[Profile picture of Ruben Verborgh]

Ruben Verborgh

Email: Contact the Data Protection Officer (DPO) #[case-number]

Facebook <case++[case-code]@support.facebook.com>
15 February 2019 at 18:53:57 GMT+1
Contact the Data Protection Officer (DPO) #[case-number]

Hi Ruben,

We refer to your request in accordance with Article 15 of the Data Protection Regulation 2016/679 (“GDPR”) which we received on 1/14/2019.

1. How can I access my personal data on Facebook?

As a Facebook user, you can access your Facebook user information, including photos, posts, reactions and comments, using the Access Your Information tool which allows you to view your account data at any time and in a single place. We’ve categorised this information by type so you can find what you’re looking for.

The Access Your Information tool is available in the “Your Facebook Information” section of the settings.

To view Your Facebook Information from a computer:

  1. Go to the top right of Facebook and click .
  2. Click Settings.
  3. Click Your Facebook Information.
  4. Go to the information you want to review and click View.

The Your Facebook Information section also includes tools and resources to help you manage, download and delete your information on Facebook.

2. What categories of personal data does Facebook collect about me? And where does the personal data come from?

The data categories that Facebook holds about you depend on how you use Facebook Products. These data categories and their sources are clearly set out in our Data Policy (accessible via https://www.facebook.com/policy.php) as follows:

3. How does Facebook use my personal data?

As set out in our Data Policy, Facebook uses the information held about its users to:

Facebook is a complex system, and we use various algorithms to ensure that you see the most engaging and relevant content. The precise details of these algorithms are confidential, and sharing them with would adversely affect our IP and trade secrets. In addition, while these algorithms help to customise the content you see on Facebook, they do not constitute the sole basis for any decision significantly affecting you (within the meaning of Article 15(1)(h) of the GDPR). As a result, we are not in a position to provide you the precise details of our algorithms.

However, we take pride in ensuring that our users understand how Facebook works, so we set out below a description of three of the main ways we make decisions that affect your Facebook experience: (i) the content that appears in your newsfeed; (ii) the ads that you receive on Facebook; and (iii) the apps we recommend to you.

4. How and with whom does Facebook share my personal data?

As explained in our Data Policy and subject to your right of access under Article 15(1)(c) GDPR (“recipients or categories of recipients to whom the personal data have been disclosed”), the categories of recipients and the ways in which your personal data is shared are as follows:

5. Where does Facebook transfer, store and process my personal data, and what safeguards does Facebook have in place with respect to this information?

We share information globally, and your information will be transferred or transmitted to, or stored and processed, in countries outside of where you live for purposes outlined in our Data Policy.

We have in place multiple safeguards to lawfully transfer personal data around the world. These data transfers are necessary to provide the services set forth in our Terms and Policies, and to globally operate and provide our Products to you. We utilize standard contract clauses and we rely on the European Commission’s adequacy decisions about certain countries, as applicable.

Specific information regarding the exact countries in which our servers are located and the technical and organisational measures we undertake to protect your data are outside the scope of a subject access request.

6. Data retention, account deactivation and deletion

We store data until it is no longer necessary to provide our services and Facebook Products, or until your account is deleted – whichever comes first. This is a case-by-case determination that depends on things like the nature of the data, why it is collected and processed, and relevant legal or operational retention needs. For example, when you search for something on Facebook, you can access and delete that query from within your search history at any time, but the log of that search is deleted after 6 months. If you submit a copy of your government-issued ID for account verification purposes, we delete that copy 30 days after submission.

When you delete your account, we delete things you have posted, such as your photos and status updates, and you won’t be able to recover that information later. Information that others have shared about you isn’t part of your account and won’t be deleted. If you don’t want to delete your account but want to temporarily stop using the Products, you can deactivate your account instead.

7. Does Facebook make decisions about me solely on the basis of automated processing pursuant to Article 22 GDPR, and if so, what is the logic involved and significance associated with the processing?

We have not identified any processing in respect of your personal data which falls within the scope of Article 22(1) of the GDPR.

8. What security measures does Facebook have in place? Has my personal data ever been subject to an unauthorised or inadvertent disclosure by Facebook?

We use the information we have to verify accounts and activity, combat harmful conduct, detect and prevent spam and other bad experiences, maintain the integrity of our Products, and promote safety and security on and off of Facebook Products. Specific measures we have undertaken to protect the integrity of our systems is outside the scope of a subject access request. Facebook complies with applicable data breach notification laws and will tell you if a notifiable breach takes place.

9. What are your rights provided under GDPR?

Under GDPR, you have the right to rectify and delete your personal data. You also have the right to object to, and restrict certain processing of, your personal data. This includes:

You also have a right to lodge a complaint with the Office of the Irish Data Protection Commission, which is Facebook’s lead supervisory authority (please see http://www.dataprotection.ie) or your local supervisory authority.

We hope the above is helpful. If you have any further questions or specific concerns please feel free to reach out to us.

Privacy Operations