For consideration: When submitting targeted advertisements through Facebook, you must comply with section 3 of the Marketing Act (traders must practice good marketing practices with due regard to consumers, traders and general social interests). It says DCO. If you still violate the rules, should Facebook notify you according to the data protection rules?
This may be the consequence of the following regulatory terms in the Danish Data Protection Agency standard for data processing agreements:
The data processor shall immediately notify the data controller if, in his opinion, an instruction is in breach of this Regulation or data protection provisions of other EU or national law.
If Facebook does not use the Danish Data Protection Agency's standard, then the data processor's notification obligation by unlawful instruction should nevertheless be part of the data processor agreement, as the reporting obligation is regulated, as mentioned in Article 28 (3, second paragraph).
The duty to notify then includes instructions contrary to "data protection provisions of the national law of the Member States".
According to the legal remarks, section 3 of the Marketing Act protects “the consumer's personal integrity” and “privacy”. So section 3 of the Marketing Act also deals with data protection, right?
If Facebook is a data processor here, and section 3 of the Marketing Act is also about data protection, Facebook should probably judge the Consumer Ombudsman in advance and notify the advertiser of the possible violation.
If Facebook is instead responsible for data, Facebook must probably be equated with the person who violates section 3. of the Marketing Act. This is probably not a position that Facebook wants. So, rather be a data processor in this context.
And now that we're up and running E-Commerce Act Section 16 (1) also included. There is something about responsibility for the content on its website:
A service provider is not responsible for the storage of information or for the content of the stored information when the storage is done at the request of a service provider who provided the information and if the service provider
1) have no knowledge of the illegal or injurious activity or information and, as far as claims for damages are concerned, have no knowledge of the circumstances or circumstances in which the injurious activity or information appears; or
(2) from the time the service provider becomes aware as referred to in paragraph 1, immediately takes steps to remove the information or prevent access to it;.
It's a bit messy. But the starting point is actually that you are responsible for the content that is on your website. Then you can be exempt from liability under certain conditions.
In this case, Facebook, according to the wording, is exempt from liability only if they did not know the illegal content (the illegal marketing) or if they did not take steps (in time) to remove or prevent access. And that's an assessment case after all.
In any case, the last thing is probably not written about the connection between the data protection rules, the e-commerce law and the marketing law. They can carry it along to the canteen in Valby, where both the Data Inspectorate and the Consumer Ombudsman are located on Carl Jacobsens Vej.
They may start by discussing whether and, if so, to what extent Article 28 (3, second subparagraph), which explicitly refers to Article 28 (2h) on supervision, must be clearly understood as set out in the Danish Data Protection Agency's standard and reproduced above.