Information about Page Insights
Data processing for Page Insights
Page Insights are aggregated statistics that are created from certain events logged by Meta servers when people interact with Pages and the content associated with them.
Such events are made up of varying data points such as the following depending on the specific event:
- An action. This includes actions like the following (you can see actions available for your Page in your Page’s Insights section):
- Viewing a Page, post, video, story or other content associated with a Page
- Interacting with a story
- Following or unfollowing a Page
- Liking or unliking a Page or post
- Recommending a Page in a post or comment
- Commenting on, sharing or reacting to a Page’s post (including the type of reaction)
- Hiding a Page's post or reporting it as spam
- Hovering over a link to a Page or a Page's name or profile picture to see a preview of the Page's content
- Clicking on the website, phone number, Get Directions button or other button on a Page
- Having a Page’s event on screen, responding to an event including type of reaction, clicking on a link for event tickets
- Starting a Messenger communication with the Page
- Viewing or clicking on items in Page’s shop
- Information about the action, the person taking the action, and the browser/app used for it such as the following:
- Date and time of action
- Country/City (estimated from IP address or imported from user profile for logged in users)
- Language code (from browser’s http header and/or language setting)
- Age/gender group (from user profile for logged in users only)
- Website previously visited (from browser’s http header)
- Whether the action was taken from a computer or mobile device (from browser’s user agent or app attributes)
- FB user ID (for logged in users only)
We determine whether people are logged in users of Meta via cookies in accordance with our Cookies Policy. Only a few events can be triggered by people not logged in to Meta. This includes visiting a Page or clicking on a photo or video in a post to view it.
Page admins do not have access to the personal data processed as part of events but only to the aggregated Page Insights. Events used to create Page Insights do not store IP addresses, cookie IDs or any other identifiers associated with people or their devices aside from a FB user ID for people logged in to Meta.
The events logged by Meta in order to create Page Insights are solely defined by Meta and cannot be set, changed or otherwise be influenced by Page admins.
Page Insights Controller Addendum
Where an interaction of people with your Page and the content associated with it triggers the creation of an event for Page Insights which includes personal data for whose processing you (and/or any third party for whom you are creating or administering the Page) determine the means and purposes of the processing jointly with Meta Platforms Ireland Limited, you acknowledge and agree on your own behalf (and as agent for and on behalf of any such other third party) that this Page Insights Controller Addendum ("Page Insights Addendum") applies:
- You and Meta Platforms Ireland Limited, Serpentine Avenue, Block J, Dublin 4 Ireland ("Meta Ireland", “we” or “us”; together the “Parties”) acknowledge and agree to be joint controllers in accordance with Article 26 GDPR for the processing of such personal data in events for Page Insights (“Insights Data”). The joint controllership covers the creation of those events and their aggregation into Page Insights that are provided to Page admins. The Parties agree that for any other processing of personal data in connection with a Page and/or the content associated with it for which there is no joint determination of the purposes and means, Meta Ireland and, as the case may be, you, remain separate and independent controllers.
- The processing of Insights Data is subject to the provisions of this Page Insights Addendum. They apply to all activities in the course of which Meta Ireland, its employees or processor(s) process Insights Data.
- Meta Ireland's and your responsibilities for compliance with the obligations under the GDPR with regard to the processing of Insights Data are determined as follows:
- Page admins: You should ensure that you also have a legal basis for the processing of Insights Data. In addition to the information provided to data subjects by Meta Ireland via the Information about Page Insights, you should identify your own legal basis including the legitimate interests you pursue, if applicable, the responsible data controller(s) on your side including their contact details as well as the contact details of the data protection officer(s) (Article 13(1)(a-d) GDPR), if any.
- Meta Ireland will make the essence of this Page Insights Addendum available to data subjects (Article 26(2) GDPR). This is currently done via the Information about Page Insights data which can be accessed from all Pages.
- Meta Ireland decides in its sole discretion how to comply with its obligations under this Page Insights Addendum. You acknowledge and agree that only Meta Ireland has the power to implement decisions about the processing of Insights Data. You also acknowledge and agree that the lead supervisory authority for the joint processing is the Irish Data Protection Commission (notwithstanding Article 55(2) GDPR, where applicable).
- This Page Insights Addendum does not grant you any right to request the disclosure of personal data of Meta users that is processed in connection with Meta Products, including for Page Insights that we provide to you.
- The Parties designate the communication channels referenced in the Information about Page Insights data or in any subsequent document as contact points for data subjects.
- If data subjects exercise their rights under the GDPR with regard to the processing of Insights Data against you (Article 26(3) GDPR), or you are contacted by a supervisory authority with regard to the processing of Insights Data, each a "Request", you will forward all relevant information regarding such Requests to us promptly but within a maximum of seven calendar days. For this purpose, you can submit this form. Meta Ireland agrees to answer Requests from data subjects in accordance with our obligations under this Page Insights Addendum. You agree to take all reasonable endeavours in a timely manner to cooperate with us in answering any such Request. You are not authorised to act or answer on Meta Ireland's behalf.
- If you use a Page, you agree that any claim, cause of action or dispute that you have against us, which arises out of or relates to this Page Insights Addendum, must be resolved exclusively in the courts of Ireland, that you irrevocably submit to the jurisdiction of the Irish courts for the purpose of litigating any such claim and that the laws of Ireland will govern this Page Insights Addendum, without regard to conflict of law provisions. If you are a consumer who habitually resides in a Member State of the European Union, only 4.4 of our Terms of Service applies.
- We may need to update this Page Insights Addendum from time to time. By continuing any use of Pages after any notification of an update to this Page Insights Addendum, you agree to be bound by it. If you do not agree to the updated Page Insights Addendum, please stop all use of Pages. If you are a consumer who habitually resides in a Member State of the European Union, only 4.1 of our Terms of Service applies.
- If any portion of this Page Insights Addendum is found to be unenforceable, the remaining portion will remain in full force and effect. If we fail to enforce any portion of this Page Insights Addendum, it will not be considered a waiver. Any amendment to or waiver of these terms requested by you must be made in writing and signed by us.
- This Page Insights Addendum applies only to the processing of personal data within the scope of Regulation (EU) 2016/679 ("GDPR"). "personal data", “processing”, “controller”, “processor”, “supervisory authority” and "data subject" in this Page Insights Addendum have the meanings set out in the GDPR.
“Applicable Products” includes Meta Pages and Page Insights.
- Organization of Information SecurityMeta has a designated security officer with overall responsibility for security in the organization. Meta has personnel responsible for oversight of security of the Applicable Products.
- Physical and Environmental SecurityMeta’s security measures include controls designed to provide reasonable assurance that physical access to data processing facilities is limited to authorized persons and that environmental controls are established to detect, prevent, and control destruction due to environmental hazards. The controls include:
- Logging and auditing of physical access to the data processing facility by employees and contractors;
- Camera surveillance systems at the data processing facility;
- Systems that monitor and control the temperature and humidity for the computer equipment at the data processing facility;
- Power supply and backup generators at the data processing facility;
- Procedures for secure deletion and disposal of data, subject to the Applicable Product Terms; and
- Protocols requiring ID cards for entry to all Meta facilities for all personnel working on the Applicable Products.
- Training. Meta ensures that all personnel with access to Insights Data undergo security training.
- Screening and Background Checks. Meta has a process for:
- verifying the identity of the personnel with access to Insights Data; and
- performing background checks, where legally permissible, on personnel working on or supporting aspects pertaining to the Applicable Products in accordance with Meta standards.
- Personnel Security Breach. Meta takes disciplinary action in the event of unauthorized access to Insights Data by Meta personnel, including, where legally permissible, punishments up to and including termination.
- Security TestingMeta performs regular security and vulnerability testing to assess whether key controls are implemented properly and are effective.
- Access Control
- Password Management. Meta has established procedures for password management for its personnel, designed to ensure passwords are personal to each individual, and inaccessible to unauthorized persons, including at minimum:
- password provisioning, including procedures designed to verify the identity of the user prior to a new, replacement, or temporary password;
- cryptographically protecting passwords when stored in computer systems or in transit over the network;
- altering default passwords from vendors;
- strong passwords relative to their intended use; and
- education on good password practices.
- Access Management. Meta also controls and monitors its personnel’s access to its systems using the following:
- established procedures for changing and revoking access rights and user IDs, without undue delay;
- established procedures for reporting and revoking compromised access credentials (passwords, tokens etc.);
- maintaining appropriate security logs including where applicable with user ID and timestamp;
- synchronizing clocks with NTP; and
- logging the following minimum user access management events:
- Authorization changes;
- Failed and successful authentication and access attempts; and
- Read and write operations.
- Communications Security
- Network Security
- Meta employs technology that is consistent with industry standards for network segregation.
- Remote network access to Meta systems requires encrypted communication via secured protocols, and use of multi-factor authentication.
- Protection of Data in Transit. Meta enforces use of appropriate protocols designed to protect the confidentiality of data in transit over public networks.
- Vulnerability ManagementMeta institutes and maintains a vulnerability management program covering the Applicable Products that includes definitions of roles and responsibilities for vulnerability monitoring, vulnerability risk assessment, and patch deployment.
- Security Incident Management
- Meta maintains a security incident response plan for monitoring, detecting, and handling possible security incidents affecting Insights Data. The security incident response plan at least includes definitions of roles and responsibility, communication, and post mortem reviews, including root cause analysis and remediation plans.
- Meta monitors for any security breaches and malicious activity affecting Insights Data.
Effective Date: April 25, 2023