Skip to content

Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW e.V.: More Control, More Data Protection for Website Visitors? (C-40/17 Fashion ID)

Primož Gorkič


Case C-40/17 Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV, Judgement of the Court of Justice of the European Union (Second Chamber) of 29 July 2019
A website operator is considered a (joint) controller of personal data (within the meaning of Article 2(d) of Directive 95/46 and current Article 4(7) of the General Data Protection Regulation) , when participating in the transmission of website visitors' personal data to a third party by embedding a social plug-in on its website. In this situation, it is necessary that the website operator and plug-in provider each demonstrate grounds for lawful processing of the visitor's data. Where processing is grounded on the legitimate interest of controllers, both the operator and the provider must pursue such interest. Where lawfulness is secured by obtaining the consent of the website’s visitors, the operator must obtain consent regarding those processing operations in respect of which it determines the purposes and means of data processing. The same applies to an operator's duty to provide proper information to data subjects.

Primož Gorkič, Associate Professor at the Faculty of Law, University of Ljubljana. For correspondence: <>.


Lx-Number Search

(e.g. A | 000123 | 01)

Export Citation