EDPB - Binding Decision 5/2022 - 'Whatsapp'
EDPB - Whatsapp Ireland Limited - Decision 5/2022 | |
---|---|
Authority: | EDPB |
Jurisdiction: | European Union |
Relevant Law: | Article 4 GDPR, Article 5 GDPR, Article 6 GDPR, Article 7 GDPR, Article 9 GDPR, Article 12 GDPR, Article 13 GDPR, Article 21 GDPR, Article 24 GDPR, Article 56 GDPR, Article 58 GDPR, Article 60 GDPR, Article 65 GDPR, Article 77 GDPR, Article 79 GDPR, Article 83 GDPR |
Type: | Other |
Outcome: | n/a |
Started: | 19.08.2022 |
Decided: | 05.12.2022 |
Published: | 25.01.2023 |
Fine: | n/a |
Parties: | German Whatsapp user (represented by noyb - European Centre for Digital Rights); Whatsapp Ireland Limited |
National Case Number/Name: | Whatsapp Ireland Limited - Decision 5/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | EDPB (in EN) |
Initial Contributor: | LR |
Following a referral under the Article 60 GDPR procedure, the EDPB issued a binding decision finding Whatsapp IE’s processing of personal data for “service improvements” and “security” to be unlawful.
English Summary
Facts
In order to access Whatsapp, an online instant messaging platform ultimately owned and controlled by “Meta Platforms Inc.”, a user was required to accept a series of terms and conditions (the “Terms of Service”) and a Privacy Policy. In accordance with the GDPR, Whatsapp IE was obliged to have a lawful basis for the processing of any personal data they undertook. Article 6(1) GDPR detailed the lawful bases upon which such data can be processed. The company was also obliged to provide detailed information to users at the time their personal data was obtained in relation to, among others, the purposes of any data processing and the legal basis for such processing. To continue to access the Whatsapp platform, all users were required to accept the updated Terms of Service and privacy policy prior to 25 May 2018, the date the GDPR became applicable. Those existing users who were not willing to accept the new terms were advised of the option to delete their Whatsapp account. A German Whatsapp user, the “data subject” and “complainant”, filed a complaint against Whatsapp IE, the controller. The complainant was represented by “noyb – European Centre for Digital Rights”, a privacy NGO based in Austria. The complainant alleged that Whatsapp IE’s data processing practices on the Whatsapp platform amounted to “forced consent”, and constituted a violation of the GDPR. The complaint, originally filed with the Hamburg DPA (HmbBfDI) and later transferred to the German Federal DPA (BfDI), advanced a number of grounds upon which the consent of the data subject could not be considered “freely given”. Firstly, there existed a clear imbalance of power between data controller and data subject. This is likely to affect the voluntariness of the latter’s consent for the processing of personal data. 
The complaint alleged that, in this case, the controller undisputedly has a dominant market position in the area of social networking services and, in combination with the “lock in” and “network” effects, the data subject is left with no other realistic alternatives. Secondly, the use of the Whatsapp service is conditional upon the data subject’s consent to collection of their data, when such data processing is not necessary for the provision of the service. Article 7(4) GDPR, which defines the conditions for consent, specifically states that “utmost account shall be taken of whether, inter alia, the performance of a contract… is conditional on consent to the processing that is not necessary for the performance of that contract”. As such, the “consent” upon which the data controller seeks to rely is invalid. Additionally, the complaint raises the issue of granularity, as the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or-nothing” approach contrary to the requirement of the GDPR for “specific” consent to processing. Finally, the controller shall enable the data subject to refuse consent without any detriment. However, in this case, the data subject faces significant disadvantage, as their account would be deleted – as a consequence of withdrawal – and they would lose a crucial form of social interaction. The BfDI referred the case to the Irish DPA (DPC) under Article 56 GDPR, and in accordance with the procedure outlined in Article 60 GDPR. Responding to the Complainant’s assertions, Whatsapp IE submitted, among other points, that it does not rely on consent as the lawful basis for the relevant processing of personal data. According to the company, “the legitimization of the processing at issue in this inquiry falls under Article 6(1)(b) GDPR [necessary for the performance of a contract] and therefore an assessment under Article 6(1)(b) only is required”.
(DPC Preliminary Draft Decision, para 3.4)
On 1 April 2022, the DPC shared its Draft Decision with the other Data Protection Authorities (DPAs) in accordance with Article 60(3) GDPR. Six DPAs (DE, FI, FR, IT, NL, NO) raised objections, in accordance with Article 60(4) GDPR, to the Draft Decision. On 19 August 2022, the matter was referred to the European Data Protection Board (EDPB). The EDPB adopted a binding decision on 5 December 2022 and the DPC issued its Final Decision on 12 January 2023, published on 19 January 2023.
Holding
Issuing its Binding Decision, the EDPB decided on the admissibility of the objections raised by the DPAs. For each issue, the EDPB determined whether the objection can be considered a “relevant and reasoned objection” within the meaning of Article 4(24) GDPR. The EDPB identified five issues in the case at hand, addressing each one in turn before issuing the Binding Decision. Please note: in order to explain the issues addressed in the decision, it is necessary to explain the proposals in the DPC’s Draft Decision, in order to provide the context for the EDPB decision.
Issue 1 – On Whether the LSA (DPC) Should Have Found an Infringement for Lack of Appropriate Legal Basis
The second issue concerns whether Whatsapp IE can rely on Article 6(1)(b) GDPR as the lawful basis for processing of personal data. In order to do so, the controller has to demonstrate that such “processing is necessary for the performance of a contract to which the data subject is a party”. When issuing its Draft Decision, the DPC firstly sought to address the question of scope – identifying which processing practices they are concerned with in this context – before moving to the question of contractual necessity as a lawful basis. Summarising the DPC’s position on the question of scope, they asserted that their inquiry must be limited to the processing of personal data for “service improvements” and “security”. In doing so, the DPC elected not to conduct an investigation into the processing of sensitive categories of data, as well as data processed for the purposes of: behavioural advertising; providing metrics to third parties; and marketing. Responding to this proposal, the EDPB stated as follows: “The inquiry underpinning this decision ought to have included an examination of ‘the legal basis for [Whatsapp’s] processing operations for the purposes of behavioural advertising, the potential processing of special categories of personal data, applicable legal basis for provision of metrics to third parties and the exchange of data with affiliated companies for the purposes of service improvements, as well as the processing of personal data for the purposes of marketing’” (218) Accordingly, the EDPB directed the DPC to commence a new inquiry into whether Whatsapp processes data in the ways described (222). The DPC did not conduct this inquiry as, in their view, “that direction cannot be addressed… in this decision” and proceeded in their analysis, continuing to exclude questions of data processed for advertising.
For further discussion of the issue of scope, and the EDPB’s directions regarding a further investigation, please see “Issue 3 – On the Further Investigation” below. Addressing the second question, whether the data processing is necessary for the purpose of a contract between Whatsapp IE and its users, the DPC agreed with the complainant’s submissions and the EDPB guidelines that “the ‘core’ functions of a contract must be assessed in order to determine what processing is objectively necessary in order to perform it” (DPC - 3.27). However, the DPC added that “necessity is to be determined by reference to the particular contract” (DPC - 3.27) and “it is not for an authority such as the [DPC], tasked with the enforcement of data protection law, to make assessments as to what will or will not make the performance of a contract possible” (DPC - 3.45). The DPC took a broad approach to determining what is necessary for the performance of a contract based on “the actual bargain which has been struck between the parties” (DPC - 3.30). The DPC stated “it seemed to me… that Whatsapp’s model and the service being offered is explicitly one that includes improvements to an existing service, and a commitment to upholding certain standards relating to abuse, etc., that is common across all affiliated platforms” (DPC - 3.42). Accordingly, the Draft Decision “proposed to conclude, in the Draft Decision, that I was therefore satisfied that WhatsApp was, in principle, entitled to rely on Article 6(1)(b) GDPR for processing personal data” (DPC - 3.50). However, when issuing its Binding Decision, with regard to Article 6(1)(b) GDPR as a lawful basis for data processing and the determination of what is necessary for the performance of a contract, the EDPB stated as follows: “The EDPB agrees with the IE SA and Whatsapp IE that there is no hierarchy between these legal bases.
However, this does not mean that a controller, as Whatsapp IE in the present case, has absolute discretion to choose the legal basis that suits better its commercial interests. The controller may only rely on one of the legal basis established under Article 6 GDPR if it is appropriate for the processing at stake." (100) "The GDPR makes Whatsapp IE, as a data controller for the processing at stake, directly responsible for complying with the Regulation’s principles, including the processing of data in a lawful, fair and transparent manner, and any obligations derived therefrom. This obligation applies even where the practical application of GDPR principles… is inconvenient or runs counter to the commercial interests of Whatsapp IE and its business model.” (101) "The EDPB agrees that SAs do not have under the GDPR a broad and general competence in contractual matters. However, the EDPB considers that the supervisory tasks that the GDPR bestows on SAs imply a limited competence to assess a contract's validity, insofar as it is relevant to the fulfilment of their tasks under the GDPR." (102) “[i]t is important to determine the exact rationale of the contract, i.e. its substance and fundamental objective, as it is against this that it will be tested whether the data processing is necessary for its performance” (105) "the concept of necessity has its own independent meaning under EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU instrument, in this case, the GDPR." (110) Turning to the facts of the case, the EDPB outlines a number of factors which, in contradiction to the view of the DPC, support the argument that data processing for service improvements and security is not essential to the contract between Whatsapp IE and its users.
The EDPB observes that Whatsapp is under a duty to consider the possibility of less intrusive ways to pursue the stated purpose, for example, “rely on a pool of users, who voluntarily agreed, by providing consent, to the processing of their personal data for this purpose” (109). Furthermore, the EDPB points to an imbalance of knowledge surrounding the contract, “an average user cannot fully grasp what is meant by processing for service improvements and security features, be aware of its consequences and impact on their rights to privacy and data protection, and reasonable expect it solely based on Whatsapp IE’s Terms of Service” (111). As explained by the EDPB, the DPC has already acknowledged that Whatsapp IE infringed its transparency obligations under the GDPR (see “Issue 3” in DPC Decision IN-18-5-6), and this undermines the argument that the processing is lawful on the basis of contractual performance. This is because, “one of the parties (in this case a data subject) [has not been] provided with sufficient information to know they are signing a contract, the processing of personal data that it involves, for which specific purposes and on which legal basis, and how this processing is necessary to perform the services delivered… These transparency requirements are not only an additional and separate obligation, but also an indispensable and constitutive part of the legal basis” (117). The EDPB continues, outlining the inherent risk of a finding in the DPC’s decision that Whatsapp IE can process personal data on the basis of Article 6(1)(b) GDPR: “[T]here is a risk that the Draft Decision’s failure to establish Whatsapp IE's infringement of Article 6(1)(b) GDPR, pursuant to the interpretation by the [DPC], nullifies this provision and makes theoretically lawful any collection and reuse of personal data in connection with the performance of a contract with a data subject." 
(119) “This precedent could encourage other economic operators to use the contractual performance legal basis of Article 6(1)(b) GDPR for all their processing of personal data. There would be the risk that some controllers argue some connection between the processing of the personal data of their consumers and the contract to collect, retain, and process as much personal data from their users as possible and advance their economic interests at the expense of the safeguards for data subjects” (120). In light of all of the above, the EDPB directed the following: “processing for the purposes of service improvements and security features performed by Whatsapp IE are objectively not necessary for the performance of Whatsapp IE's alleged contract with its users and are not an essential or core element of it" (121). "Whatsapp IE has inappropriately relied on Article 6(1)(b) GDPR to process the complainant's personal data for the purposes of service improvements and security in the context of its Terms of Service and therefore lacks a legal basis to process the data. The EDPB was not required to examine whether data processing for such purposes could be based on other legal bases because the controller relied solely on Article 6(1)(b) GDPR. Whatsapp IE has consequently infringed Article 6(1) GDPR by unlawfully processing personal data” (122). Accordingly, the EDPB instructed the DPC to alter “Finding 2” of its Draft Decision to include a finding that Whatsapp IE was not entitled to rely on Article 6(1)(b) GDPR to process the Complainant’s personal data in this context, and to find an infringement of Article 6(1) GDPR based on the shortcomings the EDPB has identified (122).
Issue 2 – On the Potential Infringement of the Principles of Fairness, Purpose Limitation and Data Minimisation
During the course of the Article 60 GDPR consultation period, the Italian DPA raised two objections to the DPC’s Draft Decision.
The Italian DPA asserted that the Draft Decision should be amended to include a separate finding of an infringement of the Article 5(1)(a) GDPR principle of fairness, and infringements of the Article 5(1)(b) and (c) GDPR principles of purpose limitation and data minimisation.
Potential infringement of principles of purpose limitation and data minimisation: The Italian DPA explained that the fact that Whatsapp IE’s multifarious processing practices involving personal data are grounded in Article 6(1)(b) GDPR entails an infringement of the principles of purpose limitation and data minimisation. This is because the purposes must have been specified and communicated to data subjects. In response, the DPC stated that it did not consider the Italian DPA’s objection to be relevant or reasoned. In contrast, the EDPB stated that it did consider the Italian DPA’s objection to be “relevant” as it includes justifications concerning why and how issuing a decision with the changes proposed in the objection is needed and how the change could lead to a different conclusion. However, the EDPB found that the objection did not sufficiently demonstrate that there is a “substantial and plausible” risk to the fundamental rights and freedoms of data subjects. Therefore, while the objection is relevant, it is “not reasoned” so as to satisfy Article 4(24) GDPR.
Potential infringement of the principle of fairness: The objection raised by the Italian DPA sought an additional finding of an infringement of the principle of fairness in Article 5(1)(a) GDPR. In its Draft Decision, the DPC decided not to follow the objection, as the “principle of fairness was not examined during the course of this inquiry and, consequently, Whatsapp was not afforded the opportunity to be heard in response to a particularised allegation of wrongdoing” (DPC - 5.1). The matter was referred to the EDPB, which determined the objection raised by the Italian DPA to be both relevant and reasoned in accordance with Article 4(24) GDPR, and stated as follows: “Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject” (143) "the principle of fairness has an independent meaning and… an assessment of Whatsapp IE’s compliance with the principle of transparency does not automatically rule out the need for an assessment of Whatsapp IE’s compliance with the principle of fairness too" (147). "the concept of fairness stems from the EU Charter… [it] underpins the entire data protection framework and seeks to address power asymmetries between controllers and data subjects in order to cancel out the negative effects of such asymmetries and ensure the effective exercise of the data subjects’ rights” (148). 
“Considering the constantly increasing economic value of personal data in the digital environment, it is particularly important to ensure that data subjects are protected from any form of abuse and deception, intentional or not, which would result in the unjustified loss of control over their personal data… Therefore, the EDPB disagrees with the [DPC]’s finding that assessing Whatsapp IE’s compliance with the principle of fairness ‘would therefore… represent a significant departure from the scope of the inquiry.’ In addition, it is important to note that Whatsapp IE has been heard on the objections and therefore submitted written submissions on this matter” (150). “Whatsapp has presented its service to users in a misleading manner… The combination of factors, such as the unbalanced relationship between Whatsapp IE and its users, combined with the ‘take it or leave it’ situation that they are facing… systematically disadvantages them, limits their control over the processing of their personal data and undermines the exercise of their rights” (154, 156). Accordingly, the EDPB instructed the DPC to include a finding of an infringement of the principle of fairness under Article 5(1)(a) of the GDPR by Whatsapp IE, and to “adopt the appropriate corrective measures, by addressing, but without being limited to, the question of an administrative fine for this infringement” (157).
Issue 3 – On the Further Investigation
As discussed in “Issue 1” above, the DPC reached certain conclusions on the scope of their inquiry, and limits their analysis to personal data processing for the purposes of “service improvements” and “security”. In their draft Decision, the DPC explained that their analysis will be based only on the Whatsapp Terms of Service, and not the Privacy Policy. In their view, the Privacy Policy is essentially an explanatory document for the purposes of transparency, and not incorporated within the terms of service (DPC 3.4 – 3.5). The DPC then takes issue with the generality, or vagueness, of the complaint, which – in their view – does not identify “specific processing operations by reference to an identifiable body of data with any clarity of precision” (DPC - 3.6). Furthermore, the complainant was not entitled to request that the DPC “conduct an assessment of all processing operations carried out by Whatsapp” (DPC - 3.6). After stating that “the Complaint does, however, focus on a number of particular processing activities and has a specific focus on data processed to facilitate improvements to services and advertising” (DPC - 3.7), the DPC explains that their draft decision proposed an assessment of whether Whatsapp IE can rely on Article 6(1)(b) GDPR for data processing for service improvements, providing metrics to third parties (such as companies within the same group of companies), and advertising. However, on the question of advertising, the DPC states that “no evidence has been presented by the Complainant that Whatsapp processes personal data for the purpose of advertising” (DPC - 3.8), and therefore data processing for advertising is not relevant to this inquiry. With regards to “providing metrics to third parties”, the DPC states later in the decision that “any sharing with affiliated companies formed part of the general ‘improvements’ that are carried out pursuant to Article 6(1)(b) GDPR” (DPC - 3.33).
Therefore, the DPC took the view that providing metrics to third parties forms part of service improvements as “any clear delineation between these two forms of processing was artificial” (DPC - 3.33). As a result, the DPC restricted the scope of their inquiry to “regular improvements and maintaining standards of security”.
During the Article 60 GDPR consultation period, 3 DPAs (FI, FR, IT) raised objections to the conclusions reached by the DPC in the Draft Decision. The objections requested that the DPC further investigate matters of behavioural advertising, special categories of personal data, the provision of metrics to third parties, including companies belonging to the same group, and marketing. (168 – see also 169 – 174). In response, the DPC stated that it does not propose to “follow” the objections raised, and the matter was referred to the EDPB.
Issuing its Binding Decision, the EDPB disagreed with the DPC’s assessment of scope, and found the objections raised both relevant and reasoned in accordance with Article 4(24) GDPR. Regarding specifically the question of special categories of personal data, the EDPB notes that the GDPR and case law pay close attention to the processing of such data, and that the complaint expressly requests the DPC to investigate Whatsapp IE’s processing operations in this area (215). The EDPB outlines the risk of the DPC’s failure to address the issue of special categories of personal data including: the use of this data to build intimate profiles of users; the failure to recognise it as a special category of personal data; ignoring the role of consent in the processing; setting a precedent of ambiguity and transparency which could be followed by other controllers (see 217). They also assert that the DPC “did not handle the complaint with all due diligence” and that the lack of any further investigation into processing for behavioural advertising, of special categories of personal data, provision of metrics to third parties, exchange with affiliated companies, and processing for the purposes of marketing, was an omission (218). Taking into account the limited scope of the inquiry and lack of assessment by the DPC, the EDPB decided that the DPC “shall carry out an investigation into Whatsapp IE’s processing operations in its service to determine if it processes special categories of data” and to investigate the processing for all of the above purposes in order to determine if Whatsapp IE complied with its obligations under the GDPR. The EDPB also instructs the DPC to issue a new Draft Decision, based on the results of that investigation and the findings (222).
It is worth noting, at this stage, that the DPC did not conduct this further investigation as, in their view, “that direction cannot be addressed… in this decision” and proceeded in their analysis, continuing to exclude questions of data processed for advertising. For further discussion, please see DPC (Ireland) – Whatsapp Ireland Limited – IN – 18-5-6 (discussion of “Issue 2”).
Issue 4 – On Corrective Measures Other than Additional Fines
In its Draft Decision, the DPC did not find any infringement of Article 6(1)(b) GDPR and so was not in a position to consider the application of its corrective powers as provided for in Article 59(2) GDPR. The DPC did consider that Whatsapp IE had infringed its transparency obligations under the GDPR; however, they had dealt with this issue in a previous own-volition inquiry and imposed an administrative fine and order to bring processing into compliance.
Following the DPC’s finding, as directed by the EDPB, that Whatsapp had infringed Article 6(1)(b), a number of objections were raised to the lack of corrective measures in the Draft Decision. Most notably, the Finnish DPA stated that the DPC should find an infringement of Article 6(1)(b) GDPR and, as a consequence, the DPC should use its corrective powers to at least order Whatsapp IE to bring its processing operations into compliance with Article 6(1) GDPR. Also, the DPC should consider the imposition of an administrative fine. After reviewing the merits of the objection, the EDPB instructed the DPC “to include in its final decision an order for WhatsApp IE to bring its processing of personal data for the purposes of service improvement and security features in the context of its Terms of Service into compliance with Article 6(1) GDPR” (274).
Issue 5 – On the imposition of the administrative fine
During the Article 60 GDPR consultation period, four DPAs (FR, NO, DE, IT) objected to the failure of the DPC to take action with respect to one or more specific infringements and asked the DPC to impose an administrative fine. After considering the objections in light of Article 4(24) GDPR and the factors outlined in Article 83(2) GDPR, the EDPB instructed the DPC to impose an administrative fine for the infringement of Article 6(1) GDPR (314) and, in doing so, to take into account the infringement of the principle of fairness in Article 5(1)(a) GDPR (320).
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
BindingDecision5/2022onthedisputesubmittedby the Irish SAregardingWhatsAppIrelandLimited(Art.65GDPR) Adopted on 5December 2022 AdoptedTABLEOFCONTENTS 1 Summaryofthe dispute...................................................................................................5 2 The Right togoodadministration......................................................................................8 3 Conditionsfor adopting a binding decision .........................................................................9 3.1 Objection(s)expressedby CSA(s)inrelationtoa draft decision.......................................9 3.2 The LSA does not follow the relevantandreasoned objections totheDraftDecision or isof the opinionthat the objectionsare not relevant or reasoned..................................................10 3.3 Admissibilityofthe case..........................................................................................10 3.4 Structure ofthe binding decision..............................................................................11 4 Onwhether the LSA should have foundaninfringement for lackofappropriate legalbasis .....11 4.1 Analysisbythe LSA inthe Draft Decision....................................................................11 4.2 Summaryofthe objectionsraisedbythe CSAs............................................................14 4.3 Positionofthe LSA onthe objections ........................................................................19 4.4 Analysisofthe EDPB...............................................................................................21 4.4.1 Assessment ofwhether the objectionswere relevant andreasoned.......................21 4.4.2 Assessment onthe merits.................................................................................24 5 Onthe potentialadditionalinfringement of theprinciples of fairness, purpose limitationand data 
minimisation................................................................................................................32 5.1 Analysisbythe LSA inthe Draft Decision....................................................................32 5.2 Summaryofthe objectionsraisedbythe CSAs............................................................33 5.3 Positionofthe LSA onthe objections ........................................................................33 5.4 Analysisofthe EDPB...............................................................................................34 5.4.1 Assessment ofwhether the objectionswere relevant andreasoned.......................34 5.4.2 Assessment ofthe merits.................................................................................35 6 Onthe further investigation...........................................................................................39 6.1.1 Analysisbythe LSA inthe Draft Decision.............................................................39 6.1.2 Summaryofthe objectionsraisedbythe CSAs.....................................................41 6.1.3 Positionofthe LSA onthe objections .................................................................43 6.1.4 Analysisofthe EDPB........................................................................................44 7 Oncorrective measuresother thanadministrative fines.....................................................51 7.1 Analysisbythe IE SA inthe Draft Decision..................................................................51 7.2 Summaryofthe objectionsraisedbythe CSAs............................................................51 7.3 Positionofthe IE SA onthe objections ......................................................................52 7.4 Analysisofthe EDPB...............................................................................................52 7.4.1 Assessment ofwhether the objectionswere relevant andreasoned.......................52 
Adopted 2 7.4.2 Assessment onthe merits.................................................................................54 8 Onthe impositionofanadministrative fine ......................................................................59 8.1 Analysisbythe LSA inthe Draft Decision....................................................................59 8.2 Summaryofthe objectionsraisedbythe CSAs............................................................59 8.3 Positionofthe LSA onthe objections ........................................................................60 8.4 Analysisofthe EDPB...............................................................................................60 8.4.1 Assessment ofwhether the objectionswere relevant andreasoned.......................60 8.4.2 Assessment onthe merits.................................................................................62 9 Binding Decision...........................................................................................................66 10 Finalremarks............................................................................................................68 TheEuropeanDataProtectionBoard Having regard to Article 63 and Article 65(1)(a) of the Regulation 2016/679/EU of the European Parliamentandof theCouncil of 27 April2016 on theprotectionof naturalpersons withregardtothe processing of personaldataandonthe freemovement of suchdata,andrepealing Directive95/46/EC (hereinafter“GDPR”) 1, HavingregardtotheEEAAgreementandinparticulartoAnnexXIandProtocol37 thereof,asamended 2 by theDecision ofthe EEA joint Committee No154/2018 of 6 July 2018 , 3 HavingregardtoArticle 11 andArticle22 of itsRulesof Procedure (hereinafter“EDPBRoP”) , Whereas: (1) The main role of the European Data Protection Board (hereinafter the “EDPB”) is to ensure the consistent applicationofthe GDPRthroughout the EEA.Tothis effect,it follows from Article60 GDPR that the lead supervisory authority (hereinafter “LSA”) shall 
cooperate with the other supervisory authorities concerned (hereinafter “CSAs”) in an endeavour to reach consensus, that the LSA and CSAs shall exchange all relevant information with each other, and that the LSA shall, without delay, communicate the relevant information on the matter to the other CSAs. The LSA shall without delay submit a draft decision to the other CSAs for their opinion and take due account of their views.

(2) Where any of the CSAs expressed a reasoned and relevant objection (“RRO”) on the draft decision in accordance with Article 4(24) and Article 60(4) GDPR and the LSA does not intend to follow the RRO or considers that the objection is not reasoned and relevant, the LSA shall submit this matter to the consistency mechanism referred to in Article 63 GDPR.

(3) Pursuant to Article 65(1)(a) GDPR, the EDPB shall issue a binding decision concerning all the matters which are the subject of the RROs, in particular whether there is an infringement of the GDPR.

1 OJ L 119, 4.5.2016, p. 1.
2 References to “Member States” made throughout this decision should be understood as references to “EEA Member States”.
3 EDPB RoP, adopted on 25 May 2018, as last modified and adopted on 6 April 2022.

(4) The binding decision of the EDPB shall be adopted by a two-thirds majority of the members of the EDPB, pursuant to Article 65(2) GDPR in conjunction with Article 11(4) of the EDPB RoP, within one month after the Chair and the competent supervisory authority have decided that the file is complete. The deadline may be extended by a further month, taking into account the complexity of the subject matter upon decision of the Chair on own initiative or at the request of at least one third of the members of the EDPB.

(5) In accordance with Article 65(3) GDPR, if, in spite of such an extension, the EDPB has not been able to adopt a decision within the timeframe, it shall do so within two weeks following the expiration of the extension by a simple majority of its members.
(6) In accordance with Article 11(6) EDPB RoP, only the English text of the decision is authentic as it is the language of the EDPB adoption procedure.

HAS ADOPTED THE FOLLOWING BINDING DECISION

1 SUMMARY OF THE DISPUTE

1. This document contains a binding decision adopted by the EDPB in accordance with Article 65(1)(a) GDPR. The decision concerns the dispute arisen following a draft decision (hereinafter “Draft Decision”) issued by the Irish supervisory authority (“Data Protection Commission”, hereinafter the “IE SA”, also referred to in this document as the LSA) and the subsequent objections expressed by six CSAs, namely the German Federal Commissioner for Data Protection and Freedom of Information (“Der Bundesbeauftragter für den Datenschutz und die Informationsfreiheit”) hereinafter the “the German Federal SA” or the “DE SA”, the Finnish supervisory authority (“Tietosuojavaltuutetun toimisto”), hereinafter the “FI SA”, the French supervisory authority (“Commission Nationale de l'Informatique et des Libertés”), hereinafter the “FR SA”, the Italian supervisory authority (“Garante per la protezione dei dati personali”), hereinafter the “IT SA”, the supervisory authority of the Netherlands (“Autoriteit Persoonsgegevens”), hereinafter the “NL SA” and the Norwegian supervisory authority (“Datatilsynet”), hereinafter the “NO SA”.

2. The Draft Decision relates to a “complaint-based inquiry”, which was commenced by the IE SA, regarding a complaint originally submitted to the Hamburg supervisory authority (“Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit”), hereinafter “the DE HH SA”. The case was subsequently referred to the DE SA, being the relevant supervisory authority, to decide whether WhatsApp Ireland Limited (hereinafter, “WhatsApp IE”), an online instant messaging platform, complies with its obligations under the GDPR.

3.
The complaint was lodged on 25 May 2018 by a data subject who requested the non-profit noyb – “European Center for Digital Rights” (hereinafter “NOYB”) to represent her under Article 80(1) GDPR (both hereinafter referred to as the “Complainant”). It concerned the lawfulness of WhatsApp IE’s processing of personal data (hereinafter “WhatsApp services”), specifically data processing on foot of the Complainant’s acceptance of its Terms of Service (and purportedly her acceptance of its Privacy Policy), and the transparency of information provided by WhatsApp IE to the Complainant about that processing. The Complainant alleged a violation of the right to data protection and especially a violation of “Articles 4(11), Article 6(1)(a), Article 7 and/or Article 9(2)(a) of the GDPR” 4, by arguing that the controller relied on a “forced consent” 5. The complaint requested to investigate and to impose corrective measures 7. “In the alternative, should the Supervisory Authority not interpret these elements as consent”, the Complainant takes the position that the controller has no legal basis for the processing operations “which are not a core element of the instant-messaging service and /or in the interest of the user (such as advertisement, sponsored content, sharing of information within a group of

4 Complaint, paragraph 2.2.5.
5 Complaint, paragraphs 1.3 and 2.2.5.
6 Within its request to investigate, the Complainant requested that a full investigation be made to determine “which processing operations the controller engages in, in relation to the personal data of the data subject”, “for which purpose they are performed”, “on which legal basis for each specific processing operation the controller relies on”, and to acquire “a copy of any records of processing activities”. The Complainant also requested “that the results of this investigation [be] made available to [her]”. Complaint, paragraph 3.1.
7 More specifically, the complaint requested in paragraph 3.2 that the competent SA “prohibits all processing operations that are based on an invalid consent of the data subject”, and in paragraph 3.3 that an “effective, proportionate and dissuasive fine” be imposed.

companies analysis and improvement of the controller’s products etc.)”, “since these elements are clearly not a relevant contractual obligations and no other option under Article 6 of the GDPR seems to apply in this situation”.

4. Upon receipt of the complaint on 31 May 2018, the IE SA qualified the activities falling within the scope of the aforementioned complaint as cross-border processing pursuant Article 4(23) GDPR. As the main establishment of WhatsApp IE (as defined in Article 4(16) GDPR) was found to be in Ireland, the IE SA was identified as being the LSA, within the meaning of the GDPR, in respect of the cross-border processing carried out by that company.

5. The following table presents a summary timeline of the events part of the procedure leading to the submission of the matter to the consistency mechanism:

25 May 2018: The complaint was lodged with the DE HH SA. The DE-HH SA passed the complaint, for reasons of competence, to the DE SA. On 31 May 2018, the complaint was passed by the DE SA to the IE SA.

20 August 2018: The IE SA commenced the inquiry (hereinafter the “inquiry”) and requested information from WhatsApp IE. Its scope and legal basis were set out in the Notice of Commencement of Inquiry that was sent to the Complainant and WhatsApp IE by letters on 20 August 2018. On 11 March 2019, WhatsApp IE provided replies to preliminary queries by the IE SA. Procedural issues, including allegation of bias were raised by the Complainant by correspondence on 3 December 2018, and subsequent letters from 29 February 2019, 19 April 2019 and 24 February 2020, as well as a phone call on 1 April 2019, that were addressed by the IE SA.

20 May 2020: The IE SA prepared a Draft Inquiry Report against WhatsApp IE regarding its processing activities within the scope of the inquiry.
The IE SA invited the Complainant and WhatsApp IE to make submissions in relation to such draft report.

22 June 2020: WhatsApp IE provided its submissions in relation to the Draft Inquiry Report.

23 September 2020: The Complainant’s submissions dated 4 September 2020 were provided to the IE SA by the DE SA.

18 January 2021: The Complainant and WhatsApp IE, as well as the IE SA’s decision maker, were furnished with a copy of the IE SA’s Final Inquiry Report, outlining the Investigator’s views, as to whether WhatsApp IE complied with its obligation under the GDPR.

6 and 7 April 2021: The IE SA commenced the decision-making stage.

23 December 2021: The IE SA issued a preliminary draft decision (hereinafter “the Preliminary Draft Decision”) against WhatsApp IE, regarding its processing activities within the scope of the inquiry. It was communicated on the same day to the Complainant to enable them to make observations. The IE SA further attempted to communicate the Preliminary Draft Decision to WhatsApp IE on this same date, to enable it to exercise its right to be heard. Having subsequently discovered that an IT systems’ failure prevented the Preliminary Draft Decision from reaching WhatsApp IE, the IE SA shared again the Preliminary Draft Decision with WhatsApp IE on 20 January 2022.

8 Complaint, paragraph 1.3.
9 Schedule to Draft Decision, paragraphs 2.11 to 2.17 (Competence of the Commission) (p. 10-12).

December 2021 – February 2022: Further exchanges of correspondence took place between the IE SA and the Complainant, addressing translation issues, the scope of the complaint, as well as allegations that the complete documents had not been provided.

17 February 2022: WhatsApp IE provided submissions on the Preliminary Draft Decision to the IE SA.

25 February 2022: The IE SA communicated with Complainant’s legal representatives, confirming that if no further correspondence was received by 1 March 2022, the IE SA would proceed on the basis that the Complainant did not wish to make submissions. No submissions were received.
1 April 2022: The IE SA shared its Draft Decision with the CSAs in accordance with Article 60(3) GDPR. Several CSAs (DE SA, FI SA, FR SA, IT SA, NL SA, and NO SA) raised objections in accordance with Article 60(4) GDPR.

1 July 2022: The IE SA issued a Composite Response setting out its replies to the objections raised and shared it with the CSAs (hereinafter, “Composite Response”). The IE SA requested that the CSAs consider the responses and proposals outlined in the Composite Response and confirm whether they addressed the concerns underlying the objections raised.

1 to 11 July 2022: In light of the proposals in the Composite Response, further exchanges took place between the IE SA and the CSAs. During the exchanges, several CSAs (among which the NL SA 10, the DE SA 11, the FI SA 12 and the NO SA) confirmed to the IE SA that its compromise proposals were not sufficient and they intended to maintain their objections. On 8 July 2022, WhatsApp IE was informed of the upcoming triggering of the Article 65 GDPR procedure, and was invited to exercise its right to be heard in respect of all the material that the IE SA proposed to refer to the EDPB and on 17 August 2022 WhatsApp IE provided its submissions (hereinafter the “WhatsApp IE Article 65 Submissions”).

10 Response of NL SA to IE SA Composite Response Memorandum dated 7 July 2022.
11 Response of DE SA to IE SA Composite Response Memorandum dated 8 July 2022.
12 Response of FI SA to IE SA Composite Response Memorandum dated 8 July 2022.
13 Response of NO SA to IE SA Composite Response Memorandum dated 11 July 2022.

19 August 2022: The IE SA referred the matter to the EDPB in accordance with Article 60(4) GDPR, thereby initiating the dispute resolution procedure under Article 65(1)(a) GDPR.

6. Following the submission by the LSA of this matter to the EDPB in accordance with Article 60(4) GDPR in the Internal Market Information system (hereinafter, “IMI”) 15 on 19 August 2022, the EDPB Secretariat assessed the completeness of the file on behalf of the Chair in line with Article 11(2) of the EDPB RoP.

7.
The EDPB Secretariat contacted the IE SA on 23 September 2022, asking for clarifications in relation to some documents not provided whilst mentioned in Article 11.7 of the EDPB RoP, but mentioned in other documents. On the same date, the IE SA provided the information requested and confirmed the completeness of the file.

8. A matter of particular importance that was scrutinized by the EDPB Secretariat was the right to be heard, as required by Article 41(2)(a) of the EU Charter of Fundamental Rights (hereinafter the “EU Charter”). Further details on this are provided in Section 2 of this Binding Decision.

9. On 7 October 2022, after the Chair confirmed the completeness of the file, the EDPB Secretariat circulated the file to the EDPB members.

10. The Chair decided, in compliance with Article 65(3) GDPR in conjunction with Article 11(4) of the EDPB RoP, to extend the default timeline for adoption of one month by a further month on account of the complexity of the subject-matter.

2 THE RIGHT TO GOOD ADMINISTRATION

11. The EDPB is subject to EU Charter, in particular Article 41 (the right to good administration). This is also reflected in Article 11(1) EDPB RoP. Further details were provided in the EDPB Guidelines on Article 65(1)(a) GDPR 16.

12. The EDPB’s binding decision “shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned and binding on them” (Article 65(2) GDPR). It is not aiming to address directly any third party. However, as a precautionary measure to address the possible need for the EDPB to offer the right to be heard at the EDPB level to WhatsApp IE, the EDPB assessed if WhatsApp IE was offered the opportunity to exercise its right to be heard in relation to the procedure led by the LSA and the subject-matter of the dispute to be resolved by the EDPB. In particular, the EDPB assessed if all the documents containing the matters of facts and law received and used by the EDPB to take its decision in this procedure have already been shared previously with WhatsApp IE.
14 The objections, the Composite Response, including the IE SA’s assessment of the relevant and reasoned objections, as well as the replies of the CSAs.
15 The Internal Market Information (IMI) is the information and communication system mentioned in Article 17 EDPB RoP.
16 See EDPB Guidelines 3/2021 on the application of Article 65(1)(a) GDPR, adopted on 13 April 2021 (version for public consultation) (hereinafter, “Guidelines on Article 65(1)(a)”), paragraphs 94-108.

13. The EDPB notes that WhatsApp IE has received the opportunity to exercise its right to be heard regarding all the documents containing the matters of facts and of law considered by the EDPB in the context of this decision and provided its written observations 17, which have been shared with the EDPB by the LSA 18.

14. Considering that WhatsApp IE has been already heard by the IE SA on all matters of facts and of law addressed by the EDPB in its binding decision, the EDPB is satisfied that Article 41 of the EU Charter has been respected.

15. The EDPB considers that the Complainant is not likely to be adversely affected by this binding decision, and consequently does not meet the conditions to be granted a right to be heard by the EDPB in line with Article 41 of the EU Charter, applicable case law, and Article 11 of the EDPB RoP. This is without prejudice to any right to be heard or other related rights the Complainant may have before the competent national supervisory authority(/-ies).

3 CONDITIONS FOR ADOPTING A BINDING DECISION

16. The general conditions for the adoption of a binding decision by the EDPB are set forth in Article 60(4) and Article 65(1)(a) GDPR 19.

3.1 Objection(s) expressed by CSA(s) in relation to a draft decision

17. The EDPB notes that several CSAs raised objections to the Draft Decision via IMI. The objections were raised pursuant to Article 60(4) GDPR.

18.
More specifically, objections were raised by CSAs in relation to the following matters:
• whether the LSA should have found an infringement for lack of appropriate legal basis;
• the potential additional infringement of the principles of fairness, purpose limitation and data minimisation;
• on possible further investigation;
• corrective measures other than fines;
• the imposition of an administrative fine.

19. Each of the objections was submitted within the deadline provided by Article 60(4) GDPR.

17 WhatsApp IE’s Submissions in relation to the Draft Inquiry Report, dated 22 June 2020. WhatsApp IE’s Response to Preliminary Draft Decision, dated 17 February 2022. WhatsApp IE Article 65 Submissions, dated 17 August 2022.
18 IN-18-5-6 Memo for Secretariat (Referral of objections to the EDPB pursuant to Article 60(4) and 65(1)(a) GDPR), 19 August 2022.
19 According to Article 65(1)(a) GDPR, the EDPB will issue a binding decision when a supervisory authority has raised a relevant and reasoned objection to a draft decision of the LSA and the LSA has not followed the objection or the LSA has rejected such an objection as being not relevant or reasoned.

3.2 The LSA does not follow the relevant and reasoned objections to the Draft Decision or is of the opinion that the objections are not relevant or reasoned

20. On 1 July 2022, the IE SA provided to the CSAs an analysis of the objections raised by the CSAs in the Composite Response.

21. The IE SA concluded that it would not follow the objections, and in addition, underlined that some of them are not in its view “relevant” and/or “reasoned”; within the meaning of Article 4(24) GDPR and, otherwise, for the reasons set out in the Composite Response and below 20.

3.3 Admissibility of the case

22. The case at issue fulfils, prima facie, all the elements listed by Article 65(1)(a) GDPR, since several CSAs raised objections to a draft decision of the LSA within the deadline provided by Article 60(4) GDPR, and the LSA has not followed objections or rejected them, for being in its views, as not relevant or reasoned.

23.
The EDPB takes note of WhatsApp IE’s position that the EDPB should suspend the current Article 65 GDPR dispute resolution due to pending preliminary ruling proceedings before the Court of Justice of the EU (hereinafter, “CJEU”) 21. WhatsApp IE refers in particular to cases C-252/21 22 and C-446/21 23. Following its assessment, the EDPB decides to continue its proceedings on this Article 65 GDPR dispute resolution, as there is no explicit legal basis for a stay of the dispute resolution procedure in EU law, nor are existing CJEU rulings on the matter conclusive for the situation of the EDPB 24. Also, the EDPB takes into consideration the data subjects’ right to have their complaints handled within a ‘reasonable period’ (Article 57(1)(f) GDPR), and to have their case handled within a reasonable time by EU bodies (Article 41 of the EU Charter). Moreover, ultimately there are remedies available to the affected parties in case of a discrepancy between the EDPB binding decision and CJEU rulings in the aforementioned cases 25.

24. Considering the above, in particular that the conditions of Article 65(1)(a) GDPR are met, the EDPB is competent to adopt a binding decision, which shall concern all the matters which are the subject of

20 Composite Response, paragraphs 36, 74, 78 and 80.
21 WhatsApp IE's Article 65 Submissions, paragraph 2.11.
22 Request for a preliminary ruling of 22 April 2021, Meta Platforms and Others, C-252/21.
23 Request for a preliminary ruling of 20 July 2021, Schrems, C-446/21.
24 Judgment of the CJEU of 28 February 1991, Delimitis, C-234/89, EU:C:1991:91; Judgment of the CJEU of 14 December 2000, Masterfoods, C-344/98, EU:C:2000:689. These cases concerned proceedings before the national courts, where the parties faced the risk of being confronted with a conflicting decision of the national judge that could be seen as de facto nullifying the Commission decision – a power which is retained by the CJEU. The current dispute resolution procedure concerns the adoption of an administrative decision, which can be subject to full judicial review.
25 In case an action for annulment is brought against the EDPB decision(s) and found admissible, the General Court/CJEU has the opportunity to invalidate the decision of the EDPB. In addition, and if the General Court/CJEU were to deliver any judgment in the time between the adoption of the EDPB’s Article 65 decision and the adoption of the IE SA’s final decision, the IE SA may ultimately decide to revise the final national decision it takes following the EDPB's binding decision - if the CJEU’s rulings gives cause to do so - in accordance with the principle of cooperation as elaborated by the CJEU in its judgment of 12 January 2004, Kühne & Heitz NV, C-453/00, EU:C:2004:17).

the relevant and reasoned objection(s), (i.e. whether there is an infringement of the GDPR or whether the envisaged action in relation to the controller or processor complies with the GDPR) 26.

25. The EDPB recalls that its current binding decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSA(s).

3.4 Structure of the binding decision

26. For each of the objections raised, the EDPB decides on their admissibility, by assessing first whether they can be considered as a “relevant and reasoned objection” within the meaning of Article 4(24) GDPR as clarified in the Guidelines on the concept of a relevant and reasoned objection 27.

27. Where the EDPB finds that an objection does not meet the requirements of Article 4(24) GDPR, the EDPB does not take any position on the merit of any substantial issues raised by that objection in this specific case. The EDPB will analyse the merits of the substantial issues raised by all objections it deems to be relevant and reasoned 28.

4 ON WHETHER THE LSA SHOULD HAVE FOUND AN INFRINGEMENT FOR LACK OF APPROPRIATE LEGAL BASIS

4.1 Analysis by the LSA in the Draft Decision

28.
The IE SA concludes that the GDPR, the case law and the EDPB Guidelines relevant for the case do not preclude WhatsApp IE from relying on Article 6(1)(b) GDPR as a legal basis for the processing of users’ data necessary for the provision of its service, including through the improvement of the existing service and the maintenance of security standards 29. Finding 2 of the Draft Decision reads “I find the Complainant’s case is not made out that the GDPR does not permit the reliance by WhatsApp on 6(1)(b) GDPR in the context of its offering of Terms of Service.” In addition, the IE SA considers the Guidelines 31 of the EDPB on processing for online services based on Article 6(1)(b) GDPR as being “not strictly binding, nonetheless instructive in considering this issue” 32.

29. The IE SA understands the Complainant’s allegations as: firstly, the Complainant was given a binary choice: i.e. to either accept the Terms of Service and the associated Privacy Policy by selecting the

26 Article 65(1)(a) in fine GDPR. Some CSAs raised comments and not per se objections, which were, therefore, not taken into account by the EDPB.
27 EDPB Guidelines 9/2020 on the concept of relevant and reasoned objection, version 2 adopted on 9 March 2021 (hereinafter “Guidelines on RRO”). They were adopted on 9 March 2021, after the commencement of the inquiry by the IE SA relating to this particular case.
28 See EDPB Guidelines on Article 65(1)(a), paragraph 63 (“The EDPB will assess, in relation to each objection raised, whether the objection meets the requirements of Article 4(24) GDPR and, if so, address the merits of the objection in the binding decision”).
29 Draft Decision, paragraphs 4.49 and 4.50.
30 Draft Decision, Finding 2, p. 32.
31 EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, version 2, adopted on 8 October 2019 (hereinafter “Guidelines 2/2019 on Article 6(1)(b) GDPR”).
32 Draft Decision, paragraph 4.22.
33 Draft Decision, paragraph 2.19.
“accept” button, or cease using the service; second that there was a lack of clarity on which specific legal basis WhatsApp IE relies on for each processing operation 35; and the Complainant’s concern on WhatsApp IE’s reliance on Article 6(1)(b) GDPR to deliver its Terms of Service 36.

30. While the IE SA acknowledges that the EDPB considers in its Guidelines 2/2019 on Article 6(1)(b) GDPR that, as a general rule, processing for the provision of new services, is not necessary for the performance of a contract for online service under Article 6(1)(b) GDPR, in this particular case, having regard to the specific terms of the contract and the nature of the service provided and agreed upon by the parties, the IE SA concludes that WhatsApp IE may in principle rely on Article 6(1)(b) GDPR as legal basis of the processing of users’ data necessary for the provision of its service, including through the improvement of the existing service and the maintenance of security standards 37. In addition, the IE SA considers that “issues of interpretation and validity of national contract law are not directly within” their competence 38.

31. The IE SA disagrees with what it describes as a “very restrictive view on when processing should be deemed to be “necessary” for the performance of a contract” proposed by the Complainant and the EDPB 39. The IE SA concludes that “core functions” cannot, however, be considered in isolation from the meaning of “performance”, the meaning of “necessity” as set out in the Draft Decision, and the content of the specific contract in question 40. The IE SA considers that Article 6(1)(b) GDPR cannot be interpreted as requiring that it is impossible to perform the contract without the data processing operations in question 41.

32. The IE SA finds it important to have regard not just to the concept of what is “necessary”, but also to the concept of “performance” of the contract.
According to the IE SA, a contract is performed when each party discharges their contractual obligations as has been agreed by reference to the bargain struck between the parties. While the IE SA agrees that the mere inclusion of a term in a contract does not necessarily mean that it is necessary to perform the particular contract, it stresses out that regard must be had for what is necessary for the performance of the specific contract freely entered into by the parties 42.

33. Therefore, the IE SA notes that, the inclusion of a term, which does not relate to the core function of the contract could not be considered necessary for its performance 43.

34. For the purposes of identifying the “core” functions of the contract between WhatsApp IE and its users, the IE SA points out that the Complainant does not specify with any great precision the extent of the processing (or indeed the processing operation(s)) that the Complainant believes to not be necessary to perform the Terms of Service). The Complainant has however made some specific submissions arguing processing for service improvement, security, “exchange of data with affiliated companies” and that the processing of special categories of personal data is not necessary in order to fulfil the “core function” of a messaging and calling service such as the WhatsApp services. As a result, the Draft Decision focuses on these processing operations 44.

34 Draft Decision, paragraph 2.8.
35 Draft Decision, paragraph 2.9.
36 Draft Decision, paragraphs 2.9 and 4.9.
37 Draft Decision, paragraph 4.49.
38 Draft Decision, paragraphs 3.13, 4.11, 4.22, 4.39 and 4.44.
39 Draft Decision, paragraph 4.39 and 4.41.
40 Draft Decision, paragraph 4.29.
41 Draft Decision, paragraphs 4.47, 4.49 and 4.50.
42 Draft Decision, paragraph 4.23.
43 Draft Decision, paragraph 4.30.

35.
Although according to Guidelines 2/2019 on Article 6(1)(b) GDPR 45, processing cannot be rendered lawful by Article 6(1)(b) GDPR “simply because processing is necessary for the controller’s wider business model”, the IE SA considers that having regard to the specific terms of the contract and the nature of the service provided and agreed upon by the parties, WhatsApp IE may in principle rely on Article 6(1)(b) GDPR as a legal basis of the processing of users’ data necessary for the provision of its service, including services for improvements and security features, insofar as this forms a core part of the service offered to and accepted by users 46.

36. Moreover, as described by the IE SA, a distinguishing feature of the WhatsApp IE’s service is that it regularly monitors its service in order to ensure it functions well (as distinct from the EDPB’s reluctance expressed in its Guidelines 2/2019 on Article 6(1)(b) GDPR with using data to bring about new services) and maintains certain security and abuse standards. Therefore, the IE SA concludes that the provision of this form of service is part of the substance and fundamental object of the contract.

37. The IE SA considers that this information is both clearly set out and publicly available, hence it would be difficult to argue that this is not part of the mutual expectations of a prospective user and of WhatsApp IE. Moreover, the IE SA states that the service is advertised as being one that has these features, and so any reasonable user would expect and understand that this was part of the agreement, even if users would prefer the market would offer them better alternative choices 47.

38. Based on the foregoing, the IE SA reaches the conclusion that nothing in Guidelines 2/2019 on Article 6(1)(b) GDPR prevents WhatsApp IE, in principle, from relying on Article 6(1)(b) GDPR for these purposes 48.

39.
The IE SA thus concludes that WhatsApp IE may in principle rely on Article 6(1)(b) GDPR as a legal basis of the processing of users’ data necessary on foot of the acceptance of the Terms of Service, including for regular improvements and maintaining standards of security 49.

40. The IE SA clarifies that, having regard to the scope of the complaint and its inquiry, the above conclusion cannot be construed as an indication that all processing operations carried out on users’ personal data are necessarily covered by Article 6(1)(b) GDPR 50.

41. The IE SA also notes that other provisions of the GDPR, such as those on transparency, act to strictly regulate the manner in which the WhatsApp IE services are to be delivered and the information that should be given to users, and decides to address it separately in its Draft Decision 51.

42. In a separate finding of its Draft Decision, the IE SA reiterates that in a previous inquiry on WhatsApp IE, an infringement of the GDPR was found as to its compliance with Article 12(1) and Article 13(1)(c) GDPR for processing on foot of Article 6(1)(b) GDPR. The IE recalls the general requirement of transparency under Article 5(a) GDPR 54, and its previous decision and the associated findings, including the imposition of a fine and an order to WhatsApp IE to bring its Privacy Policy into compliance 55.

44 Draft Decision, paragraph 4.32.
45 Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 36.
46 Draft Decision, paragraph 4.41.
47 Draft Decision, paragraph 4.42.
48 Draft Decision, paragraph 4.42.
49 Draft Decision, paragraphs 4.47 and 4.49.
50 Draft Decision, paragraph 4.50.
51 Draft Decision, paragraph 4.47.
52 Draft Decision, p. 37, Finding 3.

4.2 Summary of the objections raised by the CSAs

43. The DE SA, FI SA, FR SA, NL SA and NO SA object to Finding 2 of the Draft Decision and the assessment leading up to it. They consider that the IE SA should have found an infringement of Article 6(1) GDPR 56, in line with the EDPB’s interpretation of this provision 57.

44.
In the DE SA’s view, contrary to the IE SA’s submissions in the Draft Decision, WhatsApp IE cannot rely on Article 6(1)(b) GDPR or any other legal bases of Article 6(1) GDPR for the processing of a user’s data. According to the DE SA, this constitutes a breach of the principle of lawfulness under Article 5(1)(a) and Article 6(1) GDPR. The DE SA is of the opinion also that the IE SA failed to impose an appropriate corrective measure in order to remedy these infringements. The DE SA puts forward the following arguments in support of the above allegations.

45. First, the DE SA does not share the understanding of the IE SA regarding the binding nature of the Guidelines 2/2019 on Article 6(1)(b) GDPR. The DE SA agrees that guidelines are not legally binding in the same way as legal provisions are. It recalls however that they are instrumental for establishing uniform application of EU law according to Article 70(1)(e) GDPR, as well as for ensuring a consistent and high level of protection for natural persons in the light of recital 10 GDPR. The DE SA claims that the relevant and binding nature of guidelines for all supervisory authorities as such cannot be disputed.

46. Second, the DE SA disputes the IE SA’s allegations that, on the one hand, the GDPR does not prohibit WhatsApp IE to rely on Article 6(1)(b) GDPR in connection with its offer of Terms of Service and, on the other hand, that the LSA is not competent to assess the validity of contracts, respectively the validity of the Terms of Service or individual clauses. In this regard, the DE SA notes that the IE SA has full competence according to Article 57(1)(a) GDPR to assess the validity of contracts.

47. Moreover, as stated in the Guidelines 2/2019 on Article 6(1)(b) GDPR, a valid contract is a prerequisite for controllers to base their processing operations on Article 6(1)(b) GDPR. On that background, the DE SA points out that in order to monitor the application of Article 6(1)(b) GDPR, as required by Article 57(1)(a) GDPR, the IE SA must also verify the validity of the contract WhatsApp IE is relying upon.
The DE SA adds that according to Article 5(2) GDPR, WhatsApp IE must also prove that such a contract has come into existence, meaning that an offer and corresponding acceptance of a contract is declared by the parties. In other words, it must be apparent to the contractual partner that they are not giving a (revocable) consent, but are concluding a contract. If this is not the case, the DE SA considers, as opposed to the IE SA 58, that WhatsApp IE cannot rely on the right to choose its own legal basis.
53 IE SA’s decision of 20 August 2021 in inquiry reference IN-18-12-2 (hereinafter “the IE SA’s Decision on WhatsApp IE’s Transparency”), adopted following EDPB Binding decision 1/2021 on the dispute arisen on the draft decision of the IE SA regarding WhatsApp IE under Article 65(1)(a) GDPR (hereinafter “EDPB Binding Decision 1/2021”).
54 Draft Decision, paragraph 5.8.
55 Draft Decision, paragraph 5.9.
56 DE SA’s Objection, pp. 1-8; FI SA’s Objection, pp. 2-8; NL SA’s Objection, pp. 3-7; NO SA’s Objection, pp. 1-5, FR SA’s Objection, p. 9.
57 Guidelines 2/2019 on Article 6(1)(b) GDPR.
58 Draft Decision, Issue 3.
48. Third, the DE SA objects to the IE SA’s finding 59 that the necessity of the processing is determined not by what is necessary to fulfil the objectives of “a social network” in a general sense, but what is necessary to fulfil the core functions of the particular contract between WhatsApp IE and its users. Those core functions do not encompass the improvements to an existing service and maintaining certain security and abuse standards. The DE SA stresses out that first WhatsApp IE is not a social network but a messaging service and that from the perspective of an average data subject, it is not a distinguishing characteristic of the WhatsApp IE services to improve their service constantly or maintain certain security standards. Therefore, according to Guidelines 2/2019 on Article 6(1)(b) GDPR 60, such processing cannot be rendered lawful by Article 6(1)(b) GDPR simply because the processing is necessary for the controller’s wider business model.
Only the data processing that are actually necessary for the corresponding contractual purpose – the operation of the WhatsApp IE Services – can be justified on the basis of Article 6(1)(b) GDPR. In addition, pursuant to Article 32 GDPR, WhatsApp IE has the obligation to implement data security measures regardless of the content of the contract, so those measures are not to be considered as an essential element of the contract.
49. The DE SA reiterates that Guidelines 2/2019 on Article 6(1)(b) GDPR explicitly limit the controller’s possibility to expand the categories of personal data or types of processing operations that are necessary for the performance of the contract. Based on this, the DE SA concludes that the interpretation of Article 6(1)(b) GDPR given in the Draft Decision would allow for bypassing the data protection principles, in particular the requirements for a valid consent, using the Terms of Services.
50. Finally, with regard to the allegation in the Draft Decision that the Complainant did not specify “with any great precision” which processing operations she believes to be unlawful 61, the DE SA argues, referring to Article 77 GDPR, that the Complainant has no obligation to do so. The DE SA takes into account also that the only source of information about WhatsApp IE’s processing operations is the publicly available documents that are non-transparent 62. In the DE SA’s view, it is the duty of WhatsApp IE to prove compliance in accordance with Article 5(2) GDPR. As a whole, the DE SA concludes that the processing described or indicated in the Terms of Service cannot be (fully) based on Article 6(1)(b) GDPR. Moreover, the DE SA considers that there is no other valid legal basis evident.
51.
The FI SA objects to the IE SA’s finding 63 that WhatsApp IE can rely on Article 6(1)(b) GDPR for all the processing operations set out in the Terms of Service, such as service improvements and security purposes. When it comes to the service improvements and security purposes of processing, the FI SA refers at the outset to Guidelines 2/2019 on Article 6(1)(b) GDPR 64 in order to justify its allegation that the processing of data for those purposes is not necessary for performing the key aspects of the contract and for this reason it cannot be based on Article 6(1)(b) GDPR.
52. The FI SA contests the LSA’s statement that the legal concept of “core” processing falls out of the interpretation of GDPR 65. In this respect the FI SA finds that the rationale behind Article 6(1)(b) GDPR is that it provides a legal basis for situations where processing of personal data will logically need to take place only in the course of the provisions of a contractual service. Furthermore, in relation to the IE SA’s allegation that the necessity of processing is to be determined by reference to the particular contract, the FI SA highlights that the controller cannot include in the contract everything they wish to be legitimized under Article 6(1)(b) GDPR, without having for example to ensure that the data subject’s consent was obtained or to carry out balancing tests between their legitimate interests and the interests of the data subjects.
59 Draft Decision, paragraph 4.29.
60 Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 37.
61 Draft Decision, paragraph 4.32.
62 Draft Decision, Issue 3.
63 Draft Decision, Finding 2, p. 32.
64 Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 25.
65 Draft Decision, paragraph 4.11.
53. In addition, referring to Guidelines 2/2019 on Article 6(1)(b) GDPR 66, the FI SA reaches the conclusion that neither WhatsApp IE, nor the IE SA in its Draft Decision have properly and objectively reasoned how the processing of personal data was necessary also from the user’s perspective and not only from the controller’s side.
The FI SA contests the IE SA’s statements that, in general, a reasonable user would be well-informed about the processing covered by the contract 67, and that in the specific case the user is informed about the processing of personal data for service improvements and security purposes, therefore this processing is part of the mutual expectations of a prospective user and WhatsApp IE 68. In addition, while the FI SA admits that service improvements and security might be a valid part of the WhatsApp IE services, it is of the opinion that processing for those purposes is not necessary for providing such services, as the WhatsApp IE services could be delivered in the absence of processing of such personal data. In addition, the FI SA maintains that the said processing activities are not necessary for the performance of the contract.
54. Next, while the FI SA agrees that there is no hierarchy between legal bases, it points out that it is the responsibility of the controller to assess which legal basis is appropriate for the specific processing. When it comes to the IE SA’s argument that EDPB guidelines are not strictly binding 69, the FI SA recalls that the GDPR itself refers to the EDPB guidelines in its Article 70(1)(e) and therefore stresses the importance of the common position of supervisory authorities. The FI SA also highlights that the EDPB shall ensure the consistent application of the GDPR as laid down in Article 70(1) GDPR and enshrined in recital 10 GDPR.
55.
The FR SA objects to the conclusions in Part 4 of the Draft Decision, in particular points 4.47 and 4.49, that WhatsApp IE has not failed to fulfil its obligations under Article 6 GDPR, and, in addition, that WhatsApp IE is not required to rely on the legal basis of consent (Article 6(1)(a) GDPR). At the outset, the FR SA finds questionable the position adopted by the IE SA on WhatsApp IE’s reliance on Article 6(1)(b) GDPR for processing operations related to service improvements. The FR SA notes in this regard that the Draft Decision does not define what service improvement processing covers and does not provide enough elements on the categories of data used for service improvement purpose, which does not allow to pronounce on the applicable legal basis for the processing in question. Therefore, the FR SA requests that the IE SA completes its Draft Decision on this point, by providing more specific information and evidence. According to the FR SA, the main reason of the users’ registration to the WhatsApp services is not the use of their data to improve the messaging service. In the FR SA’s view, the fact that WhatsApp IE's processing operations for service improvement purpose are based on the legal basis of the contract, and that it is accepted by a simple validation of the Terms of Service, is not compliant with the applicable provisions.
66 Guidelines 2/2019 on 6(1)(b) GDPR, paragraphs 32, 48 and 49.
67 Draft Decision, paragraph 4.36.
68 Draft Decision, paragraph 4.42.
69 Draft Decision, paragraph 4.22.
56. The FR SA considers that only the legal bases of legitimate interest and consent can be considered for processing operations related to service improvement purpose among those listed in Article 6 GDPR. Nevertheless, the FR SA submits that at first analysis, neither the conditions for the application of consent, nor the conditions for the application of legitimate interest seem to be met and WhatsApp IE could not use it for the implementation of the processing operations in connection with service improvements.
In conclusion, since the IE SA does not define what is covered by the processing of data for service improvement purpose and the conditions of implementation, it is not easy for the FR SA to have a firm position on this point and so, on the legal basis that applies for the processing. The FR SA suggests that the IE SA should provide more specific evidence in its Draft Decision regarding this issue, in order to assess if the processing can, or cannot, be based on the legal basis of the legitimate interest. The FR SA states that in reaching the conclusion for lack of breach of Article 6(1) GDPR the LSA erred in its assessment of the facts of the case.
57. The NL SA first observes that the IE SA failed to include sufficient analysis, evidence and research in its Draft Decision on what the purposes of processing selected are, and how data are used, making it difficult to apply Article 6 GDPR 70. The NL SA then questions the validity of the contract between WhatsApp IE and users, and the NL SA argues that, as a result, grounding the processing on Article 6(1)(b) would be impossible 71. The NL SA presents the following arguments. First, in the NL SA’s opinion, the Terms of Service and the Privacy Policy are lengthy and unclear 72. Next, the NL SA notes that as a general rule, both parties must be aware of the substance of a contract, in order to willingly enter into it, and considers that “the established serious lack of transparency on behalf of the controller, therefore leads to a reasonable doubt whether data subjects have indeed been able to enter into a contract with the controller both willingly and sufficiently informed” 73. The NL SA compounds its doubts on the validity of the contract by arguing that WhatsApp IE presents a completely one-sided deal whereby an individual data subject has no influence on any of the terms 74.
The NL SA therefore considers that WhatsApp IE’s statement that it relies on Article 6(1)(b) GDPR for the WhatsApp services, in combination with documents with general descriptions of the services provided, and the IE SA’s reference to the controller’s right to choose its own legal basis to process data, are insufficient to accept that the performance of a contract can be used as a legal basis. Last, due to a lack of insight in the processing operations and the potential processing of children’s personal data or special categories of personal data, the NL SA has serious doubts on the validity of such a contract when children are involved 75.
58. Further to the foregoing, the NL SA also raises an objection with regard to the IE SA’s approach in its Draft Decision’s Finding 2. The NL SA deems the approach taken to be contradictory, given the fact the IE SA does not wish to enter into analysis of contract law, while at the same time certain concepts from contract law are presented, such as “performance” of a contract 76. The NL SA argues there is a contradiction in the idea that a clear contract is present, while there are significant transparency issues at the same time. The NL SA notes that without entering into the specifics of contract law, regard must be had to the general rule that both parties must be aware of the substance of a contract as well as the obligations of both parties to the contract, in order to willingly enter into such contract 77. In the NL SA’s view, the established serious lack of transparency on behalf of the controller gives rise to reasonable doubt in this regard 78.
70 NL SA’s Objection, paragraph 5.
71 NL SA’s Objection, paragraph 10.
72 NL SA’s Objection, paragraph 8.
73 NL SA’s Objection, paragraph 12.
74 NL SA’s Objection, paragraph 10.
75 NL SA’s Objection, paragraph 10.
76 NL SA’s Objection, paragraph 11.
77 NL SA’s Objection, paragraph 12.
78 Draft Decision, p. 31.
59.
Adding to that, the NL SA also notes that a relevant step is to assess whether the concrete data processing activities that are based on the contract, are actually necessary for performing the key aspects of the agreement 79. The NL SA argues that the IE SA has not interpreted the term “necessary” in Article 6(1)(b) GDPR in line with the EDPB guidance, such as Guideline 2/2019 on Article 6(1)(b) GDPR, on this provision 80. The NL SA adds that the IE SA also did not include any substantive investigation into what data subjects have understood to be the core of the service they have signed up to and whether they meant to give their consent for the processing of personal data or whether they intended to conclude an agreement with the controller 81. In the NL SA’s view, the IE SA did not conduct a proper assessment on whether all processing operations could be based on a contract and if not, what other legal basis could be applicable 82. The NL SA disagrees with the IE SA’s finding that the criterion of necessity laid down in Article 6(1)(b) GDPR is indirectly impacted by domestic contract law, since this criterion has an independent meaning in case law and in different EDPB guidelines 83.
60. The NO SA contests in essence the IE SA’s finding that WhatsApp IE can rely on Article 6(1)(b) GDPR as a legal basis for processing in the context of service improvements and security features and proposes imposing respective corrective measures. The NO SA questions whether the processing of personal data for the purposes of service improvements and security features is genuinely necessary for the performance of the contract in question. According to the NO SA, the Draft Decision enables controllers to artificially expand what can fall under Article 6(1)(b) GDPR. In support of the above objection, the NO SA advances the following arguments.
61.
First, the NO SA disagrees with the IE SA’s position that any processing of personal data included in contractual terms would automatically be lawful if framed in a particular manner. In that context, in the NO SA’s view, it is not the legislation which sets the boundaries for lawfulness under Article 5(1)(a) GDPR, but instead the individual contract, which makes the IE SA’s interpretation of Article 6(1)(b) GDPR incompatible with Article 8 of the EU Charter. Second, the NO SA suggests that Article 6(1)(b) GDPR should be interpreted in light of its wording, purpose and context. The NO SA considers that there would always need to be an in concreto assessment of what is necessary for the performance of the particular contract overall, on a case-by-case basis. The NO SA is of the opinion that the rationale behind the first alternative of Article 6(1)(b) GDPR is to provide a legal basis for situations where processing of personal data will logically need to take place in the course of the provision of a contractual service. In this sense, the NO SA claims that processing of personal data for the purposes of service improvements and security features as described in the Draft Decision is not a logical precondition for the messaging service that WhatsApp IE entails. Third, the NO SA believes that the IE SA’s interpretation of Article 6(1)(b) GDPR has the effect of undermining or circumventing the other legal bases of Article 6(1) GDPR.
62. With such interpretation, the NO SA finds it hard to foresee when consent under Article 6(1)(a) GDPR would be relied upon as a legal basis. The same applies to situations invoking Article 9 GDPR. The NO SA suggests that there would be no use of the legal basis under Article 6(1)(a) and (f) GDPR, because for the controller is much more convenient to rely on Article 6(1)(b) GDPR.
Fourth, according to the NO SA, Article 7(4) GDPR entails that, if processing of personal data is in fact necessary for the performance of a contract, then a consent can be considered freely given even if the data subject is excluded from a service should they decline to give consent. The NO SA considers that under the interpretation put forward by the IE SA, generally almost all processing of personal data by non-public entities could be framed as being necessary for the performance of a contract, also in the context of Article 7(4) GDPR. The NO SA alleges that this would render Article 7(4) GDPR meaningless and without effect in practice, as it would never be invoked. This would, in the NO SA’s view, render the take-it-or-leave-it consents permissible.
79 NL SA’s Objection, paragraph 13.
80 NL SA’s Objection, paragraph 16.
81 NL SA’s Objection, paragraph 13.
82 NL SA’s Objection, paragraph 33.
83 NL SA’s Objection, paragraph 16.
63. The NO SA submits that this lower standard for valid consent would in particular be problematic when consent serves as a basis for processing of special category of personal data pursuant to Article 9(2)(a) GDPR, or as a Chapter V GDPR exemption pursuant to Article 49(1)(a) GDPR.
64. Moreover, the NO SA advances the argument that data subjects may be de facto dependent on certain services and in lack of realistic alternatives to them, in particular due to network effects, therefore they will generally have little opportunity to negotiate standardised terms of service. This creates a take-it-or-leave-it situation and an uneven playing field. The NO SA comes to the conclusion that if rejecting the contractual terms is necessary in order to protect oneself from harm, so that one is subsequently excluded from the service, participating in discussions, corresponding with others and receiving information becomes significantly more difficult. As a result, this interpretation could also adversely affect data subjects’ freedom of expression and information.
4.3 Position of the LSA on the objections
65.
The IE SA considers that the objections above are not relevant and/or not reasoned for the purpose of Article 60(4) GDPR and decides not to follow them 84.
66. With regard to the objections of the DE SA, FI SA, FR SA, NL SA and NO SA concerning WhatsApp IE’s possible reliance on Article 6(1)(b) GDPR as the applicable basis for personal data processing, the IE SA is of the opinion that an assessment of the core functions of the contract is required.
67. The IE SA acknowledges that there are different views on how the “core” elements of the Terms of Service are assessed, however it considers that it does not adopt a merely formal approach with regard to Article 6(1)(b) GDPR that relies only on the textual content of the Terms of Service. Moreover, it considers that an assessment of the core functions of the contract (not merely on the written terms) is required, pursuant to Article 6(1)(b) GDPR and the requirement for the necessity test 85.
68. The IE SA considers that WhatsApp IE has not sought to make the WhatsApp services contingent on the Complainant’s consent to the Terms of Service. Moreover, it does not consider that the test for contractual necessity under Article 6(1)(b) GDPR would be reduced to an assessment of written contractual terms, without reference to the fundamental purpose of the contract. The Draft Decision does not take the view that all written contractual terms are necessary for the performance of a contract, thus the risks described in this regard are not relevant 86.
69. The IE SA notes that Article 6(1)(b) GDPR legitimises processing which is necessary for the performance of a contract (i.e. an agreement which serves the mutual interests of the parties). In addition, it is considered that a reasonable user would have had sufficient understanding that the service included the use of metrics for improvement. Accordingly, the IE SA disagrees with the interpretation of “core” contractual purposes, as suggested by the CSAs, and considers that the Terms of Service properly reflects the agreement entered into by the Complainant, nor does the restrictive interpretation reflect the purpose of Article 6(1)(b) GDPR 87.
84 Composite Response, paragraphs 44, 45, 46, 48, 49, 72 and 73.
85 Composite Response, paragraphs 47-48.
86 Composite Response, paragraph 50.
70. The IE SA states that the guidelines are not binding on supervisory authorities, however, they should be taken into account. However, the IE SA’s position is that the EDPB has not been provided with the legal power to mandate that certain categories of processing must be based on consent, to the exclusion of any other legal bases for processing. The IE SA’s view is that such a power is properly exercised from time to time by the EU legislator, in the form of specific legislative measures. In particular, it is noted that Guidelines 2/2019 on Article 6(1)(b) GDPR contain very general observations to the effect that personal data should not be used “generally” for service improvement pursuant to Article 6(1)(b) GDPR. The IE SA considers that under these guidelines, processing for service improvement is not prohibited, pursuant to Article 6(1)(b) GDPR, so long as it falls within the core or essential aspects of the service 88.
71. The IE SA recalls in this regard that the Draft Decision also assesses the core functions of WhatsApp IE’s Terms of Service 89. The Draft Decision notes that any application of the principle of necessity must be specific to the agreement entered into between the parties. The Draft Decision states that processing should be regarded as necessary for the performance of a contract between the controller and the data subject if it is necessary to perform the clearly understood objectives of a contract. The Draft Decision also states that in order to understand the mutual understanding of a contract, it is necessary to have regard to the specific content of the agreement itself.
Having conducted an assessment of the core or fundamental aspects of WhatsApp IE’s Terms of Service, the Draft Decision concludes that the nature of the service being offered on this occasion specifically included regular service improvement including dealing with abuse, as an aspect of the agreement between WhatsApp IE and its users.
72. The IE SA clarifies that in reaching the above conclusion, it had regard to the expectations of users based on the specific content of the Terms of Service. The IE SA concludes on this basis that the processing should be regarded as necessary for the performance of WhatsApp IE’s Terms of Service. Moreover, the IE SA adopts the position that the mutual expectations of the parties as to the performance of the contract should consider the expectations and interests of both parties, as reflected in the contract itself 90.
73. The IE SA considers that the EU legislator did not limit the provision of Article 6(1)(b) GDPR only to processing which is strictly necessary for the delivery of goods and services to a data subject, nor are the contractual interests of the controller disregarded by this provision. In this regard, the IE SA notes that contracts may include aspects of performance, which are optional or contingent. In the IE SA’s view, Article 6(1)(b) GDPR is not limited to aspects of contractual performance which are expressly mandatory and unconditional obligations of the parties. Accordingly, the IE SA is not satisfied that the ability to opt-out of any particular processing must logically be construed as conclusive evidence that such processing is not necessary to perform a contract. The IE SA submits that the exercise of options by a data subject in the context of a contract does not necessarily undermine the agreement entered into, or the necessity of processing while such options are engaged. The IE SA refers to the CJEU case C-524/06 91 in support of its finding that necessity in the context of Article 6(1)(b) GDPR cannot be assessed by reference to hypothetical alternative forms of the WhatsApp IE services, as the CJEU has held in that case that processing which exceeds the most minimal level of processing possible, may be regarded as necessary, where it renders a lawful objective “more effective”. The IE SA states that it is not the role of supervisory authorities to impose specific business models on controllers.
87 Composite Response, paragraph 59.
88 Composite Response, paragraphs 66–69.
89 Draft Decision, paragraph 4.30.
90 Composite Response, paragraph 58.
91 Judgment of 18 December 2008, Heinz Huber v. Bundesrepublik Deutschland, C-524-06, EU:C:2008:724.
74. The IE SA, taking into account the specific facts of this case, considers that WhatsApp IE as a controller has not attempted to artificially include processing which is not necessary for the fundamental purpose of its services. The IE SA considers that Guidelines 2/2019 on Article 6(1)(b) GDPR confirm the legal position, which is that service improvement processing pursuant to Article 6(1)(b) GDPR is not prohibited per se, as long as it falls within the core or essential aspects of the service.
4.4 Analysis of the EDPB
4.4.1 Assessment of whether the objections were relevant and reasoned
75. The objections raised by the DE SA, FI SA, FR SA, NL SA, and NO SA concern “whether there is an infringement of the GDPR” 92. Additionally, the DE SA and NO SA’s objections also concern “whether the action envisaged in the Draft Decision complies with the GDPR” 93.
76. The EDPB takes note of WhatsApp IE’s view that not a single objection put forward by the CSAs meets the threshold of Article 4(24) GDPR 94. From a general standpoint, WhatsApp IE argues that “to the extent Objections relate to matters which are outside of the Defined Scope of Inquiry, as identified in the Draft Decision, they fail to satisfy the requirements of Article 4(24) GDPR and as such are not “relevant and reasoned”.” 95. Contrary to WhatsApp IE’s position on relevance 96, objections can have bearing on the “specific legal and factual content of the Draft Decision”, despite not aligning with the scope of the inquiry as defined by an IE SA.
Furthermore, the EDPB does not accept WhatsApp IE’s narrowing the scope of the “reasoned” criterion to arguments on issues that have been investigated or addressed in the inquiry 97, as no such limitation can be read in Article 4(24) GDPR 98.
77. Contrary to WhatsApp IE’s argument that CSAs may not object to the scope of the inquiry as decided by the IE SA, the EDPB does not share this reading of Article 65 GDPR. Furthermore, this possibility is explicitly stated in the RRO Guidelines, especially regarding complaint-based investigations 99.
92 Guidelines on RRO, paragraph 24.
93 Guidelines on RRO, paragraph 32.
94 WhatsApp IE’s Article 65 Submissions, Annex 1, p. 75-120.
95 WhatsApp IE’s Article 65 Submissions, paragraph 3.3.
96 WhatsApp IE cites the Guidelines on RRO, which state that “[a]n objection should only be considered relevant if it relates to the specific legal and factual content of the Draft Decision” (paragraph 14) to draw the conclusion that any objection raising matters outside the scope of the inquiry is not relevant. See WhatsApp's Article 65 Submissions, paragraph 3.3. The EDPB notes that paragraph 14 of the Guidelines on RRO draws a distinction between relevant objections and “abstract or broad concerns or remarks” on the one hand and “minor disagreements” on the other. Moreover, this paragraph should be read in conjunction with paragraph 27 of the Guidelines on RRO.
97 WhatsApp IE’s Article 65 Submissions, paragraph 3.3.
98 Guidelines on RRO, paragraph 16-19.
99 Guidelines on RRO, paragraph 27: “For instance, if the investigation carried out by the LSA unjustifiably fails to cover some of the issues raised by the complainant or resulting from an infringement reported by a CSA, a relevant and reasoned objection may be raised based on the failure of the LSA to properly handle the complaint and to safeguard the rights of the data subject.”
78.
WhatsApp IE also states that “were the EDPB to expand the scope of the Inquiry as set by the DPC at this stage, in the manner proposed in the Objections, this could not be reconciled with the procedural requirements of Irish or European Union (“EU”) law, and would infringe WhatsApp IE’s legitimate expectations, right to fair procedures and due process (including the right to be heard), and rights of the defence” 100. Despite claiming it is “clear”, WhatsApp IE does not demonstrate in which manner its procedural rights would be breached, just by the mere fact that the EDPB finds specific objections admissible. This is especially questionable, since admissibility determines the competence of the EDPB, but not the outcome of the dispute between the LSA and the CSAs. Likewise, WhatsApp IE does not explain how the mere act of considering the merits of admissible objections inevitably and irreparably breaches the procedural rights cited by WhatsApp IE 101. Accepting WhatsApp IE’s interpretation would severely limit the EDPB’s possibility to resolve disputes arising in the one-stop-shop, and thus undermine the consistent application of the GDPR. The objections of the DE SA, FI SA, FR SA, NL SA, and NO SA on the finding of an infringement all have a direct connection with the Draft Decision as they refer to a specific part of the latter, which is Finding 2. All of those objections concern “whether there is an infringement of the GDPR” as they argue that the IE SA should have found an infringement of Article 6 GDPR 102 or Article 6(1)(b) GDPR. As the IE SA considered that Article 6(1)(b) GDPR was not breached, the objections entail a need for a change of the IE SA’s Draft Decision leading to a different conclusion. Consequently, the EDPB finds that the DE SA, FI SA, FR SA, NL SA, and NO SA’s objections relating to the infringement of Article 6 or Article 6(1)(b) GDPR relevant.
79.
The part of the DE SA’s objection arguing that the IE SA should find an infringement of Article 5(1)(a) GDPR and impose the erasure of unlawfully processed personal data and the ban of the processing of data, and the part of the NO SA’s objection arguing that the IE SA should order WhatsApp IE to “delete personal data” and “impose an administrative fine” are linked to the IE SA’s Finding 2 of the Draft Decision with regard to Article 6(1)(b) GDPR. Therefore, they are directly connected with the substance of the Draft Decision and, if followed, would lead to a different conclusion, namely a change in this Finding. Thus, the EDPB considers that these parts of the DE SA and NO SA’s objections are also relevant.
80. The objections of the DE SA, FI SA, FR SA, NL SA, and NO SA all include arguments on legal/factual mistakes in the Draft Decision that require amending. More specifically, these CSAs provide arguments to challenge the Draft Decision’s consideration that WhatsApp IE can rely on Article 6(1)(b) GDPR as a lawful basis for personal data processing as specified in the Terms of Service 103. The IE SA held that the GDPR permits the reliance, by WhatsApp IE, on Article 6(1)(b) GDPR in the context of its offering of Terms of Service 104 including of users’ data in relation to improvement of the existing service and the maintenance of security standards 105. This view is challenged in broad terms as well as in detail. Some of the CSAs provide arguments challenging the validity of the contract on which the use of Article 6(1)(b) GDPR as a legal basis depends, and which the IE SA accepts 106. Some of the CSAs express that of Article 6(1)(b) GDPR as a legal basis cannot be relied upon regarding the purpose of service improvements 107 and standards of security 108.
100 WhatsApp IE’s Article 65 Submissions, paragraph 3.13.
101 The EDPB fails to see how, for instance, declaring an objection admissible but rejecting it on the merits could impinge on the procedural rights of the controller involved in the underlying case.
102 As specified in the objections of the DE SA, FR SA and NL SA.
103 Draft Decision, paragraph 4.
104 Draft Decision, paragraph 4.50.
105 Draft Decision, paragraph 4.49.
106 DE SA’s Objection, pp. 3-4; FI SA’s Objection, paragraphs 21-24; NL SA’s Objection, paragraph 26.
81. Some CSAs 109 recall, while referring to the terms of Guidelines 2/2019 on Article 6(1)(b) GDPR 110, that it is the fundamental and mutually understood – by the parties of the contract – contractual purpose, which justifies that the processing is necessary. This purpose is not only based on the controller’s perspective but also on a reasonable data subject’s perspective when entering into the contract and thus on “the mutual perspectives and expectations of the parties to the contract”. The FR SA and the NO SA 111 disagree with the Draft Decision in that the purposes of service improvement are described in the Draft Decision in very broad and vague terms, are not a logical precondition for the actual contractual service of WhatsApp IE and are not the main reason of a user’s registration to the WhatsApp services. The FI SA adds that most users, including the Complainant, are likely unaware of this processing of personal data in the context of the WhatsApp IE services 112.
82. The DE SA, FI SA, FR SA, NL SA, and NO SA’s objections also identify risks posed by the Draft Decision as drafted in the current manner, in particular the interpretation of Article 6(1)(b) GDPR that could be invoked by any controller for any processing would undermine or bypass data protection principles 113, would lower the threshold for legality of data processing 114 and thus endanger the rights of data subjects within the EEA 115.
As an example, the NO SA highlights that “if it is possible to frame almost any processing of personal data in contractual terms such that it automatically becomes lawful, as would be the result pursuant to the [Draft Decision], data subjects would in reality have no control of their personal data” 116, while “the FI SA stresses that this would create a significant risk that the principle of lawfulness and fairness is circumvented” 117.

83. WhatsApp IE contends that in terms of risk, the objections must “demonstrate the likelihood of a direct negative impact of a certain significance of the Draft Decision on fundamental rights and freedoms under the EU Charter and not just any data subject rights” 118. WhatsApp IE thus adds a condition to Article 4(24) GDPR, which is not supported by the GDPR 119.

84. Considering the objections of the CSAs and the arguments brought forward by WhatsApp IE, the EDPB finds the objections of the DE SA, FI SA, FR SA, NL SA and NO SA on the finding of an infringement of Article 6 or Article 6(1)(b) GDPR reasoned.

107 FI SA’s Objection, paragraphs 21-24; FR SA’s Objection, paragraphs 8-16; NO SA’s Objection, pp. 7-8.
108 FI SA’s Objection, paragraph 31; the DE SA’s Objection mentions that security measures are not part of the contract but a legal obligation under Article 32 GDPR, p. 5.
109 DE SA’s Objection, p. 5; FI SA’s Objection, paragraph 31; FR SA’s Objection, paragraph 10; NO SA’s Objection, p. 6.
110 Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraphs 32 and 33.
111 FR SA’s Objection, paragraphs 13-14; NO SA’s objection, pp. 3-4.
112 FI SA’s Objection, paragraph 22.
113 DE SA’s Objection, pp. 7-8.
114 NL SA’s Objection, paragraphs 28-29.
115 FR SA’s Objection, paragraphs 50-51.
116 NO SA’s Objection, p. 8.
117 FI SA’s Objection, paragraph 33.
118 WhatsApp IE’s Article 65 Submissions, Annex 1, p. 73.
119 Article 1(2) GDPR provides that the GDPR itself “protects fundamental rights and freedoms of natural persons and in particular their right to protection of personal data”, which directly stems from Article 8(1) of the EU Charter.
Therefore, there is no reason to draw a distinction between the data subject rights protected by the GDPR and the fundamental rights protected under the EU Charter when interpreting Article 4(24) GDPR.

85. As regards the parts of the DE SA and NO SA’s objections requesting the finding of an infringement of Article 5(1)(a) GDPR and specific corrective measures under Article 58 GDPR for the infringement of Article 6(1)(b) GDPR, the EDPB considers that these parts of the objections do not sufficiently elaborate the legal or factual arguments that would justify a change in the Draft Decision leading to the finding of an infringement of Article 5(1)(a) GDPR or to the imposition of the specific corrective measures mentioned above. Likewise, the significance of the risk for data subjects, which stems from the IE SA’s Draft Decision not to conclude on the infringement of Article 5(1)(a) GDPR and not to impose the requested corrective measures, is not sufficiently demonstrated.

86. Considering the above, the EDPB finds that the objections of the DE SA, FI SA, FR SA, NL SA and NO SA on the finding of an infringement of Article 6 or Article 6(1)(b) GDPR are relevant and reasoned in accordance with Article 4(24) GDPR.

87. However, the parts of the DE SA and NO SA’s objections concerning the additional infringement of Article 5(1)(a) GDPR and the imposition of specific corrective measures are not “reasoned” and do not meet the threshold of Article 4(24) GDPR.

4.4.2 Assessment on the merits

88. In accordance with Article 65(1)(a) GDPR, in the context of a dispute resolution procedure, the EDPB shall take a binding decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether there is an infringement of the GDPR.

89. Based on the documents transmitted by the IE SA, the EDPB understands that the purposes of the processing operations covered by these objections are the following: (i) service improvements, and (ii) “safety and security”.
In its Terms of Service, WhatsApp IE refers to its own definition of safety and security as follows: "We work to protect the safety and security of WhatsApp by appropriately dealing with abusive people and activity and violations of our Terms. We prohibit misuse of our Services, harmful conduct towards others, and violations of our Terms and policies, and address situations where we may be able to help support or protect our community. We develop automated systems to improve our ability to detect and remove abusive people and activity that may harm our community and the safety and security of our Services. If we learn of people or activity like this, we will take appropriate action by removing such people or activity or contacting law enforcement. We share information with other affiliated companies when we learn of misuse or harmful conduct by someone using our Services."

90. As a preliminary remark, the EDPB notes, as observed by the NL SA, that the purposes are vague, especially the one on “safety and security”, mentioned by WhatsApp IE in its Terms of Service. The EDPB understands from the short description provided under the relevant section of WhatsApp IE's Terms of Service that it refers to “misuse” of WhatsApp services, “harmful conduct”, and activities that would violate WhatsApp IE’s Terms of Service. In its Draft Decision, the IE SA considered that the Complainant did not identify particular processing operations with any degree of specificity, and that complaints should in general have a reasonable degree of specificity, and, hence addressed the issue of Article 6(1)(b) GDPR in principle. In doing so, the Draft Decision refers to various terms: “abusive activity” (which is referred to in WhatsApp IE’s Terms of Service) 120, “fraud” 121 and “security” without further description 122 (which is referred to in WhatsApp IE’s Terms of Service), which do not bring clarity and/or more specificity on this purpose.
Based on these elements, and considering that WhatsApp IE’s Terms of Service refer to another purpose of processing than the security carried out by technical and organisational measures in order to secure the processing of personal data, networks and services or processing to which WhatsApp IE is entitled or obliged under other legal provisions (e.g. technical and organisational measures applied to protect personal data, for instance as required under Article 32 GDPR 123), the EDPB is excluding “IT Security” from its assessment of the merits hereinafter. On a similar note, the EDPB highlights that when the purpose of the processing is “IT Security”, for instance in the meaning of Article 32 GDPR, the purpose of the processing has to be clearly and specifically identified by the controller 124.

120 Draft Decision, paragraphs 4.36, 4.41, 4.42.
121 Draft Decision, paragraphs 4.38 and 4.49.
122 Draft Decision, paragraphs 4.40, 4.42, 4.47, 4.49.

91. The EDPB considers that the objections found to be relevant and reasoned in this subsection 125 require an assessment of whether the Draft Decision needs to be changed insofar as it rejects the Complainant’s claim that the GDPR does not permit WhatsApp IE’s reliance on Article 6(1)(b) GDPR for the processing operations set out in its Terms of Service. When assessing the merits of the objections raised, the EDPB also takes into account WhatsApp IE’s position on the objections and its submissions.

92. The CSAs seek in essence to establish whether Article 6(1)(b) GDPR could serve as a valid legal basis for the processing of personal data at issue, namely for service improvements and security features, in the specific case and to establish whether there is an infringement of Article 6(1) GDPR.

93. The CJEU has found that so far as concerns the principles relating to lawfulness of processing, Article 6 GDPR sets out an exhaustive and restrictive list of the cases in which processing of personal data can be regarded as lawful.
Thus, in order to be considered lawful, processing must fall within one of the cases provided for in Article 6 GDPR 126 and it is the controller’s obligation to provide and to be able to prove that the correct legal basis is applied for the respective processing.

94. The EDPB considers that there is sufficient information in the file for it to decide whether the IE SA needs to change its Draft Decision insofar as it rejects the Complainant’s claim that the GDPR does not permit WhatsApp IE’s reliance on Article 6(1)(b) GDPR to process personal data in the context of its offering of its Terms of Service.

95. As described above, in Section 4.3, the IE SA concludes in Finding 2 of its Draft Decision that the Complainant’s case is not made out that the GDPR does not permit the reliance by WhatsApp IE on Article 6(1)(b) GDPR in the context of the latter offering its Terms of Service. Neither Article 6(1)(b) GDPR nor any other provision of the GDPR precludes WhatsApp IE from relying on Article 6(1)(b) GDPR as a legal basis to deliver a service, including the improvement of the existing service and the maintenance of security standards insofar as that forms a core part of the service 127. The IE SA considers that, having regard to the specific terms of the contract and the nature of the service provided and agreed upon by the parties, WhatsApp IE may in principle rely on Article 6(1)(b) GDPR as a legal basis of the processing of users’ data necessary for the provision of its WhatsApp services, on foot of the Complainant’s acceptance of the Terms of Service 128. The IE SA considers that this information is clearly set out, publicly available and understandable by any reasonable user 129. WhatsApp IE supports the IE SA’s conclusion 130.

123 WhatsApp IE may also fall under legal duties to protect the security of its networks and services, as required by other laws. See for instance Article 40 of the European Electronic Communications Code established under Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018.
124 See Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 16.
125 Objections concerning the issue on the applicability of Article 6(1)(b) GDPR for purposes of service improvement and security features were raised by the DE SA, FI SA, FR SA, NL SA, and NO SA.
126 Judgment of 11 December 2019, Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, EU:C:2019:1064, paragraphs 37 and 38.
127 Draft Decision, paragraph 4.49.
128 Draft Decision, paragraph 4.50.

96. To assess the IE SA and WhatsApp IE’s claims, the EDPB considers it necessary to recall the general objectives that the GDPR pursues, which must guide its interpretation, together with the wording of its provisions and its normative context 131.

97. The GDPR develops the fundamental right to the protection of personal data found in Article 8(1) of the EU Charter and Article 16(1) of the Treaty on the Functioning of the EU, which constitute EU primary law 132. As the CJEU clarified, “an EU act must be interpreted, as far as possible, in such a way as not to affect its validity and in conformity with primary law as a whole and, in particular, with the provisions of the Charter. Thus, if the wording of secondary EU legislation is open to more than one interpretation, preference should be given to the interpretation which renders the provision consistent with primary law rather than to the interpretation which leads to its being incompatible with primary law” 133. In view of rapid technological developments and increases in the scale of data collection and sharing, the GDPR creates a strong and more coherent data protection framework in the EU, backed by strong enforcement, and built on the principle that natural persons should have control over their own personal data 134. By ensuring a consistent, homogenous and equivalent high level of protection throughout the EU, the GDPR seeks to ensure the free movement of personal data within the EU 135.
The GDPR acknowledges that the right to data protection needs to be balanced against other fundamental rights and freedoms, such as the freedom to conduct a business, in accordance with the principle of proportionality 136 and has these considerations integrated into its provisions. The GDPR, pursuant to EU primary law, treats personal data as a fundamental right inherent to data subjects and their dignity, and not as a commodity they can trade away through a contract 137. The CJEU provided additional interpretative guidance by asserting that the fundamental rights of data subjects to privacy and the protection of their personal data override, as a rule, a controller’s economic interests 138.

98. The principle of lawfulness under Article 5(1)(a) and Article 6 GDPR is one of the main safeguards to the protection of personal data. It follows a restrictive approach whereby a controller may only process the personal data of individuals if it is able to rely on one of the bases found in the exhaustive and restrictive lists of the cases in which the processing of data is lawful under Article 6 GDPR 139.

99. The principle of lawfulness goes hand in hand with the principles of fairness and transparency in Article 5(1)(a) GDPR. The principle of fairness includes, inter alia, recognising the reasonable expectations of data subjects, considering possible adverse consequences a processing may have on them, and having regard to the relationship and potential effects of imbalance between them and the controller 140.

129 Draft Decision, paragraph 4.42.
130 WhatsApp IE’s Article 65 Submission, paragraphs 5.47.
131 Judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C-184/20, EU:C:2022:601, paragraph 121.
132 Recitals 1 and 2 GDPR.
133 Judgment of 21 June 2022, Ligue des droits humains v. Conseil des ministres, C-817/19, EU:C:2022:491, paragraph 86; and judgment of 2 February 2021, Consob, C-481/19, EU:C:2021:84, paragraph 50 and the case-law cited.
134 Article 1(1)(2) and recital 6 and 7 GDPR.
135 Article 1(3) and recitals 9, 10 and 13 GDPR.
136 Recital 4 GDPR.
137 Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 54.
138 Judgment of 13 May 2014, Google Spain SL, C-131/12, EU:C:2014:317, paragraphs 97 and 99.
139 Judgment of 11 December 2019, TK v Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, EU:C:2019:1064, paragraph 37.

100. The EDPB agrees with the IE SA and WhatsApp IE that there is no hierarchy between Article 6(1) legal bases 141. However, this does not mean that a controller, as WhatsApp IE in the present case, has absolute discretion to choose the legal basis that suits better its commercial interests. The controller may only rely on one of the legal bases established under Article 6 GDPR if it is appropriate for the processing in question 142. A specific legal basis will be appropriate insofar as the processing can meet its requirements set by the GDPR 143 and fulfil the objective of the GDPR to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. A legal basis will not be appropriate if its application to a specific processing defeats this practical effect “effet utile” pursued by the GDPR and its Article 5(1)(a) and Article 6 GDPR 144. These criteria stem from the content of the GDPR 145 and the interpretation favourable to the rights of data subjects to be given thereto described in paragraph 97 above.

101. The GDPR makes WhatsApp IE, as the controller for the processing at stake, directly responsible for complying with the GDPR’s principles, including the processing of data in a lawful, fair and transparent manner, and any obligations derived therefrom 146.
This obligation applies even where the practical application of GDPR principles such as those of Article 5(1)(a) and Article 5(2) GDPR are inconvenient or run counter to the commercial interests of WhatsApp IE. The controller is also obliged to be able to demonstrate that it meets these principles and any obligations derived therefrom, such as that it meets the specific conditions applicable to each legal basis 147. More specifically, this condition to be able to rely on Article 6(1)(b) GDPR as a legal basis to process the data subject’s data implies that a controller, in line with its accountability obligations under Article 5(2) GDPR, has to be able to demonstrate that (a) a contract exists and (b) the contract is valid pursuant to applicable national contract laws 148.

102. The EDPB agrees that supervisory authorities do not have, under the GDPR, a broad and general competence in contractual matters. However, the EDPB considers that the supervisory tasks, that the GDPR bestows on supervisory authorities, imply a limited competence to assess a contract’s general validity insofar as this is relevant to the fulfilment of their tasks under the GDPR 149. Otherwise, the supervisory authorities would see their monitoring and enforcement task under Article 57(1)(a) GDPR limited to actions, such as verifying whether the processing at stake is necessary for the performance of a contract (Article 6(1)(b) GDPR), and whether a contract with a processor under Article 28(3) GDPR and data importer under Article 46(2) GDPR includes appropriate safeguards pursuant to the GDPR.

140 See, recital 39 GDPR and Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraphs 11 and 12.
141 Draft Decision, paragraph 2.9, and WhatsApp IE's Article 65 Submission, paragraph 8.34.
142 As mentioned in Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 18, the identification of the appropriate lawful basis is tied to the principles of fairness and purpose limitation. It will be difficult for controllers to comply with these principles if they have not first clearly identified the purposes of the processing, or if the processing of personal data goes beyond what is necessary for the specified purposes. See also Section 5 below on the potential additional infringement of the principles of fairness, purpose limitation and data minimisation.
143 Judgment of 11 December 2019, TK v Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, EU:C:2019:1064, paragraph 37.
144 Judgment of 18 December 2008, Heinz Huber v. Bundesrepublik Deutschland, C-524/06, EU:C:2008:724, paragraph 52 on the concept of necessity being interpreted in a manner that fully reflects the objective of Directive 95/46/EC. On the importance of considering the practical effect (“effet utile”) sought by EU law in its interpretation, see also for instance: judgment of 21 June 2022, Ligue des droits humains v. Conseil des ministres, C-817/19, EU:C:2022:491, paragraph 195; and judgment of 17 September 2002, Muñoz and Superior Fruiticola, C-253/00, EU:C:2002:497, paragraph 30.
145 Article 1(1)(2) and (5) GDPR.
146 Article 5(2) GDPR “Principle of accountability” of controllers; see also Opinion of the Advocate General of 20 September 2022, Meta Platforms e.a., C-252/21, EU:C:2022:704, paragraph 52.
147 Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 26.
148 EDPB Binding decision 2/2022 on the dispute arisen on the draft decision of the IE SA regarding Meta Platforms Ireland Limited (Instagram) under Article 65(1)(a) GDPR, adopted on 28 July 2022 (hereinafter “EDPB Binding decision 2/2022”), paragraph 84.

103. The DE SA and NL SA 150 argue that the validity of the contract for the WhatsApp services between the latter and the Complainant is questionable given the serious transparency issues in relation to the legal basis relied on 151. In contract law, as a general rule, both parties must be aware of the substance of the contract and of the obligations of both parties to the contract in order to willingly enter into such contract.
104. Notwithstanding the possible invalidity of the contract, the EDPB refers to its previous interpretative guidance 152 on this matter to provide below its analysis on whether the processing for the purposes of service improvement and security features 153 is objectively necessary for WhatsApp IE to provide its services to users based on its Terms of Service and the nature of the services.

105. The EDPB recalls 154 that for the assessment of necessity under Article 6(1)(b) GDPR, “[i]t is important to determine the exact rationale of the contract, i.e. its substance and fundamental objective, as it is against this that it will be tested whether the data processing is necessary for its performance” 155. As the EDPB has previously stated, regard should be given to the particular aim, purpose, or objective of the service and, for applicability of Article 6(1)(b) GDPR, it is required that the processing is objectively necessary for a purpose and integral to the delivery of that contractual service to the data subject 156.

106. Moreover, the EDPB notes that the controller should be able to justify the necessity of its processing by reference to the fundamental and mutually understood contractual purpose. This depends not only on the controller’s perspective, but also on a reasonable data subject’s perspective when entering into the contract 157.

107. The IE SA accepts “that, as a general rule, the EDPB considers that processing for the provision of new services […] would not be necessary for the performance of a contract for online services” 158. However, the IE SA considers that in this particular case, having regard to the specific terms of the contract and the nature of the services provided and agreed upon by the parties, WhatsApp IE may in principle rely on Article 6(1)(b) GDPR to process the user’s data necessary for the provision of its service, including through the improvement of the existing service and the maintenance of security standards.
108. In particular, the IE SA views service improvement to an existing service and “a commitment to uphold certain standards relating to abuse, etc.” as a “core” element of the contract between WhatsApp IE and the users 159. In support of this consideration, the IE SA refers to the information provided in the WhatsApp Terms of Service under the headings: “Ways To Improve Our Services.” and “Safety And Security.” 160 The IE SA considers that it is clear that the WhatsApp services are advertised (and widely understood) as ones that require updates and improvement and so, that any reasonable user would “be well-informed that this is precisely the nature of the service being offered by WhatsApp and contained within the contract” 161.

149 EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraphs 9 and 13.
150 DE SA’s Objection, p. 3; NL SA’s Objection, paragraph 10.
151 Draft Decision, paragraph 5.9.
152 Guidelines 2/2019 on Article 6(1)(b) GDPR.
153 For the term security, see paragraph 90 of this binding decision.
154 EDPB Binding decision 2/2022, paragraph 89.
155 Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 Directive 95/46/EC, WP217, adopted on 9 April 2014 (hereinafter, “WP29 Opinion 06/2014 on the notion of legitimate interests”), p. 17.
156 Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 30.
157 EDPB Binding decision 2/2022, paragraph 90.
158 Draft Decision, paragraph 4.49.

109. The EDPB is of the opinion that WhatsApp IE is under the legal duty to assess whether the processing of all its users' data is necessary for the purpose of service improvements or if there are alternative, less intrusive ways to pursue this purpose (e.g. instead of relying on all users' data for the purpose of service improvements, rely on a pool of users, who voluntarily agreed, by providing consent, to the processing of their personal data for this purpose).

110. On this issue, the EDPB recalls that the concept of necessity has its own independent meaning under EU law.
It must be interpreted in a manner that fully reflects the objective pursued by an EU instrument, in this case, the GDPR 162. Accordingly, the concept of necessity under Article 6(1)(b) GDPR cannot be interpreted in a way that undermines this provision and the GDPR’s general objective of protecting the right to the protection of personal data 163 or contradicts Article 8 of the EU Charter. On the processing of data in the WhatsApp services, Advocate General Rantos supports a strict interpretation of Article 6(1)(b) GDPR among other legal bases, particularly to avoid any circumvention of the requirement for consent 164.

111. The EDPB finds that an average user cannot fully grasp what is meant by processing for service improvement and security features, be aware of its consequences and impact on their rights to privacy and data protection, and reasonably expect it solely based on WhatsApp IE’s Terms of Service. Advocate General Rantos expresses similar doubts where he states, in relation to Facebook behavioural advertising practices, “According to the case-law of the Court of Justice, the processing must be objectively necessary for the performance of the contract in the sense that there must be no realistic, less intrusive alternatives, taking into account the reasonable expectations of the data subject. It also concerns the fact that, where the contract consists of several separate services or elements of a service that can be performed independently of one another, the applicability of Article 6(1)(b) of the GDPR should be assessed in the context of each of those services separately” 165 and adds in a footnote that “Moreover, although merely referencing or mentioning data processing in a contract is not enough to bring the processing in question within the scope of Article 6(1)(b) of the GDPR, processing may be objectively necessary even if not specifically mentioned in the contract, without prejudice to the controller’s transparency obligations” 166.

159 Draft Decision, paragraph 4.41.
160 Draft Decision, paragraphs 4.34 and 4.35.
161 Draft Decision, paragraph 4.36.
162 See paragraphs 103-105 above on the principles guiding the interpretation of the GDPR and its provisions. The CJEU also stated in Huber that “what is at issue is a concept [necessity] which has its own independent meaning in Community law and which must be interpreted in a manner which fully reflects the objective of that Directive, [Directive 95/46], as laid down in Article 1(1) thereof”. Judgment of 18 December 2008, Heinz Huber v Bundesrepublik Deutschland, C-524/06, EU:C:2008:724, paragraph 52.
163 Article 1(2) GDPR.
164 Opinion of the Advocate General of 20 September 2022, Meta Platforms e.a., C-252/21, EU:C:2022:704, paragraph 51. The EDPB refers to the Advocate General’s Opinion in its Binding Decision as an authoritative source of interpretation to underline the EDPB’s reasoning on the processing of data in the Facebook service, without prejudice to the case-law that the CJEU may create with its future judgments on Cases C-252/21 and C-446/21.
165 Opinion of the Advocate General of 20 September 2022, Meta Platforms e.a., C-252/21, EU:C:2022:704, paragraph 54.

112. The EDPB provides in its guidance 167 that assessing what is “necessary” involves a combined, fact-based assessment of the processing “for the objective pursued and of whether it is less intrusive compared to other options for achieving the same goal”. If there are realistic, less intrusive alternatives, the processing is not “necessary”. Article 6(1)(b) GDPR does not cover processing which is useful but not objectively necessary for performing the contractual service or for taking relevant pre-contractual steps at the request of the data subject, even if it is necessary for the controller’s other business purposes. While the possibility of improvements of services may routinely be included in contractual terms, such processing usually cannot be regarded as being objectively necessary for the performance of the contract with the user 168.
113. When analysing the performance of a contract as a legal basis, the necessity requirement has to be interpreted strictly. As stated earlier by the Article 29 Working Party (hereinafter “WP29”) 169, this “provision must be interpreted strictly and does not cover situations where the processing is not genuinely necessary for the performance of a contract, but rather unilaterally imposed on the data subject by the controller” 170.

114. Concerning the processing of service improvement, the EDPB finds that a reasonable user cannot expect that their personal data is being processed for service improvement simply because WhatsApp IE briefly refers to this processing in its Terms of Service (which both WhatsApp IE and the IE SA consider as constituting the entirety of the contract), or because of the argument that “on the basis of the cont[r]act and wider circumstances, that a reasonable user would have had sufficient understanding that the service included the use of metrics for improvement” to which the IE SA refers 171.

115. In addition, the IE SA already decided 172 that WhatsApp IE infringed its transparency obligations under Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR by not clearly informing the Complainant and other users of the WhatsApp IE services’ specific processing operations, the personal data processed in them, the specific purposes they serve, and the legal basis on which each of the processing operations relies, as the IE SA concludes in its Draft Decision 173. The EDPB considers that this fundamental failure of WhatsApp IE to comply with its transparency obligations contradicts the IE SA’s finding 174 that WhatsApp IE’s users could reasonably expect service improvement and security features as being necessary for the performance of their contract.

166 Ibid, footnote 165.
167 Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 25.
168 Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 49.
169 The WP 29 - the predecessor of the EDPB - was established under Article 29 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Directive 95/46/EC”) and had a role, inter alia, to contribute to uniform application of national measures adopted under the Directive. Many of substantive principles and provisions of the GDPR already existed in the Directive 95/46/EC, such as the one at stake in this Binding decision, thus WP29 guidance in this respect is relevant for the interpretation of the GDPR.
170 WP29 Opinion 06/2014 on the notion of legitimate interests, p. 16.
171 Composite Response, paragraph 59.
172 Draft Decision, paragraph 5.9.
173 Draft Decision, paragraph 5.9 and Finding 3.
174 Draft Decision, paragraph 4.42.

116. As regards security, the lack of clarity of the Terms of Service makes it even harder to understand what are the different purposes pursued and processing carried out 175.

117. The EDPB recalls that “controllers should make sure to avoid any confusion as to what the applicable legal basis is” and that this is “particularly relevant where the appropriate legal basis is Article 6(1)(b) GDPR and a contract regarding online services is entered into by data subjects”, because “[d]epending on the circumstances, data subjects may erroneously get the impression that they are giving their consent in line with Article 6(1)(a) GDPR when signing a contract or accepting terms of service” 176. Article 6(1)(b) GDPR requires the existence of a contract, its validity, and the processing being necessary to perform it. These conditions cannot be met where one of the parties (in this case a data subject) is not provided with sufficient information to know that they are signing a contract, the processing of personal data that it involves, for which specific purposes and on which legal basis, and how this processing is necessary to perform the services delivered.
For the purposes of service improvement and security features, WhatsApp IE has not relied on any other legal basis to process personal data. These transparency requirements are not only an additional and separate obligation, but also an indispensable and constitutive part of the legal basis.

118. Given that the main purpose for which a user uses the WhatsApp services is to communicate with others, and that WhatsApp IE conditions their use to the user’s acceptance of a contract and the service improvement and security 177 features they include, the EDPB cannot see how a user would have the possibility of opting out of a particular processing which is part of the contract. Thus, WhatsApp IE is accountable to prove that the legal basis applied for the processing at hand is valid and the failure to demonstrate this proves that Article 6(1) GDPR is not the applicable legal basis.

119. The EDPB agrees with the DE SA, FI SA, FR SA, NL SA and NO SA 178 that there is a risk that the Draft Decision’s failure to establish WhatsApp IE’s infringement of Article 6(1)(b) GDPR, pursuant to its interpretation by the IE SA, nullifies this provision and makes theoretically lawful any collection and reuse of personal data in connection with the performance of a contract with a data subject. WhatsApp IE currently leaves the Complainant and other users of the WhatsApp services with a “take it or leave it” choice. They may either contract away their right to freely determine the processing of their personal data and submit to its processing for service improvements or security features, which they can neither expect, nor fully understand based on the insufficient information WhatsApp IE provides to them. Alternatively, they may decline accepting WhatsApp IE’s Terms of Service and thus be excluded from a service that enables them to communicate with millions of users.
120. This precedent could encourage other economic operators to use the contractual performance legal basis of Article 6(1)(b) GDPR for all their processing of personal data. There would be the risk that some controllers argue some connection between the processing of the personal data of their consumers and the contract to collect, retain and process as much personal data from their users as possible and advance their economic interests at the expense of the safeguards for data subjects. Some of the safeguards from which data subjects would be deprived due to an inappropriate use of Article 6(1)(b) GDPR as legal basis, instead of others such as consent under Article 6(1)(a) GDPR and legitimate interest under Article 6(1)(f) GDPR, are the possibility to specifically consent to certain processing operations and not to others and to the further processing of their personal data (Article 6(4) GDPR); their freedom to withdraw consent (Article 7 GDPR); their right to be forgotten (Article 17 GDPR); and the balancing exercise of the legitimate interests of the controller against their interests or fundamental rights and freedoms (Article 6(1)(f) GDPR).

175 For the meaning of the term “security”, see paragraph 90 above.
176 EDPB Binding Decision 01/2021, paragraph 214, and Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 20.
177 For the meaning of the term “security”, see paragraph 90 above.
178 DE SA’s Objections – p. 6, paragraph 2 and p. 8, paragraph 1; FI SA’s Objections – p. 7, paragraphs 32 and 33; FR SA’s Objections – paragraph 14; NL SA’s Objections – paragraphs 8 and 28; NO SA’s Objections – p. 4, paragraph 3.

121. The EDPB thus concurs with the objections of the DE SA, FI SA, FR SA, NL SA and NO SA 179 to Finding 2 of the Draft Decision in that the processing for the purposes of service improvements and security 180 features performed by WhatsApp IE are objectively not necessary for the performance of WhatsApp IE’s alleged contract with its users and are not an essential or core element of such contract.
122. In conclusion, the EDPB decides that WhatsApp IE has inappropriately relied on Article 6(1)(b) GDPR to process the Complainant’s personal data for the purpose of service improvement and security features 181 in the context of its Terms of Service and therefore lacks a legal basis to process these data. The EDPB was not required to examine whether data processing for such purposes could be based on other legal bases because the controller relied solely on Article 6(1)(b) GDPR. WhatsApp IE has consequently infringed Article 6(1) GDPR by unlawfully processing personal data. The EDPB instructs the IE SA to alter its Finding 2 of its Draft Decision which concludes that WhatsApp IE may rely on Article 6(1)(b) GDPR in the context of its offering of Terms of Service and to include an infringement of Article 6(1) GDPR based on the shortcomings that the EDPB has identified.

5 ON THE POTENTIAL ADDITIONAL INFRINGEMENT OF THE PRINCIPLES OF FAIRNESS, PURPOSE LIMITATION AND DATA MINIMISATION

5.1 Analysis by the LSA in the Draft Decision

123. In light of the aforementioned inquiry’s scope, the Draft Decision mentions Article 5(1) GDPR in several passages 182. As for the fairness principle, the inquiry consists of reference to the unfair processing pointed out by the Complainant 183. Regarding the purpose limitation and data minimisation principles, there are no other references as the ones mentioned above. The Draft Decision makes several references to Article 5(1)(a) GDPR and the principle of transparency 184. However, the Draft Decision does not address whether Article 5(1)(a) GDPR regarding fairness principle or Article 5(1)(b) and (c) GDPR have been infringed. In its Draft Decision, the IE SA mentions its Decision on WhatsApp IE’s Transparency, which made findings to the effect that transparency obligations were infringed. Therefore, the IE SA concludes, that “The inquiry in question focused on the same issues raised in the herein Complaint insofar as transparency is concerned (although was much broader in scope).
Given these issues have already been investigated and adjudicated on by the Commission, I provisionally find that the transparency issues raised in this Complaint have already been addressed.” 185

179 DE SA’s Objections – p. 5, paragraphs 3 and 4; FI SA’s Objections – p. 6, paragraph 24; FR SA’s Objections – p. 7, paragraph 38; NL SA’s Objections – paragraph 26; NO SA’s Objections - p. 8.
180 For the meaning of the term “security”, see paragraph 90 above.
181 For the meaning of the term “security”, see paragraph 90 above.
182 See, for example, Draft Decision, Section 5, paragraphs 5.1, 5.7 and 5.8.
183 Complaint, paragraphs 2.3.1. and 2.3.2.
184 Draft Decision, Section 5, paragraphs 5.8 and 5.9.
185 Draft Decision, Section 5, paragraphs 5.9 and 5.10.

5.2 Summary of the objections raised by the CSAs

124. The IT SA raises an objection arguing that the Draft Decision should be amended to include findings of an infringement of Article 5(1)(a) GDPR in relation to the fairness principle. This objection claims that, even though there is the IE SA’s Decision on WhatsApp IE’s Transparency, which incorporates the principle set out in the EDPB’s Binding Decision 1/2021 and where an infringement of transparency principle was to be found, the infringement regarding to the fairness principle should be separate from transparency. The IT SA elaborates that referring to Article 6(1)(b) GDPR should not be found to be in line with the fairness principle, as users are factually unable to grasp how their personal data is being used by WhatsApp IE 186.

125. The IT SA raises another objection stating that the Draft Decision should be amended to include findings of infringement of Article 5(1)(b) and (c) GDPR. The IT SA is of the view that the fact that WhatsApp IE’s “(multifarious) processing activities involving personal data are grounded in Article 6(1)(b) GDPR entails an infringement of purpose limitation and data minimization principles” 187. The IT SA states that the IE SA has failed to investigate compliance with Article 5(1)(b) and (c) GDPR.
Further, the IT SA states that all the purposes of the processing of personal data performed under the terms of Article 6(1)(b) GDPR must be specified and communicated to data subjects. As such, the service that WhatsApp IE offers pursues several purposes, therefore the applicability of Article 6(1)(b) GDPR should be assessed separately in the context of each service. The IT SA elaborates that the purposes provided to users are inadequate and have no connection to the processing activities.

5.3 Position of the LSA on the objections

126. The final position of the IE SA is that of not following these objections. In its Composite Response, concerning all objections, the IE SA notes that the objections on the fairness principle in Article 5(1)(a) GDPR are not in the scope of the underlying complaint 188. Furthermore, the IE SA states that this would procedurally constrain the IE SA’s ability to adopt its final decision 189.

127. In addition, the IE SA states that it would also risk breaching the controller’s right to a fair procedure, as the controller was not afforded a right to be heard on such matter. The IE SA highlights the legal consequences that would flow from making material changes concerning infringements outside of the complaint and Draft Decision, namely the likelihood that WhatsApp IE would succeed in arguing before the Irish courts that it has been denied an opportunity to be heard on additional and extraneous findings that are adverse to it 190.

128. The IE SA further considers that the objection raised by the IT SA with regard to the possible infringement of Article 5(1)(b) and (c) GDPR is not relevant and reasoned, since it would not have been appropriate to undertake an open-ended assessment of all processing operations by the controller in order to handle the complaint 191. This would have resulted in a disproportionate and open-ended examination of the processing carried out by WhatsApp IE. Therefore, it was more important to resolve the fundamental dispute regarding the interpretation of Article 6(1) GDPR first 192.
186 IT SA’s Objection, paragraph 3, pages 8-10.
187 IT SA’s Objection, page 6.
188 Composite Response, paragraphs 28 and 29.
189 Ibid., paragraph 29.
190 Composite Response, paragraphs 28 to 32.
191 IT SA’s Objection, paragraph 2.
192 Composite Response, paragraph 25.

5.4 Analysis of the EDPB

5.4.1 Assessment of whether the objections were relevant and reasoned

129. The IT SA’s objection concerns “whether there is an infringement of the GDPR” 193.

130. The EDPB takes note that WhatsApp IE agrees with the IE SA’s conclusion in its Composite Response that the objection from the IT SA about finding an infringement of Article 5(1)(a) GDPR also with regard to non-conformity with respect to the fairness principle is not relevant. In addition, WhatsApp IE submits that the objection does not meet the “reasoned” threshold as it is not based on any detailed factual or legal reasoning and fails to address the significance of the alleged risks to fundamental rights posed by the Draft Decision 194. According to WhatsApp IE, “it would be inappropriate for the EDPB to direct the [IE SA] to make any findings in respect of Article 5(1)(a) (fairness of lawfulness) in its final decision in the Inquiry in circumstances where this is outside the Defined Scope of Inquiry.” 195

131. In addition to the above mentioned, the Complainant does note: “Even if a trained lawyer reads all the text that the controller provides, he/she can only guess what data is processed, for which exact purpose and on which legal basis. This is inherently non-transparent and unfair within the meaning of Articles 5(1)(a) and 13(c). This approach therefore stands in clear contrast to informed consent or any form of “plain language” or even “easy to understand” requirements (Recital 39).” 196

132. WhatsApp IE also affirms that compliance with Article 5(1)(a) GDPR is distinct from compliance with Article 6(1) GDPR and must be separately assessed before any finding of infringement could be made 197.
133. The EDPB recalls that an objection could go as far as identifying gaps in the draft decision justifying the need for further investigation by the IE SA, for example in situations where the investigation carried out by the IE SA unjustifiably fails to cover some of the issues raised by the Complainant 198. In this regard, the EDPB observes that, in the complaint, the Complainant alleges that the information provided in WhatsApp IE’s Privacy Policy “is inherently non-transparent and unfair within the meaning of Articles 5(1)(a) and 13(c)” 199. This is also noted by the IE SA 200.

134. As previously mentioned, the EDPB notes that the first objection of the IT SA concerns “whether there is an infringement of the GDPR” as it argues that the IE SA should have found an infringement of the fairness principle under Article 5(1)(a) GDPR. As such objection demonstrates that, if followed, it would lead to a different conclusion as to whether there is an infringement of the GDPR or not, the objection is to be considered as “relevant” 201.

135. In addition, this objection is also considered to be “reasoned” since it puts forward several factual and legal arguments for the proposed change in legal assessment. The additional infringement stems from the scope and findings of the Draft Decision, which also mentions Article 5(1)(a) GDPR 202, and the overarching nature of Article 5(1)(a) GDPR.

193 Guidelines on RRO, paragraph 24.
194 WhatsApp IE’s Article 65 Submissions, pp. 107-109.
195 Ibid., p. 31.
196 Complaint, paragraph 2.3.1.
197 WhatsApp IE’s Article 65 Submissions, paragraph 4.25.
198 Guidelines on RRO, paragraph 27.
199 Complaint, p. 14.
200 Draft Decision, paragraph 5.7.
201 Guidelines on RRO, paragraph 13.

136. Additionally, the EDPB finds that the objection of the IT SA clearly demonstrates the significance of the risks posed by the Draft Decision to the fundamental rights and freedoms of data subjects, since it would create a dangerous precedent that would jeopardize the effective protection of data subjects and thus entail flawed corrective actions.
137. The EDPB considers the objection on Article 5(1)(a) GDPR to be adequately reasoned and recalls that the assessment of merits of the objection is made separately, after it has been established that the objection satisfies the requirements of Article 4(24) GDPR 203.

138. Although the second objection of the IT SA, relating to the additional infringements of the purpose limitation principle under Article 5(1)(b) GDPR and the data minimisation principle under Article 5(1)(c) GDPR, is relevant and includes justifications concerning why and how issuing a decision with the changes proposed in the objection is needed and how the change would lead to a different conclusion in the Draft Decision, it does not satisfy all the requirements stipulated by Article 4(24) GDPR. In particular, the objection raised does not explicitly motivate why the Draft Decision itself, if left unchanged, would present risks for the fundamental rights and freedoms of data subjects. In addition, the EDPB notes that the IT SA’s objection does not explicitly elaborate why such a risk is substantial and plausible 204. Therefore, the EDPB concludes that this particular objection of the IT SA does not provide a clear demonstration of the risks as specifically required by Article 4(24) GDPR.

5.4.2 Assessment of the merits

139. In accordance with Article 65(1)(a) GDPR, the EDPB shall take a binding decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether there is an infringement of the GDPR.

140. The EDPB considers that the objection found to be relevant and reasoned in this subsection requires an assessment of whether the Draft Decision needs to be changed insofar as it contains no finding of infringement of the fairness principle under Article 5(1)(a) GDPR. When assessing the merits of the objection raised, the EDPB also takes into account WhatsApp IE’s position on the objection and its submissions, focussed on arguing that the IT SA objection is not relevant and reasoned, rather than on the content.
141. Before proceeding with the assessment of the merits, the EDPB recalls that the basic principles relating to processing listed in Article 5 GDPR can, as such, be infringed 205. This is apparent from the text of Article 83(5)(a) GDPR which subjects the infringement of the basic principles for processing to administrative fines of up to 20 000 000 EUR, or in the case of an undertaking, of up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

142. At first, the EDPB notes that the concept of fairness is not defined as such in the GDPR. However, recital 39 GDPR provides some elements as to its meaning and effect in the context of processing of personal data. An important aspect of the principle of fairness under Article 5(1) GDPR, which is linked to recital 39, is that data subjects should be able to determine in advance what the scope and consequences of the processing entails and that they should not be taken by surprise at a later point about the ways in which their personal data have been used 206.

202 The Objection refers to paragraph 5.7 of the Draft Decision.
203 Guidelines on Art. 65(1)(a), paragraph 63 (“The EDPB will assess, in relation to each objection raised, whether the objection meets the requirements of Article 4(24) GDPR and, if so, address the merits of the objection in the binding decision.”).
204 Guidelines on RRO, paragraph 37.
205 Binding decision 1/2021, paragraph 191.

143. Fairness is an overarching principle, which requires that personal data shall not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject. Measures and safeguards implementing the principle of fairness also support the rights and freedoms of data subjects, specifically the right to information (transparency), the right to intervene (access, erasure, data portability, rectification) and the right to limit the processing (right not to be subject to automated individual decision-making and non-discrimination of data subjects in such processing) 207.
144. The principles of fair and transparent processing require that the data subject shall be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling 208.

145. The EDPB underlines that the principles of fairness, lawfulness and transparency, all three enshrined in Article 5(1)(a) GDPR, are three distinct but intrinsically linked and interdependent principles that every controller should respect when processing personal data. The link between these principles is evident from a number of GDPR provisions: recitals 39 and 42, Article 6(2) and Article 6(3)(b) GDPR refer to lawful and fair processing, while recitals 60 and 71 GDPR, as well as Article 13(2), Article 14(2) and Article 40(2)(a) GDPR refer to fair and transparent processing.

146. The IT SA states that “the infringement of Article 5(1)(a) GDPR should be found by the LSA in the case at hand by having also regard to the more general fairness principle, which entails separate requirements from those relating specifically to transparency.” 209

147. There is no dispute that in its Decision on WhatsApp IE’s Transparency, the IE SA found a breach of the transparency principle, but the EDPB considers that the principle of fairness has an independent meaning and stresses that an assessment of WhatsApp IE’s compliance with the principle of transparency does not automatically rule out the need for an assessment of WhatsApp IE’s compliance with the principle of fairness too.

148. The EDPB recalls that, in data protection law, the concept of fairness stems from the EU Charter 210. The EDPB has already provided some elements as to the meaning and effect of the principle of fairness in the context of processing personal data.
For example, the EDPB has previously opined in its Guidelines on Data Protection by Design and by Default that “Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject” 211. Among the key fairness elements that controllers should consider in this regard, the EDPB mentions autonomy of the data subjects, data subjects’ expectation, power balance, avoidance of deception, ethical and truthful processing 212. These elements are particularly relevant in the case at hand. The principle of fairness under Article 5(1)(a) GDPR underpins the entire data protection framework and seeks to address power asymmetries between controllers and data subjects in order to cancel out the negative effects of such asymmetries and ensure the effective exercise of data subjects’ rights.

206 WP29 Guidelines on transparency under Regulation 2016/679, paragraph 10.
207 EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, Version 2, Adopted on 20 October 2020 (hereinafter “Guidelines on Data Protection by Design and by Default”).
208 Recital 60 GDPR.
209 IT SA’s Objection, paragraph 3, p. 9.
210 Article 8 of the EU Charter states as follows: “1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law” (emphasis added).
149. The EDPB has previously explained that “the principle of fairness includes, inter alia, recognising the reasonable expectations of the data subjects, considering possible adverse consequences processing may have on them, and having regard to the relationship and potential effects of imbalance between them and the controller” 213. The EDPB recalls that a fair balance must be struck between, on the one hand, the commercial interests of controllers and, on the other hand, the rights and expectations of data subjects under the GDPR 214. A key aspect of compliance with the principle of fairness under Article 5(1)(a) GDPR refers to pursuing “power balance” as a “key objective of the controller-data subject relationship” 215, especially in the context of online services provided without monetary payment, where users are often not aware of the ways and extent to which their personal data is being processed 216. Consequently, if data subjects are not enabled to determine what is done with their personal data, this is in contrast with the element of “autonomy” of data subjects as to the control of the processing of their personal data 217.

150. Considering the constantly increasing economic value of personal data in the digital environment, it is particularly important to ensure that data subjects are protected from any form of abuse and deception, intentional or not, which would result in the unjustified loss of control over their personal data. Compliance by providers of online services acting as controllers with all three of the cumulative requirements under Article 5(1)(a) GDPR, taking into account the particular service that is being provided and the characteristics of their users, serves as a shield from the danger of abuse and deception, especially in situations of power asymmetries.
Therefore, the EDPB disagrees with the IE SA’s finding that assessing WhatsApp IE’s compliance with the principle of fairness “would therefore not only represent a significant departure from the scope of inquiry, as formulated, but it would also risk breaching the controller’s right to a fair procedure, as regards any matter which was never put to the complainant during the course of inquiry.” 218 In addition, it is important to note that WhatsApp IE has been heard on the objections and therefore submitted written submissions on this matter 219.

211 EDPB 4/2019 Guidelines on Article 25, Data Protection by Design and by Default, version 2, adopted on 20 October 2022, (hereinafter “Guidelines on Data Protection by Design and by Default”) paragraph 69.
212 Guidelines on Data Protection by Design and by Default, paragraph 70.
213 Guidelines on Article 65(1)(a), paragraph 12.
214 On the balance between the different interests at stake see for example: Judgment of 12 December 2013, X, C-486/12, EU:C:2013:836; Judgment of 7 May 2009, College van burgemeester en wethouders van Rotterdam v M. E. E. Rijkeboer, C-553/07, EU:C:2009:293; Judgment of 9 November 2010 in joined cases, Volker und Markus Schecke GbR, C-92/09, and Hartmut Eifert, C-93/09, v Land Hessen, EU:C:2010:662.
215 Guidelines on Data Protection by Design and by Default, paragraph 70.
216 On “online services”, see Guidelines 1/2019 on Article 6(1)(b) GDPR, paragraphs 3-5.
217 Guidelines on Data Protection by Design and by Default, paragraph 70. According to this element of fairness, “data subjects should be granted the highest degree of autonomy possible to determine the use made of their personal data, as well as over the scope and conditions of that use or processing”.
151. The EDPB has previously emphasised that the identification of the appropriate lawful basis is tied to the principles of fairness and purpose limitation 220. In this regard, the IT SA rightly observes that while finding a breach of transparency relates to the way in which information has been provided to users via the terms of service and the Privacy Policy, compliance with the principle of fairness also relates to ‘how the controller addressed the lawfulness of the processing activities in connection with its calling and messaging service’ 221. Thus, the EDPB considers that an assessment of compliance by WhatsApp IE with the principle of fairness requires also an assessment of the consequences that the choice and presentation of the legal basis entail for the WhatsApp services’ users. In addition, that assessment cannot be made in the abstract, but has to take into account the specificities of the particular messaging service and of the processing of personal data carried out, namely for purposes related to improvements of the messaging service 222.

152. The EDPB notes that in this particular case, the Complainant was forced to consent to the Terms of Service and the Privacy Policy 223 and this clearly impacts the reasonable expectations of WhatsApp IE’s users by confusing them on whether clicking the “Accept” button results in giving their consent to the processing of their personal data. The EDPB notes in this regard that one of the elements of compliance with the principle of fairness is avoiding deception (i.e. providing information “in an objective and neutral way, avoiding any deceptive or manipulative language or design” 224).

153. As the IE SA itself notes, the Complainant argues that WhatsApp IE relied on “forced consent” for the processing simply because it did in fact believe that the controller was relying on the legal basis of consent for that processing 225.
The Complainant presents the screenshot, aiming to demonstrate that, “the data subject was presented with an easy click to quickly consent, and to return to the service.” 226 The EDPB keeps in mind that in the complaint, this was explained in the context of arguing that consent was forced. Therefore, the EDPB shares the IT SA’s concern that WhatsApp IE misrepresented the legal basis of the processing and that WhatsApp IE’s users are left “in the dark” as to the possible connections between the purposes sought, the applicable legal basis and the relevant processing activities 227. This being said, the EDPB considers that the processing by WhatsApp IE cannot be regarded as ethical and truthful 228 because it is confusing with regard to the type of data processed, the legal basis used and the purposes of the processing, which ultimately restricts the WhatsApp IE’s users’ possibility to exercise their data subjects’ rights.

218 Composite Response, paragraph 30.
219 WhatsApp IE’s Article 65 Submissions, Category 1f: “The DPC should also make findings that WhatsApp Ireland infringed the fairness principle under Article 5(1)(a) GDPR / lawfulness principle under Article 5(1)(a) GDPR”, p. 31.
220 Guidelines 1/2019 on Article 6(1)(b) GDPR, paragraph 1.
221 IT SA’s Objection, p. 9.
222 Draft Decision, paragraph 4.40.
223 See paragraph 3 above.
224 Guidelines on Data Protection by Design and by Default, paragraph 70.
225 Draft Decision, paragraph 5.7.
226 Complaint, p. 5.
227 IT SA’s Objection, p. 9.
228 Guidelines on Data Protection by Design and by Default, paragraph 70, where the EDPB explains that “ethical” means that “The controller should see the processing’s wider impact on individuals’ rights and dignity” and “truthful” means that “The controller must make available information about how they process personal data, they should act as they declare they will and not mislead the data subjects”.
154. Considering the seriousness of WhatsApp IE’s misrepresentation on the legal basis relied on identified in the current Binding decision 229, the EDPB agrees with the IT SA that WhatsApp IE has presented its service to its users in a misleading manner 230, which adversely affects their control over the processing of their personal data and the exercise of their data subjects' rights.

155. This is all the more supported by the fact that the circumstances of the present case as demonstrated above 231 and the infringement of Article 6(1)(b) GDPR 232 further intensify the imbalanced nature of the relationship between WhatsApp IE and its users brought up by the IT SA’s objection.

156. The combination of factors, such as the unbalanced relationship between WhatsApp IE and its users, combined with the “take it or leave it” situation that they are facing due to the lack of alternative services in the market and the lack of options allowing them to adjust or opt out from a particular processing under their contract with WhatsApp IE, systematically disadvantages them, limits their control over the processing of their personal data and undermines the exercise of their rights under Chapter III GDPR.

157. Therefore, the EDPB instructs the IE SA to include a finding of an infringement of the principle of fairness under Article 5(1)(a) GDPR by WhatsApp IE and to adopt the appropriate corrective measures, by addressing, but without being limited to, the question of an administrative fine for this infringement as provided for in Section 8 of this Binding decision.

6 ON THE FURTHER INVESTIGATION

6.1.1 Analysis by the LSA in the Draft Decision

158. According to the claim 233 made in the complaint, data subjects have to “agree to” WhatsApp IE’s Terms of Service and Privacy Policy at the time of the update that was made to the documents in April 2018.
The IE SA considers that it is necessary to recognise the difference between agreeing to a contract and providing consent to personal data processing specifically for the purposes of complying with the GDPR. The IE SA elaborates 234 that WhatsApp IE does not rely on consent in order to process data on foot of the Terms of Service, nor it is legally required to do so, thus reliance on Article 7 GDPR is not applicable, regarding the subject matter of the complaint and will not be a subject to further consideration.

159. In its Draft Decision, the IE SA concludes that arguments on the applicability of Article 6(1)(b) GDPR as a legal basis for data processing to facilitate (behavioural) advertising “are not relevant to the within inquiry” 235, given the absence of references, related to advertising or sponsored content in WhatsApp IE’s Terms of Service, and the absence of evidence that such processing takes place.

229 See, paragraph 117 above.
230 IT SA Objection, page 9.
231 Draft Decision, paragraphs 148-153.
232 Draft Decision, paragraphs 117 and 122.
233 Draft Decision, paragraph 3.11.
234 Draft Decision, paragraph 3.19.
235 Draft Decision, paragraph 4.8.

160. Another consideration made by the IE SA is related to the data processing related to “exchange of data with affiliated companies” and the processing of special categories of data, namely:

1) The IE SA considers that there is no evidence 236 for the assertion that WhatsApp IE is processing data that facilitates the inferring of special categories of personal data, pertaining to religious views, sexual orientation, political views and health status. Further, as stated, no evidence is presented in this regard at all, thus a conclusion is made that the processing of special categories of data pursuant to Article 9 GDPR, does not fall within the scope of the complaint and is thus irrelevant.
2) In its Draft Decision, the IE SA notes that a distinguished feature of WhatsApp IE is the regular monitoring of its service, in order to ensure its well-functioning, as well as maintaining a security 237 and abuse standards (both being part of the substance and fundamental object of the contract). Thus, WhatsApp IE could rely on Article 6(1)(b) GDPR as a legal basis for such processing in principle. Further 238, the IE SA considers that it is not for an authority such as it, tasked with the enforcement of data protection law, to make assessments as to what will or will not make the performance of a contract possible or impossible. Instead, the general principles set out in the GDPR and explained by the EDPB in the Guidance must be applied. These principles should be applied on a case-by-case basis, and should be afforded more weight than generalised examples provided in the Guidance, which are helpful and instructive but are by no means absolute or conclusive.

3) The IE SA states that it is clear from the Terms of Service 239 that “any sharing with affiliated companies forms part of the general “improvements” that are carried out pursuant to Article 6(1)(b) GDPR” and “sharing of WhatsApp user data to Meta Companies takes place on a controller to processor basis only, there does not need to be a distinct legal basis supporting it (or assessment of this issue in the Inquiry)”. Moreover, in its view, there is not an explicit prohibition envisaged in Guidelines 2/2019 on Article 6(1)(b) GDPR related to the processing of personal data that is necessary to fulfil a contractual term that commits to improving the functionality, efficiency, etc. of an existing service. Further, the IE SA states that the core of the service, as outlined in the specific contract with the data subject, clearly includes those services. In its view, the processing is necessary to deliver the service offered (as set out in the Terms of Service).
161. The IE SA supports the conclusions made above by reference to the following:

162. The IE SA 240 begins by pointing out that it is important to distinguish between agreeing to a contract that might involve personal data processing, and the provision of consent to personal data processing specifically for legitimising the said data processing under the GDPR. It should also be noted that there are differences between the legal bases for processing under Article 6(1)(a) and (b) GDPR. The IE SA continues that in many such cases involving a contract between a consumer and an organisation, the lawful basis for processing of personal data is “the necessity for the performance of a contract” under Article 6(1)(b) GDPR.

236 Draft Decision, paragraph 4.33; Draft Decision Schedule, paragraphs 3.29, 3.30 and 3.31.
237 For the meaning of the term security, see paragraph 90 of this binding decision.
238 Draft Decision, paragraph 4.45.
239 Draft Decision, paragraph 4.33, as well as paragraphs 4.36 to 4.43.
240 Draft Decision, paragraphs 3.11 to 3.17.

163. The IE SA states that the GDPR does not set out any form of hierarchy of lawful bases that can be used for processing personal data, whether by reference to the categories of personal data or otherwise. Moreover, Article 7 GDPR (as relied on by the Complainant) concerns the conditions for consent and is relevant when considerations are made regarding whether particular criteria are met, in order to ensure that the consent is lawful. The aforementioned provision is not indicative of which lawful basis the controller has to rely on, but instead assists the latter to determine whether the conditions of validity are met. Therefore, the IE SA thus considers that Article 7 GDPR is not applicable to the subject matter raised by the Complainant.

164. The IE SA considers that no evidence was presented whatsoever by the Complainant that WhatsApp IE processes personal data for the purpose of advertising and that it relies on Article 6(1)(b) GDPR to do so 241.
In addition, the IE SA takes note that WhatsApp IE’s Terms of Service are not similar to the examples of situations, cited in the complaint, where Article 6(1)(b) GDPR does not apply, namely for advertising and sponsored consent. The IE SA concludes that arguments related to the applicability of Article 6(1)(b) GDPR for data processing that facilitates advertising, are not relevant.

165. In addition, as outlined in the Schedule to the Draft Decision 242, the assertions about WhatsApp IE’s alleged ability to infer religious views, sexual orientation, political views and health status are not backed with any evidence on the Complainant’s part. The IE SA concludes 243 that there is no evidence that WhatsApp IE processes special categories of personal data at all, thus the question of processing such data does not fall within the scope of the inquiry at all.

166. Moreover, according to the IE SA, it is evident from the Terms of Service 244 that any sharing with affiliated companies forms part of the general “improvements” that are carried out pursuant to Article 6(1)(b) GDPR, and so in reality any clear delineation between these two forms of processing would be artificial. It needs to be pointed out that one aspect of the aforementioned sharing is the possible reception of messages for the purposes of direct marketing and, in particular, “an offer for something that might interest” 245 the respective user.

167. The Complainant, however, argues 246 that such improvements and security features, as referenced, and the associated sharing of data with other Meta Companies (then Facebook Companies), is not necessary in order to deliver a messaging service, and that simply placing these terms in the contract does not make them necessary. Although those statements might be true, according to the IE SA it does not follow that fulfilling these terms is not necessary in order to fulfil the specific contract with WhatsApp IE. The IE SA adds that to do that, to use the language of the EDPB, it is necessary to consider “the nature of the service being offered to the data subject”.
6.1.2 Summary of the objections raised by the CSAs

168. The FI SA, FR SA and IT SA object to the conclusions reached by the IE SA in its Draft Decision, requesting the IE SA to further investigate the matters of behavioural advertising, special categories of personal data, the provision of metrics to third parties, including to companies belonging to the same group, and marketing.

241 Draft Decision, paragraph 4.8.
242 Schedule to Draft Decision, paragraphs 3.29 and 3.30.
243 Schedule to Draft Decision, paragraph 4.33.
244 Draft Decision, paragraphs 4.33 and 4.41.
245 Draft Decision, paragraph 2.11 (“Ways To Improve Our Services”).
246 Draft Decision, paragraph 4.36.

169. On behavioural advertising, in the FR SA’s view 24, the Draft Decision does not include an analysis for the applicable legal basis for the processing of personal data, related to behavioural advertising, as it considers that neither the Complainant, nor WhatsApp IE’s general Terms and Conditions provide any evidence that personal data are processed for that purpose. It also notes that this exclusion is not justified by other elements such as investigation reports or the sending of questionnaires by the IE SA. Moreover, the FR SA is of an opinion 248 that the IE SA should have carried out an investigation in order to verify whether or not the WhatsApp IE processes personal data for the purposes of behavioural advertising.

170. On special categories of personal data, the FR SA argues 249 that the Draft Decision does not pronounce on the lawfulness ground that is applicable with regard to the processing of special categories of personal data, even though the complaint does. In addition, together with examining whether the conditions are met in the present case for the processing of special categories of personal data pursuant to Article 9(2) GDPR, the IE SA should have carried out the investigations necessary, in order to verify whether such processing is actually taking place.
171. The IT SA opines 250 that the processing of special categories of personal data relating to users that participate in chats with business users relying on a third-party provider (which might be WhatsApp IE’s controlling company Meta) should have been identified as a specific processing activity to be assessed and evaluated separately by the IE SA. In addition, the IT SA considers that no in-depth assessment has been carried out in this regard, but instead that the IE SA simply endorses WhatsApp IE’s statement that all communications are encrypted.

172. On the provision of metrics to third parties, including to affiliated companies, the FR SA argues that the Draft Decision 251 does not pronounce on the applicable legal basis for such processing, despite mentioned initially in the complaint. It continues that the IE SA has not defined which activities are covered under such processing. Therefore, the FR SA requests the IE SA to complete its Draft Decision in this regard. In addition, the FR SA requests that the conditions for the application of the other legal bases mentioned in Article 6 GDPR, namely consent, contract and legitimate interest are examined, as well. Hence, the FR SA considers, that WhatsApp IE cannot rely on the aforementioned legal bases for processing for the purposes provision of metrics to third parties.

173. The IT SA notes 252 that the arguments put forward by the IE SA regarding the joint assessment of processing for service improvement purposes and the exchange of data with affiliated companies, is neither convincing, nor exhaustive.
The IT SA is of the view that the IE SA should have identified and separately assessed the processing activities in question without “pooling” them into the service improvement category. Moreover, the exact wording used in WhatsApp IE’s Terms of Service includes “affiliated companies”, “partners” and “service providers”, which are, in the IT SA’s view, unspecified, meaning that the exchange of personal data between them could “hardly fall within the intra-group communications between WhatsApp and the other Meta companies and could be legitimised as a controller-processor relationship.” The IT SA argues that the IE SA could have identified and separately assessed the legal basis for the said exchange of data with partners and third-party service providers. In addition, in the light of the complaint, the IT SA notes that data are exchanged with affiliated companies not only for service improvement purposes, but also for unspecified ones, related to the management and provision of the WhatsApp services. The IT SA stresses on the need for further investigation on this matter.

247 FR SA’s Objection, paragraph 6.
248 FR SA’s Objection, paragraph 7.
249 FR SA’s Objection, paragraph 33.
250 IT SA’s Objection, paragraph 3.a.
251 FR SA’s Objection, paragraphs 35 to 45.
252 IT SA’s Objection, paragraph 3.b.

174. On marketing, the FI SA takes note 253 that the Draft Decision contains conclusions that WhatsApp IE may rely on Article 6(1)(b) GDPR as a legal basis in the context of its Terms of Service and, more precisely, for the processing for the purposes set out there, including marketing. Further, the FI SA opines that an assessment is needed in order to determine whether WhatsApp IE has a relevant legal basis for processing personal data for marketing purposes 254. The FI SA argues that, provided that there is an indication in WhatsApp IE’s Terms of Service that a user might receive marketing messages, the IE SA should have carried out an investigation in this regard 25.
6.1.3 Position of the LSA on the objections

175. The IE SA states that it does not propose to “follow” 256 the objections raised by the CSAs.

176. In the light of the suggestions made by some of the CSAs 257 that the scope of the inquiry ought to have considered additional factual matters, such as behavioural advertising, the IE SA notes that a complaint-based inquiry has been conducted. The IE SA considers that a requirement, from a CSA, to amend the Draft Decision in order to include findings of infringement(s) that fall outside of the scope of the complaint would constrain its ability to adopt its final decision. Moreover, the IE SA stresses out that WhatsApp IE has already been informed about the scope of the complaint. The IE SA notes, in this regard, that the right to be heard is exercised in response to a particularized allegation of wrongdoing, and WhatsApp IE was not informed of an allegation of infringement relating to these additional matters 258. In the IE SA’s opinion, an amendment would prevent the controller’s right to a fair procedure and hinder its right to be heard.

177. With regard to the processing of special categories of personal data and the assessment made by the IE SA, the latter concludes that the reference to such processing by WhatsApp IE must be read as an element of the Complainant’s fundamental allegation (i.e. that the agreement to the Terms of Service was a form of GDPR consent to processing of personal data, including consent to the processing of special categories of data). In circumstances, where the scope of the inquiry has addressed the fundamental issue of principle on which the complaint depends, the IE SA is satisfied that it is not necessary to also conduct an indiscriminate and open-ended assessment of the processing by WhatsApp IE that may otherwise fall within the scope of Article 9 GDPR.
178. Moreover, regarding the statements made by the FR SA 259, the IE SA contends that it is unclear of the basis on which the former makes its assumptions, and adds that the matter has already been considered in the Schedule to the Draft Decision.

179. In addition, having conducted an assessment of the core functions of WhatsApp IE’s Terms of Service, the IE SA concludes that the nature of the WhatsApp services offered includes regular service improvement as an aspect of the agreement concluded between WhatsApp IE and the respective user, thus the basis of the processing is to be regarded as necessary for the performance of the contract 260. However, the IE SA further notes 261, contracts may include aspects of performance which are optional or contingent. For example, most of the processing carried out by WhatsApp IE, which relates to communication between users is optional for users, as a user is not obliged to send messages to other users (for example). Such processing is nevertheless directly linked to the core “messaging service” function; it would appear to be uncontroversial that such processing is necessary for the performance of the Terms of Service, as a type of mutually expected processing. At the same time, this processing is optional and not indispensable, and the Terms of Service can otherwise be performed without any messages being sent by a user. According to the IE SA, this reflects the fact the Article 6(1)(b) GDPR is not limited to aspects of contractual performance which are expressly mandatory and unconditional obligations of the parties.

25 FI SA’s Objection, paragraph 3.
254 FI SA’s Objection, paragraph 9.
25 FI SA’s Objection, paragraph 10.
25 Composite Response, paragraph 36.
25 Composite Response, paragraphs 28 to 30.
25 Composite Response, paragraphs 30-35.
259 Composite Response, paragraph 34 (“No consideration of Article 9 GDPR is present in the Draft Decision.”).
180. Regarding the issue 262 related to WhatsApp IE’s controllership and its relationship with the other Meta companies, and the degree of investigation carried out, the IE SA contends that it “has nothing further to add in this regard”.

26 Composite Response, paragraphs 57 and 59.
261 Composite Response, paragraph 61.
26 Composite Response, paragraphs 84 and 85.

6.1.4 Analysis of the EDPB

6.1.4.1 Assessment of whether the objections were relevant and reasoned

181. In this section, the EDPB considers whether the objections raised by the FI SA, FR SA and IT SA, regarding the need for a further investigation, meet the threshold of Article 4(24) GDPR.

182. WhatsApp IE considers that the objections made by the aforementioned CSAs are without merit.

183. In essence, WhatsApp IE argues that the FR SA’s objection raises concerns with regard to behavioural advertising that are not connected to any factual content and do not have any merit, because, as confirmed before to the IE SA, WhatsApp IE does not engage in such processing 263. Moreover, WhatsApp IE considers 264 that the IE SA appropriately addressed this matter in its Draft Decision, given the vague nature of the complaint, the misconceptions regarding WhatsApp services, and the lack of evidence that such processing is taking place. WhatsApp IE that no factual or legal arguments are put forward by the FR SA.

184. Furthermore, the EDPB takes note of WhatsApp IE’s position on the objection raised by the FR SA with regard to the processing of special categories of data, according to which they are based on a “misunderstanding of the Defined Scope of Inquiry”, as well as the nature of the service offered and they “fail to take into account the investigations conducted by the [IE SA]” 5. Further, WhatsApp IE emphasises that it does not process special categories of data in the course of providing the WhatsApp services. Moreover, it is of the view 66 that the FR SA does not acknowledge that the processing in question has already been addressed by the IE SA in its Draft Decision, concluding that there is no
evidence that it was taking place and that it is irrelevant to the complaint and the inquiry. Thus, for WhatsApp IE, the FR SA’s objection raised is neither relevant, nor reasoned 267.

26 WhatsApp IE’s Article 65 Submissions, paragraph 4.27.
26 WhatsApp IE’s Article 65 Submissions, Annex 1, Section 1.a, paragraph 6.a.
26 WhatsApp IE’s Article 65 Submissions, paragraph 4.3.
266 WhatsApp IE’s Article 65 Submissions, Section 1.a, paragraph 6.g.

185. With regard to the FR SA’s objection 268 regarding the legal basis for provisions of metrics to third parties and the need for a further investigation, WhatsApp IE states that it does not rely on Article 6(1)(b) GDPR as a legal basis for the processing. Further, the processing for metrics purposes is carried out on a controller-to-processor basis in order to assist WhatsApp IE in processing what forms part “of the general ‘improvements’”. WhatsApp IE adds that there is no requirement present to have a distinct legal basis for such sharing. It states that “the provision of the WhatsApp Service does not involve any sharing of EU WhatsApp users’ personal data with other Meta Companies on a controller to controller basis” 269. Furthermore, WhatsApp IE argues that the IT SA’s objection on the investigation of further sharing carried out by WhatsApp IE with “unspecified partners and service providers” is not relevant to the issues investigated by the IE SA, nor does it have connection to the substance of the complaint or the Draft Decision. Moreover, WhatsApp IE considers that it is not clear what “exchange of data” was referred to by the IT SA and its relevance to the inquiry. Thus, WhatsApp IE opines that the IT SA’s objection should be rejected.

186. Finally, with regard to the FI SA’s objection 270, WhatsApp IE argues that the FI SA’s statement, regarding the reliance on Article 6(1)(b) GDPR for processing for marketing purposes is irrelevant and falls outside of the defined scope of the inquiry.
Further, WhatsApp IE points out that the specific reference to the Terms of Service is misunderstood, as it is related to potential marketing messages that users might receive from businesses that use the services offered by WhatsApp IE. Finally, WhatsApp IE considers that since businesses use WhatsApp Business API for exchanging messages (with their own terms and privacy policies), it is not the controller in respect of those processing operations.

***

187. As regards the objection of the FR SA, arguing that the IE SA did not analyse the applicable legal basis for the processing of personal data related to behavioural advertising, the EDPB establishes that it has a direct connection with the Draft Decision. The EDPB considers that the FR SA’s objection is relevant and, if followed, would lead to a different conclusion. It includes arguments on factual and legal mistakes in the IE SA’s Draft Decision that require amendments, for which it is considered reasoned. More specifically, the FR SA’s objection alleges that the IE SA should have carried out an investigation in order to verify whether or not WhatsApp IE processes personal data for the purposes of behavioural advertising.

188. As regards the risks posed by the Draft Decision, the EDPB takes note of the FR SA’s remark that the position of the IE SA would incur a risk for the fundamental rights and freedoms of data subjects, as well as the possibility that a controller could use the legal basis of the contract to process its users' data for targeted advertising purpose. The FR SA stresses out that such processing would be particularly massive and intrusive, thus that it is not in line with the provisions of the GDPR.
189. The EDPB considers that the objections raised by the FR SA and the IT SA with regard to the processing of special categories of personal data have a direct connection with the Draft Decision, as they refer (1) to the lack of conclusions with regard to the lawful ground applicable to the processing of such data, and (2) the rejection of the Complainant’s argument of the processing of such data by WhatsApp IE. Both are found to be relevant and, if followed would lead to a different conclusion since the IE SA would have to carry out further investigations in order to establish whether WhatsApp IE processes special categories of personal data, and if so, whether this is done in compliance with the conditions set forth in Article 9 GDPR.

267 WhatsApp IE’s Article 65 Submissions, paragraph 4.3.
268 WhatsApp IE’s Article 65 Submissions, paragraphs 4.15 to 4.16.
269 WhatsApp IE’s Article 65 Submissions, paragraph 4.17.
270 WhatsApp IE’s Article 65 Submissions, Annex 1, Section 3.a, paragraph 2.b.

190. The EDPB notes that both objections argue on factual and legal mistakes in the Draft Decision that would require amendments, thus they are both reasoned. According to the FR SA, the IE SA’s reasoning is not consistent, as the latter has not considered the matter related to the lawful ground for the processing of special categories of personal data, nor evaluated its compliance with Article 9(2) GDPR, thus the IE SA shall carry out the necessary investigations. As for the IT SA’s arguments, the EDPB notes that no in-depth assessment was conducted by the IE SA regarding the allegations made by the Complainant that WhatsApp IE processes special categories of personal data, and instead simply endorsed WhatsApp IE’s argument that all communications are encrypted.
191. In the Draft Decision, the EDPB identifies, as previously asserted by the FR SA and the IT SA, risks for the fundamental rights and freedoms of the data subjects, with concrete examples of targeted and behavioural advertising given, that would hinder the users’ ability to have control over their data, thus the FR SA’s and IT SA’s objections are considered reasoned.

192. Taking into account the objection raised by the FR SA concerning the legal basis for the provision of metrics to third parties, the EDPB considers that it has a direct connection to the Draft Decision, because it reflects on the fact that the IE SA does not define what the processing for provision of metrics to third parties covers, and does not pronounce itself on the legal basis applicable to such processing (including sharing between companies within the same group), even though initially mentioned in the latter. The objection is relevant, because if it were followed, different conclusions would be reached regarding the conditions under which WhatsApp IE collects consent of data subjects for the processing of their personal data for provision of metrics to third parties.

193. The EDPB notes that the FR SA puts forward arguments regarding factual and legal mistakes that relate to the legal basis applicable to the provisions of metrics to third parties, and regarding the lack of definition of what the aforementioned processing entails. For these reasons, the FR SA’s objection is considered reasoned.

194. As regards the risks posed by the Draft Decision, the EDPB takes note of the FR SA’s remark that the Draft Decision would be detrimental for the fundamental rights and freedoms of data subjects, as the only information provided by the IE SA does not amount to any assessment.

195. An objection is raised by the IT SA with regard to the exchange of personal data with affiliated companies.
The EDPB is of the view that it has a direct connection to the Draft Decision, as the latter only covers two purposes of processing, namely this of service improvement and security, out of those raised by the Complainant, hence lacks an assessment of the exchange of data between WhatsApp IE and its affiliated companies. The EDPB considers the IT SA’s objection to be relevant, because, if followed, it would lead to different conclusions in the Draft Decision, regarding the assessment related to the core functions of the contract and the exchange of data with affiliated companies.

196. As regards to the risks posed to the fundamental rights and freedoms of data subjects, the EDPB takes note of the IT SA’s remarks that if the Draft Decision is left unchanged, it would lead to a severe infringement of the users’ right to self-determine the processing of their sensitive personal data, as also related to the exchange of data with affiliated companies and, thus, it would prevent the users to have control over their data.

197. The EDPB notes that the IT SA’s objection includes clarifications and arguments on factual and legal mistakes, namely the failure of the IE SA to conduct investigations with regard to the exchange of data with affiliated companies not only for service improvement purposes, but also for unspecified ones, related to the management and the overall provision of the service.

198. Finally, the EDPB considers that the objection raised by the FI SA, with regard to the processing of personal data for the purposes of marketing, has a direct connection with the Draft Decision, as it reflects on the fact that the IE SA concludes that there is no evidence of processing related to marketing. The FI SA’s objection is considered relevant, as if followed it would lead to a different conclusion regarding the legal basis, namely this of Article 6(1)(b) GDPR for processing of personal data for marketing purposes.
199. The FI SA puts forward arguments regarding the factual and legal mistakes made by the IE SA, relating to the legal basis for processing of personal data and the possibility for the respective WhatsApp IE users to receive marketing messages. For these reasons, the FI SA’s objection is considered reasoned.

200. As regards to the risks posed by the Draft Decision to the fundamental rights and freedoms of the data subjects, the EDPB takes note of the FI SA’s remark that it would incur a risk for data subjects and, more precisely, their unawareness of the processing and, as a consequence, their subsequent inability to have control over the processing of their personal data. Moreover, the EDPB considers that this could lead to undermining their fundamental right of protection of their personal data.

6.1.4.2 Assessment on the merits

201. In accordance with Article 65(1)(a) GDPR, in the context of a dispute resolution procedure, the EDPB shall take a binding decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether there is an infringement of the GDPR.

202. The EDPB considers that the objections found to be relevant and reasoned in this subsection require an assessment of whether the Draft Decision needs to be changed, as they conclude that the IE SA has not carried out enough investigation as to the applicable legal basis for WhatsApp IE’s processing operations (a) for the purposes of behavioural advertising, (b) involving special categories of personal data pursuant to Article 9 GDPR, (c) for provision of metrics to third parties and (d) for the exchange of data with affiliated companies for the purposes of service improvements and (e) for the purposes of marketing. When assessing the merits of the objections raised, the EDPB also takes into account WhatsApp IE’s position on the objections.

203. In its submissions, WhatsApp IE supports the conclusions made by the IE SA that no further investigation is needed as regards the aforementioned issues raised.
204. With regard to behavioural advertising, WhatsApp IE states that it does not engage in such processing, which fact was subsequently “appropriately addressed” 271 by the IE SA in its Draft Decision.

205. As for the special categories of personal data 272, WhatsApp IE contends that it does not process such data in the course of providing the WhatsApp IE services. Moreover, the processing in question has already been addressed by the IE SA in its Draft Decision, concluding that there is no evidence that it is taking place and that it is irrelevant to the complaint and the inquiry.

271 WhatsApp IE’s Article 65 Submissions, Annex 1, Section 1.a, paragraph 6.a, as well as paragraph 4.27 idem.
272 WhatsApp IE’s Article 65 Submissions, Annex 1, Section 1.a, paragraph 6.g.

206. Moreover, WhatsApp IE argues that it does not rely on Article 6(1)(b) GDPR as a legal basis for processing for the provision of metrics to third parties 273. Further, such processing is carried out on a controller-to-processor basis in order to assist WhatsApp IE in processing that forms part “of the general improvements”. WhatsApp IE adds that there is no requirement to have a distinct legal basis for such sharing. It states that “the provision of the WhatsApp Service does not involve any sharing of EU WhatsApp users’ personal data with other Meta Companies on a controller to controller basis”. Furthermore, WhatsApp IE opines that the matter of further sharing 274 with “unspecified partners and service providers” is not relevant to the issues investigated by the IE SA, nor does it have connection to the substance of the complaint or the Draft Decision.

207. Finally, with regard to the processing for the purposes of direct marketing, WhatsApp IE argues 275 that it is irrelevant and falls outside of the defined scope of the inquiry.
208. The IE SA argues 276 that it would have been infeasible, hypothetical, and contrary to the complaint within the meaning of Article 77 GDPR to undertake an assessment of all discrete processing operations associated generally with the WhatsApp IE’s Terms of Service, including whether WhatsApp IE processes special categories of personal data in this context and whether the sharing of data with third parties specifically is lawful, as well as the additional matters concerning WhatsApp IE, in order to conclude an investigation of the complaint. In relation to the processing of Article 9 GDPR categories of personal data, the IE SA considers that the inquiry has addressed the fundamental issue of principle on which the complaint depends, and this makes it unnecessary to conduct an indiscriminate and open-ended assessment of processing falling within the scope of this Article or the ePrivacy Directive 277.

209. Moreover, the IE SA considers that there is no evidence for the assertion that WhatsApp IE is processing personal data, that facilitates the inferring of special categories of personal data, pertaining to religious views, sexual orientation, political views and health status. Further, as stated, no evidence is presented in this regard at all, thus a conclusion is made that the processing of special categories of personal data, pursuant to Article 9 GDPR consent does not fall within the scope of the complaint and is thus irrelevant. The Complainant considers the agreement to the Privacy Policy and the Terms of Service to be an alleged consent to data processing operations designated in those documents. This also includes the aforementioned data processing operations and the respective purposes, thus the EDPB considers that those processing operations are within the scope of the complaint.
210. In addition and taking into account the previous paragraph, the IE SA 278 warns the CSAs on the legal risks derived from asking through the objections to expand the material scope of the inquiry and thus cover infringements outside of the complaint (namely the processing of special categories of personal data, question of location data, factual investigations into the presence of behavioural advertising, sharing with third parties) and the Draft Decision that the IE SA has not investigated (pursuant to its own decision to limit the scope of the inquiry) and put to WhatsApp IE as an allegation of wrongdoing 279.

273 WhatsApp IE’s Article 65 Submissions, paragraphs 4.15 and 4.16.
27 WhatsApp IE’s Article 65 Submissions, paragraph 4.17.
27 WhatsApp IE’s Article 65 Submissions, Annex 1, Section 3.a, paragraph 2.b.
27 Composite Response, paragraph 22.
27 Composite Response, paragraph 27.
278 Composite Response, paragraph 28.
27 Composite Response, paragraphs 29 and 31.

211. The EDPB notes that the complaint reiterates the confusion of WhatsApp IE’s users over whether it processes personal data for the purposes of behavioural advertising, which of the users’ special categories of personal data are processed and for which purposes, the provision of metrics to third parties and the exchange of data with affiliated companies and on which basis, as well as for the processing of personal data for the purposes of marketing.

212. WhatsApp IE’s Terms of Service note in general terms “WhatsApp works with partners, service providers, and affiliated companies to help us provide ways for you to connect with their services. We use the information we receive from them to help operate, provide, and improve our Services”; “WhatsApp uses the information it has and also works with partners, service providers, and affiliated companies to do this” and in the matter of sharing data with affiliated companies: “We are part of the Facebook Companies.
As part of the Facebook Companies, WhatsApp receives information from, and shares information with, the Facebook Companies as described in WhatsApp's Privacy Policy”.

213. The Terms of Service make up the entire agreement, and include a reference to two separate documents: WhatsApp IE’s Privacy Policy and to the Meta Companies. WhatsApp IE’s Privacy Policy states that “The types of information we receive and collect depend on how you use our Services. We require certain of Your Account Information in accordance with our Terms to deliver our Services and without this we will not be able to provide our Services to you.” With regard to sharing information with third parties, the Privacy Policy states that “You share your information as you use and communicate through our Services, and we share your information to help us operate, provide, improve, understand, customise and support our Services”. Further, the document itself does not make any references whatsoever for the processing of data for the purposes of behavioural advertising, or the processing of special categories of data pursuant to Article 9 GDPR. As for the provision of metrics to third parties and the exchange of data with affiliated companies, as well as the processing of personal data for the purposes of marketing, the Privacy Policy does not elaborate further on that matter.

214. The CJEU asserted recently that the purpose of Article 9(1) GDPR is to ensure an enhanced protection of data subjects for processing, which, because of a particular sensitivity of the personal data processed, is liable to constitute a particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, guaranteed by Articles 7 and 8 of the Charter 28. The CJEU adopts a wide interpretation of the terms “special categories of personal data” and “sensitive data” that includes data liable indirectly to reveal sensitive information concerning a natural person 281.
Advocate General Rantos reiterates the importance for the protection of data subjects of Article 9 GDPR and applies the same interpretation to the potential data processing in the WhatsApp services for behavioural advertising by stating that “the prohibition on processing sensitive personal data may include the processing of data carried out by an operator of an online social network consisting in the collection of a user’s data when he or she visits other websites or apps or enters such data into them, the linking of such data to the user account on the social network and the use of such data, provided that the information processed, considered in isolation or aggregated, make it possible to profile users on the basis of the categories that emerge from the listing in that provision of types of sensitive personal data.”

28 Vyriausioji tarnybinės etikos komisija (Case C-184/20, judgment delivered on 1 August 2022), ECLI:EU:C:2022:601, § 126.
28 Vyriausioji tarnybinės etikos komisija (Case C-184/20, judgment delivered on 1 August 2022), ECLI:EU:C:2022:601, § 127.

215. Therefore, the GDPR and the case-law pay especial attention to the processing or the potential processing of special categories of personal data under Article 9 GDPR to ensure the protection of the data subjects. In this connection, the Complainant alleges in its complaint, among others, a violation of Article 9 GDPR and expressly requests the IE SA to investigate WhatsApp IE’s processing operations covered by this provision. In a subsequent submission on the preliminary Draft Decision, the Complainant criticises the scope that the IE SA decided to give to the complaint and its lack of investigation of WhatsApp IE’s processing activities and alleges that the IE SA failed to give due consideration to processing under Article 9 GDPR and other cases in which it relies on consent.
216. In the present case, the IE SA did not carry out any investigation, regarding (a) the legal basis for WhatsApp IE’s processing operations for the purposes of behavioural advertising, (b) the applicable legal basis for processing special categories of personal data, pursuant to Article 9 GDPR, (c) the applicable legal basis for provision of metrics to third parties and (d) the exchange of data with affiliated companies for the purposes of service improvements and (e) the processing of personal data for the marketing purposes. The IE SA categorically concludes that no further investigation is needed with regard to these issues.

217. By failing to investigate, further to the complaint, the processing of special categories of personal data by WhatsApp IE, the IE SA leaves unaddressed the risks this processing poses for the Complainant and for WhatsApp IE’s users in general. First, there is the risk that the Complainant’s special categories of personal data are potentially processed by WhatsApp IE to build intimate profiles of them for the purposes of behavioural advertising without a legal basis and in a manner not compliant with the GDPR and in particular the strict requirements of Articles 7 and Article 9(2) GDPR. Second, there is also the risk that WhatsApp IE does not consider certain categories of personal data it potentially processes, as special or sensitive categories of personal data in line with the GDPR and the CJEU case-law and treats them accordingly. Third, the Complainant and other WhatsApp IE’s users, whose sensitive data are potentially processed may be deprived of certain special safeguards derived from the use of consent, such as the possibility to specifically consent to certain processing operations and not to others and to the further processing of personal data under Article 6(4) GDPR; the freedom to withdraw consent, pursuant to Article 7 GDPR, and the subsequent right to be forgotten.
Fourth, given the size and the number of users of WhatsApp IE in the social media market, leaving unaddressed the current ambiguity in the processing of special categories of personal data, and its limited transparency of WhatsApp IE vis-à-vis data subjects, may set a precedent for controllers to operate in the same manner and create legal uncertainty, hampering the free flow of personal data within the EU.

218. The EDPB further considers, also in view of these risks to the Complainant and WhatsApp IE’s users, that the IE SA did not handle the complaint with all due diligence. The EDPB considers the lack of any further investigation into the legal basis for WhatsApp IE’s processing operations for the purposes of behavioural advertising, the potential processing of special categories of personal data, applicable legal basis for provision of metrics to third parties and the exchange of data with affiliated companies for the purposes of service improvements, as well as the processing of personal data for the purposes of marketing as an omission, and – in the present case – finds it relevant that the Complainant alleged infringements of Article 9 in the complaint.

219. The EDPB contends that in the present case, the IE SA should have verified on the basis of the contract and the data processing actually carried out on which legal bases each data processing operation in question relies.

220. The EDPB also highlights that by having excessively limited the scope of its inquiry despite the scope of the complaint in this cross-border case and systematically considering the majority of the objections raised by the CSAs not relevant and reasoned and thus denying their formal admissibility, the IE SA as LSA in this case, constrains the capacity of CSAs to act and tackle the risks to data subjects in sincere and effective cooperation.
As ruled by the CJEU, the SA must exercise its competence within a framework of close cooperation with other supervisory authorities concerned and cannot “eschew essential dialogue with and sincere and effective cooperation with the other supervisory authorities concerned”. The limited scope that the IE SA gave to the inquiry also impairs the EDPB’s capacity to conclude on the matter pursuant to Article 65 GDPR and thus ensure a consistent application of EU data protection law, despite the fact that the complaint covered these aspects and was introduced more than four years ago.

221. As a result of the limited scope of the inquiry and lack of assessment by the IE SA in the Draft Decision, the EDPB does not have sufficient factual evidence on WhatsApp IE’s processing operations to enable it to make a finding on any possible infringement by WhatsApp IE of its obligations under Article 9 GDPR and other relevant GDPR provisions.

222. The EDPB decides that the IE SA shall carry out an investigation into WhatsApp IE’s processing operations in its service in order to determine if it processes special categories of personal data (Article 9 GDPR), processes data for the purposes of behavioural advertising, for marketing purposes, as well as for the provision of metrics to third parties and the exchange of data with affiliated companies for the purposes of service improvements, and in order to determine if it complies with the relevant obligations under the GDPR. Based on the results of that investigation and the findings, the IE SA shall issue a new Draft Decision in accordance with Article 60(3) GDPR.

7 ON CORRECTIVE MEASURES OTHER THAN ADMINISTRATIVE FINES

7.1 Analysis by the IE SA in the Draft Decision

223. According to the Draft Decision, the IE SA concludes that the Complainant’s case is not made out that the GDPR does not permit the reliance by WhatsApp IE on Article 6(1)(b) GDPR in the context of its offering of Terms of Service [282].
Therefore, without finding any infringement of this legal basis, the IE SA was not in a position to consider the application of its corrective powers as provided for in Article 58(2) GDPR.

224. Regarding the provision of necessary information relating to WhatsApp IE’s legal basis for processing pursuant to acceptance of the Terms of Service and whether the information set out was in a transparent manner, the IE SA recalled that it found infringements in this regard in a previous own-volition inquiry and exercised a number of corrective powers in response, including an administrative fine and an order to bring the WhatsApp IE’s Privacy Policy into compliance [283].

7.2 Summary of the objections raised by the CSAs

225. The NO SA objects to the IE SA’s finding by stating that WhatsApp IE cannot rely on Article 6(1)(b) GDPR as a legal basis for processing in the context of service improvements and security features [284]. As a consequence resulting from the finding of such infringement, the NO SA requests the IE SA to exercise corrective powers under Article 58(2) GDPR accordingly, by ordering WhatsApp IE to delete personal data that has been unlawfully processed under the erroneous assumption that it could be based on Article 6(1)(b) GDPR unless those data were also collected for other purposes with a valid legal basis, and by imposing an administrative fine against WhatsApp IE for unlawfully processing personal data in the context of service improvements and security features, erroneously relying on Article 6(1)(b) GDPR, as that legal basis was not applicable in this case [285].

[282] Draft Decision, Issue 2.
[283] Draft Decision, paragraph 5.9 and last row of the table in p. 38.
[284] NO SA Objection, p. 1, Introductory remarks, paragraph 3.

226. The DE SAs object to the IE SA’s finding by stating that the IE SA should find that WhatsApp IE has breached the Article 5(1)(a) and Article 6(1) GDPR. As a consequence resulting from the finding of such infringements, the DE SAs request the IE SA to impose a temporary or definitive limitation of the respective processing without legal basis in accordance with Article 58(2)(f) GDPR, namely, the erasure of unlawfully processed personal data and the ban of the processing of data until a valid legal basis is in place [286].

227. The FI SA objects to the IE SA’s finding by stating that the IE SA should find an infringement of Article 6(1) GDPR, notably because the FI SA is of the opinion that WhatsApp IE cannot rely on Article 6(1)(b) GDPR for all the processing operations set out in the Terms of Service, such as marketing, service improvements and security purposes [287]. As a consequence resulting from the finding of such infringement, the FI SA requests the IE SA to make use of its corrective power accordingly, pursuant to Article 58(2) GDPR [288]. In order to do so, the FI SA is of the opinion that the IE SA should at least order WhatsApp IE to bring its processing operations into compliance with the provisions of Article 6(1) GDPR with respect to the processing of marketing, service improvements and security for which WhatsApp IE relied upon Article 6(1)(b) GDPR and consider imposing an administrative fine pursuant to Article 83 GDPR [289].

7.3 Position of the IE SA on the objections

228. The IE SA is of the opinion that since it does not follow the objections raised on the infringements matters, it results that the IE SA does not follow the related objections on the corrective measures either [290]. The IE SA also does not consider the objections to be relevant and/or reasoned.

7.4 Analysis of the EDPB

7.4.1 Assessment of whether the objections were relevant and reasoned

229. The objections raised by the NO SA, DE SAs and FI SA concern “whether the action envisaged in the Draft Decision complies with the GDPR” [291].

230. As stated and analysed above in Subsection 4.4.1, the EDPB finds the NO SA and DE SA objections on the subject of corrective measures pursuant to Article 58(2) GDPR relevant but not reasoned [292].

231. Regarding the FI SA’s objection, WhatsApp IE considers it not relevant because it is based on an objection pertaining to a mistaken allegation of infringement of Article 6(1) GDPR [293] and which does not satisfy the thresholds and lacks of merit [294]. The EDPB does not follow WhatsApp IE’s position as it analyses and concludes in Subsection 4.4.1 above that the objection of the FI SA on the finding of an infringement of Article 6 GDPR or more specifically Article 6(1)(b) GDPR, on which the FI SA request of corrective measures is based, is relevant and reasoned.

[285] NO SA Objection, p. 8-9, Envisaged outcome of the RRO, second bullet point.
[286] DE SA Objection, p. 8, d. Envisaged result of the objection.
[287] FI SA Objection, paragraph 36.
[288] FI SA Objection, paragraph 36.
[289] FI SA Objection, paragraph 36.
[290] WhatsApp IE's Article 65 Submissions, paragraph 80.
[291] EDPB Guidelines on RRO, paragraph 32.
[292] Paragraphs 75, 80, 86 and 87 above.
[293] WhatsApp IE's Article 65 Submissions, table p. 96, section A, paragraph 3.

232. The FI SA’s objection arguing that the IE SA should, in application of Article 58(2) GDPR, at least order WhatsApp IE to bring its processing operations into compliance with the provisions of Article 6(1) GDPR with respect to the processing of marketing, service improvements and security for which WhatsApp IE relied upon Article 6(1)(b) GDPR and consider imposing an administrative fine pursuant to Article 83 GDPR, is linked to the IE SA’s Finding 2 of its Draft Decision with regard to Article 6(1)(b) GDPR. Therefore, the FI SA objection is directly connected with the substance of the Draft Decision and if followed, would lead to a different conclusion, namely a change of this Finding 2 as well as the imposition of corrective measures.

233. Thus, the EDPB considers that the FI SA objection is relevant.

234. In terms of arguments clarifying why the amendment of the Draft Decision requested by the FI SA is proposed, the FI SA firstly argues that if the IE SA does not make use of its corrective powers, there is a danger that WhatsApp IE continues to unlawfully process personal data on the foot of Article 6(1)(b) GDPR for processing operations such as marketing, service improvements and security, and that WhatsApp IE continues to undermine or bypass data protection principles [295].

235. Secondly, the FI SA argues that because WhatsApp IE cannot rely on Article 6(1)(b) GDPR for all processing operations set out in its Terms of Service, this inevitably leads to the conclusion that corrective powers must be exercised in order to bring the processing operations of WhatsApp IE in line with the GDPR [296].

236. Thirdly, the FI SA relies on the ruling of the CJEU C-311/18 Schrems II [297] to argue that when an infringement is found, the supervisory authority must take appropriate action in order to remedy any findings of inadequacy and therefore the FI SA is of the opinion that the IE SA must exercise appropriate and necessary corrective powers [298].

237. Finally, according to the FI SA, the IE SA must exercise appropriate and necessary corrective powers and must take into account the nature and severity of the abovementioned infringement since the FI SA is of the opinion that this infringement cannot be consider as minor [299].

238. In terms of the significance of the risks posed by the Draft Decision, the FI SA argues that the absence of appropriate and necessary corrective powers would amount to a dangerous precedent, sending a deceiving message to the market and to data subjects, and would also endanger the fundamental rights and freedoms of data subjects whose personal data are and will be processed by the WhatsApp IE [300].

239. In addition, the FI SA argues that if WhatsApp IE could continue to rely on Article 6(1)(b) GDPR, the data subjects would not have the possibility to control the processing of their personal data, while the right to monitor the processing of personal data is an important principle of the GDPR. [301]

[294] WhatsApp IE's Article 65 Submissions, table p. 96, section A, paragraph 4.
[295] FI SA Objection, paragraph 37.
[296] FI SA Objection, paragraph 40.
[297] C-311/18 Schrems II, paragraph 111.
[298] FI SA Objection, paragraphs 41-42.
[299] FI SA Objection, paragraphs 42-43.
[300] FI SA Objection, paragraph 45.
[301] FI SA Objection, paragraph 45.

240. The FI SA ends its argumentation by stating that the Draft Decision affects all the data subjects within the EEA. Therefore, the consequences of not making use of the corrective powers pursuant to Article 58(2) GDPR are vast [302].

241. WhatsApp IE considers that the FI SA objection cannot satisfy the significance of risk threshold, as it does not set out how the Draft Decision would pose a direct and significant risk to fundamental rights and freedoms, because it is based on a misunderstanding of the Draft Decision and the defined scope of inquiry [303]. WhatsApp IE also considers that contrary to the FI SA statement, the GDPR provides data subjects with a range of controls and rights over their personal data regardless of the legal bases relied on and therefore the Draft Decision does not pose a risk to data subjects’ fundamental rights and freedom [304]. Moreover, WhatsApp IE considers that the FI SA statement that the Draft Decision affects all the data subjects within the EEA and that therefore, the consequences of not making use of the corrective powers pursuant to Article 58(2) GDPR are vast, is based on unsubstantiated concerns and unsupported by any facts or legal reasoning or anything which was investigated in the inquiry [305].

242. Considering WhatsApp IE’s arguments, the EDPB understands that WhatsApp IE is challenging the substance of the FI SA objection instead of challenging its ability to clearly demonstrate the significance of the risks posed by the Draft Decision [306]. Therefore, the EDPB considers these arguments not applicable to assess whether the FI SA’s objection is reasoned.

243. As the FI SA objection clearly demonstrates why an amendment of the Draft Decision is proposed and how this amendment would lead to a different conclusion as to whether the envisaged action in relation to WhatsApp IE complies with the GDPR, it clearly demonstrates a sound and substantiated reasoning and the significance of the risks posed by the Draft Decision.

244. Therefore, the EDPB considers the FI SA objection to be reasoned.

245. Considering the FI SA objection and the arguments brought forward by WhatsApp IE, the EDPB considers that the FI SA objection requesting corrective measures to be imposed according to Article 58(2) GDPR is relevant and reasoned pursuant to Article 4(24) GDPR.

7.4.2 Assessment on the merits

Preliminary matters

246. The EDPB considers that the FI SA objection found to be relevant and reasoned in Subsection 7.4.1 requires an assessment of whether the Draft Decision needs to be changed in respect of the corrective measures proposed. More specifically, the EDPB needs to assess whether the IE SA should impose an order on WhatsApp IE to bring its processing operations in compliance with the provisions of Article 6(1) GDPR with respect to the processing for marketing, service improvements and security for which WhatsApp IE relied upon Article 6(1)(b) GDPR and consider imposing an administrative fine pursuant to Article 83 GDPR, in application of Article 58(2) GDPR.

247. Any issue concerning the imposition of administrative fines is covered below in Section 8.

248. Concerning the issue of imposing corrective measures in respect of the alleged infringement of Article 6(1)(b) GDPR for processing personal data for marketing purpose raised by the FI SA and which was not part of the scope of the inquiry [307], it is appropriate to refer to the EDPB conclusion as stated above in Subsection 6.1.4.2, which notably states that the IE SA is instructed to launch an investigation into WhatsApp IE’s processing operations in its service in order to determine if it processes personal data for marketing purposes and in order to determine if it complies with the relevant obligations under the GDPR. In this situation where the possibility for WhatsApp IE to rely on Article 6(1)(b) GDPR for processing personal data for marketing purpose has not been investigated, there is no ground to further proceed in the assessment of the merits of the FI SA’s objection requesting to impose corrective measures for processing personal data for marketing purpose by unlawfully relying on Article 6(1)(b) GDPR.

[302] FI SA Objection, paragraph 46.
[303] WhatsApp IE's Article 65 Submissions, table p. 96, section A, paragraph 5.
[304] WhatsApp IE's Article 65 Submissions, table p. 96, section A, paragraph 6.
[305] WhatsApp IE's Article 65 Submissions, table p. 96, section A, paragraph 7.
[306] Guidelines on RRO, paragraph 18.
[307] Draft Decision, paragraph 4.8.

249. Conversely, concerning the issue of imposing corrective measures in respect of the alleged infringement of Article 6(1) GDPR for processing for other purposes stated in the FI SA’s objection, it is appropriate to refer to the EDPB conclusion as stated above in Subsection 4.4.2, which notably states that WhatsApp IE has infringed Article 6(1) GDPR by unlawfully processing the Complainant’s personal data, in particular by inappropriately relying on Article 6(1)(b) GDPR to process the Complainant’s [308] personal data for the purposes of service improvement and security features processing operations in the context of its Terms of Service. As a consequence, the EDPB further proceed in the assessment of the merits of these parts of the FI SA objection [309] and analyses whether an order to bring processing into compliance should be imposed.

250. When assessing the merits of the objection raised, the EDPB also takes into account WhatsApp IE’s position on the objection and its submissions and the findings in this Binding Decision.

251. It is also important to clarify the EDPB’s views in respect of its competence, in contrast to WhatsApp IE’s argument, which considers the EDPB is not competent to direct the IE SA to adopt specific corrective measures [310].

252. WhatsApp IE states “This is clear from the objection of the Finnish SA, which acknowledges that it is for the IE SA alone to decide which corrective measures are appropriate and necessary, citing Case C-311/18 (Schrems II), para 112” [311].

253. The EDPB finds that WhatsApp IE misunderstands the FI SA objection when it argues that it does acknowledge that it is for the IE SA alone to decide which corrective measures are appropriate and necessary, by citing paragraph 112 of the Judgement of the CJEU of 16 July 2020, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, C-311/18, ECLI:EU:C:2020:559, (hereinafter ‘C-311/18 Schrems II’).
In fact, the FI SA does no such thing: in its objection “The FI SA refers to the ruling of the CJEU C-311/18 where it was stated that if a supervisory authority takes the view that an infringement was found, the respective supervisory authority must take appropriate action in order to remedy any findings of inadequacy” [312] in order to support its conclusion, which states that because “WhatsApp cannot rely on Article 6(1)(b) for all processing operations set out in its Terms of Service. This inevitably leads into the conclusion that corrective powers must be exercised in order to bring the processing operations of WhatsApp in line with the GDPR” [313]. Thus, this statement by the FI SA seems to simply strengthen the need for appropriate corrective measures to be imposed.

254. Moreover, WhatsApp IE considers the IE SA has sole discretion to determine the appropriate corrective measures in the event of a finding of infringement [314].

[308] See paragraph 90 of this Binding Decision.
[309] FI SA Objection, paragraph 36.
[310] WhatsApp IE's Article 65 Submissions, paragraphs 8.6 to 8.11.
[311] WhatsApp IE's Article 65 Submissions, paragraph 8.9.
[312] FI SA Objection, paragraph 41.
[313] FI SA Objection, paragraph 40.
[314] WhatsApp IE's Article 65 Submissions, paragraphs 8.12 to 8.14.

255. WhatsApp IE considers that where a Draft Decision does not find an infringement and therefore proposes no corrective measures, there cannot be a dispute on corrective measures within the scope of Article 65 GDPR. WhatsApp IE argues that “should the EDPB find an infringement of Article 6(1)(b) GDPR, the appropriate course is for it to refer the matter back to the DPC, as IE SA, to determine whether to impose any appropriate corrective measures and, if so, what those corrective measures should be. Were the EDPB to do otherwise and direct the DPC to make a specific order in the terms proposed by certain Objections, it would exceed its competence under Article 65 GDPR” [315].

256. WhatsApp IE’s states that it is “a matter for the LSA to determine which (if any) corrective measures to order and to ensure that any order complies with all applicable procedural safeguards, including those provided for under national law, and is issued in accordance with due process and in circumstances where the controller has been afforded a right to be heard” [316].

257. WhatsApp IE also argues that “In the context of an inquiry relating to cross-border processing, the power to determine which measures are appropriate to exercise under the GDPR is a matter within the sole competence of the DPC as IE SA—not the EDPB” [317]. While WhatsApp IE acknowledges that “Article 65(1) GDPR allows the EDPB to consider reasoned objections concerning whether corrective measures envisaged by the IE SA comply with the GDPR”, it argues “it does not empower the EDPB to issue prescriptive instructions as to which (if any) of the corrective powers under Article 58 ought to be exercised” [318]. WhatsApp IE adds that “As noted in the EDPB Guidelines 03/2021 on the application of Article 65(1)(a) GDPR (‘Article 65 Guidelines’), at most, the EDPB can ‘instruct the IE SA to re-assess the envisaged action and change the draft decision in accordance with the binding decision of the EDPB’” [319].

258. According to the EDPB, the views of WhatsApp IE amount to a misunderstanding of the GDPR one-stop-shop mechanism and of the shared competences of the CSAs. While the EDPB agrees that the IE SA does act as ‘sole interlocutor’ of the controller or processor [320], this should not be understood as meaning it has ‘sole competence’ in a situation where the GDPR requires supervisory authorities to cooperate pursuant to Article 60 GDPR to achieve a consistent interpretation of the Regulation [321]. The fact that the IE SA will be the authority that can ultimately exercise the corrective powers listed in Article 58(2) GDPR cannot neither limit the role of the CSAs within the cooperation procedure nor the one of the EDPB in the consistency procedure [322].

259. Therefore, contrary to WhatsApp IE’s views, the consistency mechanism may also be used to promote a consistent application by the supervisory authorities of the corrective measures, taking into account the range of powers listed in Article 58(2) GDPR, when a relevant and reasoned objection questions the action(s) envisaged by the Draft Decision towards the controller or processor, or the absence thereof. More specifically, when raising an objection on the existing or missing corrective measure in the Draft Decision, the CSA should indicate which action it believes would be appropriate for the IE SA to undertake and include in the final decision.

260. As mentioned above, aside from the question of administrative fines tackled below in Section 8, the FI SA calls on the IE SA to use its corrective powers under Article 58(2) GDPR, by imposing an order on WhatsApp IE to bring its processing operations into compliance with the provisions of Article 6(1) GDPR with respect to the processing of service improvements and security for which WhatsApp IE relied upon Article 6(1)(b) GDPR.

[315] WhatsApp IE's Article 65 Submissions, paragraph 8.11.
[316] WhatsApp IE's Article 65 Submissions, paragraph 8.13.
[317] WhatsApp IE's Article 65 Submissions, paragraph 8.14.
[318] WhatsApp IE's Article 65 Submissions, paragraph 8.14.
[319] WhatsApp IE's Article 65 Submissions, paragraph 8.14.
[320] Article 56(6) GDPR.
[321] See Article 51(2), Article 60, Article 61(1) GDPR and the Judgement of the CJEU of 15 June 2021, Facebook Ireland Ltd and Others v Gegevensbeschermingsautoriteit, Case C-645/19, ECLI:EU:C:2021:483, (hereinafter ‘C-645/19 Facebook Ireland Ltd and Others’), paragraphs 53, 63, 68, 72.
[322] Articles 63 and 65 GDPR.

WhatsApp IE’s position on the objections and its submissions

261. WhatsApp IE considers that “Any corrective measures should be exercised in a manner consistent with the principles of proportionality” and “should not go beyond what is necessary to achieve the objective of ensuring compliance with the GDPR”, in particular in accordance with Recital 129 GDPR [323].

262. In addition, WhatsApp IE argues that “the EDPB cannot direct, nor can the DPC impose, a corrective order that would be prescriptive in specifying a legal basis on which WhatsApp Ireland must rely” [324].

263. Moreover, WhatsApp IE states that “WhatsApp Ireland can only be ordered to bring its processing into compliance by ensuring it has a valid legal basis for processing and must be afforded discretion as to how it achieves such compliance” [325].

264. Finally, WhatsApp IE argues that “There is no basis for the imposition of administrative fines” [326] and “it would be inappropriate, disproportionate, and unnecessary to impose an administrative fine” [327], as further developed by WhatsApp IE in Section 8.

EDPB’s assessment on the merits

265. In assessing the appropriate corrective measures to be applied, Article 58(2)(d) GDPR lists the following corrective measure: “order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period”.

266. According to recital 129 GDPR, every corrective measure applied by a supervisory authority under Article 58(2) GDPR should be “appropriate, necessary and proportionate in view of ensuring compliance with the Regulation” in light of the circumstances of each individual case. This highlights the need for the corrective measures and any exercise of powers by supervisory authorities to be tailored to the specific case. Recital 129 GDPR also provides that each measure should “respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken”. The measures chosen should provide consideration to ensuring that they do not create “superfluous costs” and “excessive inconveniences” for the persons concerned in light of the objective pursued.

267. Recital 148 GDPR shows the duty for supervisory authorities to impose corrective measures that are proportionate to the seriousness of the infringement.

268. The EDPB recalls that although the supervisory authority must determine which action is appropriate and necessary and take into consideration all the circumstances of the processing of personal data in question in that determination, the supervisory authority is nevertheless required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence [328].

[323] WhatsApp IE's Article 65 Submissions, paragraph 8.15.
[324] WhatsApp IE's Article 65 Submissions, paragraph 8.33.
[325] WhatsApp IE's Article 65 Submissions, paragraph 8.34.
[326] C-311/18 Schrems II, paragraph 112.
[327] C-311/18 Schrems II, paragraph 112.
[328] C-311/18 Schrems II, paragraph 112.

269. The EDPB agrees with the FI SA that “the infringement cannot be consider as minor” [329]. The EDPB reiterates that lawfulness of processing is one of the fundamental pillars of the data protection law and considers that processing of personal data without an appropriate legal basis is a clear and serious violation of the data subjects’ fundamental right to data protection. In addition, the infringement in the present case concerns a high number of data subjects [330] and a large amount of personal data.

270. Indeed, the EDPB agrees with the FI SA that “If the IE SA does not make use of their respective corrective powers, there is danger that WhatsApp continues to unlawfully process personal data on the foot of Article 6(1)(b) GDPR” for service improvement and security processing operations [331] and “there is a danger that WhatsApp continues to undermine or bypass” data protection principles [332]. In addition, failure to adopt any corrective measure in this case “would amount to a dangerous precedent, sending a deceiving message to the market and to data subjects, and would endanger the fundamental rights and freedoms of data subjects whose personal data are and will be processed by the controller”. [333]

271. As a consequence, the EDPB finds it appropriate for an order to bring processing into compliance to be imposed in this case (without prejudice to the additional conclusions in respect of the imposition of administrative fines available below in Section 8).

272. According to the EDPB, the deadline for compliance with the order should be reasonable and proportionate, in light of the potential for harms to the data subject rights and the resources available to the controller to achieve compliance [334].

273. Finally, the EDPB recalls that non-compliance with an order issued by a supervisory authority can be relevant both in terms of it being subject to administrative fines up to 20.000.000 euros or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year in line with Article 83(6) GDPR, and in terms of it being an aggravating factor for the imposition of administrative fines. [335] In addition, the investigative powers of supervisory authorities allow them to order the provision of all the information necessary for the performance of their tasks including the verification of compliance with one of their orders [336].

274. In light of the above, the EDPB instructs the IE SA to include in its final decision an order for WhatsApp IE to bring its processing of personal data for the purposes of service improvement and security features in the context of its Terms of Service into compliance with Article 6(1) GDPR in accordance with the conclusion reached by the EDPB [337] within a specified period of time [338].

[329] FI SA Objection, paragraph 43.
[330] FI SA Objection, paragraph 46: “the draft decision affects all the data subjects within the EEA. Therefore, the consequences of not making use of the corrective powers pursuant to Article 58(2) GDPR are vast”.
[331] FI SA Objection, paragraph 37.
[332] FI SA Objection, paragraph 37.
[333] FI SA Objection, paragraph 45.
[334] The EDPB recalls its Binding Decision 1/2021 adopted on 28 July 2021 where the EDPB was called to resolve a dispute pursuant to Article 65 GDPR concerning, among others, the appropriateness of the deadline for compliance suggested in the draft decision at stake. After highlighting the relevance of Recitals 129 as well as 148 GDPR for the imposition of corrective measures, the EDPB took into account the number of data subjects affected and the importance of the interest of affected data subjects in seeing the relevant provisions of the GDPR complied with in a short timeframe. While the EDPB also took note of the challenges highlighted by the controller, it found in that case that a compliance order with a three months’ timeframe could not be considered disproportionate considering the infringement as well as the type of organization, its size and the means (including inter alia financial resources but also legal expertise) available to it. Consequently, the EDPB instructed the LSA to amend the draft decision by reducing the deadline for compliance from six months to three months. EDPB Binding Decision 1/2021, paragraphs 254-263.
[335] Article 83(2)(i) GDPR.
[336] Article 58(1) GDPR.

8 ON THE IMPOSITION OF AN ADMINISTRATIVE FINE

8.1 Analysis by the LSA in the Draft Decision

275. The IE SA as LSA does not find any infringement in the Draft Decision, thus no corrective measures and, in particular, no administrative fine are foreseen. The IE SA points out that in the own-volition inquiry in relation to WhatsApp IE’s Privacy Policy (deemed as “WhatsApp Transparency Decision” by the IE SA) corrective measures and among them an administrative fine are included [339]. Moreover, as further clarified by the IE SA, no further examination or the issuance of further determination is needed, as the issues raised in the latter are consistent with the present case.

8.2 Summary of the objections raised by the CSAs

276. The FR SA, NO SA, DE SA and IT SA object to the IE SA’s failure to take action with respect to one or more specific infringements they deem should have been found and ask the IE SA to impose an administrative fine as a result of these infringements.

277. The FR SA objects to the absence of an administrative fine by the IE SA in its Draft Decision. Since a breach of Article 6 GDPR has been committed in the opinion of the FR SA, which in light of the serious character of this infringement should result in the imposition of an administrative fine. If further breaches were to be identified with regard to the processing related to behavioural advertising, provision of metrics to third parties and with the processing of special categories of personal data, they should be taken into account by the IE SA when defining the amount of the administrative fine [340]. The FR SA therefore asks the IE SA to impose an administrative fine.

278. The NO SA and DE SA also argue that the IE SA should take concrete corrective measures against WhatsApp IE in relation to the additional infringement of Article 6(1) GDPR or Article 6(1)(b) GDPR, including to impose an administrative fine [341].

279. The IT SA argues that there should be an administrative fine following the finding of an infringement of Article 5(1)(a) GDPR [342], and of Article 5(1)(b) and (c) GDPR [343]. The IT SA argues that WhatsApp IE has failed to comply with the general principle of fairness under Article 5(1)(a) GDPR, which, in the view of the IT SA, entails separate requirements from those relating specifically to transparency. Moreover, the IT SA states that there is an additional infringement of points (b) and (c) of Article 5(1) GDPR on account of WhatsApp IE’s failure to comply with the purpose limitation and data minimisation principles. The IT SA asks for a fine to be issued for those additional infringements.

[337] As established above in Subsection 4.4.2.
[338] See above footnote 334 on paragraph 272.
[339] Draft Decision, paragraph 5.9.
[340] FR SA Objection, paragraph 53.
[341] NO SA Objection, p. 9; DE SA Objection, p. 8.
[342] IT SA Objection, p. 10.
[343] IT SA Objection, p. 8.
280. In addition, the EDPB considers the FI SA’s request to consider the imposition of an administrative fine, as summarised above in Subsection 7.2, not as a separate objection but rather as a possible outcome of the IE SA’s use of its corrective powers pursuant to Article 58(2) GDPR 344.
8.3 Position of the LSA on the objections
281. The IE SA notes in its Composite Response that it is satisfied that the scope of the inquiry is appropriate and no question of an infringement of these provisions arises from the complaint, therefore the IE SA would not exercise its corrective powers and would not follow the respective objections 345.
8.4 Analysis of the EDPB
8.4.1 Assessment of whether the objections were relevant and reasoned
The objections raised by the FR SA, NO SA, DE SA and IT SA concern “whether the action envisaged in the Draft Decision complies with the GDPR” 346.
282. In addition to the primary argument levelled against all CSAs’ objections 347 as well as the arguments against the objections regarding Article 6(1) GDPR of these CSAs, WhatsApp IE provides additional arguments on why it considers these not to be relevant and/or reasoned. In a general manner, WhatsApp IE argues that in any event, there is no basis for a finding that they infringed Article 6(1), 9 and/or 5 GDPR because the actual processing has not been investigated or assessed in the course of the inquiry by the IE SA 348. Moreover, WhatsApp IE opines that the imposition of an administrative fine with respect to new findings of infringements would violate its right to be heard and rights of the defence 349. Furthermore, WhatsApp IE points out that the power to impose an administrative fine under the GDPR lies within the sole competence of the IE SA and that the EDPB does not have the power to consider objections solely challenging the amount of a fine or the possible instruction to impose a fine 350.
283. WhatsApp IE is of the view that the FR SA’s objection cannot be considered relevant because they are dependent on another objection, which WhatsApp IE deems “an incorrect allegation of infringement of Article 6(1)(b) GDPR” 351. WhatsApp IE also does not consider the FR SA’s objection to be reasoned enough with regards to the power to impose administrative fines lying with the LSA and considers that the FR SA’s objection “fails to specify any direct, substantial, or plausible risks that could be prevented by applying Article 83(3) GDPR” 352. Regarding the DE SA and NO SA objections to the imposition of an administrative fine, WhatsApp IE does not provide arguments against the “relevant and reasoned” threshold apart from the general positions already reflected.
344 FI SA Objection, paragraph 43 to 46.
345 Composite Response, paragraph 78.
346 Guidelines on RRO, paragraph 32.
347 WhatsApp IE argues that these are “matters […] outside the Defined Scope of Inquiry and, as such, these Objections are not relevant and do not meet the requirements of Article 4(24). Accordingly, the EDPB is not competent to enter into the substantive consideration of the subject matters of these Objections or to purport to direct the DPC to find additional infringements of the GDPR” (WhatsApp’s Article 65 Submissions, paragraph 7.3). The EDPB does not share this understanding, as explained above. See Section 4.4.1.
348 WhatsApp IE’s Article 65 Submissions, paragraph 7.5.
349 WhatsApp IE’s Article 65 Submissions, paragraph 7.4.
350 WhatsApp IE’s Article 65 Submissions, paragraph 7.9.
351 WhatsApp IE’s Article 65 Submissions, Annex 1, p. 82.
352 WhatsApp IE’s Article 65 Submissions, Annex 1, p. 82-83.
284. It is in the EDPB’s understanding that the FR SA disagrees with a specific part of the IE SA’s Draft Decision, namely the lack of an administrative fine regarding the breach of Article 6 GDPR. The FR SA adds that if additional breaches were to be found after any further investigations by the IE SA, they should be taken into account when assessing the fine and its amount 353. In consequence, the EDPB considers the objection to be relevant.
285. The FR SA further argues that the lack of an administrative fine is in contradiction with the seriousness of the issues at hand, the nature of the processing and the size of the controller 354. In the view of the FR SA, not imposing a fine would clearly be detrimental to the rights, freedoms and guarantees of the data subjects and would also lead to reduce the authorities' coercive power and, consequently, their ability to ensure effective compliance with the protection of the personal data of European residents 355. Therefore, the EDPB considers the objection to be reasoned and to clearly demonstrate the significance of the risks posed by the Draft Decision.
***
286. The EDPB recalls that the NO and DE SA argue that WhatsApp IE may not rely on Article 6(1)(b) GDPR for the specified data processing and the IE SA should exercise its corrective powers and impose an administrative fine 356. If followed, these objections would lead to a different conclusion as to the possible imposition of an administrative fine. In consequence, the EDPB considers the objections to be relevant and to be reflections upon how the IE SA in their view should 'give full effect to the binding direction(s) as set out in the EDPB’s decision 357. The EDPB finds that the objection is concrete in the change proposed. However, it takes note that the NO and DE SA’s assessment of the risks of the draft decision relate to the IE SA’s interpretation of Article 6(1)(b) GDPR and not sufficiently to the lack of an imposition of an administrative fine. Therefore, the EDPB does not consider this aspect of the NO and DE SAs’ objections to meet the requirements of Article 4(24) GDPR and are therefore not sufficiently reasoned 358.
287. Taking into account the aforementioned, the EDPB considers that the objection of the FR SA requesting the imposition of an administrative fine is relevant and reasoned pursuant to Article 4(24) GDPR.
288. With respect to the objection raised by the IT SA concerning the imposition of an administrative fine for the alleged infringement of the fairness principle enshrined in Article 5(1)(a), the EDPB finds that it stands in connection with the substance of the Draft Decision, as it concerns the imposition of a corrective measure for an additional infringement, which would be found as a consequence of incorporating the finding put forward by the objection. Clearly, the decision on the merits of the demand to take corrective measures for a proposed additional infringement is affected by the EDPB’s decision on whether to instruct the IE SA to include an additional infringement.
289. If followed, the IT SA’s objection sets out how it would lead to a different conclusion in terms of corrective measures imposed 359. Therefore, the EDPB finds the objections raised by the IT SA to be relevant.
353 FR SA Objection, paragraph 53.
354 FR SA Objection, paragraph 56.
355 FR SA Objection, paragraph 56-57.
356 NO SA Objection, p. 8-9; DE SA objection, p. 8.
357 Guidelines on Article 65(1)(a) GDPR, paragraph 50.
358 See also Section 4.4.1 of this Binding Decision.
359 IT SA Objection, p. 8-10.
290. WhatsApp IE argues the IT SA’s objection is insufficiently detailed, adding that it is not possible to identify the legal arguments the IT SA wishes to put forward in respect of the fine 360. The EDPB finds that the IT SA adequately argues why they propose amending the Draft Decision and how this leads to a different conclusion in terms of administrative fine imposed 361.
291. WhatsApp IE argues the objection of the IT SA fails to demonstrate the risk posed by the Draft Decision as required and, in doing so, WhatsApp IE dismisses the concerns articulated by the IT SA on the precedent the draft decision sets 362.
292. The EDPB finds that the IT SA articulates an adverse effect on the rights and freedoms of data subjects if the Draft Decision is left unchanged, by referring to a failure to guarantee a high level of protection in the EU for the rights and interests of the individuals 363.
293. Therefore, the EDPB considers the IT SA’s objection concerning the imposition of a fine for the alleged additional infringement of the principle of fairness enshrined in Article 5(1)(a) GDPR to be reasoned.
***
294. The EDPB recalls its analysis of whether the objection raised by the IT SA in respect of the proposed alleged additional infringements of Article 5(1)(b) GDPR and 5(1)(c) GDPR meets the threshold set by Article 4(24) GDPR (see Section 5.4.1 above). In light of the conclusion that such objection is not relevant and reasoned, the EDPB does not need to further examine this linked objection.
295. Furthermore, with regard to the FI SA’s objection the EDPB recalls the analysis made in Subsection 7.4.1 and in 8.2 of this Binding Decision.
8.4.2 Assessment on the merits
296. In accordance with Article 65(1)(a) GDPR, the EDPB shall take a binding decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether the envisaged action in relation to the controller or processor complies with the GDPR.
297. Regarding the processing of purposes or of data categories raised by the FR SA and which were not part of the scope of the inquiry, it is appropriate to refer to the EDPB conclusion as stated above in subsection 6.1.4.2, where the IE SA is instructed to launch further investigations.
298. Regarding the FI SA’s objection as mentioned in Subsection 8.2 and analysed in Section 7, the EDPB again recalls that it only takes note of it, as it is not deemed a separate objection but rather a possible outcome of the IE SA’s use of its corrective powers pursuant to Article 58(2) GDPR.
299. When assessing the merits of all the objections raised, the EDPB also takes into account WhatsApp IE’s position on the objection and its submissions.
300. WhatsApp IE considers that the LSA has sole discretion to impose an administrative fine. WhatsApp IE argues that in the context of a matter relating to cross-border processing, the power to impose an administrative fine under the GDPR lies within the sole competence of the LSA and not the CSAs or the EDPB. Furthermore, WhatsApp IE argues that the GDPR does not confer any power on the EDPB to consider objections solely challenging the amount of a fine, and the EDPB may not give instructions as to whether a fine ought to be imposed, or as to its amount 364.
360 WhatsApp IE's Article 65 Submissions, Annex 1, p. 108-109.
361 The IT SA argues that the finding of such infringement “should result into the imposition of the relevant administrative fine as per Article 83(5)(a) GDPR”, adding the requirement that each fine should be proportionate and dissuasive and arguing the gravity of the infringement, see IT SA Objection, p. 10.
362 WhatsApp IE's Article 65 Submissions, Annex 1, p. 109.
363 IT SA Objection, p. 10.
301. According to the EDPB, the views of WhatsApp IE amount to a misunderstanding of the GDPR one-stop-shop mechanism and of the shared competences of the CSAs. The EDPB responds to WhatsApp IE’s argument that the LSA has sole discretion to determine the appropriate corrective measures in the event of a finding of infringement above (see Section 7, paragraph 258-259).
302. While the EDPB agrees that the LSA does act as “sole interlocutor” of the controller or processor 365, this should not be understood as meaning it has “sole competence” in a situation where the GDPR requires SAs to cooperate pursuant to Article 60 GDPR to achieve a consistent interpretation of the Regulation 366. The fact that the LSA will be the authority that can ultimately exercise the corrective powers listed in Article 58(2) GDPR cannot limit the role of the CSAs within the cooperation procedure or the one of the EDPB in the consistency procedure 367.
303. Therefore, contrary to WhatsApp IE’s views, the consistency mechanism may also be used to promote a consistent application by the supervisory authorities of the corrective measures, taking into account the range of powers listed in Article 58(2) GDPR, when a relevant and reasoned objection questions the action(s) envisaged by the Draft Decision vis-a-vis the controller/processor, or the absence thereof 368. More specifically, when raising an objection on the existing or missing corrective measure – such as an administrative fine – in the Draft Decision, the CSA should indicate which action it believes would be appropriate for the LSA to undertake and include in the final decision 369.
8.4.2.1.1 Assessment of whether an administrative fine should be imposed for the infringement of Article 6(1) GDPR
304. The EDPB considers that the objection found to be relevant and reasoned in this subsection requires an assessment of whether the Draft Decision needs to be changed in respect to the lack of corrective measures proposed. More specifically, the EDPB needs to assess the request to impose an administrative fine for the infringements that are ought to be found by the LSA according to this Binding Decision. The EDPB recalls its conclusion in this Binding Decision on the infringement of Article 6(1) GDPR 370.
305. The EDPB concurs that the decision to impose an administrative fine needs to be taken on a case-by-case basis in light of the circumstances and is not an automatic one 371. However, the EDPB recalls that when a violation of the Regulation has been established, competent supervisory authorities are required to react appropriately to remedy this infringement in accordance with the means provided to them by Article 58(2) GDPR 372, which includes the possible imposition of an administrative fine pursuant to Article 58(2)(i) GDPR 373.
306. Indeed, as already mentioned the consistency mechanism may also be used to promote a consistent application of administrative fines 374: where a relevant and reasoned objection identifies shortcomings in the reasoning leading to the imposition of the fine at stake (or naturally the lack of one), the EDPB can instruct the LSA to engage in a new assessment of the need for a fine or the calculation of a proposed fine 375.
307. The EDPB again wants to recall that although the supervisory authority must determine which action is appropriate and necessary and take into consideration all the circumstances of the processing of personal data in question in that determination, the supervisory authority is nevertheless required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence 376. Recital 148 shows the duty for supervisory authorities to impose corrective measures that are proportionate to the seriousness of the infringement 377.
308. With respect to the imposition of an administrative fine, the EDPB recalls the requirements of Article 83(1) GDPR, as well as that due account must be given to the elements of Article 83(2) GDPR.
309. As already established the EDPB considers the lawfulness of processing to be one of the fundamental pillars of the data protection law and that processing of personal data without an appropriate legal basis is a clear and serious violation of the data subjects’ fundamental right to data protection 378. The EDPB therefore agrees with the FR SA in considering the identified breach as serious 379. Furthermore, the EDPB takes the view that the infringement at issue relates to the processing of personal data of a significant number of people in a cross-border scope and that the impact on them has to be considered 380.
310. The EDPB underlines that the specific circumstances of the case have to be reflected. Such circumstances not only refer to the specific elements of the infringement, but also those of the controller or processor who committed the infringement, namely its size and financial position 381.
364 WhatsApp IE's Article 65 Submissions, paragraph 7.9.
365 Article 56(6) GDPR.
366 See GDPR Art. 51(2), 60, 61(1), and C-645/19 Facebook Ireland Ltd and Others, paragraphs 53, 63, 68, 72.
367 Article 63 and 65 GDPR.
368 Guidelines on RRO, paragraph 7. Objections may relate to both existing or missing elements in the draft decision.
369 Guidelines on RRO, paragraphs 29 and 33.
370 See Section 4.4.2 of this Binding Decision.
371 WP29 Guidelines on Administrative fines, p. 6 (“Like all corrective measures in general, administrative fines should adequately respond to the nature, gravity and consequences of the breach, and supervisory authorities must assess all the facts of the case in a manner that is consistent and objectively justified. The assessment of what is effective, proportional and dissuasive in each case will have to also reflect the objective pursued by the corrective measure chosen, that is either to re-establish compliance with the rules, or to punish unlawful behavior (or both)”), p. 7 (“The Regulation requires assessment of each case individually”; “Fines are an important tool that supervisory authorities should use in appropriate circumstances. The supervisory authorities are encouraged to use a considered and balanced approach in their use of corrective measures, in order to achieve both an effective and dissuasive as well as a proportionate reaction to the breach. The point is to not qualify the fines as last resort, nor to shy away from issuing fines, but on the other hand not to use them in such a way which would devalue their effectiveness as a tool.”).
372 C-311/18 Schrems II, paragraph 111.
373 See also FI SA Objection, paragraph 43.
374 Recital 150 GDPR.
375 Guidelines on RRO, paragraph 34.
376 C-311/18 Schrems II, paragraph 112.
377 Recital 148 GDPR states, for instance: “in a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine”. The EDPB confirmed that “the indications provided by this Recital can be relevant for the imposition of corrective measures in general and for the choice of the combination of corrective measures that is appropriate and proportionate to the infringement committed”. EDPB Binding Decision 1/2021, paragraph 256.
378 Article 8(2), EU Charter.
379 FR SA Objection, paragraph 56.
380 See Guidelines on calculation of fines, paragraph 54.
381 On turnover see Guidelines on calculation of fines, paragraph 49; also FR SA objection, paragraph 56.
311. Though the damage is very difficult to express in terms of a monetary value, it remains the case that data subjects have been faced with data processing that should not have occurred (by relying inappropriately on Article 6(1)(b) GDPR as a legal basis as established in section 4.4.2). The data processing in question entails decisions about information that data subjects are exposed to or excluded from receiving. The EDPB recalls that non-material damage is explicitly regarded as relevant in recital 75 GDPR and that such damage may result from situations “where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data”. Given the nature and gravity of the infringement of Article 6(1) GDPR, a risk of damage caused to data subjects is, in such circumstances, consubstantial with the finding of the infringement itself.
312. In the light of the nature and gravity of the infringement pursuant to Article 83(2)(a) GDPR as identified in the paragraphs above, in the view of the EDPB the combination of the mentioned factors already clearly tip the balance in favour of imposing an administrative fine.
313. For conduct infringing data protection rules, the GDPR does not provide for a minimum fine.
Rather, the GDPR only provides for maximum amounts in Article 83(4)–(6) GDPR, in which several different types of conduct are grouped together. A fine can ultimately only be calculated by weighing up all the elements expressly identified in Article 83(2)(a)–(j) GDPR, relevant to the case and any other relevant elements, even if not explicitly listed in the said provisions (as Article 83(2)(k) GDPR requires to give due regard to any other applicable factor). Finally, the final amount of the fine resulting from this assessment must be effective, proportionate and dissuasive in each individual case (Article 83(1) GDPR). Any fine imposed must sufficiently take into account all of these parameters, whilst at the same time not exceeding the legal maximum provided for in Article 83(4)–(6) GDPR 382.
314. In light of the above, the EDPB instructs the IE SA to impose an administrative fine, remaining in line with the criteria provided for by Article 83(2) GDPR and ensuring it is effective, proportionate and dissuasive in line with Article 83(1) GDPR, in accordance with the conclusions reached by the EDPB, namely the identified infringement of Article 6(1) GDPR.
8.4.2.1.2 Assessment of whether an administrative fine should be imposed for the infringement of the fairness principle under Article 5(1)(a) GDPR
315. The EDPB recalls its conclusion in this Binding Decision on the infringement by WhatsApp IE of the fairness principle under Article 5(1)(a) GDPR 383 and that the objection raised by the IT SA, which is found to be relevant and reasoned, requested the IE SA to exercise its power to impose an administrative fine 384.
316. The EDPB takes note of WhatsApp IE’s view that the IT SA objection is not relevant and reasoned 385 and also notes that WhatsApp IE takes the view that it is inappropriate, clearly disproportionate, and unnecessary to impose an administrative fine 386.
382 See Guidelines on calculation of fines, paragraph 16.
383 Section 5.4.2 of this Binding Decision.
384 Paragraphs 289-293 of this Binding Decision.
385 Paragraph 138 of this Binding Decision.
386 WhatsApp IE's Article 65 Submissions, Annex 1, p. 109.
317. The EDPB again recalls that the decision to impose an administrative fine needs to be taken on a case-by-case basis in light of the circumstances and is not an automatic one 387 and the specificities of the case have to be taken into account.
318. As previously established, the principle of fairness under Article 5(1)(a) GDPR, although intrinsically linked to the principles of lawfulness and transparency under the same provision, has an independent meaning 388.
319. Considering the EDPB’s findings in Section 5.4.2 that WhatsApp IE has not complied with key requirements of the principle of fairness, the EDPB reiterates its view that WhatsApp IE has infringed the principle of fairness under Article 5(1)(a) GDPR and agrees with the IT SA that this infringement should be adequately taken into account by the IE SA in the calculation of the amount of the administrative fine to be imposed following the conclusion of this inquiry.
320. Therefore, the EDPB instructs the IE SA to take into account the infringement by WhatsApp IE of the fairness principle enshrined in Article 5(1)(a) GDPR as established above when determining the fine for the violation of Article 6(1) GDPR as instructed above. If, however, the IE SA considers an additional fine for the breach of the principle of fairness is an appropriate corrective measure, the EDPB requests the IE SA to include this in its final decision. In any case, the IE SA must take into account the criteria provided for by Article 83(2) GDPR and ensuring it is effective, proportionate and dissuasive in line with Article 83(1) GDPR.
9 BINDING DECISION
321. In light of the above and in accordance with the task of the EDPB under Article 70(1)(t) GDPR to issue binding decisions pursuant to Article 65 GDPR, the EDPB issues the following binding decision in accordance with Article 65(1)(a) GDPR.
322. The EDPB addresses this Binding Decision to the LSA in this case (the IE SA) and to all the CSAs, in accordance with Article 65(2) GDPR.
323. On the objections concerning whether the LSA should have found an infringement for lack of appropriate legal basis
1. The EDPB decides that the objections of the DE SA, FI SA, FR SA, NL SA and NO SA regarding WhatsApp reliance on Article 6(1)(b) GDPR, meet the requirements of Article 4(24) GDPR.
2. The EDPB decides that WhatsApp IE has inappropriately relied on Article 6(1)(b) GDPR to process the Complainant’s personal data for the purpose of service improvement and security in the context of its Terms of Service and therefore lacks a legal basis to process these data. WhatsApp IE has consequently infringed Article 6(1) GDPR by unlawfully processing personal data.
3. The EDPB instructs the IE SA to alter its Finding 2 of its Draft Decision, which concludes that WhatsApp IE may rely on Article 6(1)(b) in the context of its offering of Terms of Service, and to include an infringement of Article 6(1) GDPR, on the basis of the conclusion reached by the EDPB in this Binding Decision.
387 See above paragraph 305 of this Binding Decision.
388 See paragraph 147-149 of this Binding Decision.
324. On the objections concerning the potential additional infringement of the principle of fairness
4. The EDPB decides that the objection of the IT SA regarding the infringement by WhatsApp IE of the principle of fairness under Article 5(1)(a) GDPR, meets the requirements of Article 4(24) GDPR.
5. The EDPB instructs the IE SA to find in its final decision an additional infringement of the principle of fairness under Article 5(1)(a) GDPR by WhatsApp IE.
325. On the objection concerning the potential additional infringement of the principles of purpose limitation and data minimisation
6. On the objection by the IT SA concerning the possible additional infringements of the principles of purpose limitation and data minimisation under Article 5(1)(b) and (c) GDPR, the EDPB decides this objection does not meet the requirements of Article 4(24) GDPR.
326. On the objections concerning the potential need for further investigation:
7. The EDPB decides that the objections of the IT SA, FR SA and FI SA regarding the lack of investigation of WhatsApp’s processing operations in its service of special categories of personal data (Article 9 GDPR), of data processed for the purposes of behavioural advertising, for marketing purposes, as well as for the provision of metrics to third parties and the exchange of data with affiliated companies for the purposes of service improvements, meet the requirements of Article 4(24) GDPR.
8. The EDPB decides that the IE SA shall carry out an investigation into WhatsApp’s processing operations in its service in order to determine if it processes special categories of personal data (Article 9 GDPR), processes data for the purposes of behavioural advertising, for marketing purposes, as well as for the provision of metrics to third parties and the exchange of data with affiliated companies for the purposes of service improvements, and in order to determine if it complies with the relevant obligations under the GDPR. Based on the results of that investigation and the findings the IE SA shall issue a new Draft Decision in accordance with Article 60(3) GDPR.
327. On corrective measures other than administrative fines
9. The EDPB decides that the objection of the FI SA requesting corrective measures to be imposed in compliance with the Article 58(2) GDPR meet the requirements of Article 4(24) GDPR.
10. On the objections by the DE and NO SAs requesting corrective measures to be imposed in compliance with the Article 58(2) GDPR, the EDPB decides that these objections do not meet the requirements of Article 4(24) GDPR.
11. The EDPB instructs the IE SA to include in its final decision an order for WhatsApp IE to bring its processing of personal data for the purposes of service improvement and security features in the context of its Terms of Service into compliance with Article 6(1) GDPR in accordance with the conclusion reached by the EDPB 389 within a specified period of time 390.
328. On the objections concerning the imposition of an administrative fine for the lack of legal basis
12. The EDPB decides that the objections of the FR SA regarding the imposition of an administrative fine for the infringement of Article 6(1) GDPR meets the requirements of Article 4(24) GDPR.
389 As established above in Subsection 4.4.2.
390 See above footnote 334 on paragraph 272.
13. The EDPB decides that the relevant parts of the objections of the NO and DE SAs specifically relating to an administrative fine for the lack of legal basis do not meet the threshold of Article 4(24) GDPR.
14. The EDPB instructs the IE SA to cover the additional infringement of Article 6(1) GDPR with an administrative fine, which is effective, proportionate and dissuasive in accordance with Article 83(1) GDPR. In determining the fine amount, the IE SA must give due regard to all the applicable factors listed in Article 83(2) GDPR, in particular the nature and gravity of the infringement and the number of data subjects affected.
329. On the objection concerning the imposition of an administrative fine for the infringement of the fairness principle under Article 5(1)(a) GDPR
15. The EDPB decides that the objection of the IT SA regarding the imposition of an administrative fine for the infringement of Article 5(1)(a) GDPR meets the requirements of Article 4(24) GDPR.
16. The EDPB instructs the IE SA to take into account the infringement by WhatsApp IE of the fairness principle enshrined in Article 5(1)(a) GDPR when determining the fine for the violation of Article 6(1) GDPR as instructed above. If, however, the IE SA considers an additional fine for the breach of the principle of fairness is an appropriate corrective measure, the EDPB requests the IE SA to include this in its final decision. In any case, the IE SA must take into account the criteria provided for by Article 83(2) GDPR and ensuring it is effective, proportionate and dissuasive in line with Article 83(1) GDPR.
330. On the objection concerning the imposition of an administrative fine for the infringement of Article 5(1)(b) and (c) GDPR
17. The EDPB decides that it does not need to examine the objection of the IT SA regarding the imposition of an administrative fine for the infringement of Article 5(1)(b) and (c) GDPR.
10 FINAL REMARKS
331. This Binding Decision is addressed to the IE SA and the CSAs. The IE SA shall adopt its final decision on the basis of this binding decision pursuant to Article 65(6) GDPR.
332. Regarding the objections deemed not to meet the requirements stipulated by Art 4(24) GDPR, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.
333. According to Article 65(6) GDPR, the IE SA shall adopt its final decision on the basis of the Binding Decision without undue delay and at the latest by one month after the EDPB has notified its Binding Decision.
334. The IE SA shall inform the EDPB of the date when its final decision is notified to the controller or the processor 391. This Binding Decision will be made public pursuant to Article 65(5) GDPR without delay after the IE SA has notified its final decision to the controller 392.
335. The IE SA will communicate its final decision to the Board 393. Pursuant to Article 70(1)(y) GDPR, the IE SA’s final decision communicated to the EDPB will be included in the register of decisions which have been subject to the consistency mechanism.
For the European Data Protection Board
The Chair
(Andrea Jelinek)
391 Article 65(6) GDPR.
392 Article 65(5) and (6) GDPR.
393 Article 60(7) GDPR.