Devoted fanpages embrace innovative strategy for BfDI
The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) has published a guideline for a data protection-compliant operation of fan pages for public authorities on August 22, 2025. This move aims to establish clear guidelines for a data protection-compliant use of social media, particularly by public authorities.
In accordance with Article 5(1)(a) GDPR, users must be comprehensively informed about the data processing. The BfDI's guideline specifies the requirements for data processing under one's own responsibility. It is crucial that appropriate technical and organizational measures are implemented in accordance with Article 25 GDPR to protect users.
The operation of fan pages is currently tolerated under the aforementioned conditions and in consideration of the VG ruling. However, the court concludes that there is no joint responsibility, at least when the statistics function is deactivated. This deviates from the previous stance of the European Court of Justice and the Conference of Independent Data Protection Authorities.
The Administrative Court of Cologne ruled that the Federal Government can continue to operate its "Facebook-Fanpage" for public relations purposes. However, despite the ruling, the BfDI finds the reasoning of the court insufficient. The BfDI believes that the data protection-compliant use of social networks can only be regulated by a higher court decision or by a legal basis.
The court argues that there is a joint responsibility between the platform provider (Meta) and the page operator when operating a "Facebook-Fanpage". In response, the BfDI has appealed the decision. The BfDI communicates the recommendations as an interim solution that offers public authorities at least a certain degree of legal certainty temporarily.
Until a higher court decision or legal basis is established, public authorities need a legal framework or guidelines to enable them to operate a fanpage in a data protection-compliant manner. It is essential for public authorities to create clear guidelines for the use of social media to meet data protection requirements.
Social media may only be used as a parallel medium, and citizens must also be able to receive information via other channels. A data protection impact assessment should be carried out before a fan page goes live, and prior consultation with the supervisory authority may be necessary.
The BfDI's goal is to ensure a data protection-compliant operation of social media pages, particularly by public authorities. This ruling could provide page operators with some more legal certainty, offering a step towards a more secure data protection environment in the realm of social media.
