For consideration: When submitting targeted advertisements through Facebook, you must comply with section 3 of the Marketing Act (traders must practice good marketing practices with due regard to consumers, traders and general social interests). It says DCO. If you still violate the rules, should Facebook notify you according to the data protection rules?
This may be the consequence of the following regulatory conditions i Datatilsynets standard for data processing agreements:
The data processor shall immediately notify the data controller if, in his opinion, an instruction is in breach of this Regulation or data protection provisions of other EU or national law.
If Facebook does not use Datatilsynets standard, the condition on the data processor's obligation to notify in case of illegal instructions should still be part of the data processing agreement, since the obligation to notify, as mentioned, is determined by regulation, cf. Article 28(3, second paragraph).
The duty to notify then includes instructions contrary to "data protection provisions of the national law of the Member States".
According to the legal remarks, section 3 of the Marketing Act protects “the consumer's personal integrity” and “privacy”. So section 3 of the Marketing Act also deals with data protection, right?
If Facebook is a data processor here, and section 3 of the Marketing Act is also about data protection, Facebook should probably judge the Consumer Ombudsman in advance and notify the advertiser of the possible violation.
If Facebook is instead responsible for data, Facebook must probably be equated with the person who violates section 3. of the Marketing Act. This is probably not a position that Facebook wants. So, rather be a data processor in this context.
And now that we're up and running E-Commerce Act Section 16 (1) also included. There is something about responsibility for the content on its website:
A service provider is not responsible for the storage of information or for the content of the stored information when the storage is done at the request of a service provider who provided the information and if the service provider
1) have no knowledge of the illegal or injurious activity or information and, as far as claims for damages are concerned, have no knowledge of the circumstances or circumstances in which the injurious activity or information appears; or
(2) from the time the service provider becomes aware as referred to in paragraph 1, immediately takes steps to remove the information or prevent access to it;.
It's a bit messy. But the starting point is actually that you are responsible for the content that is on your website. Then you can be exempt from liability under certain conditions.
In this case, Facebook, according to the wording, is exempt from liability only if they did not know the illegal content (the illegal marketing) or if they did not take steps (in time) to remove or prevent access. And that's an assessment case after all.
In any case, the last thing has probably not been written about the connection between the data protection rules, the e-commerce law and the marketing law. After all, they can take it with them to the canteen in Valby, where both Datatilsynet and the Consumer Ombudsman are based on Carl Jacobsens Vej.
They may appropriately begin by discussing whether and, if so, to what extent Article 28(3, second paragraph), which implicitly refers to Article 28(2h) on supervision, should in fact be understood as laid down in Datatilsynets standard and as reproduced above.