video in a post to view it.
Page admins do not have access to the personal data processed as part of events but only to the aggregated Page Insights. Events used to create Page Insights do not store IP addresses, cookie IDs or any other identifiers associated with people or their devices aside from a FB user ID for people logged in to Facebook.
The events logged by Facebook in order to create Page Insights are solely defined by Facebook and cannot be set, changed or otherwise be influenced by Page admins.
Page Insights Controller Addendum
Where an interaction of people with your Page and the content associated with it triggers the creation of an event for Page Insights which includes personal data for whose processing you (and/or any third party for whom you are creating or administering the Page) determine the means and purposes of the processing jointly with Facebook Ireland Limited, you acknowledge and agree on your own behalf (and as agent for and on behalf of any such other third party) that this Page Insights Controller Addendum ("Page Insights Addendum") applies:
- You and Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland ("Facebook Ireland", “we” or “us”; together the “Parties”) acknowledge and agree to be joint controllers in accordance with Article 26 GDPR for the processing of such personal data in events for Page Insights (“Insights Data”). The joint controllership covers the creation of those events and their aggregation into Page Insights that are provided to Page admins. The Parties agree that for any other processing of personal data in connection with a Page and/or the content associated with it for which there is no joint determination of the purposes and means, Facebook Ireland and, as the case may be, you, remain separate and independent controllers.
- The processing of Insights Data is subject to the provisions of this Page Insights Addendum. They apply to all activities in the course of which Facebook Ireland, its employees or processor(s) process Insights Data.
- Facebook Ireland's and your responsibilities for compliance with the obligations under the GDPR with regard to the processing of Insights Data are determined as follows:
- Facebook Ireland: Facebook Ireland will ensure it has a legal basis for the processing of Insights Data which is set out in Facebook Ireland’s Data Policy (see under “What is our legal basis for processing data?”). Unless specified otherwise in this Page Insights Addendum, between you and Facebook Ireland, Facebook Ireland assumes the responsibility for compliance with the applicable obligations under the GDPR for the processing of Insights Data (including, but not limited to, Articles 12 and 13 GDPR, Articles 15 to 21 GDPR, Articles 33 and 34 GDPR). Facebook Ireland will implement appropriate technical and organisational measures to ensure the security of the processing in accordance with Article 32 GDPR. This does include the measures listed in the Annex below (as updated from time to time, for example to reflect technological developments). All employees of Facebook Ireland involved in the processing of Insights Data are bound by appropriate obligations to maintain the confidentiality of Insights Data.
- Page admins: You should ensure that you also have a legal basis for the processing of Insights Data. In addition to the information provided to data subjects by Facebook Ireland via the Information about Page Insights, you should identify your own legal basis including the legitimate interests you pursue, if applicable, the responsible data controller(s) on your side including their contact details as well as the contact details of the data protection officer(s) (Article 13(1)(a-d) GDPR), if any.
- Facebook Ireland will make the essence of this Page Insights Addendum available to data subjects (Article 26(2) GDPR). This is currently done via the Information about Page Insights data which can be accessed from all Pages.
- Facebook Ireland decides in its sole discretion how to comply with its obligations under this Page Insights Addendum. You acknowledge and agree that only Facebook Ireland has the power to implement decisions about the processing of Insights Data. You also acknowledge and agree that the lead supervisory authority for the joint processing is the Irish Data Protection Commission (notwithstanding Article 55(2) GDPR, where applicable).
- This Page Insights Addendum does not grant you any right to request the disclosure of personal data of Facebook users that is processed in connection with Facebook Products, including for Page Insights that we provide to you.
- The Parties designate the communication channels referenced in the Information about Page Insights data or in any subsequent document as contact points for data subjects.
- If data subjects exercise their rights under the GDPR with regard to the processing of Insights Data against you (Article 26(3) GDPR), or you are contacted by a supervisory authority with regard to the processing of Insights Data, each a "Request", you will forward all relevant information regarding such Requests to us promptly but within a maximum of seven calendar days. For this purpose, you can submit this form. Facebook Ireland agrees to answer Requests from data subjects in accordance with our obligations under this Page Insights Addendum. You agree to take all reasonable endeavours in a timely manner to cooperate with us in answering any such Request. You are not authorised to act or answer on Facebook Ireland's behalf.
- If you use a Page, you agree that any claim, cause of action or dispute that you have against us, which arises out of or relates to this Page Insights Addendum, must be resolved exclusively in the courts of Ireland, that you irrevocably submit to the jurisdiction of the Irish courts for the purpose of litigating any such claim and that the laws of Ireland will govern this Page Insights Addendum, without regard to conflict of law provisions. If you are a consumer who habitually resides in a Member State of the European Union, only 4.4 of our Terms of Service applies.
- We may need to update this Page Insights Addendum from time to time. By continuing any use of Pages after any notification of an update to this Page Insights Addendum, you agree to be bound by it. If you do not agree to the updated Page Insights Addendum, please stop all use of Pages. If you are a consumer who habitually resides in a Member State of the European Union, only 4.1 of our Terms of Service applies.
- If any portion of this Page Insights Addendum is found to be unenforceable, the remaining portion will remain in full force and effect. If we fail to enforce any portion of this Page Insights Addendum, it will not be considered a waiver. Any amendment to or waiver of these terms requested by you must be made in writing and signed by us.
- This Page Insights Addendum applies only to the processing of personal data within the scope of Regulation (EU) 2016/679 ("GDPR"). "personal data", “processing”, “controller”, “processor”, “supervisory authority” and "data subject" in this Page Insights Addendum have the meanings set out in the GDPR.
“Applicable Products” includes Facebook Pages and Page Insights.
- Organization of Information Security. Facebook has a designated security officer with overall responsibility for security in the organization. Facebook has personnel responsible for oversight of security of the Applicable Products.
- Physical and Environmental Security. Facebook’s security measures include controls designed to provide reasonable assurance that physical access to data processing facilities is limited to authorized persons and that environmental controls are established to detect, prevent, and control destruction due to environmental hazards. The controls include:
- Logging and auditing of physical access to the data processing facility by employees and contractors;
- Camera surveillance systems at the data processing facility;
- Systems that monitor and control the temperature and humidity for the computer equipment at the data processing facility;
- Power supply and backup generators at the data processing facility;
- Procedures for secure deletion and disposal of data, subject to the Applicable Product Terms; and
- Protocols requiring ID cards for entry to all Facebook facilities for all personnel working on the Applicable Products.
- Training. Facebook ensures that all personnel with access to Insights Data undergo security training.
- Screening and Background Checks. Facebook has a process for:
- verifying the identity of the personnel with access to Insights Data; and
- performing background checks, where legally permissible, on personnel working on or supporting aspects pertaining to the Applicable Products in accordance with Facebook standards.
- Personnel Security Breach. Facebook takes disciplinary action in the event of unauthorized access to Insights Data by Facebook personnel, including, where legally permissible, punishments up to and including termination.
- Security Testing. Facebook performs regular security and vulnerability testing to assess whether key controls are implemented properly and are effective.
- Access Control
- Password Management. Facebook has established procedures for password management for its personnel, designed to ensure passwords are personal to each individual, and inaccessible to unauthorized persons, including at minimum:
- password provisioning, including procedures designed to verify the identity of the user prior to a new, replacement, or temporary password;
- cryptographically protecting passwords when stored in computer systems or in transit over the network;
- altering default passwords from vendors;
- strong passwords relative to their intended use; and
- education on good password practices.
- Access Management. Facebook also controls and monitors its personnel’s access to its systems using the following:
- established procedures for changing and revoking access rights and user IDs, without undue delay;
- established procedures for reporting and revoking compromised access credentials (passwords, tokens etc.);
- maintaining appropriate security logs including where applicable with user ID and timestamp;
- synchronizing clocks with NTP; and
- logging the following minimum user access management events:
- Authorization changes;
- Failed and successful authentication and access attempts; and
- Read and write operations.
- Communications Security
- Network Security
- Facebook employs technology that is consistent with industry standards for network segregation.
- Remote network access to Facebook systems requires encrypted communication via secured protocols, and use of multi-factor authentication.
- Protection of Data in Transit. Facebook enforces use of appropriate protocols designed to protect the confidentiality of data in transit over public networks.
- Vulnerability Management. Facebook institutes and maintains a vulnerability management program covering the Applicable Products that includes definitions of roles and responsibilities for vulnerability monitoring, vulnerability risk assessment, and patch deployment.
- Security Incident Management
- Facebook maintains a security incident response plan for monitoring, detecting, and handling possible security incidents affecting Insights Data. The security incident response plan at least includes definitions of roles and responsibility, communication, and post mortem reviews, including root cause analysis and remediation plans.
- Facebook monitors for any security breaches and malicious activity affecting Insights Data.