EDPB - Binding Decision 5/2022 - 'Whatsapp'

From GDPRhub
EDPB - Whatsapp Ireland Limited - Decision 5/2022
Authority: EDPB
Jurisdiction: European Union
Relevant Law: Article 4 GDPR
Article 5 GDPR
Article 6 GDPR
Article 7 GDPR
Article 9 GDPR
Article 12 GDPR
Article 13 GDPR
Article 21 GDPR
Article 24 GDPR
Article 56 GDPR
Article 58 GDPR
Article 60 GDPR
Article 65 GDPR
Article 77 GDPR
Article 79 GDPR
Article 83 GDPR
Type: Other
Outcome: n/a
Started: 19.08.2022
Decided: 05.12.2022
Published: 25.01.2023
Fine: n/a
Parties: German Whatsapp user (represented by noyb - European Centre for Digital Rights)
Whatsapp Ireland Limited
National Case Number/Name: Whatsapp Ireland Limited - Decision 5/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: LR

Following a referral under the Article 60 GDPR procedure, on a case initiated by noyb, the EDPB issued a binding decision finding Whatsapp IE’s processing of personal data for “service improvements” and “security” to be unlawful.

English Summary

Facts

In order to access Whatsapp, an online instant messaging platform ultimately owned and controlled by “Meta Platforms Inc.”, a user was required to accept a series of terms and conditions (the “Terms of Service”) and a Privacy Policy.

In accordance with the GDPR, Whatsapp IE was obliged to have a lawful basis for the processing of any personal data they undertook. Article 6(1) GDPR detailed the lawful bases upon which such data can be processed. The company was also obliged to provide detailed information to users at the time their personal data was obtained in relation to, among others, the purposes of any data processing and the legal basis for such processing. To continue to access the Whatsapp platform, all users were required to accept the updated Terms of Service and privacy policy prior to 25 May 2018, the date the GDPR became applicable. Those existing users who were not willing to accept the new terms were advised of the option to delete their Whatsapp account.

A German Whatsapp user, the “data subject” and “complainant”, filed a complaint against Whatsapp IE, the controller. The complainant was represented by “noyb – European Centre for Digital Rights”, a privacy NGO based in Austria. The complainant alleged that Whatsapp IE’s data processing practices on the Whatsapp platform amounted to “forced consent”, and constituted a violation of the GDPR. The complaint, originally filed with the Hamburg DPA (HmbBfDI) and later transferred to the German Federal DPA (BfDI), advanced a number of grounds upon which the consent of the data subject could not be considered “freely given”.

Firstly, there existed a clear imbalance of power between the controller and the data subject. This was likely to affect the voluntariness of the latter’s consent for the processing of personal data. The complaint alleged that, in this case, the controller undisputedly had a dominant market position in the area of social networking services and, in combination with the “lock in” and “network” effects, the data subject was left with no other realistic alternatives.

Secondly, the use of the Whatsapp service was conditional upon the data subject’s consent to collection of their data, when such data processing is not necessary for the provision of the service. Article 7(4) GDPR, which defines the conditions for consent, specifically states that “utmost account shall be taken of whether, inter alia, the performance of a contract… is conditional on consent to the processing that is not necessary for the performance of that contract”. As such, the “consent” upon which the controller seeks to rely was invalid.

Additionally, the complaint raises the issue of granularity, as the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or-nothing” approach contrary to the requirement of the GDPR for “specific” consent to processing.

Finally, the controller shall enable the data subject to refuse consent without any detriment. However, in this case, the data subject faces significant disadvantage, as their account would be deleted – as a consequence of withdrawal – and they would lose a crucial form of social interaction.

The BfDI referred the case to the Irish DPA (DPC) under Article 56 GDPR, and in accordance with the procedure outlined in Article 60 GDPR.

Responding to the Complainant’s assertions, Whatsapp IE submitted, among other points, that it does not rely on consent as the lawful basis for the relevant processing of personal data. According to the company, “the legitimization of the processing at issue in this inquiry falls under Article 6(1)(b) GDPR [necessary for the performance of a contract] and therefore an assessment under Article 6(1)(b) only is required” (DPC Preliminary Draft Decision, para 3.4).

On 1 April 2022, the DPC shared its Draft Decision with the other Data Protection Authorities (DPAs) in accordance with Article 60(3) GDPR. Six DPAs (DE, FI, FR, IT, NL, NO) raised objections, in accordance with Article 60(4) GDPR, to the Draft Decision. On 19 August 2022, the matter was referred to the European Data Protection Board (EDPB). The EDPB adopted a binding decision on 5 December 2022 and the DPC issued its Final Decision on 12 January 2023, published on 19 January 2023.

Holding

Issuing its Binding Decision, the EDPB decided on the admissibility of the objections raised by the DPAs. For each issue, the EDPB determined whether the objection can be considered a “relevant and reasoned objection” within the meaning of Article 4(24) GDPR. The EDPB identified five issues in the case at hand, addressing each one in turn before issuing the Binding Decision.

Please note: in order to explain the issues addressed in the decision, it is necessary to explain the proposals in the DPC’s Draft Decision, in order to provide the context for the EDPB decision.


Issue 1 – On Whether the LSA (DPC) Should Have Found an Infringement for Lack of Appropriate Legal Basis

The first issue concerns whether Whatsapp IE can rely on Article 6(1)(b) GDPR as the lawful basis for processing of personal data. In order to do so, the controller has to demonstrate that such “processing is necessary for the performance of a contract to which the data subject is a party”. When issuing its Draft Decision, the DPC firstly sought to address the question of scope – identifying which processing practices they are concerned with in this context – before moving to the question of contractual necessity as a lawful basis.

On the question of scope, the DPC asserted that its inquiry must be limited to the processing of personal data for “service improvements” and “security”. In doing so, the DPC elected not to conduct an investigation into the processing of sensitive categories of data, as well as data processed for the purposes of: behavioural advertising; providing metrics to third parties; and marketing.

Responding to this proposal, the EDPB disagreed with the DPC's conclusions regarding the scope of the inquiry, and directed the DPC to commence a new inquiry into Whatsapp's processing of special categories of personal data, and its processing for the purposes of: behavioural advertising; marketing; and providing metrics to third parties (222). The DPC did not conduct this inquiry as, in its view, “that direction cannot be addressed… in this decision” and proceeded in its analysis, continuing to exclude questions of data processed for advertising. For further discussion of the issue of scope, and the EDPB’s directions regarding a further investigation, please see “Issue 3 – On the Further Investigation” below.

Addressing the second question, whether the data processing is necessary for the purpose of a contract between Whatsapp IE and its users, the DPC agreed with the complainant’s submissions and the EDPB guidelines that “the ‘core’ functions of a contract must be assessed in order to determine what processing is objectively necessary in order to perform it” (DPC - 3.27).

However, the DPC added that “necessity is to be determined by reference to the particular contract” (DPC - 3.27) and “it is not for an authority such as the [DPC], tasked with the enforcement of data protection law, to make assessments as to what will or will not make the performance of a contract possible” (DPC - 3.45). The DPC took a broad approach to determining what is necessary for the performance of a contract based on “the actual bargain which has been struck between the parties” (DPC - 3.30). The DPC stated “it seemed to me… that Whatsapp’s model and the service being offered is explicitly one that includes improvements to an existing service, and a commitment to upholding certain standards relating to abuse, etc., that is common across all affiliated platforms” (DPC - 3.42). Accordingly, the Draft Decision “proposed to conclude... that WhatsApp was, in principle, entitled to rely on Article 6(1)(b) GDPR for processing personal data” (DPC - 3.50).

In response, when issuing its Binding Decision with regard to Article 6(1)(b) GDPR as a lawful basis for data processing and the determination of what is necessary for the performance of a contract, the EDPB stated as follows:

"The EDPB agrees with the IE SA and Whatsapp IE that there is no hierarchy between these legal bases. However, this does not mean that a controller, as Whatsapp IE in the present case, has absolute discretion to choose the legal basis that suits better its commercial interests. The controller may only rely on one of the legal basis established under Article 6 GDPR if it is appropriate for the processing at stake" (100).

"The GDPR makes Whatsapp IE, as a data controller for the processing at stake, directly responsible for complying with the Regulation’s principles, including the processing of data in a lawful, fair and transparent manner, and any obligations derived therefrom. This obligation applies even where the practical application of GDPR principles… is inconvenient or runs counter to the commercial interests of Whatsapp IE and its business model” (101).

"The EDPB agrees that SAs do not have under the GDPR a broad and general competence in contractual matters. However, the EDPB considers that the supervisory tasks that the GDPR bestows on SAs imply a limited competence to assess a contract's validity, insofar as it is relevant to the fulfilment of their tasks under the GDPR" (102).

"...it is important to determine the exact rationale of the contract, i.e. its substance and fundamental objective, as it is against this that it will be tested whether the data processing is necessary for its performance” (105).

"the concept of necessity has its own independent meaning under EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU instrument, in this case, the GDPR" (110).

Turning to the facts of the case, the EDPB outlines a number of factors which, in contradiction to the view of the DPC, support the argument that data processing for service improvements and security is not essential to the contract between Whatsapp IE and its users. The EDPB observes that Whatsapp is under a duty to consider the possibility of less intrusive ways to pursue the stated purpose, for example, “rely on a pool of users, who voluntarily agreed, by providing consent, to the processing of their personal data for this purpose” (109).

Furthermore, the EDPB points to an imbalance of knowledge surrounding the contract: “an average user cannot fully grasp what is meant by processing for service improvements and security features, be aware of its consequences and impact on their rights to privacy and data protection, and reasonably expect it solely based on Whatsapp IE’s Terms of Service” (111). As explained by the EDPB, the DPC has already acknowledged that Whatsapp IE infringed its transparency obligations under the GDPR (see “Issue 3” in DPC Decision IN-18-5-6), and this undermines the argument that the processing is lawful on the basis of contractual performance. This is because, “one of the parties (in this case a data subject) [has not been] provided with sufficient information to know they are signing a contract, the processing of personal data that it involves, for which specific purposes and on which legal basis, and how this processing is necessary to perform the services delivered… These transparency requirements are not only an additional and separate obligation, but also an indispensable and constitutive part of the legal basis” (117).

The EDPB continues, outlining the inherent risk of a finding in the DPC’s decision that Whatsapp IE can process personal data on the basis of Article 6(1)(b) GDPR:

“...there is a risk that the Draft Decision’s failure to establish Whatsapp IE's infringement of Article 6(1)(b) GDPR, pursuant to the interpretation by the [DPC], nullifies this provision and makes theoretically lawful any collection and reuse of personal data in connection with the performance of a contract with a data subject" (119). “This precedent could encourage other economic operators to use the contractual performance legal basis of Article 6(1)(b) GDPR for all their processing of personal data. There would be the risk that some controllers argue some connection between the processing of the personal data of their consumers and the contract to collect, retain, and process as much personal data from their users as possible and advance their economic interests at the expense of the safeguards for data subjects” (120).

In light of all of the above, the EDPB directed the following:

"processing for the purposes of service improvements and security features performed by Whatsapp IE are objectively not necessary for the performance of Whatsapp IE's alleged contract with its users and are not an essential or core element of it" (121). "Whatsapp IE has inappropriately relied on Article 6(1)(b) GDPR to process the complainant's personal data for the purposes of service improvements and security in the context of its Terms of Service and therefore lacks a legal basis to process the data. The EDPB was not required to examine whether data processing for such purposes could be based on other legal bases because the controller relied solely on Article 6(1)(b) GDPR. Whatsapp IE has consequently infringed Article 6(1) GDPR by unlawfully processing personal data” (122).

Accordingly, the EDPB instructed the DPC to alter “Finding 2” of its Draft Decision to include a finding that Whatsapp IE was not entitled to rely on Article 6(1)(b) GDPR to process the Complainant’s personal data in this context, and to find an infringement of Article 6(1) GDPR based on the shortcomings the EDPB has identified (122).


Issue 2 – On the Potential Infringement of the Principles of Fairness, Purpose Limitation and Data Minimisation

During the course of the Article 60 GDPR consultation period, the Italian DPA raised two objections to the DPC’s Draft Decision. The Italian DPA asserted that the Draft Decision should be amended to include a separate finding of an infringement of the Article 5(1)(a) GDPR principle of fairness, and infringements of the Article 5(1)(b) and (c) GDPR principles of purpose limitation and data minimisation.

Potential infringement of principles of purpose limitation and data minimisation:

The Italian DPA explained that the fact that Whatsapp IE’s multifarious processing practices involving personal data are grounded in Article 6(1)(b) GDPR entails an infringement of the principles of purpose limitation and data minimisation. This is because the purposes must have been specified and communicated to data subjects. In response, the DPC stated that it did not consider the Italian DPA’s objection to be relevant or reasoned.

In contrast, the EDPB stated that it did consider the Italian DPA’s objection to be “relevant” as it includes justifications concerning why and how issuing a decision with the changes proposed in the objection is needed and how the change could lead to a different conclusion. However, the EDPB found that the objection did not sufficiently demonstrate that there is a “substantial and plausible” risk to the fundamental rights and freedoms of data subjects. Therefore, while the objection is relevant, it is “not reasoned” so as to satisfy Article 4(24) GDPR.

Potential infringement of the principle of fairness:

The objection raised by the Italian DPA sought an additional finding of an infringement of the principle of fairness in Article 5(1)(a) GDPR. In its Draft Decision, the DPC decided not to follow the objection, as the “principle of fairness was not examined during the course of this inquiry and, consequently, Whatsapp was not afforded the opportunity to be heard in response to a particularised allegation of wrongdoing” (DPC - 5.1). The matter was referred to the EDPB, which determined the objection raised by the Italian DPA to be both relevant and reasoned in accordance with Article 4(24) GDPR, and stated as follows:

“Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject” (143).

"...the principle of fairness has an independent meaning and… an assessment of Whatsapp IE’s compliance with the principle of transparency does not automatically rule out the need for an assessment of Whatsapp IE’s compliance with the principle of fairness too" (147).

"the concept of fairness stems from the EU Charter… [it] underpins the entire data protection framework and seeks to address power asymmetries between controllers and data subjects in order to cancel out the negative effects of such asymmetries and ensure the effective exercise of the data subjects’ rights” (148).

“Considering the constantly increasing economic value of personal data in the digital environment, it is particularly important to ensure that data subjects are protected from any form of abuse and deception, intentional or not, which would result in the unjustified loss of control over their personal data… Therefore, the EDPB disagrees with the [DPC]’s finding that assessing Whatsapp IE’s compliance with the principle of fairness ‘would therefore… represent a significant departure from the scope of the inquiry.’ In addition, it is important to note that Whatsapp IE has been heard on the objections and therefore submitted written submissions on this matter” (150).

“Whatsapp has presented its service to users in a misleading manner… The combination of factors, such as the unbalanced relationship between Whatsapp IE and its users, combined with the ‘take it or leave it’ situation that they are facing… systematically disadvantages them, limits their control over the processing of their personal data and undermines the exercise of their rights” (154, 156).

Accordingly, the EDPB instructed the DPC to include a finding of an infringement of the principle of fairness under Article 5(1)(a) of the GDPR by Whatsapp IE, and to “adopt the appropriate corrective measures, by addressing, but without being limited to, the question of an administrative fine for this infringement” (157).


Issue 3 – On the Further Investigation

As discussed in “Issue 1” above, the DPC reached certain conclusions on the scope of their inquiry, limiting their analysis to personal data processing for the purposes of “service improvements” and “security”. In their Draft Decision, the DPC explained that their analysis will be based only on the Whatsapp Terms of Service, and not the Privacy Policy. In their view, the Privacy Policy is essentially an explanatory document for the purposes of transparency, and not incorporated within the terms of service (DPC 3.4 – 3.5). The DPC then takes issue with the generality, or vagueness, of the complaint which – in their view – does not identify “specific processing operations by reference to an identifiable body of data with any clarity of precision” (DPC - 3.6). Furthermore, according to the DPC, the complainant was not entitled to request that the DPC “conduct an assessment of all processing operations carried out by Whatsapp” (DPC - 3.6).

After stating that “the Complaint does, however, focus on a number of particular processing activities and has a specific focus on data processed to facilitate improvements to services and advertising” (DPC - 3.7), the DPC explains that their Draft Decision proposed an assessment of whether Whatsapp IE can rely on Article 6(1)(b) GDPR for data processing for service improvements, providing metrics to third parties (such as companies within the same group of companies), and advertising. However, on the question of advertising, the DPC states that “no evidence has been presented by the Complainant that Whatsapp processes personal data for the purpose of advertising” (DPC - 3.8), and therefore data processing for advertising is not relevant to this inquiry.

With regards to “providing metrics to third parties”, the DPC states later in the decision that “any sharing with affiliated companies formed part of the general ‘improvements’ that are carried out pursuant to Article 6(1)(b) GDPR” (DPC - 3.33). Therefore, the DPC took the view that providing metrics to third parties forms part of service improvements as “any clear delineation between these two forms of processing was artificial” (DPC - 3.33). As a result, the DPC restricted the scope of their inquiry to “regular improvements and maintaining standards of security”.

During the Article 60 GDPR consultation period, 3 DPAs (FI, FR, IT) raised objections to the conclusions reached by the DPC in the Draft Decision. The objections requested that the DPC further investigate matters of behavioural advertising, special categories of personal data, the provision of metrics to third parties, including companies belonging to the same group, and marketing (168 – see also 169 – 174). In response, the DPC stated that it does not propose to “follow” the objections raised, and the matter was referred to the EDPB.

Issuing its Binding Decision, the EDPB disagreed with the DPC’s assessment of scope, and found the objections raised both relevant and reasoned in accordance with Article 4(24) GDPR. Regarding specifically the question of special categories of personal data, the EDPB notes that the GDPR and case law pay close attention to the processing of such data, and that the complaint expressly requests the DPC to investigate Whatsapp IE’s processing operations in this area (215). The EDPB outlines the risk of the DPC’s failure to address the issue of special categories of personal data including: the use of this data to build intimate profiles of users; the failure to recognise it as a special category of personal data; ignoring the role of consent in the processing; and setting a precedent of ambiguity and transparency which could be followed by other controllers (see 217). They also assert that the DPC “did not handle the complaint with all due diligence” and that the lack of any further investigation into processing for behavioural advertising, of special categories of personal data, provision of metrics to third parties, exchange with affiliated companies, and processing for the purposes of marketing, was an omission (218). Taking into account the limited scope of the inquiry and lack of assessment by the DPC, the EDPB decided that the DPC “shall carry out an investigation into Whatsapp IE’s processing operations in its service to determine if it processes special categories of data” and to investigate the processing for all of the above purposes in order to determine if Whatsapp IE complied with its obligations under the GDPR. The EDPB also instructs the DPC to issue a new Draft Decision, based on the results of that investigation and the findings (222).

It is worth noting, at this stage, that the DPC did not conduct this further investigation as, in their view, “that direction cannot be addressed… in this decision” and proceeded in their analysis, continuing to exclude questions of data processed for advertising. For further discussion, please see DPC (Ireland) – Whatsapp Ireland Limited – IN-8-5-6 (discussion of “Issue 2”).


Issue 4 – On Corrective Measures Other than Additional Fines

In its Draft Decision, the DPC did not find any infringement of Article 6(1)(b) GDPR and so was not in a position to consider the application of its corrective powers as provided for in Article 59(2) GDPR. The DPC did consider that Whatsapp IE had infringed its transparency obligations under the GDPR; however, it had dealt with this issue in a previous own-volition inquiry and imposed an administrative fine and an order to bring processing into compliance.

A number of objections were raised to the lack of corrective measures in the Draft Decision to address the infringement of Article 6(1) GDPR. Most notably, the Finnish DPA stated that the DPC should use its corrective powers to at least order Whatsapp IE to bring its processing operations into compliance with Article 6(1) GDPR. Also, the DPC should consider the imposition of an administrative fine.

After reviewing the merits of the objection, the EDPB instructed the DPC “to include in its final decision an order for WhatsApp IE to bring its processing of personal data for the purposes of service improvement and security features in the context of its Terms of Service into compliance with Article 6(1) GDPR” (274).


Issue 5 – On the imposition of the administrative fine

During the Article 60 GDPR consultation period, four DPAs (FR, NO, DE, IT) objected to the failure of the DPC to take action with respect to one or more specific infringements and asked the DPC to impose an administrative fine. After considering the objections in light of Article 4(24) GDPR and the factors outlined in Article 83(2) GDPR, the EDPB instructed the DPC to impose an administrative fine for the infringement of Article 6(1) GDPR (314) and, in doing so, to take into account the infringement of the principle of fairness in Article 5(1)(a) GDPR (320).


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Binding Decision 5/2022 on the dispute submitted by the Irish SA regarding WhatsApp Ireland Limited (Art. 65 GDPR)

Adopted on 5 December 2022

TABLE OF CONTENTS


1    Summary of the dispute
2    The Right to good administration
3    Conditions for adopting a binding decision
   3.1    Objection(s) expressed by CSA(s) in relation to a draft decision
   3.2    The LSA does not follow the relevant and reasoned objections to the Draft Decision or is of the opinion that the objections are not relevant or reasoned
   3.3    Admissibility of the case
   3.4    Structure of the binding decision
4    On whether the LSA should have found an infringement for lack of appropriate legal basis
   4.1    Analysis by the LSA in the Draft Decision
   4.2    Summary of the objections raised by the CSAs
   4.3    Position of the LSA on the objections
   4.4    Analysis of the EDPB
     4.4.1     Assessment of whether the objections were relevant and reasoned
     4.4.2     Assessment on the merits
5    On the potential additional infringement of the principles of fairness, purpose limitation and data minimisation
   5.1    Analysis by the LSA in the Draft Decision
   5.2    Summary of the objections raised by the CSAs
   5.3    Position of the LSA on the objections
   5.4    Analysis of the EDPB
     5.4.1     Assessment of whether the objections were relevant and reasoned
     5.4.2     Assessment of the merits
6    On the further investigation
     6.1.1     Analysis by the LSA in the Draft Decision
     6.1.2     Summary of the objections raised by the CSAs
     6.1.3     Position of the LSA on the objections
     6.1.4     Analysis of the EDPB
7    On corrective measures other than administrative fines
   7.1    Analysis by the IE SA in the Draft Decision
   7.2    Summary of the objections raised by the CSAs
   7.3    Position of the IE SA on the objections
   7.4    Analysis of the EDPB
     7.4.1     Assessment of whether the objections were relevant and reasoned
     7.4.2     Assessment on the merits
8    On the imposition of an administrative fine
   8.1    Analysis by the LSA in the Draft Decision
   8.2    Summary of the objections raised by the CSAs
   8.3    Position of the LSA on the objections
   8.4    Analysis of the EDPB
     8.4.1     Assessment of whether the objections were relevant and reasoned
     8.4.2     Assessment on the merits
9    Binding Decision
10    Final remarks

The European Data Protection Board

Having regard to Article 63 and Article 65(1)(a) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”)¹,

Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018²,

Having regard to Article 11 and Article 22 of its Rules of Procedure (hereinafter “EDPB RoP”)³,

Whereas:

(1) The main role of the European Data Protection Board (hereinafter the “EDPB”) is to ensure the consistent application of the GDPR throughout the EEA. To this effect, it follows from Article 60 GDPR that the lead supervisory authority (hereinafter “LSA”) shall cooperate with the other supervisory authorities concerned (hereinafter “CSAs”) in an endeavour to reach consensus, that the LSA and CSAs shall exchange all relevant information with each other, and that the LSA shall, without delay, communicate the relevant information on the matter to the other CSAs. The LSA shall without delay submit a draft decision to the other CSAs for their opinion and take due account of their views.

(2) Where any of the CSAs expressed a reasoned and relevant objection (“RRO”) on the draft decision in accordance with Article 4(24) and Article 60(4) GDPR and the LSA does not intend to follow the RRO or considers that the objection is not reasoned and relevant, the LSA shall submit this matter to the consistency mechanism referred to in Article 63 GDPR.

(3) Pursuant to Article 65(1)(a) GDPR, the EDPB shall issue a binding decision concerning all the matters which are the subject of the RROs, in particular whether there is an infringement of the GDPR.



¹ OJ L 119, 4.5.2016, p. 1.
² References to “Member States” made throughout this decision should be understood as references to “EEA Member States”.
³ EDPB RoP, adopted on 25 May 2018, as last modified and adopted on 6 April 2022.

(4) The binding decision of the EDPB shall be adopted by a two-thirds majority of the members of the EDPB, pursuant to Article 65(2) GDPR in conjunction with Article 11(4) of the EDPB RoP, within one month after the Chair and the competent supervisory authority have decided that the file is complete. The deadline may be extended by a further month, taking into account the complexity of the subject matter upon decision of the Chair on own initiative or at the request of at least one third of the members of the EDPB.

(5) In accordance with Article 65(3) GDPR, if, in spite of such an extension, the EDPB has not been able to adopt a decision within the timeframe, it shall do so within two weeks following the expiration of the extension by a simple majority of its members.

(6) In accordance with Article 11(6) EDPB RoP, only the English text of the decision is authentic as it is the language of the EDPB adoption procedure.

















































HAS ADOPTED THE FOLLOWING BINDING DECISION

1 SUMMARY OF THE DISPUTE

1. This document contains a binding decision adopted by the EDPB in accordance with Article 65(1)(a) GDPR. The decision concerns the dispute arisen following a draft decision (hereinafter “Draft Decision”) issued by the Irish supervisory authority (“Data Protection Commission”, hereinafter the “IE SA”, also referred to in this document as the LSA) and the subsequent objections expressed by six CSAs, namely the German Federal Commissioner for Data Protection and Freedom of Information (“Der Bundesbeauftragter für den Datenschutz und die Informationsfreiheit”) hereinafter “the German Federal SA” or the “DE SA”, the Finnish supervisory authority (“Tietosuojavaltuutetun toimisto”), hereinafter the “FI SA”, the French supervisory authority (“Commission Nationale de l'Informatique et des Libertés”), hereinafter the “FR SA”, the Italian supervisory authority (“Garante per la protezione dei dati personali”), hereinafter the “IT SA”, the supervisory authority of the Netherlands (“Autoriteit Persoonsgegevens”), hereinafter the “NL SA” and the Norwegian supervisory authority (“Datatilsynet”), hereinafter the “NO SA”.


2. The Draft Decision relates to a “complaint-based inquiry”, which was commenced by the IE SA, regarding a complaint originally submitted to the Hamburg supervisory authority (“Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit”), hereinafter “the DE HH SA”. The case was subsequently referred to the DE SA, being the relevant supervisory authority, to decide whether WhatsApp Ireland Limited (hereinafter, “WhatsApp IE”), an online instant messaging platform, complies with its obligations under the GDPR.

3. The complaint was lodged on 25 May 2018 by a data subject who requested the non-profit noyb – “European Center for Digital Rights” (hereinafter “NOYB”) to represent her under Article 80(1) GDPR (both hereinafter referred to as the “Complainant”). It concerned the lawfulness of WhatsApp IE’s processing of personal data (hereinafter “WhatsApp services”), specifically data processing on foot of the Complainant’s acceptance of its Terms of Service (and purportedly her acceptance of its Privacy Policy), and the transparency of information provided by WhatsApp IE to the Complainant about that processing. The Complainant alleged a violation of the right to data protection and especially a violation of “Articles 4(11), Article 6(1)(a), Article 7 and/or Article 9(2)(a) of the GDPR”⁴, by arguing that the controller relied on a “forced consent”⁵. The complaint requested to investigate and to impose corrective measures⁷. “In the alternative, should the Supervisory Authority not interpret these elements as consent”, the Complainant takes the position that the controller has no legal basis for the processing operations “which are not a core element of the instant-messaging service and/or in the interest of the user (such as advertisement, sponsored content, sharing of information within a group of companies analysis and improvement of the controller’s products etc.)”, “since these elements are clearly not a relevant contractual obligations and no other option under Article 6 of the GDPR seems to apply in this situation”.

⁴ Complaint, paragraph 2.2.5.
⁵ Complaint, paragraphs 1.3 and 2.2.5.
⁶ Within its request to investigate, the Complainant requested that a full investigation be made to determine “which processing operations the controller engages in, in relation to the personal data of the data subject”, “for which purpose they are performed”, “on which legal basis for each specific processing operation the controller relies on”, and to acquire “a copy of any records of processing activities”. The Complainant also requested “that the results of this investigation [be] made available to [her]”. Complaint, paragraph 3.1.
⁷ More specifically, the complaint requested in paragraph 3.2 that the competent SA “prohibits all processing operations that are based on an invalid consent of the data subject”, and in paragraph 3.3 that an “effective, proportionate and dissuasive fine” be imposed.

4. Upon receipt of the complaint on 31 May 2018, the IE SA qualified the activities falling within the scope of the aforementioned complaint as cross-border processing pursuant to Article 4(23) GDPR. As the main establishment of WhatsApp IE (as defined in Article 4(16) GDPR) was found to be in Ireland, the IE SA was identified as being the LSA, within the meaning of the GDPR, in respect of the cross-border processing carried out by that company⁹.

5. The following table presents a summary timeline of the events part of the procedure leading to the submission of the matter to the consistency mechanism:

25 May 2018                     The complaint was lodged with the DE HH SA.

                                The DE-HH SA passed the complaint, for reasons of competence,
                                to the DE SA. On 31 May 2018, the complaint was passed by the
                                DE SA to the IE SA.

20 August 2018                  The IE SA commenced the inquiry (hereinafter the “inquiry”)
                                and requested information from WhatsApp IE.

                                Its scope and legal basis were set out in the Notice of
                                Commencement of Inquiry that was sent to the Complainant and
                                WhatsApp IE by letters on 20 August 2018.

                                On 11 March 2019, WhatsApp IE provided replies to preliminary
                                queries by the IE SA. Procedural issues, including allegation
                                of bias were raised by the Complainant by correspondence on
                                3 December 2018, and subsequent letters from 29 February 2019,
                                19 April 2019 and 24 February 2020, as well as a phone call on
                                1 April 2019, that were addressed by the IE SA.

20 May 2020                     The IE SA prepared a Draft Inquiry Report against WhatsApp IE
                                regarding its processing activities within the scope of the
                                inquiry. The IE SA invited the Complainant and WhatsApp IE to
                                make submissions in relation to such draft report.

22 June 2020                    WhatsApp IE provided its submissions in relation to the Draft
                                Inquiry Report.

23 September 2020               The Complainant’s submissions dated 4 September 2020 were
                                provided to the IE SA by the DE SA.

18 January 2021                 The Complainant and WhatsApp IE, as well as the IE SA’s
                                decision maker, were furnished with a copy of the IE SA’s
                                Final Inquiry Report, outlining the Investigator’s views, as
                                to whether WhatsApp IE complied with its obligation under the
                                GDPR.

6 and 7 April 2021              The IE SA commenced the decision-making stage.

23 December 2021                The IE SA issued a preliminary draft decision (hereinafter
                                “the Preliminary Draft Decision”) against WhatsApp IE,
                                regarding its processing activities within the scope of the
                                inquiry.

                                It was communicated on the same day to the Complainant to
                                enable them to make observations. The IE SA further attempted
                                to communicate the Preliminary Draft Decision to WhatsApp IE
                                on this same date, to enable it to exercise its right to be
                                heard. Having subsequently discovered that an IT systems’
                                failure prevented the Preliminary Draft Decision from reaching
                                WhatsApp IE, the IE SA shared again the Preliminary Draft
                                Decision with WhatsApp IE on 20 January 2022.

December 2021 – February 2022   Further exchanges of correspondence took place between the
                                IE SA and the Complainant, addressing translation issues, the
                                scope of the complaint, as well as allegations that the
                                complete documents had not been provided.

17 February 2022                WhatsApp IE provided submissions on the Preliminary Draft
                                Decision to the IE SA.

25 February 2022                The IE SA communicated with Complainant’s legal
                                representatives, confirming that if no further correspondence
                                was received by 1 March 2022, the IE SA would proceed on the
                                basis that the Complainant did not wish to make submissions.
                                No submissions were received.

1 April 2022                    The IE SA shared its Draft Decision with the CSAs in
                                accordance with Article 60(3) GDPR.

                                Several CSAs (DE SA, FI SA, FR SA, IT SA, NL SA, and NO SA)
                                raised objections in accordance with Article 60(4) GDPR.

1 July 2022                     The IE SA issued a Composite Response setting out its replies
                                to the objections raised and shared it with the CSAs
                                (hereinafter, “Composite Response”).

                                The IE SA requested that the CSAs consider the responses and
                                proposals outlined in the Composite Response and confirm
                                whether they addressed the concerns underlying the objections
                                raised.

1 to 11 July 2022               In light of the proposals in the Composite Response, further
                                exchanges took place between the IE SA and the CSAs. During
                                the exchanges, several CSAs (among which the NL SA¹⁰, the
                                DE SA¹¹, the FI SA¹² and the NO SA¹³) confirmed to the IE SA
                                that its compromise proposals were not sufficient and they
                                intended to maintain their objections.

                                On 8 July 2022, WhatsApp IE was informed of the upcoming
                                triggering of the Article 65 GDPR procedure, and was invited
                                to exercise its right to be heard in respect of all the
                                material that the IE SA proposed to refer to the EDPB and on
                                17 August 2022 WhatsApp IE provided its submissions
                                (hereinafter the “WhatsApp IE Article 65 Submissions”).

19 August 2022                  The IE SA referred the matter to the EDPB in accordance with
                                Article 60(4) GDPR, thereby initiating the dispute resolution
                                procedure under Article 65(1)(a) GDPR.

⁸ Complaint, paragraph 1.3.
⁹ Schedule to Draft Decision, paragraphs 2.11 to 2.17 (Competence of the Commission) (p. 10-12).
¹⁰ Response of NL SA to IE SA Composite Response Memorandum dated 7 July 2022.
¹¹ Response of DE SA to IE SA Composite Response Memorandum dated 8 July 2022.
¹² Response of FI SA to IE SA Composite Response Memorandum dated 8 July 2022.
¹³ Response of NO SA to IE SA Composite Response Memorandum dated 11 July 2022.



6. Following the submission by the LSA of this matter to the EDPB in accordance with Article 60(4) GDPR in the Internal Market Information system (hereinafter, “IMI”)¹⁵ on 19 August 2022, the EDPB Secretariat assessed the completeness of the file on behalf of the Chair in line with Article 11(2) of the EDPB RoP.

7. The EDPB Secretariat contacted the IE SA on 23 September 2022, asking for clarifications in relation to some documents not provided whilst mentioned in Article 11.7 of the EDPB RoP, but mentioned in other documents. On the same date, the IE SA provided the information requested and confirmed the completeness of the file.

8. A matter of particular importance that was scrutinized by the EDPB Secretariat was the right to be heard, as required by Article 41(2)(a) of the EU Charter of Fundamental Rights (hereinafter the “EU Charter”). Further details on this are provided in Section 2 of this Binding Decision.

9. On 7 October 2022, after the Chair confirmed the completeness of the file, the EDPB Secretariat circulated the file to the EDPB members.

10. The Chair decided, in compliance with Article 65(3) GDPR in conjunction with Article 11(4) of the EDPB RoP, to extend the default timeline for adoption of one month by a further month on account of the complexity of the subject-matter.



2 THE RIGHT TO GOOD ADMINISTRATION

11. The EDPB is subject to the EU Charter, in particular Article 41 (the right to good administration). This is also reflected in Article 11(1) EDPB RoP. Further details were provided in the EDPB Guidelines on Article 65(1)(a) GDPR¹⁶.

12. The EDPB’s binding decision “shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned and binding on them” (Article 65(2) GDPR). It is not aiming to address directly any third party. However, as a precautionary measure to address the possible need for the EDPB to offer the right to be heard at the EDPB level to WhatsApp IE, the EDPB assessed if WhatsApp IE was offered the opportunity to exercise its right to be heard in relation to the procedure led by the LSA and the subject-matter of the dispute to be resolved by the EDPB. In particular, the EDPB assessed if all the documents containing the matters of facts and law received and used by the EDPB to take its decision in this procedure have already been shared previously with WhatsApp IE.



¹⁴ The objections, the Composite Response, including the IE SA’s assessment of the relevant and reasoned objections, as well as the replies of the CSAs.
¹⁵ The Internal Market Information (IMI) is the information and communication system mentioned in Article 17 EDPB RoP.
¹⁶ See EDPB Guidelines 3/2021 on the application of Article 65(1)(a) GDPR, adopted on 13 April 2021 (version for public consultation) (hereinafter, “Guidelines on Article 65(1)(a)”), paragraphs 94-108.

13. The EDPB notes that WhatsApp IE has received the opportunity to exercise its right to be heard regarding all the documents containing the matters of facts and of law considered by the EDPB in the context of this decision and provided its written observations¹⁷, which have been shared with the EDPB by the LSA¹⁸.

14. Considering that WhatsApp IE has been already heard by the IE SA on all matters of facts and of law addressed by the EDPB in its binding decision, the EDPB is satisfied that Article 41 of the EU Charter has been respected.

15. The EDPB considers that the Complainant is not likely to be adversely affected by this binding decision, and consequently does not meet the conditions to be granted a right to be heard by the EDPB in line with Article 41 of the EU Charter, applicable case law, and Article 11 of the EDPB RoP. This is without prejudice to any right to be heard or other related rights the Complainant may have before the competent national supervisory authority(/-ies).


3 CONDITIONS FOR ADOPTING A BINDING DECISION

16. The general conditions for the adoption of a binding decision by the EDPB are set forth in Article 60(4) and Article 65(1)(a) GDPR¹⁹.

3.1 Objection(s) expressed by CSA(s) in relation to a draft decision

17. The EDPB notes that several CSAs raised objections to the Draft Decision via IMI. The objections were raised pursuant to Article 60(4) GDPR.

18. More specifically, objections were raised by CSAs in relation to the following matters:

    • whether the LSA should have found an infringement for lack of appropriate legal basis;
    • the potential additional infringement of the principles of fairness, purpose limitation and data minimisation;
    • on possible further investigation;
    • corrective measures other than fines;
    • the imposition of an administrative fine.

19. Each of the objections was submitted within the deadline provided by Article 60(4) GDPR.








¹⁷ WhatsApp IE’s Submissions in relation to the Draft Inquiry Report, dated 22 June 2020. WhatsApp IE’s Response to Preliminary Draft Decision, dated 17 February 2022. WhatsApp IE Article 65 Submissions, dated 17 August 2022.
¹⁸ IN-18-5-6 Memo for Secretariat (Referral of objections to the EDPB pursuant to Article 60(4) and 65(1)(a) GDPR), 19 August 2022.
¹⁹ According to Article 65(1)(a) GDPR, the EDPB will issue a binding decision when a supervisory authority has raised a relevant and reasoned objection to a draft decision of the LSA and the LSA has not followed the objection or the LSA has rejected such an objection as being not relevant or reasoned.

3.2 The LSA does not follow the relevant and reasoned objections to the Draft Decision or is of the opinion that the objections are not relevant or reasoned

20. On 1 July 2022, the IE SA provided to the CSAs an analysis of the objections raised by the CSAs in the Composite Response.

21. The IE SA concluded that it would not follow the objections, and in addition, underlined that some of them are not in its view “relevant” and/or “reasoned”; within the meaning of Article 4(24) GDPR and, otherwise, for the reasons set out in the Composite Response and below²⁰.


3.3 Admissibility of the case

22. The case at issue fulfils, prima facie, all the elements listed by Article 65(1)(a) GDPR, since several CSAs raised objections to a draft decision of the LSA within the deadline provided by Article 60(4) GDPR, and the LSA has not followed objections or rejected them, for being in its views, as not relevant or reasoned.

23. The EDPB takes note of WhatsApp IE’s position that the EDPB should suspend the current Article 65 GDPR dispute resolution due to pending preliminary ruling proceedings before the Court of Justice of the EU (hereinafter, “CJEU”)²¹. WhatsApp IE refers in particular to cases C-252/21²² and C-446/21²³. Following its assessment, the EDPB decides to continue its proceedings on this Article 65 GDPR dispute resolution, as there is no explicit legal basis for a stay of the dispute resolution procedure in EU law, nor are existing CJEU rulings on the matter conclusive for the situation of the EDPB²⁴. Also, the EDPB takes into consideration the data subjects’ right to have their complaints handled within a ‘reasonable period’ (Article 57(1)(f) GDPR), and to have their case handled within a reasonable time by EU bodies (Article 41 of the EU Charter). Moreover, ultimately there are remedies available to the affected parties in case of a discrepancy between the EDPB binding decision and CJEU rulings in the aforementioned cases²⁵.

24. Considering the above, in particular that the conditions of Article 65(1)(a) GDPR are met, the EDPB is competent to adopt a binding decision, which shall concern all the matters which are the subject of the relevant and reasoned objection(s), (i.e. whether there is an infringement of the GDPR or whether the envisaged action in relation to the controller or processor complies with the GDPR²⁶).

²⁰ Composite Response, paragraphs 36, 74, 78 and 80.
²¹ WhatsApp IE's Article 65 Submissions, paragraph 2.11.
²² Request for a preliminary ruling of 22 April 2021, Meta Platforms and Others, C-252/21.
²³ Request for a preliminary ruling of 20 July 2021, Schrems, C-446/21.
²⁴ Judgment of the CJEU of 28 February 1991, Delimitis, C-234/89, EU:C:1991:91; Judgment of the CJEU of 14 December 2000, Masterfoods, C-344/98, EU:C:2000:689. These cases concerned proceedings before the national courts, where the parties faced the risk of being confronted with a conflicting decision of the national judge that could be seen as de facto nullifying the Commission decision – a power which is retained by the CJEU. The current dispute resolution procedure concerns the adoption of an administrative decision, which can be subject to full judicial review.
²⁵ In case an action for annulment is brought against the EDPB decision(s) and found admissible, the General Court/CJEU has the opportunity to invalidate the decision of the EDPB. In addition, and if the General Court/CJEU were to deliver any judgment in the time between the adoption of the EDPB’s Article 65 decision and the adoption of the IE SA’s final decision, the IE SA may ultimately decide to revise the final national decision it takes following the EDPB's binding decision - if the CJEU’s rulings give cause to do so - in accordance with the principle of cooperation as elaborated by the CJEU in its judgment of 12 January 2004, Kühne & Heitz NV, C-453/00, EU:C:2004:17.


25. The EDPB recalls that its current binding decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSA(s).


3.4 Structure of the binding decision

26. For each of the objections raised, the EDPB decides on their admissibility, by assessing first whether they can be considered as a “relevant and reasoned objection” within the meaning of Article 4(24) GDPR as clarified in the Guidelines on the concept of a relevant and reasoned objection²⁷.

27. Where the EDPB finds that an objection does not meet the requirements of Article 4(24) GDPR, the EDPB does not take any position on the merit of any substantial issues raised by that objection in this specific case. The EDPB will analyse the merits of the substantial issues raised by all objections it deems to be relevant and reasoned²⁸.



4 ON WHETHER THE LSA SHOULD HAVE FOUND AN INFRINGEMENT FOR LACK OF APPROPRIATE LEGAL BASIS

4.1 Analysis by the LSA in the Draft Decision

28. The IE SA concludes that the GDPR, the case law and the EDPB Guidelines relevant for the case do not preclude WhatsApp IE from relying on Article 6(1)(b) GDPR as a legal basis for the processing of users’ data necessary for the provision of its service, including through the improvement of the existing service and the maintenance of security standards²⁹. Finding 2 of the Draft Decision reads “I find the Complainant’s case is not made out that the GDPR does not permit the reliance by WhatsApp on 6(1)(b) GDPR in the context of its offering of Terms of Service.” In addition, the IE SA considers the Guidelines of the EDPB on processing for online services based on Article 6(1)(b) GDPR³¹ as being “not strictly binding, nonetheless instructive in considering this issue”³².

29. The IE SA understands the Complainant’s allegations as³³: firstly, the Complainant was given a binary choice: i.e. to either accept the Terms of Service and the associated Privacy Policy by selecting the “accept” button, or cease using the service³⁴; second that there was a lack of clarity on which specific legal basis WhatsApp IE relies on for each processing operation³⁵; and the Complainant’s concern on WhatsApp IE’s reliance on Article 6(1)(b) GDPR to deliver its Terms of Service³⁶.

²⁶ Article 65(1)(a) in fine GDPR. Some CSAs raised comments and not per se objections, which were, therefore, not taken into account by the EDPB.
²⁷ EDPB Guidelines 9/2020 on the concept of relevant and reasoned objection, version 2 adopted on 9 March 2021 (hereinafter “Guidelines on RRO”). They were adopted on 9 March 2021, after the commencement of the inquiry by the IE SA relating to this particular case.
²⁸ See EDPB Guidelines on Article 65(1)(a), paragraph 63 (“The EDPB will assess, in relation to each objection raised, whether the objection meets the requirements of Article 4(24) GDPR and, if so, address the merits of the objection in the binding decision”).
²⁹ Draft Decision, paragraphs 4.49 and 4.50.
³⁰ Draft Decision, Finding 2, p. 32.
³¹ EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, version 2, adopted on 8 October 2019 (hereinafter “Guidelines 2/2019 on Article 6(1)(b) GDPR”).
³² Draft Decision, paragraph 4.22.
³³ Draft Decision, paragraph 2.19.

30. While the IE SA acknowledges that the EDPB considers in its Guidelines 2/2019 on Article 6(1)(b) GDPR that, as a general rule, processing for the provision of new services, is not necessary for the performance of a contract for online service under Article 6(1)(b) GDPR, in this particular case, having regard to the specific terms of the contract and the nature of the service provided and agreed upon by the parties, the IE SA concludes that WhatsApp IE may in principle rely on Article 6(1)(b) GDPR as legal basis of the processing of users’ data necessary for the provision of its service, including through the improvement of the existing service and the maintenance of security standards³⁷. In addition, the IE SA considers that “issues of interpretation and validity of national contract law are not directly within” their competence³⁸.

31. The IE SA disagrees with what it describes as a “very restrictive view on when processing should be deemed to be “necessary” for the performance of a contract” proposed by the Complainant and the EDPB³⁹. The IE SA concludes that “core functions” cannot, however, be considered in isolation from the meaning of “performance”, the meaning of “necessity” as set out in the Draft Decision, and the content of the specific contract in question⁴⁰. The IE SA considers that Article 6(1)(b) GDPR cannot be interpreted as requiring that it is impossible to perform the contract without the data processing operations in question⁴¹.

32. The IE SA finds it important to have regard not just to the concept of what is “necessary”, but also to the concept of “performance” of the contract. According to the IE SA, a contract is performed when each party discharges their contractual obligations as has been agreed by reference to the bargain struck between the parties. While the IE SA agrees that the mere inclusion of a term in a contract does not necessarily mean that it is necessary to perform the particular contract, it stresses out that regard must be had for what is necessary for the performance of the specific contract freely entered into by the parties⁴².

33. Therefore, the IE SA notes that, the inclusion of a term, which does not relate to the core function of the contract could not be considered necessary for its performance⁴³.


34. For the purposes of identifying the “core” functions of the contract between WhatsApp IE and its users, the IE SA points out that the Complainant does not specify with any great precision the extent of the processing (or indeed the processing operation(s)) that the Complainant believes to not be necessary to perform the Terms of Service. The Complainant has however made some specific submissions arguing processing for service improvement, security, “exchange of data with affiliated companies” and that the processing of special categories of personal data is not necessary in order to fulfil the “core function” of a messaging and calling service such as the WhatsApp services. As a result, the Draft Decision focuses on these processing operations⁴⁴.

³⁴ Draft Decision, paragraph 2.8.
³⁵ Draft Decision, paragraph 2.9.
³⁶ Draft Decision, paragraphs 2.9 and 4.9.
³⁷ Draft Decision, paragraph 4.49.
³⁸ Draft Decision, paragraphs 3.13, 4.11, 4.22, 4.39 and 4.44.
³⁹ Draft Decision, paragraph 4.39 and 4.41.
⁴⁰ Draft Decision, paragraph 4.29.
⁴¹ Draft Decision, paragraphs 4.47, 4.49 and 4.50.
⁴² Draft Decision, paragraph 4.23.
⁴³ Draft Decision, paragraph 4.30.
35. Although according to Guidelines 2/2019 on Article 6(1)(b) GDPR⁴⁵, processing cannot be rendered
     lawful by Article 6(1)(b) GDPR “simply because processing is necessary for the controller’s wider
     business model”, the IE SA considers that having regard to the specific terms of the contract and the
     nature of the service provided and agreed upon by the parties, WhatsApp IE may in principle rely on
     Article 6(1)(b) GDPR as a legal basis of the processing of users’ data necessary for the provision of its
     service, including services for improvements and security features, insofar as this forms a core part of
     the service offered to and accepted by users⁴⁶.

36. Moreover, as described by the IE SA, a distinguishing feature of the WhatsApp IE’s service is that it
     regularly monitors its service in order to ensure it functions well (as distinct from the EDPB’s reluctance
     expressed in its Guidelines 2/2019 on Article 6(1)(b) GDPR with using data to bring about new services)
     and maintains certain security and abuse standards. Therefore, the IE SA concludes that the provision
     of this form of service is part of the substance and fundamental object of the contract.

37. The IE SA considers that this information is both clearly set out and publicly available, hence it would
     be difficult to argue that this is not part of the mutual expectations of a prospective user and of
     WhatsApp IE. Moreover, the IE SA states that the service is advertised as being one that has these
     features, and so any reasonable user would expect and understand that this was part of the
     agreement, even if users would prefer the market would offer them better alternative choices⁴⁷.

38. Based on the foregoing, the IE SA reaches the conclusion that nothing in Guidelines 2/2019 on Article
     6(1)(b) GDPR prevents WhatsApp IE, in principle, from relying on Article 6(1)(b) GDPR for these
     purposes⁴⁸.

39. The IE SA thus concludes that WhatsApp IE may in principle rely on Article 6(1)(b) GDPR as a legal basis
     of the processing of users’ data necessary on foot of the acceptance of the Terms of Service, including
     for regular improvements and maintaining standards of security⁴⁹.

40. The IE SA clarifies that, having regard to the scope of the complaint and its inquiry, the above
     conclusion cannot be construed as an indication that all processing operations carried out on users’
     personal data are necessarily covered by Article 6(1)(b) GDPR⁵⁰.

41. The IE SA also notes that other provisions of the GDPR, such as those on transparency, act to strictly
     regulate the manner in which the WhatsApp IE services are to be delivered and the information that
     should be given to users, and decides to address it separately in its Draft Decision⁵¹.

42. In a separate finding of its Draft Decision⁵², the IE SA reiterates that in a previous inquiry on WhatsApp
     IE, an infringement of the GDPR was found as to its compliance with Article 12(1) and Article 13(1)(c)
     GDPR for processing on foot of Article 6(1)(b) GDPR⁵³. The IE SA recalls the general requirement of
     transparency under Article 5(a) GDPR⁵⁴, and its previous decision and the associated findings, including
     the imposition of a fine and an order to WhatsApp IE to bring its Privacy Policy into compliance⁵⁵.

     44 Draft Decision, paragraph 4.32.
     45 Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 36.
     46 Draft Decision, paragraph 4.41.
     47 Draft Decision, paragraph 4.42.
     48 Draft Decision, paragraph 4.42.
     49 Draft Decision, paragraphs 4.47 and 4.49.
     50 Draft Decision, paragraph 4.50.
     51 Draft Decision, paragraph 4.47.
     52 Draft Decision, p. 37, Finding 3.

     4.2 Summary of the objections raised by the CSAs


43. The DE SA, FI SA, FR SA, NL SA and NO SA object to Finding 2 of the Draft Decision and the assessment
     leading up to it. They consider that the IE SA should have found an infringement of Article 6(1)
     GDPR⁵⁶, in line with the EDPB’s interpretation of this provision⁵⁷.

44. In the DE SA’s view, contrary to the IE SA’s submissions in the Draft Decision, WhatsApp IE cannot rely
     on Article 6(1)(b) GDPR or any other legal bases of Article 6(1) GDPR for the processing of a user’s
     data. According to the DE SA, this constitutes a breach of the principle of lawfulness under Article
     5(1)(a) and Article 6(1) GDPR. The DE SA is of the opinion also that the IE SA failed to impose an
     appropriate corrective measure in order to remedy these infringements. The DE SA puts forward the
     following arguments in support of the above allegations.

45. First, the DE SA does not share the understanding of the IE SA regarding the binding nature of the
     Guidelines 2/2019 on Article 6(1)(b) GDPR. The DE SA agrees that guidelines are not legally binding in
     the same way as legal provisions are. It recalls however that they are instrumental for establishing
     uniform application of EU law according to Article 70(1)(e) GDPR, as well as for ensuring a consistent
     and high level of protection for natural persons in the light of recital 10 GDPR. The DE SA claims that
     the relevant and binding nature of guidelines for all supervisory authorities as such cannot be disputed.

46. Second, the DE SA disputes the IE SA’s allegations that, on the one hand, the GDPR does not prohibit
     WhatsApp IE from relying on Article 6(1)(b) GDPR in connection with its offer of Terms of Service and, on
     the other hand, that the LSA is not competent to assess the validity of contracts, respectively the
     validity of the Terms of Service or individual clauses. In this regard, the DE SA notes that the IE SA has
     full competence according to Article 57(1)(a) GDPR to assess the validity of contracts.

47. Moreover, as stated in the Guidelines 2/2019 on Article 6(1)(b) GDPR, a valid contract is a prerequisite
     for controllers to base their processing operations on Article 6(1)(b) GDPR. On that background, the
     DE SA points out that in order to monitor the application of Article 6(1)(b) GDPR, as required by Article
     57(1)(a) GDPR, the IE SA must also verify the validity of the contract WhatsApp IE is relying upon. The
     DE SA adds that according to Article 5(2) GDPR, WhatsApp IE must also prove that such a contract has
     come into existence, meaning that an offer and corresponding acceptance of a contract is declared by
     the parties. In other words, it must be apparent to the contractual partner that they are not giving a
     (revocable) consent, but are concluding a contract. If this is not the case, the DE SA considers, as
     opposed to the IE SA⁵⁸, that WhatsApp IE cannot rely on the right to choose its own legal basis.




     53 IE SA’s decision of 20 August 2021 in inquiry reference IN-18-12-2 (hereinafter “the IE SA’s Decision on
        WhatsApp IE’s Transparency”), adopted following EDPB Binding decision 1/2021 on the dispute arisen on the
        draft decision of the IE SA regarding WhatsApp IE under Article 65(1)(a) GDPR (hereinafter “EDPB Binding
        Decision 1/2021”).
     54 Draft Decision, paragraph 5.8.
     55 Draft Decision, paragraph 5.9.
     56 DE SA’s Objection, pp. 1-8; FI SA’s Objection, pp. 2-8; NL SA’s Objection, pp. 3-7; NO SA’s Objection, pp. 1-5,
        FR SA’s Objection, p. 9.
     57 Guidelines 2/2019 on Article 6(1)(b) GDPR.
     58 Draft Decision, Issue 3.

48. Third, the DE SA objects to the IE SA’s finding⁵⁹ that the necessity of the processing is determined not
     by what is necessary to fulfil the objectives of “a social network” in a general sense, but what is
     necessary to fulfil the core functions of the particular contract between WhatsApp IE and its users.
     Those core functions do not encompass the improvements to an existing service and maintaining
     certain security and abuse standards. The DE SA stresses that first WhatsApp IE is not a social
     network but a messaging service and that from the perspective of an average data subject, it is not a
     distinguishing characteristic of the WhatsApp IE services to improve their service constantly or
     maintain certain security standards. Therefore, according to Guidelines 2/2019 on Article 6(1)(b)
     GDPR⁶⁰, such processing cannot be rendered lawful by Article 6(1)(b) GDPR simply because the
     processing is necessary for the controller’s wider business model. Only the data processing that is
     actually necessary for the corresponding contractual purpose – the operation of the WhatsApp IE
     Services – can be justified on the basis of Article 6(1)(b) GDPR. In addition, pursuant to Article 32 GDPR,
     WhatsApp IE has the obligation to implement data security measures regardless of the content of the
     contract, so those measures are not to be considered as an essential element of the contract.

49. The DE SA reiterates that Guidelines 2/2019 on Article 6(1)(b) GDPR explicitly limit the controller’s
     possibility to expand the categories of personal data or types of processing operations that are
     necessary for the performance of the contract. Based on this, the DE SA concludes that the
     interpretation of Article 6(1)(b) GDPR given in the Draft Decision would allow for bypassing the data
     protection principles, in particular the requirements for a valid consent, using the Terms of Services.

50. Finally, with regard to the allegation in the Draft Decision that the Complainant did not specify “with
     any great precision” which processing operations she believes to be unlawful⁶¹, the DE SA argues,
     referring to Article 77 GDPR, that the Complainant has no obligation to do so. The DE SA takes into
     account also that the only source of information about WhatsApp IE’s processing operations is the
     publicly available documents that are non-transparent⁶². In the DE SA’s view, it is the duty of
     WhatsApp IE to prove compliance in accordance with Article 5(2) GDPR. As a whole, the DE SA
     concludes that the processing described or indicated in the Terms of Service cannot be (fully) based
     on Article 6(1)(b) GDPR. Moreover, the DE SA considers that there is no other valid legal basis evident.

51. The FI SA objects to the IE SA’s finding⁶³ that WhatsApp IE can rely on Article 6(1)(b) GDPR for all the
     processing operations set out in the Terms of Service, such as service improvements and security
     purposes. When it comes to the service improvements and security purposes of processing, the FI SA
     refers at the outset to Guidelines 2/2019 on Article 6(1)(b) GDPR⁶⁴ in order to justify its allegation that
     the processing of data for those purposes is not necessary for performing the key aspects of the
     contract and for this reason it cannot be based on Article 6(1)(b) GDPR.


52. The FI SA contests the LSA’s statement that the legal concept of “core” processing falls out of the
     interpretation of GDPR⁶⁵. In this respect the FI SA finds that the rationale behind Article 6(1)(b) GDPR
     is that it provides a legal basis for situations where processing of personal data will logically need to
     take place only in the course of the provisions of a contractual service. Furthermore, in relation to the
     IE SA’s allegation that the necessity of processing is to be determined by reference to the particular
     contract, the FI SA highlights that the controller cannot include in the contract everything they wish to
     be legitimized under Article 6(1)(b) GDPR, without having for example to ensure that the data subject’s
     consent was obtained or to carry out balancing tests between their legitimate interests and the
     interests of the data subjects.

     59 Draft Decision, paragraph 4.29.
     60 Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 37.
     61 Draft Decision, paragraph 4.32.
     62 Draft Decision, Issue 3.
     63 Draft Decision, Finding 2, p. 32.
     64 Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 25.
     65 Draft Decision, paragraph 4.11.

53. In addition, referring to Guidelines 2/2019 on Article 6(1)(b) GDPR⁶⁶, the FI SA reaches the conclusion
     that neither WhatsApp IE, nor the IE SA in its Draft Decision have properly and objectively reasoned
     how the processing of personal data was necessary also from the user’s perspective and not only from
     the controller’s side. The FI SA contests the IE SA’s statements that, in general, a reasonable user would
     be well-informed about the processing covered by the contract⁶⁷, and that in the specific case the
     user is informed about the processing of personal data for service improvements and security
     purposes, therefore this processing is part of the mutual expectations of a prospective user and
     WhatsApp IE⁶⁸. In addition, while the FI SA admits that service improvements and security might be a
     valid part of the WhatsApp IE services, it is of the opinion that processing for those purposes is not
     necessary for providing such services, as the WhatsApp IE services could be delivered in the absence
     of processing of such personal data. In addition, the FI SA maintains that the said processing activities
     are not necessary for the performance of the contract.

54. Next, while the FI SA agrees that there is no hierarchy between legal bases, it points out that it is the
     responsibility of the controller to assess which legal basis is appropriate for the specific processing.
     When it comes to the IE SA’s argument that EDPB guidelines are not strictly binding⁶⁹, the FI SA recalls
     that the GDPR itself refers to the EDPB guidelines in its Article 70(1)(e) and therefore stresses the
     importance of the common position of supervisory authorities. The FI SA also highlights that the EDPB
     shall ensure the consistent application of the GDPR as laid down in Article 70(1) GDPR and enshrined
     in recital 10 GDPR.

55. The FR SA objects to the conclusions in Part 4 of the Draft Decision, in particular points 4.47 and 4.49,
     that WhatsApp IE has not failed to fulfil its obligations under Article 6 GDPR, and, in addition, that
     WhatsApp IE is not required to rely on the legal basis of consent (Article 6(1)(a) GDPR). At the outset,
     the FR SA finds questionable the position adopted by the IE SA on WhatsApp IE’s reliance on Article
     6(1)(b) GDPR for processing operations related to service improvements. The FR SA notes in this regard
     that the Draft Decision does not define what service improvement processing covers and does not
     provide enough elements on the categories of data used for service improvement purpose, which does
     not allow to pronounce on the applicable legal basis for the processing in question. Therefore, the FR
     SA requests that the IE SA completes its Draft Decision on this point, by providing more specific
     information and evidence. According to the FR SA, the main reason of the users’ registration to the
     WhatsApp services is not the use of their data to improve the messaging service. In the FR SA’s view,
     the fact that WhatsApp IE's processing operations for service improvement purpose are based on the
     legal basis of the contract, and that it is accepted by a simple validation of the Terms of Service, is not
     compliant with the applicable provisions.

56. The FR SA considers that only the legal bases of legitimate interest and consent can be considered for
     processing operations related to service improvement purpose among those listed in Article 6 GDPR.
     Nevertheless, the FR SA submits that at first analysis, neither the conditions for the application of
     consent, nor the conditions for the application of legitimate interest seem to be met and WhatsApp IE
     could not use it for the implementation of the processing operations in connection with service
     improvements. In conclusion, since the IE SA does not define what is covered by the processing of data
     for service improvement purpose and the conditions of implementation, it is not easy for the FR SA to
     have a firm position on this point and so, on the legal basis that applies for the processing. The FR SA
     suggests that the IE SA should provide more specific evidence in its Draft Decision regarding this issue,
     in order to assess if the processing can, or cannot, be based on the legal basis of the legitimate interest.
     The FR SA states that in reaching the conclusion for lack of breach of Article 6(1) GDPR the LSA erred
     in its assessment of the facts of the case.

     66 Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraphs 32, 48 and 49.
     67 Draft Decision, paragraph 4.36.
     68 Draft Decision, paragraph 4.42.
     69 Draft Decision, paragraph 4.22.

57. The NL SA first observes that the IE SA failed to include sufficient analysis, evidence and research in its
     Draft Decision on what the purposes of processing selected are, and how data are used, making it
     difficult to apply Article 6 GDPR⁷⁰. The NL SA then questions the validity of the contract between
     WhatsApp IE and users, and the NL SA argues that, as a result, grounding the processing on Article
     6(1)(b) would be impossible⁷¹. The NL SA presents the following arguments. First, in the NL SA’s
     opinion, the Terms of Service and the Privacy Policy are lengthy and unclear⁷². Next, the NL SA notes
     that as a general rule, both parties must be aware of the substance of a contract, in order to willingly
     enter into it, and considers that “the established serious lack of transparency on behalf of the
     controller, therefore leads to a reasonable doubt whether data subjects have indeed been able to enter
     into a contract with the controller both willingly and sufficiently informed”⁷³. The NL SA compounds its
     doubts on the validity of the contract by arguing that WhatsApp IE presents a completely one-sided
     deal whereby an individual data subject has no influence on any of the terms⁷⁴. The NL SA therefore
     considers that WhatsApp IE’s statement that it relies on Article 6(1)(b) GDPR for the WhatsApp
     services, in combination with documents with general descriptions of the services provided, and the
     IE SA’s reference to the controller’s right to choose its own legal basis to process data, are insufficient
     to accept that the performance of a contract can be used as a legal basis. Last, due to a lack of insight
     in the processing operations and the potential processing of children’s personal data or special
     categories of personal data, the NL SA has serious doubts on the validity of such a contract when
     children are involved⁷⁵.

58. Further to the foregoing, the NL SA also raises an objection with regard to the IE SA’s approach in its
     Draft Decision’s Finding 2. The NL SA deems the approach taken to be contradictory, given the fact the
     IE SA does not wish to enter into analysis of contract law, while at the same time certain concepts from
     contract law are presented, such as “performance” of a contract⁷⁶. The NL SA argues there is a
     contradiction in the idea that a clear contract is present, while there are significant transparency issues
     at the same time. The NL SA notes that without entering into the specifics of contract law, regard must
     be had to the general rule that both parties must be aware of the substance of a contract as well as
     the obligations of both parties to the contract, in order to willingly enter into such contract⁷⁷. In the
     NL SA’s view, the established serious lack of transparency on behalf of the controller gives rise to
     reasonable doubt in this regard⁷⁸.


     70 NL SA’s Objection, paragraph 5.
     71 NL SA’s Objection, paragraph 10.
     72 NL SA’s Objection, paragraph 8.
     73 NL SA’s Objection, paragraph 12.
     74 NL SA’s Objection, paragraph 10.
     75 NL SA’s Objection, paragraph 10.
     76 NL SA’s Objection, paragraph 11.
     77 NL SA’s Objection, paragraph 12.
     78 Draft Decision, p. 31.

59. Adding to that, the NL SA also notes that a relevant step is to assess whether the concrete data
     processing activities that are based on the contract, are actually necessary for performing the key
     aspects of the agreement⁷⁹. The NL SA argues that the IE SA has not interpreted the term “necessary”
     in Article 6(1)(b) GDPR in line with the EDPB guidance, such as Guidelines 2/2019 on Article 6(1)(b)
     GDPR, on this provision⁸⁰. The NL SA adds that the IE SA also did not include any substantive
     investigation into what data subjects have understood to be the core of the service they have signed
     up to and whether they meant to give their consent for the processing of personal data or whether
     they intended to conclude an agreement with the controller⁸¹. In the NL SA’s view, the IE SA did not
     conduct a proper assessment on whether all processing operations could be based on a contract and
     if not, what other legal basis could be applicable⁸². The NL SA disagrees with the IE SA’s finding that
     the criterion of necessity laid down in Article 6(1)(b) GDPR is indirectly impacted by domestic contract
     law, since this criterion has an independent meaning in case law and in different EDPB guidelines⁸³.

60. The NO SA contests in essence the IE SA’s finding that WhatsApp IE can rely on Article 6(1)(b) GDPR as
     a legal basis for processing in the context of service improvements and security features and proposes
     imposing respective corrective measures. The NO SA questions whether the processing of personal
     data for the purposes of service improvements and security features is genuinely necessary for the
     performance of the contract in question. According to the NO SA, the Draft Decision enables
     controllers to artificially expand what can fall under Article 6(1)(b) GDPR. In support of the above
     objection, the NO SA advances the following arguments.

61. First, the NO SA disagrees with the IE SA’s position that any processing of personal data included in
     contractual terms would automatically be lawful if framed in a particular manner. In that context, in
     the NO SA’s view, it is not the legislation which sets the boundaries for lawfulness under Article 5(1)(a)
     GDPR, but instead the individual contract, which makes the IE SA’s interpretation of Article 6(1)(b)
     GDPR incompatible with Article 8 of the EU Charter. Second, the NO SA suggests that Article 6(1)(b)
     GDPR should be interpreted in light of its wording, purpose and context. The NO SA considers that
     there would always need to be an in concreto assessment of what is necessary for the performance of
     the particular contract overall, on a case-by-case basis. The NO SA is of the opinion that the rationale
     behind the first alternative of Article 6(1)(b) GDPR is to provide a legal basis for situations where
     processing of personal data will logically need to take place in the course of the provision of a
     contractual service. In this sense, the NO SA claims that processing of personal data for the purposes
     of service improvements and security features as described in the Draft Decision is not a logical
     precondition for the messaging service that WhatsApp IE entails. Third, the NO SA believes that the
     IE SA’s interpretation of Article 6(1)(b) GDPR has the effect of undermining or circumventing the
     other legal bases of Article 6(1) GDPR.

62. With such interpretation, the NO SA finds it hard to foresee when consent under Article 6(1)(a) GDPR
     would be relied upon as a legal basis. The same applies to situations invoking Article 9 GDPR. The NO
     SA suggests that there would be no use of the legal basis under Article 6(1)(a) and (f) GDPR, because
     for the controller it is much more convenient to rely on Article 6(1)(b) GDPR. Fourth, according to the
     NO SA, Article 7(4) GDPR entails that, if processing of personal data is in fact necessary for the
     performance of a contract, then a consent can be considered freely given even if the data subject is
     excluded from a service should they decline to give consent. The NO SA considers that under the
     interpretation put forward by the IE SA, generally almost all processing of personal data by non-public
     entities could be framed as being necessary for the performance of a contract, also in the context of
     Article 7(4) GDPR. The NO SA alleges that this would render Article 7(4) GDPR meaningless and
     without effect in practice, as it would never be invoked. This would, in the NO SA’s view, render the
     take-it-or-leave-it consents permissible.

     79 NL SA’s Objection, paragraph 13.
     80 NL SA’s Objection, paragraph 16.
     81 NL SA’s Objection, paragraph 13.
     82 NL SA’s Objection, paragraph 33.
     83 NL SA’s Objection, paragraph 16.

63. The NO SA submits that this lower standard for valid consent would in particular be problematic when
     consent serves as a basis for processing of special category of personal data pursuant to Article 9(2)(a)
     GDPR, or as a Chapter V GDPR exemption pursuant to Article 49(1)(a) GDPR.

64. Moreover, the NO SA advances the argument that data subjects may be de facto dependent on
     certain services and in lack of realistic alternatives to them, in particular due to network effects,
     therefore they will generally have little opportunity to negotiate standardised terms of service. This
     creates a take-it-or-leave-it situation and an uneven playing field. The NO SA comes to the conclusion
     that if rejecting the contractual terms is necessary in order to protect oneself from harm, so that one
     is subsequently excluded from the service, participating in discussions, corresponding with others and
     receiving information becomes significantly more difficult. As a result, this interpretation could also
     adversely affect data subjects’ freedom of expression and information.


     4.3 Position of the LSA on the objections

65. The IE SA considers that the objections above are not relevant and/or not reasoned for the purpose of
     Article 60(4) GDPR and decides not to follow them⁸⁴.

66. With regard to the objections of the DE SA, FI SA, FR SA, NL SA and NO SA concerning WhatsApp IE’s
     possible reliance on Article 6(1)(b) GDPR as the applicable basis for personal data processing, the IE SA
     is of the opinion that an assessment of the core functions of the contract is required.

67. The IE SA acknowledges that there are different views on how the “core” elements of the Terms of
     Service are assessed, however it considers that it does not adopt a merely formal approach with regard
     to Article 6(1)(b) GDPR that relies only on the textual content of the Terms of Service. Moreover, it
     considers that an assessment of the core functions of the contract (not merely on the written terms)
     is required, pursuant to Article 6(1)(b) GDPR and the requirement for the necessity test⁸⁵.

68. The IE SA considers that WhatsApp IE has not sought to make the WhatsApp services contingent on
     the Complainant’s consent to the Terms of Service. Moreover, it does not consider that the test for
     contractual necessity under Article 6(1)(b) GDPR would be reduced to an assessment of written
     contractual terms, without reference to the fundamental purpose of the contract. The Draft Decision
     does not take the view that all written contractual terms are necessary for the performance of a
     contract, thus the risks described in this regard are not relevant⁸⁶.

69. The IE SA notes that Article 6(1)(b) GDPR legitimises processing which is necessary for the performance
     of a contract (i.e. an agreement which serves the mutual interests of the parties). In addition, it is
     considered that a reasonable user would have had sufficient understanding that the service included
     the use of metrics for improvement. Accordingly, the IE SA disagrees with the interpretation of “core”
     contractual purposes, as suggested by the CSAs, and considers that the Terms of Service properly
     reflects the agreement entered into by the Complainant, nor does the restrictive interpretation reflect
     the purpose of Article 6(1)(b) GDPR⁸⁷.

     84 Composite Response, paragraphs 44, 45, 46, 48, 49, 72 and 73.
     85 Composite Response, paragraphs 47-48.
     86 Composite Response, paragraph 50.

70. The IE SA states that the guidelines are not binding on supervisory authorities, however, they should
     be taken into account. However, the IE SA’s position is that the EDPB has not been provided with the
     legal power to mandate that certain categories of processing must be based on consent, to the
     exclusion of any other legal bases for processing. The IE SA’s view is that such a power is properly
     exercised from time to time by the EU legislator, in the form of specific legislative measures. In
     particular, it is noted that Guidelines 2/2019 on Article 6(1)(b) GDPR contain very general observations
     to the effect that personal data should not be used “generally” for service improvement pursuant to
     Article 6(1)(b) GDPR. The IE SA considers that under these guidelines, processing for service
     improvement is not prohibited, pursuant to Article 6(1)(b) GDPR, so long as it falls within the core or
     essential aspects of the service⁸⁸.

71. The IE SA recalls in this regard that the Draft Decision also assesses the core functions of WhatsApp
     IE’s Terms of Service⁸⁹. The Draft Decision notes that any application of the principle of necessity must
     be specific to the agreement entered into between the parties. The Draft Decision states that
     processing should be regarded as necessary for the performance of a contract between the controller
     and the data subject if it is necessary to perform the clearly understood objectives of a contract. The
     Draft Decision also states that in order to understand the mutual understanding of a contract, it is
     necessary to have regard to the specific content of the agreement itself. Having conducted an
     assessment of the core or fundamental aspects of WhatsApp IE’s Terms of Service, the Draft Decision
     concludes that the nature of the service being offered on this occasion specifically included regular
     service improvement including dealing with abuse, as an aspect of the agreement between WhatsApp
     IE and its users.

72. The IE SA clarifies that in reaching the above conclusion, it had regard to the expectations of users
     based on the specific content of the Terms of Service. The IE SA concludes on this basis that the processing
     should be regarded as necessary for the performance of WhatsApp IE’s Terms of Service. Moreover,
     the IE SA adopts the position that the mutual expectations of the parties as to the performance of the
     contract should consider the expectations and interests of both parties, as reflected in the contract
     itself⁹⁰.

73. The IE SA considers that the EU legislator did not limit the provision of Article 6(1)(b) GDPR only to
     processing which is strictly necessary for the delivery of goods and services to a data subject, nor are
     the contractual interests of the controller disregarded by this provision. In this regard, the IE SA notes
     that contracts may include aspects of performance, which are optional or contingent. In the IE SA’s view,
     Article 6(1)(b) GDPR is not limited to aspects of contractual performance which are expressly
     mandatory and unconditional obligations of the parties. Accordingly, the IE SA is not satisfied that the
     ability to opt-out of any particular processing must logically be construed as conclusive evidence that
     such processing is not necessary to perform a contract. The IE SA submits that the exercise of options
     by a data subject in the context of a contract does not necessarily undermine the agreement entered
     into, or the necessity of processing while such options are engaged. The IE SA refers to the CJEU case
     C-524/06⁹¹ in support of its finding that necessity in the context of Article 6(1)(b) GDPR cannot be
     assessed by reference to hypothetical alternative forms of the WhatsApp IE services, as the CJEU has
     held in that case that processing which exceeds the most minimal level of processing possible, may be
     regarded as necessary, where it renders a lawful objective “more effective”. The IE SA states that it is
     not the role of supervisory authorities to impose specific business models on controllers.

     87 Composite Response, paragraph 59.
     88 Composite Response, paragraphs 66–69.
     89 Draft Decision, paragraph 4.30.
     90 Composite Response, paragraph 58.
     91 Judgment of 18 December 2008, Heinz Huber v. Bundesrepublik Deutschland, C-524-06, EU:C:2008:724.


74. The IE SA, taking into account the specific facts of this case, considers that WhatsApp IE as a controller
     has not attempted to artificially include processing which is not necessary for the fundamental purpose
     of its services. The IE SA considers that Guidelines 2/2019 on Article 6(1)(b) GDPR confirm the legal
     position, which is that service improvement processing pursuant to Article 6(1)(b) GDPR is not
     prohibited per se, as long as it falls within the core or essential aspects of the service.


     4.4 Analysis of the EDPB


     4.4.1 Assessment of whether the objections were relevant and reasoned

75. The objections raised by the DE SA, FI SA, FR SA, NL SA, and NO SA concern “whether there is an
     infringement of the GDPR” 92. Additionally, the DE SA and NO SA’s objections also concern “whether the
     action envisaged in the Draft Decision complies with the GDPR” 93.

76. The EDPB takes note of WhatsApp IE’s view that not a single objection put forward by the CSAs meets
     the threshold of Article 4(24) GDPR 94. From a general standpoint, WhatsApp IE argues that “to the
     extent Objections relate to matters which are outside of the Defined Scope of Inquiry, as identified in
     the Draft Decision, they fail to satisfy the requirements of Article 4(24) GDPR and as such are not
     “relevant and reasoned”.” 95. Contrary to WhatsApp IE’s position on relevance 96, objections can have
     bearing on the “specific legal and factual content of the Draft Decision”, despite not aligning with the
     scope of the inquiry as defined by an IE SA. Furthermore, the EDPB does not accept WhatsApp IE’s
     narrowing the scope of the “reasoned” criterion to arguments on issues that have been investigated or
     addressed in the inquiry 97, as no such limitation can be read in Article 4(24) GDPR 98.

77. Contrary to WhatsApp IE’s argument that CSAs may not object to the scope of the inquiry as decided
     by the IE SA, the EDPB does not share this reading of Article 65 GDPR. Furthermore, this possibility is
     explicitly stated in the RRO Guidelines, especially regarding complaint-based investigations 99.





     92 Guidelines on RRO, paragraph 24.
     93 Guidelines on RRO, paragraph 32.
     94 WhatsApp IE’s Article 65 Submissions, Annex 1, p. 75-120.
     95 WhatsApp IE’s Article 65 Submissions, paragraph 3.3.
     96 WhatsApp IE cites the Guidelines on RRO, which state that “[a]n objection should only be considered relevant
     if it relates to the specific legal and factual content of the Draft Decision” (paragraph 14) to draw the conclusion
     that any objection raising matters outside the scope of the inquiry is not relevant. See WhatsApp's Article 65
     Submissions, paragraph 3.3. The EDPB notes that paragraph 14 of the Guidelines on RRO draws a distinction
     between relevant objections and “abstract or broad concerns or remarks” on the one hand and “minor
     disagreements” on the other. Moreover, this paragraph should be read in conjunction with paragraph 27 of the
     Guidelines on RRO.
     97 WhatsApp IE’s Article 65 Submissions, paragraph 3.3.
     98 Guidelines on RRO, paragraph 16-19.
     99 Guidelines on RRO, paragraph 27: “For instance, if the investigation carried out by the LSA unjustifiably fails to
     cover some of the issues raised by the complainant or resulting from an infringement reported by a CSA, a relevant
     and reasoned objection may be raised based on the failure of the LSA to properly handle the complaint and to
     safeguard the rights of the data subject.”




78. WhatsApp IE also states that “were the EDPB to expand the scope of the Inquiry as set by the DPC at
     this stage, in the manner proposed in the Objections, this could not be reconciled with the procedural
     requirements of Irish or European Union (“EU”) law, and would infringe WhatsApp IE’s legitimate
     expectations, right to fair procedures and due process (including the right to be heard), and rights of the
     defence” 100. Despite claiming it is “clear”, WhatsApp IE does not demonstrate in which manner its
     procedural rights would be breached, just by the mere fact that the EDPB finds specific objections
     admissible. This is especially questionable, since admissibility determines the competence of the EDPB,
     but not the outcome of the dispute between the LSA and the CSAs. Likewise, WhatsApp IE does not
     explain how the mere act of considering the merits of admissible objections inevitably and irreparably
     breaches the procedural rights cited by WhatsApp IE 101. Accepting WhatsApp IE’s interpretation would
     severely limit the EDPB’s possibility to resolve disputes arising in the one-stop-shop, and thus
     undermine the consistent application of the GDPR. The objections of the DE SA, FI SA, FR SA, NL SA, and
     NO SA on the finding of an infringement all have a direct connection with the Draft Decision as they
     refer to a specific part of the latter, which is Finding 2. All of those objections concern “whether there
     is an infringement of the GDPR” as they argue that the IE SA should have found an infringement of
     Article 6 GDPR 102 or Article 6(1)(b) GDPR. As the IE SA considered that Article 6(1)(b) GDPR was not
     breached, the objections entail a need for a change of the IE SA’s Draft Decision leading to a different
     conclusion. Consequently, the EDPB finds that the DE SA, FI SA, FR SA, NL SA, and NO SA’s objections
     relating to the infringement of Article 6 or Article 6(1)(b) GDPR are relevant.


79. The part of the DE SA’s objection arguing that the IE SA should find an infringement of Article 5(1)(a)
     GDPR and impose the erasure of unlawfully processed personal data and the ban of the processing of
     data, and the part of the NO SA’s objection arguing that the IE SA should order WhatsApp IE to “delete
     personal data” and “impose an administrative fine” are linked to the IE SA’s Finding 2 of the Draft
     Decision with regard to Article 6(1)(b) GDPR. Therefore, they are directly connected with the substance
     of the Draft Decision and, if followed, would lead to a different conclusion, namely a change in this
     Finding. Thus, the EDPB considers that these parts of the DE SA and NO SA’s objections are also
     relevant.


80. The objections of the DE SA, FI SA, FR SA, NL SA, and NO SA all include arguments on legal/factual
     mistakes in the Draft Decision that require amending. More specifically, these CSAs provide arguments
     to challenge the Draft Decision’s consideration that WhatsApp IE can rely on Article 6(1)(b) GDPR as a
     lawful basis for personal data processing as specified in the Terms of Service 103. The IE SA held that the
     GDPR permits the reliance, by WhatsApp IE, on Article 6(1)(b) GDPR in the context of its offering of
     Terms of Service 104 including of users’ data in relation to improvement of the existing service and the
     maintenance of security standards 105. This view is challenged in broad terms as well as in detail. Some
     of the CSAs provide arguments challenging the validity of the contract on which the use of Article 6(1)(b)
     GDPR as a legal basis depends, and which the IE SA accepts 106. Some of the CSAs express that Article
     6(1)(b) GDPR as a legal basis cannot be relied upon regarding the purpose of service improvements 107
     and standards of security 108.

     100 WhatsApp IE’s Article 65 Submissions, paragraph 3.13.
     101 The EDPB fails to see how, for instance, declaring an objection admissible but rejecting it on the merits could
     impinge on the procedural rights of the controller involved in the underlying case.
     102 As specified in the objections of the DE SA, FR SA and NL SA.
     103 Draft Decision, paragraph 4.
     104 Draft Decision, paragraph 4.50.
     105 Draft Decision, paragraph 4.49.
     106 DE SA’s Objection, pp. 3-4; FI SA’s Objection, paragraphs 21-24; NL SA’s Objection, paragraph 26.

81. Some CSAs 109 recall, while referring to the terms of Guidelines 2/2019 on Article 6(1)(b) GDPR 110, that
     it is the fundamental and mutually understood – by the parties of the contract – contractual purpose,
     which justifies that the processing is necessary. This purpose is not only based on the controller’s
     perspective but also on a reasonable data subject’s perspective when entering into the contract and
     thus on “the mutual perspectives and expectations of the parties to the contract”. The FR SA and the
     NO SA 111 disagree with the Draft Decision in that the purposes of service improvement are described
     in the Draft Decision in very broad and vague terms, are not a logical precondition for the actual
     contractual service of WhatsApp IE and are not the main reason of a user’s registration to the WhatsApp
     services. The FI SA adds that most users, including the Complainant, are likely unaware of this
     processing of personal data in the context of the WhatsApp IE services 112.


82. The DE SA, FI SA, FR SA, NL SA, and NO SA’s objections also identify risks posed by the Draft Decision as
     drafted in the current manner, in particular the interpretation of Article 6(1)(b) GDPR that could be
     invoked by any controller for any processing would undermine or bypass data protection principles 113,
     would lower the threshold for legality of data processing 114 and thus endanger the rights of data
     subjects within the EEA 115. As an example, the NO SA highlights that “if it is possible to frame almost
     any processing of personal data in contractual terms such that it automatically becomes lawful, as
     would be the result pursuant to the [Draft Decision], data subjects would in reality have no control of
     their personal data” 116, while “the FI SA stresses that this would create a significant risk that the
     principle of lawfulness and fairness is circumvented” 117.

83. WhatsApp IE contends that in terms of risk, the objections must “demonstrate the likelihood of a direct
     negative impact of a certain significance of the Draft Decision on fundamental rights and freedoms
     under the EU Charter and not just any data subject rights” 118. WhatsApp IE thus adds a condition to
     Article 4(24) GDPR, which is not supported by the GDPR 119.


84. Considering the objections of the CSAs and the arguments brought forward by WhatsApp IE, the EDPB
     finds the objections of the DE SA, FI SA, FR SA, NL SA and NO SA on the finding of an infringement of
     Article 6 or Article 6(1)(b) GDPR reasoned.




     107 FI SA’s Objection, paragraphs 21-24; FR SA’s Objection, paragraphs 8-16; NO SA’s Objection, pp. 7-8.
     108 FI SA’s Objection, paragraph 31; the DE SA’s Objection mentions that security measures are not part of the
     contract but a legal obligation under Article 32 GDPR, p. 5.
     109 DE SA’s Objection, p. 5; FI SA’s Objection, paragraph 31; FR SA’s Objection, paragraph 10; NO SA’s Objection,
     p. 6.
     110 Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraphs 32 and 33.
     111 FR SA’s Objection, paragraphs 13-14; NO SA’s objection, pp. 3-4.
     112 FI SA’s Objection, paragraph 22.
     113 DE SA’s Objection, pp. 7-8.
     114 NL SA’s Objection, paragraphs 28-29.
     115 FR SA’s Objection, paragraphs 50-51.
     116 NO SA’s Objection, p. 8.
     117 FI SA’s Objection, paragraph 33.
     118 WhatsApp IE’s Article 65 Submissions, Annex 1, p. 73.
     119 Article 1(2) GDPR provides that the GDPR itself “protects fundamental rights and freedoms of natural persons
     and in particular their right to protection of personal data”, which directly stems from Article 8(1) of the EU
     Charter. Therefore, there is no reason to draw a distinction between the data subject rights protected by the
     GDPR and the fundamental rights protected under the EU Charter when interpreting Article 4(24) GDPR.


85. As regards the parts of the DE SA and NO SA’s objections requesting the finding of an infringement of
     Article 5(1)(a) GDPR and specific corrective measures under Article 58 GDPR for the infringement of
     Article 6(1)(b) GDPR, the EDPB considers that these parts of the objections do not sufficiently elaborate
     the legal or factual arguments that would justify a change in the Draft Decision leading to the finding
     of an infringement of Article 5(1)(a) GDPR or to the imposition of the specific corrective measures
     mentioned above. Likewise, the significance of the risk for data subjects, which stems from the IE SA’s
     Draft Decision not to conclude on the infringement of Article 5(1)(a) GDPR and not to impose the
     requested corrective measures, is not sufficiently demonstrated.

86. Considering the above, the EDPB finds that the objections of the DE SA, FI SA, FR SA, NL SA and NO SA
     on the finding of an infringement of Article 6 or Article 6(1)(b) GDPR are relevant and reasoned in
     accordance with Article 4(24) GDPR.

87. However, the parts of the DE SA and NO SA’s objections concerning the additional infringement of
     Article 5(1)(a) GDPR and the imposition of specific corrective measures are not “reasoned” and do not
     meet the threshold of Article 4(24) GDPR.


     4.4.2 Assessment on the merits

88. In accordance with Article 65(1)(a) GDPR, in the context of a dispute resolution procedure, the EDPB
     shall take a binding decision concerning all the matters which are the subject of the relevant and
     reasoned objections, in particular whether there is an infringement of the GDPR.

89. Based on the documents transmitted by the IE SA, the EDPB understands that the purposes of the
     processing operations covered by these objections are the following: (i) service improvements, and (ii)
     “safety and security”. In its Terms of Service, WhatsApp IE refers to its own definition of safety and
     security as follows: "We work to protect the safety and security of WhatsApp by appropriately dealing
     with abusive people and activity and violations of our Terms. We prohibit misuse of our Services,
     harmful conduct towards others, and violations of our Terms and policies, and address situations where
     we may be able to help support or protect our community. We develop automated systems to improve
     our ability to detect and remove abusive people and activity that may harm our community and the
     safety and security of our Services. If we learn of people or activity like this, we will take appropriate
     action by removing such people or activity or contacting law enforcement. We share information with
     other affiliated companies when we learn of misuse or harmful conduct by someone using our Services."

90. As a preliminary remark, the EDPB notes, as observed by the NL SA, that the purposes are vague,
     especially the one on “safety and security”, mentioned by WhatsApp IE in its Terms of Service. The
     EDPB understands from the short description provided under the relevant section of WhatsApp IE's
     Terms of Service that it refers to “misuse” of WhatsApp services, “harmful conduct”, and activities that
     would violate WhatsApp IE’s Terms of Service. In its Draft Decision, the IE SA considered that the
     Complainant did not identify particular processing operations with any degree of specificity, and that
     complaints should in general have a reasonable degree of specificity, and, hence addressed the issue
     of Article 6(1)(b) GDPR in principle. In doing so, the Draft Decision refers to various terms: “abusive
     activity” (which is referred to in WhatsApp IE’s Terms of Service) 120, “fraud” 121 and “security” without
     further description 122 (which is referred to in WhatsApp IE’s Terms of Service), which do not bring
     clarity and/or more specificity on this purpose. Based on these elements, and considering that
     WhatsApp IE’s Terms of Service refer to another purpose of processing than the security carried out
     by technical and organisational measures in order to secure the processing of personal data, networks
     and services or processing to which WhatsApp IE is entitled or obliged under other legal provisions
     (e.g. technical and organisational measures applied to protect personal data, for instance as required
     under Article 32 GDPR 123), the EDPB is excluding “IT Security” from its assessment of the merits
     hereinafter. On a similar note, the EDPB highlights that when the purpose of the processing is “IT
     Security”, for instance in the meaning of Article 32 GDPR, the purpose of the processing has to be
     clearly and specifically identified by the controller 124.

     120 Draft Decision, paragraphs 4.36, 4.41, 4.42.
     121 Draft Decision, paragraphs 4.38 and 4.49.
     122 Draft Decision, paragraphs 4.40, 4.42, 4.47, 4.49.

91. The EDPB considers that the objections found to be relevant and reasoned in this subsection 125 require
     an assessment of whether the Draft Decision needs to be changed insofar as it rejects the
     Complainant’s claim that the GDPR does not permit WhatsApp IE’s reliance on Article 6(1)(b) GDPR for
     the processing operations set out in its Terms of Service. When assessing the merits of the objections
     raised, the EDPB also takes into account WhatsApp IE’s position on the objections and its submissions.

92. The CSAs seek in essence to establish whether Article 6(1)(b) GDPR could serve as a valid legal basis
     for the processing of personal data at issue, namely for service improvements and security features,
     in the specific case and to establish whether there is an infringement of Article 6(1) GDPR.

93. The CJEU has found that so far as concerns the principles relating to lawfulness of processing, Article 6
     GDPR sets out an exhaustive and restrictive list of the cases in which processing of personal data can
     be regarded as lawful. Thus, in order to be considered lawful, processing must fall within one of the
     cases provided for in Article 6 GDPR 126 and it is the controller’s obligation to provide and to be able to
     prove that the correct legal basis is applied for the respective processing.

94. The EDPB considers that there is sufficient information in the file for it to decide whether the IE SA
     needs to change its Draft Decision insofar as it rejects the Complainant’s claim that the GDPR does not
     permit WhatsApp IE’s reliance on Article 6(1)(b) GDPR to process personal data in the context of its
     offering of its Terms of Service.


95. As described above, in Section 4.3, the IE SA concludes in Finding 2 of its Draft Decision that the
     Complainant’s case is not made out that the GDPR does not permit the reliance by WhatsApp IE on
     Article 6(1)(b) GDPR in the context of the latter offering its Terms of Service. Neither Article 6(1)(b)
     GDPR nor any other provision of the GDPR precludes WhatsApp IE from relying on Article 6(1)(b) GDPR
     as a legal basis to deliver a service, including the improvement of the existing service and the
     maintenance of security standards insofar as that forms a core part of the service 127. The IE SA
     considers that, having regard to the specific terms of the contract and the nature of the service
     provided and agreed upon by the parties, WhatsApp IE may in principle rely on Article 6(1)(b) GDPR as
     a legal basis of the processing of users’ data necessary for the provision of its WhatsApp services, on
     foot of the Complainant’s acceptance of the Terms of Service 128. The IE SA considers that this
     information is clearly set out, publicly available and understandable by any reasonable user 129.
     WhatsApp IE supports the IE SA’s conclusion 130.

     123 WhatsApp IE may also fall under legal duties to protect the security of its networks and services, as required
     by other laws. See for instance Article 40 of the European Electronic Communications Code established under
     Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018.
     124 See Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 16.
     125 Objections concerning the issue on the applicability of Article 6(1)(b) GDPR for purposes of service
     improvement and security features were raised by the DE SA, FI SA, FR SA, NL SA, and NO SA.
     126 Judgment of 11 December 2019, Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, EU:C:2019:1064,
     paragraphs 37 and 38.
     127 Draft Decision, paragraph 4.49.
     128 Draft Decision, paragraph 4.50.

96. To assess the IE SA and WhatsApp IE’s claims, the EDPB considers it necessary to recall the general
     objectives that the GDPR pursues, which must guide its interpretation, together with the wording of
     its provisions and its normative context 131.

97. The GDPR develops the fundamental right to the protection of personal data found in Article 8(1) of
     the EU Charter and Article 16(1) of the Treaty on the Functioning of the EU, which constitute EU
     primary law 132. As the CJEU clarified, “an EU act must be interpreted, as far as possible, in such a way
     as not to affect its validity and in conformity with primary law as a whole and, in particular, with the
     provisions of the Charter. Thus, if the wording of secondary EU legislation is open to more than one
     interpretation, preference should be given to the interpretation which renders the provision consistent
     with primary law rather than to the interpretation which leads to its being incompatible with primary
     law” 133. In view of rapid technological developments and increases in the scale of data collection and
     sharing, the GDPR creates a strong and more coherent data protection framework in the EU, backed
     by strong enforcement, and built on the principle that natural persons should have control over their
     own personal data 134. By ensuring a consistent, homogenous and equivalent high level of protection
     throughout the EU, the GDPR seeks to ensure the free movement of personal data within the EU 135.
     The GDPR acknowledges that the right to data protection needs to be balanced against other
     fundamental rights and freedoms, such as the freedom to conduct a business, in accordance with the
     principle of proportionality 136 and has these considerations integrated into its provisions. The GDPR,
     pursuant to EU primary law, treats personal data as a fundamental right inherent to data subjects and
     their dignity, and not as a commodity they can trade away through a contract 137. The CJEU provided
     additional interpretative guidance by asserting that the fundamental rights of data subjects to privacy
     and the protection of their personal data override, as a rule, a controller’s economic interests 138.


98. The principle of lawfulness under Article 5(1)(a) and Article 6 GDPR is one of the main safeguards to
     the protection of personal data. It follows a restrictive approach whereby a controller may only process
     the personal data of individuals if it is able to rely on one of the bases found in the exhaustive and
     restrictive lists of the cases in which the processing of data is lawful under Article 6 GDPR 139.

99. The principle of lawfulness goes hand in hand with the principles of fairness and transparency in Article
     5(1)(a) GDPR. The principle of fairness includes, inter alia, recognising the reasonable expectations of
     data subjects, considering possible adverse consequences a processing may have on them, and having
     regard to the relationship and potential effects of imbalance between them and the controller 140.

     129 Draft Decision, paragraph 4.42.
     130 WhatsApp IE’s Article 65 Submission, paragraphs 5.47.
     131 Judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C-184/20, EU:C:2022:601, paragraph 121.
     132 Recitals 1 and 2 GDPR.
     133 Judgment of 21 June 2022, Ligue des droits humains v. Conseil des ministres, C-817/19, EU:C:2022:491,
     paragraph 86; and judgment of 2 February 2021, Consob, C-481/19, EU:C:2021:84, paragraph 50 and the
     case-law cited.
     134 Article 1(1)(2) and recital 6 and 7 GDPR.
     135 Article 1(3) and recitals 9, 10 and 13 GDPR.
     136 Recital 4 GDPR.
     137 Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 54.
     138 Judgment of 13 May 2014, Google Spain SL, C-131/12, EU:C:2014:317, paragraphs 97 and 99.
     139 Judgment of 11 December 2019, TK v Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, EU:C:2019:1064,
     paragraph 37.

100. The EDPB agrees with the IE SA and WhatsApp IE that there is no hierarchy between Article 6(1) legal
     bases 141. However, this does not mean that a controller, as WhatsApp IE in the present case, has
     absolute discretion to choose the legal basis that suits better its commercial interests. The controller
     may only rely on one of the legal bases established under Article 6 GDPR if it is appropriate for the
     processing in question 142. A specific legal basis will be appropriate insofar as the processing can meet
     its requirements set by the GDPR 143 and fulfil the objective of the GDPR to protect the fundamental
     rights and freedoms of natural persons and in particular their right to the protection of personal data.
     A legal basis will not be appropriate if its application to a specific processing defeats this practical effect
     “effet utile” pursued by the GDPR and its Article 5(1)(a) and Article 6 GDPR 144. These criteria stem from
     the content of the GDPR 145 and the interpretation favourable to the rights of data subjects to be given
     thereto described in paragraph 97 above.


101. The GDPR makes WhatsApp IE, as the controller for the processing at stake, directly responsible for
     complying with the GDPR’s principles, including the processing of data in a lawful, fair and transparent
     manner, and any obligations derived therefrom 146. This obligation applies even where the practical
     application of GDPR principles such as those of Article 5(1)(a) and Article 5(2) GDPR are inconvenient
     or run counter to the commercial interests of WhatsApp IE. The controller is also obliged to be able to
     demonstrate that it meets these principles and any obligations derived therefrom, such as that it meets
     the specific conditions applicable to each legal basis 147. More specifically, this condition to be able to
     rely on Article 6(1)(b) GDPR as a legal basis to process the data subject’s data implies that a controller,
     in line with its accountability obligations under Article 5(2) GDPR, has to be able to demonstrate that
     (a) a contract exists and (b) the contract is valid pursuant to applicable national contract laws 148.

102. The EDPB agrees that supervisory authorities do not have, under the GDPR, a broad and general
     competence in contractual matters. However, the EDPB considers that the supervisory tasks, that the
     GDPR bestows on supervisory authorities, imply a limited competence to assess a contract’s general
     validity insofar as this is relevant to the fulfilment of their tasks under the GDPR 149. Otherwise, the
     supervisory authorities would see their monitoring and enforcement task under Article 57(1)(a) GDPR
     limited to actions, such as verifying whether the processing at stake is necessary for the performance
     of a contract (Article 6(1)(b) GDPR), and whether a contract with a processor under Article 28(3) GDPR
     and data importer under Article 46(2) GDPR includes appropriate safeguards pursuant to the GDPR.

     140 See, recital 39 GDPR and Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraphs 11 and 12.
     141 Draft Decision, paragraph 2.9, and WhatsApp IE's Article 65 Submission, paragraph 8.34.
     142 As mentioned in Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 18, the identification of the appropriate
     lawful basis is tied to the principles of fairness and purpose limitation. It will be difficult for controllers to comply
     with these principles if they have not first clearly identified the purposes of the processing, or if the processing
     of personal data goes beyond what is necessary for the specified purposes. See also Section 5 below on the
     potential additional infringement of the principles of fairness, purpose limitation and data minimisation.
     143 Judgment of 11 December 2019, TK v Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, EU:C:2019:1064,
     paragraph 37.
     144 Judgment of 18 December 2008, Heinz Huber v. Bundesrepublik Deutschland, C-524/06, EU:C:2008:724,
     paragraph 52 on the concept of necessity being interpreted in a manner that fully reflects the objective of
     Directive 95/46/EC. On the importance of considering the practical effect (“effet utile”) sought by EU law in its
     interpretation, see also for instance: judgment of 21 June 2022, Ligue des droits humains v. Conseil des ministres,
     C-817/19, EU:C:2022:491, paragraph 195; and judgment of 17 September 2002, Muñoz and Superior Fruiticola,
     C-253/00, EU:C:2002:497, paragraph 30.
     145 Article 1(1)(2) and (5) GDPR.
     146 Article 5(2) GDPR “Principle of accountability” of controllers; see also Opinion of the Advocate General of 20
     September 2022, Meta Platforms e.a., C-252/21, EU:C:2022:704, paragraph 52.
     147 Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 26.
     148 EDPB Binding decision 2/2022 on the dispute arisen on the draft decision of the IE SA regarding Meta Platforms
     Ireland Limited (Instagram) under Article 65(1)(a) GDPR, adopted on 28 July 2022 (hereinafter “EDPB Binding
     decision 2/2022”), paragraph 84.

103. The DE SA and NL SA150 argue that the validity of the contract for the WhatsApp services between the latter and the Complainant is questionable given the serious transparency issues in relation to the legal basis relied on151. In contract law, as a general rule, both parties must be aware of the substance of the contract and of the obligations of both parties to the contract in order to willingly enter into such contract.

104. Notwithstanding the possible invalidity of the contract, the EDPB refers to its previous interpretative guidance on this matter152 to provide below its analysis on whether the processing for the purposes of service improvement and security features153 is objectively necessary for WhatsApp IE to provide its services to users based on its Terms of Service and the nature of the services.

105. The EDPB recalls154 that for the assessment of necessity under Article 6(1)(b) GDPR, “[i]t is important to determine the exact rationale of the contract, i.e. its substance and fundamental objective, as it is against this that it will be tested whether the data processing is necessary for its performance”155. As the EDPB has previously stated, regard should be given to the particular aim, purpose, or objective of the service and, for applicability of Article 6(1)(b) GDPR, it is required that the processing is objectively necessary for a purpose and integral to the delivery of that contractual service to the data subject156.


106. Moreover, the EDPB notes that the controller should be able to justify the necessity of its processing by reference to the fundamental and mutually understood contractual purpose. This depends not only on the controller’s perspective, but also on a reasonable data subject’s perspective when entering into the contract157.

107. The IE SA accepts “that, as a general rule, the EDPB considers that processing for the provision of new services […] would not be necessary for the performance of a contract for online services”158. However, the IE SA considers that in this particular case, having regard to the specific terms of the contract and the nature of the services provided and agreed upon by the parties, WhatsApp IE may in principle rely on Article 6(1)(b) GDPR to process the user’s data necessary for the provision of its service, including through the improvement of the existing service and the maintenance of security standards.


108. In particular, the IE SA views service improvement to an existing service and “a commitment to uphold certain standards relating to abuse, etc.” as a “core” element of the contract between WhatsApp IE



149 EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraphs 9 and 13.
150 DE SA’s Objection, p. 3; NL SA’s Objection, paragraph 10.
151 Draft Decision, paragraph 5.9.
152 Guidelines 2/2019 on Article 6(1)(b) GDPR.
153 For the term security, see paragraph 90 of this binding decision.
154 EDPB Binding decision 2/2022, paragraph 89.
155 Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 Directive 95/46/EC, WP217, adopted on 9 April 2014 (hereinafter, “WP29 Opinion 06/2014 on the notion of legitimate interests”), p. 17.
156 Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 30.
157 EDPB Binding decision 2/2022, paragraph 90.
158 Draft Decision, paragraph 4.49.




and the users159. In support of this consideration, the IE SA refers to the information provided in the WhatsApp Terms of Service under the headings: “Ways To Improve Our Services.” and “Safety And Security.”160 The IE SA considers that it is clear that the WhatsApp services are advertised (and widely understood) as ones that require updates and improvement and so, that any reasonable user would “be well-informed that this is precisely the nature of the service being offered by WhatsApp and contained within the contract”161.

109. The EDPB is of the opinion that WhatsApp IE is under the legal duty to assess whether the processing of all its users' data is necessary for the purpose of service improvements or if there are alternative, less intrusive ways to pursue this purpose (e.g. instead of relying on all users' data for the purpose of service improvements, rely on a pool of users, who voluntarily agreed, by providing consent, to the processing of their personal data for this purpose).

110. On this issue, the EDPB recalls that the concept of necessity has its own independent meaning under EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU instrument, in this case, the GDPR162. Accordingly, the concept of necessity under Article 6(1)(b) GDPR cannot be interpreted in a way that undermines this provision and the GDPR’s general objective of protecting the right to the protection of personal data163 or contradicts Article 8 of the EU Charter. On the processing of data in the WhatsApp services, Advocate General Rantos supports a strict interpretation of Article 6(1)(b) GDPR among other legal bases, particularly to avoid any circumvention of the requirement for consent164.


111. The EDPB finds that an average user cannot fully grasp what is meant by processing for service improvement and security features, be aware of its consequences and impact on their rights to privacy and data protection, and reasonably expect it solely based on WhatsApp IE’s Terms of Service. Advocate General Rantos expresses similar doubts where he states, in relation to Facebook behavioural advertising practices, “According to the case-law of the Court of Justice, the processing must be objectively necessary for the performance of the contract in the sense that there must be no realistic, less intrusive alternatives, taking into account the reasonable expectations of the data subject. It also concerns the fact that, where the contract consists of several separate services or elements of a service that can be performed independently of one another, the applicability of Article 6(1)(b) of the GDPR should be assessed in the context of each of those services separately”165 and adds in a footnote that “Moreover, although merely referencing or mentioning data processing in a contract is not enough to bring the processing in question within the scope of Article 6(1)(b) of the GDPR, processing may be


159 Draft Decision, paragraph 4.41.
160 Draft Decision, paragraphs 4.34 and 4.35.
161 Draft Decision, paragraph 4.36.
162 See paragraphs 103-105 above on the principles guiding the interpretation of the GDPR and its provisions. The CJEU also stated in Huber that “what is at issue is a concept [necessity] which has its own independent meaning in Community law and which must be interpreted in a manner which fully reflects the objective of that Directive, [Directive 95/46], as laid down in Article 1(1) thereof”. Judgment of 18 December 2008, Heinz Huber v Bundesrepublik Deutschland, C-524/06, EU:C:2008:724, paragraph 52.
163 Article 1(2) GDPR.
164 Opinion of the Advocate General of 20 September 2022, Meta Platforms e.a., C-252/21, EU:C:2022:704, paragraph 51. The EDPB refers to the Advocate General’s Opinion in its Binding Decision as an authoritative source of interpretation to underline the EDPB’s reasoning on the processing of data in the Facebook service, without prejudice to the case-law that the CJEU may create with its future judgments on Cases C-252/21 and C-446/21.
165 Opinion of the Advocate General of 20 September 2022, Meta Platforms e.a., C-252/21, EU:C:2022:704, paragraph 54.




objectively necessary even if not specifically mentioned in the contract, without prejudice to the controller’s transparency obligations”166.
112. The EDPB provides in its guidance167 that assessing what is “necessary” involves a combined, fact-based assessment of the processing “for the objective pursued and of whether it is less intrusive compared to other options for achieving the same goal”. If there are realistic, less intrusive alternatives, the processing is not “necessary”. Article 6(1)(b) GDPR does not cover processing which is useful but not objectively necessary for performing the contractual service or for taking relevant pre-contractual steps at the request of the data subject, even if it is necessary for the controller’s other business purposes. While the possibility of improvements of services may routinely be included in contractual terms, such processing usually cannot be regarded as being objectively necessary for the performance of the contract with the user168.


113. When analysing the performance of a contract as a legal basis, the necessity requirement has to be interpreted strictly. As stated earlier by the Article 29 Working Party (hereinafter “WP29”)169, this “provision must be interpreted strictly and does not cover situations where the processing is not genuinely necessary for the performance of a contract, but rather unilaterally imposed on the data subject by the controller”170.


114. Concerning the processing of service improvement, the EDPB finds that a reasonable user cannot expect that their personal data is being processed for service improvement simply because WhatsApp IE briefly refers to this processing in its Terms of Service (which both WhatsApp IE and the IE SA consider as constituting the entirety of the contract), or because of the argument that “on the basis of the cont[r]act and wider circumstances, that a reasonable user would have had sufficient understanding that the service included the use of metrics for improvement” to which the IE SA refers171.

115. In addition, the IE SA already decided172 that WhatsApp IE infringed its transparency obligations under Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR by not clearly informing the Complainant and other users of the WhatsApp IE services’ specific processing operations, the personal data processed in them, the specific purposes they serve, and the legal basis on which each of the processing operations relies, as the IE SA concludes in its Draft Decision173. The EDPB considers that this fundamental failure of WhatsApp IE to comply with its transparency obligations contradicts the IE SA’s finding174 that WhatsApp IE’s users could reasonably expect service improvement and security features as being necessary for the performance of their contract.



166 Ibid, footnote 165.
167 Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 25.
168 Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 49.
169 The WP 29 - the predecessor of the EDPB - was established under Article 29 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Directive 95/46/EC”) and had a role, inter alia, to contribute to uniform application of national measures adopted under the Directive. Many of the substantive principles and provisions of the GDPR already existed in the Directive 95/46/EC, such as the one at stake in this Binding decision, thus WP29 guidance in this respect is relevant for the interpretation of the GDPR.
170 WP29 Opinion 06/2014 on the notion of legitimate interests, p. 16.
171 Composite Response, paragraph 59.
172 Draft Decision, paragraph 5.9.
173 Draft Decision, paragraph 5.9 and Finding 3.
174 Draft Decision, paragraph 4.42.




116. As regards security, the lack of clarity of the Terms of Service makes it even harder to understand what are the different purposes pursued and processing carried out175.

117. The EDPB recalls that “controllers should make sure to avoid any confusion as to what the applicable legal basis is” and that this is “particularly relevant where the appropriate legal basis is Article 6(1)(b) GDPR and a contract regarding online services is entered into by data subjects”, because “[d]epending on the circumstances, data subjects may erroneously get the impression that they are giving their consent in line with Article 6(1)(a) GDPR when signing a contract or accepting terms of service”176. Article 6(1)(b) GDPR requires the existence of a contract, its validity, and the processing being necessary to perform it. These conditions cannot be met where one of the parties (in this case a data subject) is not provided with sufficient information to know that they are signing a contract, the processing of personal data that it involves, for which specific purposes and on which legal basis, and how this processing is necessary to perform the services delivered. For the purposes of service improvement and security features, WhatsApp IE has not relied on any other legal basis to process personal data. These transparency requirements are not only an additional and separate obligation, but also an indispensable and constitutive part of the legal basis.


118. Given that the main purpose for which a user uses the WhatsApp services is to communicate with others, and that WhatsApp IE conditions their use to the user’s acceptance of a contract and the service improvement and security177 features they include, the EDPB cannot see how a user would have the possibility of opting out of a particular processing which is part of the contract. Thus, WhatsApp IE is accountable to prove that the legal basis applied for the processing at hand is valid and the failure to demonstrate this proves that Article 6(1) GDPR is not the applicable legal basis.

119. The EDPB agrees with the DE SA, FI SA, FR SA, NL SA and NO SA178 that there is a risk that the Draft Decision’s failure to establish WhatsApp IE’s infringement of Article 6(1)(b) GDPR, pursuant to its interpretation by the IE SA, nullifies this provision and makes theoretically lawful any collection and reuse of personal data in connection with the performance of a contract with a data subject. WhatsApp IE currently leaves the Complainant and other users of the WhatsApp services with a “take it or leave it” choice. They may either contract away their right to freely determine the processing of their personal data and submit to its processing for service improvements or security features, which they can neither expect, nor fully understand based on the insufficient information WhatsApp IE provides to them. Alternatively, they may decline accepting WhatsApp IE’s Terms of Service and thus be excluded from a service that enables them to communicate with millions of users.

120. This precedent could encourage other economic operators to use the contractual performance legal basis of Article 6(1)(b) GDPR for all their processing of personal data. There would be the risk that some controllers argue some connection between the processing of the personal data of their consumers and the contract to collect, retain and process as much personal data from their users as possible and advance their economic interests at the expense of the safeguards for data subjects. Some of the safeguards from which data subjects would be deprived due to an inappropriate use of Article 6(1)(b) GDPR as legal basis, instead of others such as consent under Article 6(1)(a) GDPR and legitimate interest under Article 6(1)(f) GDPR, are the possibility to specifically consent to certain processing


175 For the meaning of the term “security”, see paragraph 90 above.
176 EDPB Binding Decision 01/2021, paragraph 214, and Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 20.
177 For the meaning of the term “security”, see paragraph 90 above.
178 DE SA’s Objections – p. 6, paragraph 2 and p. 8, paragraph 1; FI SA’s Objections – p. 7, paragraphs 32 and 33; FR SA’s Objections – paragraph 14; NL SA’s Objections – paragraphs 8 and 28; NO SA’s Objections – p. 4, paragraph 3.



operations and not to others and to the further processing of their personal data (Article 6(4) GDPR); their freedom to withdraw consent (Article 7 GDPR); their right to be forgotten (Article 17 GDPR); and the balancing exercise of the legitimate interests of the controller against their interests or fundamental rights and freedoms (Article 6(1)(f) GDPR).

121. The EDPB thus concurs with the objections of the DE SA, FI SA, FR SA, NL SA and NO SA179 to Finding 2 of the Draft Decision in that the processing for the purposes of service improvements and security180 features performed by WhatsApp IE are objectively not necessary for the performance of WhatsApp IE’s alleged contract with its users and are not an essential or core element of such contract.

122. In conclusion, the EDPB decides that WhatsApp IE has inappropriately relied on Article 6(1)(b) GDPR to process the Complainant’s personal data for the purpose of service improvement and security181 features in the context of its Terms of Service and therefore lacks a legal basis to process these data. The EDPB was not required to examine whether data processing for such purposes could be based on other legal bases because the controller relied solely on Article 6(1)(b) GDPR. WhatsApp IE has consequently infringed Article 6(1) GDPR by unlawfully processing personal data. The EDPB instructs the IE SA to alter its Finding 2 of its Draft Decision which concludes that WhatsApp IE may rely on Article 6(1)(b) GDPR in the context of its offering of Terms of Service and to include an infringement of Article 6(1) GDPR based on the shortcomings that the EDPB has identified.


5 ON THE POTENTIAL ADDITIONAL INFRINGEMENT OF THE PRINCIPLES OF FAIRNESS, PURPOSE LIMITATION AND DATA MINIMISATION

5.1 Analysis by the LSA in the Draft Decision

123. In light of the aforementioned inquiry’s scope, the Draft Decision mentions Article 5(1) GDPR in several passages182. As for the fairness principle, the inquiry consists of reference to the unfair processing pointed out by the Complainant183. Regarding the purpose limitation and data minimisation principles, there are no other references as the ones mentioned above. The Draft Decision makes several references to Article 5(1)(a) GDPR and the principle of transparency184. However, the Draft Decision does not address whether Article 5(1)(a) GDPR regarding fairness principle or Article 5(1)(b) and (c) GDPR have been infringed. In its Draft Decision, the IE SA mentions its Decision on WhatsApp IE’s Transparency, which made findings to the effect that transparency obligations were infringed. Therefore, the IE SA concludes, that “The inquiry in question focused on the same issues raised in the herein Complaint insofar as transparency is concerned (although was much broader in scope). Given these issues have already been investigated and adjudicated on by the Commission, I provisionally find that the transparency issues raised in this Complaint have already been addressed.”185




179 DE SA’s Objections – p. 5, paragraphs 3 and 4; FI SA’s Objections – p. 6, paragraph 24; FR SA’s Objections – p. 7, paragraph 38; NL SA’s Objections – paragraph 26; NO SA’s Objections - p. 8.
180 For the meaning of the term “security”, see paragraph 90 above.
181 For the meaning of the term “security”, see paragraph 90 above.
182 See, for example, Draft Decision, Section 5, paragraphs 5.1, 5.7 and 5.8.
183 Complaint, paragraphs 2.3.1. and 2.3.2.
184 Draft Decision, Section 5, paragraphs 5.8 and 5.9.
185 Draft Decision, Section 5, paragraphs 5.9 and 5.10.


5.2 Summary of the objections raised by the CSAs

124. The IT SA raises an objection arguing that the Draft Decision should be amended to include findings of an infringement of Article 5(1)(a) GDPR in relation to the fairness principle. This objection claims that, even though there is the IE SA’s Decision on WhatsApp IE’s Transparency, which incorporates the principle set out in the EDPB’s Binding Decision 1/2021 and where an infringement of transparency principle was to be found, the infringement regarding the fairness principle should be separate from transparency. The IT SA elaborates that referring to Article 6(1)(b) GDPR should not be found to be in line with the fairness principle, as users are factually unable to grasp how their personal data is being used by WhatsApp IE186.

125. The IT SA raises another objection stating that the Draft Decision should be amended to include findings of infringement of Article 5(1)(b) and (c) GDPR. The IT SA is of the view that the fact that WhatsApp IE’s “(multifarious) processing activities involving personal data are grounded in Article 6(1)(b) GDPR entails an infringement of purpose limitation and data minimization principles”187. The IT SA states that the IE SA has failed to investigate compliance with Article 5(1)(b) and (c) GDPR. Further, the IT SA states that all the purposes of the processing of personal data performed under the terms of Article 6(1)(b) GDPR must be specified and communicated to data subjects. As such, the service that WhatsApp IE offers pursues several purposes, therefore the applicability of Article 6(1)(b) GDPR should be assessed separately in the context of each service. The IT SA elaborates that the purposes provided to users are inadequate and have no connection to the processing activities.


     5.3 Position of the LSA on the objections

126. The final position of the IE SA is that of not following these objections. In its Composite Response, concerning all objections, the IE SA notes that the objections on the fairness principle in Article 5(1)(a) GDPR are not in the scope of the underlying complaint188. Furthermore, the IE SA states that this would procedurally constrain the IE SA’s ability to adopt its final decision189.

127. In addition, the IE SA states that it would also risk breaching the controller’s right to a fair procedure, as the controller was not afforded a right to be heard on such matter. The IE SA highlights the legal consequences that would flow from making material changes concerning infringements outside of the complaint and Draft Decision, namely the likelihood that WhatsApp IE would succeed in arguing before the Irish courts that it has been denied an opportunity to be heard on additional and extraneous findings that are adverse to it190.

128. The IE SA further considers that the objection raised by the IT SA with regard to the possible infringement of Article 5(1)(b) and (c) GDPR is not relevant and reasoned, since it would not have been appropriate to undertake an open-ended assessment of all processing operations by the controller in order to handle the complaint191. This would have resulted in a disproportionate and open-ended examination of the processing carried out by WhatsApp IE. Therefore, it was more important to resolve the fundamental dispute regarding the interpretation of Article 6(1) GDPR first192.


186 IT SA’s Objection, paragraph 3, pages 8-10.
187 IT SA’s Objection, page 6.
188 Composite Response, paragraphs 28 and 29.
189 Ibid., paragraph 29.
190 Composite Response, paragraphs 28 to 32.
191 IT SA’s Objection, paragraph 2.
192 Composite Response, paragraph 25.



5.4 Analysis of the EDPB

5.4.1 Assessment of whether the objections were relevant and reasoned

129. The IT SA’s objection concerns “whether there is an infringement of the GDPR”193.

130. The EDPB takes note that WhatsApp IE agrees with the IE SA’s conclusion in its Composite Response that the objection from the IT SA about finding an infringement of Article 5(1)(a) GDPR also with regard to non-conformity with respect to the fairness principle is not relevant. In addition, WhatsApp IE submits that the objection does not meet the “reasoned” threshold as it is not based on any detailed factual or legal reasoning and fails to address the significance of the alleged risks to fundamental rights posed by the Draft Decision194. According to WhatsApp IE, “it would be inappropriate for the EDPB to direct the [IE SA] to make any findings in respect of Article 5(1)(a) (fairness of lawfulness) in its final decision in the Inquiry in circumstances where this is outside the Defined Scope of Inquiry.”195

131. In addition to the above mentioned, the Complainant does note: “Even if a trained lawyer reads all the text that the controller provides, he/she can only guess what data is processed, for which exact purpose and on which legal basis. This is inherently non-transparent and unfair within the meaning of Articles 5(1)(a) and 13(c). This approach therefore stands in clear contrast to informed consent or any form of “plain language” or even “easy to understand” requirements (Recital 39).”196

132. WhatsApp IE also affirms that compliance with Article 5(1)(a) GDPR is distinct from compliance with Article 6(1) GDPR and must be separately assessed before any finding of infringement could be made197.

133. The EDPB recalls that an objection could go as far as identifying gaps in the draft decision justifying the need for further investigation by the IE SA, for example in situations where the investigation carried out by the IE SA unjustifiably fails to cover some of the issues raised by the Complainant198. In this regard, the EDPB observes that, in the complaint, the Complainant alleges that the information provided in WhatsApp IE’s Privacy Policy “is inherently non-transparent and unfair within the meaning of Articles 5(1)(a) and 13(c)”199. This is also noted by the IE SA200.

134. As previously mentioned, the EDPB notes that the first objection of the IT SA concerns “whether there is an infringement of the GDPR” as it argues that the IE SA should have found an infringement of the fairness principle under Article 5(1)(a) GDPR. As such objection demonstrates that, if followed, it would lead to a different conclusion as to whether there is an infringement of the GDPR or not, the objection is to be considered as “relevant”201.

135. In addition, this objection is also considered to be “reasoned” since it puts forward several factual and legal arguments for the proposed change in legal assessment. The additional infringement stems from




193 Guidelines on RRO, paragraph 24.
194 WhatsApp IE’s Article 65 Submissions, pp. 107-109.
195 Ibid., p. 31.
196 Complaint, paragraph 2.3.1.
197 WhatsApp IE’s Article 65 Submissions, paragraph 4.25.
198 Guidelines on RRO, paragraph 27.
199 Complaint, p. 14.
200 Draft Decision, paragraph 5.7.
201 Guidelines on RRO, paragraph 13.




the scope and findings of the Draft Decision, which also mentions Article 5(1)(a) GDPR202, and the overarching nature of Article 5(1)(a) GDPR.

136. Additionally, the EDPB finds that the objection of the IT SA clearly demonstrates the significance of the risks posed by the Draft Decision to the fundamental rights and freedoms of data subjects, since it would create a dangerous precedent that would jeopardize the effective protection of data subjects and thus entail flawed corrective actions.

137. The EDPB considers the objection on Article 5(1)(a) GDPR to be adequately reasoned and recalls that the assessment of merits of the objection is made separately, after it has been established that the objection satisfies the requirements of Article 4(24) GDPR203.

138. Although the second objection of the IT SA, relating to the additional infringements of the purpose limitation principle under Article 5(1)(b) GDPR and the data minimisation principle under Article 5(1)(c) GDPR, is relevant and includes justifications concerning why and how issuing a decision with the changes proposed in the objection is needed and how the change would lead to a different conclusion in the Draft Decision, it does not satisfy all the requirements stipulated by Article 4(24) GDPR. In particular, the objection raised does not explicitly motivate why the Draft Decision itself, if left unchanged, would present risks for the fundamental rights and freedoms of data subjects. In addition, the EDPB notes that the IT SA’s objection does not explicitly elaborate why such a risk is substantial and plausible204. Therefore, the EDPB concludes that this particular objection of the IT SA does not provide a clear demonstration of the risks as specifically required by Article 4(24) GDPR.

     5.4.2 Assessment of the merits

139. In accordance with Article 65(1)(a) GDPR, the EDPB shall take a binding decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether there is an infringement of the GDPR.

140. The EDPB considers that the objection found to be relevant and reasoned in this subsection requires an assessment of whether the Draft Decision needs to be changed insofar as it contains no finding of infringement of the fairness principle under Article 5(1)(a) GDPR. When assessing the merits of the objection raised, the EDPB also takes into account WhatsApp IE’s position on the objection and its submissions, focussed on arguing that the IT SA objection is not relevant and reasoned, rather than on the content.

141. Before proceeding with the assessment of the merits, the EDPB recalls that the basic principles relating to processing listed in Article 5 GDPR can, as such, be infringed205. This is apparent from the text of Article 83(5)(a) GDPR which subjects the infringement of the basic principles for processing to administrative fines of up to 20 000 000 EUR, or in the case of an undertaking, of up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

142. At first, the EDPB notes that the concept of fairness is not defined as such in the GDPR. However, recital 39 GDPR provides some elements as to its meaning and effect in the context of processing of personal



202 The Objection refers to paragraph 5.7 of the Draft Decision.
203 Guidelines on Art. 65(1)(a), paragraph 63 (“The EDPB will assess, in relation to each objection raised, whether the objection meets the requirements of Article 4(24) GDPR and, if so, address the merits of the objection in the binding decision.”).
204 Guidelines on RRO, paragraph 37.
205 Binding decision 1/2021, paragraph 191.



     Adopted                                                                                            35     data.Animportantaspect oftheprinciple offairnessunder Article5(1)GDPR,whichis linkedtorecital
     39, isthatdata subjectsshould be able todetermine in advancewhat thescope andconsequences of

     the processing entails andthattheyshould not be takenby surprise ata laterpoint about theways in
     whichtheir personal datahave beenused     20.

143. Fairness is an overarching principle, which requires that personal data shall not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject. Measures and safeguards implementing the principle of fairness also support the rights and freedoms of data subjects, specifically the right to information (transparency), the right to intervene (access, erasure, data portability, rectification) and the right to limit the processing (right not to be subject to automated individual decision-making and non-discrimination of data subjects in such processing) 207.

144. The principles of fair and transparent processing require that the data subject shall be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling 208.

145. The EDPB underlines that the principles of fairness, lawfulness and transparency, all three enshrined in Article 5(1)(a) GDPR, are three distinct but intrinsically linked and interdependent principles that every controller should respect when processing personal data. The link between these principles is evident from a number of GDPR provisions: recitals 39 and 42, Article 6(2) and Article 6(3)(b) GDPR refer to lawful and fair processing, while recitals 60 and 71 GDPR, as well as Article 13(2), Article 14(2) and Article 40(2)(a) GDPR refer to fair and transparent processing.


146. The IT SA states that “the infringement of Article 5(1)(a) GDPR should be found by the LSA in the case at hand by having also regard to the more general fairness principle, which entails separate requirements from those relating specifically to transparency.” 209


147. There is no dispute that in its Decision on WhatsApp IE’s Transparency, the IE SA found a breach of the transparency principle, but the EDPB considers that the principle of fairness has an independent meaning and stresses that an assessment of WhatsApp IE’s compliance with the principle of transparency does not automatically rule out the need for an assessment of WhatsApp IE’s compliance with the principle of fairness too.

148. The EDPB recalls that, in data protection law, the concept of fairness stems from the EU Charter 210. The EDPB has already provided some elements as to the meaning and effect of the principle of fairness in the context of processing personal data. For example, the EDPB has previously opined in its Guidelines on Data Protection by Design and by Default that “Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject” 211. Among the key fairness elements that controllers should consider in this regard, the EDPB mentions autonomy of the data subjects, data subjects’ expectation, power balance, avoidance of deception, ethical and truthful processing 212. These elements are particularly relevant in the case at hand. The principle of fairness under Article 5(1)(a) GDPR underpins the entire data protection framework and seeks to address power asymmetries between controllers and data subjects in order to cancel out the negative effects of such asymmetries and ensure the effective exercise of data subjects’ rights.

     206 WP29 Guidelines on transparency under Regulation 2016/679, paragraph 10.
     207 EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, Version 2, Adopted on 20 October 2020 (hereinafter “Guidelines on Data Protection by Design and by Default”).
     208 Recital 60 GDPR.
     209 IT SA’s Objection, paragraph 3, p. 9.
     210 Article 8 of the EU Charter states as follows: “1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law” (emphasis added).

149. The EDPB has previously explained that “the principle of fairness includes, inter alia, recognising the reasonable expectations of the data subjects, considering possible adverse consequences processing may have on them, and having regard to the relationship and potential effects of imbalance between them and the controller” 213. The EDPB recalls that a fair balance must be struck between, on the one hand, the commercial interests of controllers and, on the other hand, the rights and expectations of data subjects under the GDPR 214. A key aspect of compliance with the principle of fairness under Article 5(1)(a) GDPR refers to pursuing “power balance” as a “key objective of the controller-data subject relationship” 215, especially in the context of online services provided without monetary payment, where users are often not aware of the ways and extent to which their personal data is being processed 216. Consequently, if data subjects are not enabled to determine what is done with their personal data, this is in contrast with the element of “autonomy” of data subjects as to the control of the processing of their personal data 217.

150. Considering the constantly increasing economic value of personal data in the digital environment, it is particularly important to ensure that data subjects are protected from any form of abuse and deception, intentional or not, which would result in the unjustified loss of control over their personal data. Compliance by providers of online services acting as controllers with all three of the cumulative requirements under Article 5(1)(a) GDPR, taking into account the particular service that is being provided and the characteristics of their users, serves as a shield from the danger of abuse and deception, especially in situations of power asymmetries. Therefore, the EDPB disagrees with the IE SA’s finding that assessing WhatsApp IE’s compliance with the principle of fairness “would therefore not only represent a significant departure from the scope of inquiry, as formulated, but it would also risk breaching the controller’s right to a fair procedure, as regards any matter which was never put to the complainant during the course of inquiry.” 218 In addition, it is important to note that WhatsApp IE has been heard on the objections and therefore submitted written submissions on this matter 219.

     211 EDPB 4/2019 Guidelines on Article 25, Data Protection by Design and by Default, version 2, adopted on 20 October 2022, (hereinafter “Guidelines on Data Protection by Design and by Default”) paragraph 69.
     212 Guidelines on Data Protection by Design and by Default, paragraph 70.
     213 Guidelines on Article 65(1)(a), paragraph 12.
     214 On the balance between the different interests at stake see for example: Judgment of 12 December 2013, X, C-486/12, EU:C:2013:836; Judgment of 7 May 2009, College van burgemeester en wethouders van Rotterdam v M. E. E. Rijkeboer, C-553/07, EU:C:2009:293; Judgment of 9 November 2010 in joined cases, Volker und Markus Schecke GbR, C-92/09, and Hartmut Eifert, C-93/09, v Land Hessen, EU:C:2010:662.
     215 Guidelines on Data Protection by Design and by Default, paragraph 70.
     216 On “online services”, see Guidelines 1/2019 on Article 6(1)(b) GDPR, paragraphs 3-5.
     217 Guidelines on Data Protection by Design and by Default, paragraph 70. According to this element of fairness, “data subjects should be granted the highest degree of autonomy possible to determine the use made of their personal data, as well as over the scope and conditions of that use or processing”.

151. The EDPB has previously emphasised that the identification of the appropriate lawful basis is tied to the principles of fairness and purpose limitation 220. In this regard, the IT SA rightly observes that while finding a breach of transparency relates to the way in which information has been provided to users via the terms of service and the Privacy Policy, compliance with the principle of fairness also relates to ‘how the controller addressed the lawfulness of the processing activities in connection with its calling and messaging service’ 221. Thus, the EDPB considers that an assessment of compliance by WhatsApp IE with the principle of fairness requires also an assessment of the consequences that the choice and presentation of the legal basis entail for the WhatsApp services’ users. In addition, that assessment cannot be made in the abstract, but has to take into account the specificities of the particular messaging service and of the processing of personal data carried out, namely for purposes related to improvements of the messaging service 222.

152. The EDPB notes that in this particular case, the Complainant was forced to consent to the Terms of Service and the Privacy Policy 223 and this clearly impacts the reasonable expectations of WhatsApp IE’s users by confusing them on whether clicking the “Accept” button results in giving their consent to the processing of their personal data. The EDPB notes in this regard that one of the elements of compliance with the principle of fairness is avoiding deception (i.e. providing information “in an objective and neutral way, avoiding any deceptive or manipulative language or design” 224).

153. As the IE SA itself notes, the Complainant argues that WhatsApp IE relied on “forced consent” for the processing simply because it did in fact believe that the controller was relying on the legal basis of consent for that processing 225. The Complainant presents the screenshot, aiming to demonstrate that, “the data subject was presented with an easy click to quickly consent, and to return to the service.” 226 The EDPB keeps in mind that in the complaint, this was explained in the context of arguing that consent was forced. Therefore, the EDPB shares the IT SA’s concern that WhatsApp IE misrepresented the legal basis of the processing and that WhatsApp IE’s users are left “in the dark” as to the possible connections between the purposes sought, the applicable legal basis and the relevant processing activities 227. This being said, the EDPB considers that the processing by WhatsApp IE cannot be regarded as ethical and truthful 228 because it is confusing with regard to the type of data processed, the legal basis used and the purposes of the processing, which ultimately restricts the WhatsApp IE’s users’ possibility to exercise their data subjects’ rights.

     218 Composite Response, paragraph 30.
     219 WhatsApp IE’s Article 65 Submissions, Category 1f: “The DPC should also make findings that WhatsApp Ireland infringed the fairness principle under Article 5(1)(a) GDPR/lawfulness principle under Article 5(1)(a) GDPR”, p. 31.
     220 Guidelines 1/2019 on Article 6(1)(b) GDPR, paragraph 1.
     221 IT SA’s Objection, p. 9.
     222 Draft Decision, paragraph 4.40.
     223 See paragraph 3 above.
     224 Guidelines on Data Protection by Design and by Default, paragraph 70.
     225 Draft Decision, paragraph 5.7.
     226 Complaint, p. 5.
     227 IT SA’s Objection, p. 9.
     228 Guidelines on Data Protection by Design and by Default, paragraph 70, where the EDPB explains that “ethical” means that “The controller should see the processing’s wider impact on individuals’ rights and dignity” and “truthful” means that “The controller must make available information about how they process personal data, they should act as they declare they will and not mislead the data subjects”.


154. Considering the seriousness of WhatsApp IE’s misrepresentation on the legal basis relied on identified in the current Binding decision 229, the EDPB agrees with the IT SA that WhatsApp IE has presented its service to its users in a misleading manner 230, which adversely affects their control over the processing of their personal data and the exercise of their data subjects' rights.

155. This is all the more supported by the fact that the circumstances of the present case as demonstrated above 231 and the infringement of Article 6(1)(b) GDPR 232 further intensify the imbalanced nature of the relationship between WhatsApp IE and its users brought up by the IT SA’s objection.

156. The combination of factors, such as the unbalanced relationship between WhatsApp IE and its users, combined with the “take it or leave it” situation that they are facing due to the lack of alternative services in the market and the lack of options allowing them to adjust or opt out from a particular processing under their contract with WhatsApp IE, systematically disadvantages them, limits their control over the processing of their personal data and undermines the exercise of their rights under Chapter III GDPR.

157. Therefore, the EDPB instructs the IE SA to include a finding of an infringement of the principle of fairness under Article 5(1)(a) GDPR by WhatsApp IE and to adopt the appropriate corrective measures, by addressing, but without being limited to, the question of an administrative fine for this infringement as provided for in Section 8 of this Binding decision.



     6 ON THE FURTHER INVESTIGATION


     6.1.1 Analysis by the LSA in the Draft Decision

158. According to the claim 233 made in the complaint, data subjects have to “agree to” WhatsApp IE’s Terms of Service and Privacy Policy at the time of the update that was made to the documents in April 2018. The IE SA considers that it is necessary to recognise the difference between agreeing to a contract and providing consent to personal data processing specifically for the purposes of complying with the GDPR. The IE SA elaborates 234 that WhatsApp IE does not rely on consent in order to process data on foot of the Terms of Service, nor it is legally required to do so, thus reliance on Article 7 GDPR is not applicable, regarding the subject matter of the complaint and will not be a subject to further consideration.

159. In its Draft Decision, the IE SA concludes that arguments on the applicability of Article 6(1)(b) GDPR as a legal basis for data processing to facilitate (behavioural) advertising “are not relevant to the within inquiry” 235, given the absence of references, related to advertising or sponsored content in WhatsApp IE’s Terms of Service, and the absence of evidence that such processing takes place.




     229 See, paragraph 117 above.
     230 IT SA Objection, page 9.
     231 Draft Decision, paragraphs 148-153.
     232 Draft Decision, paragraphs 117 and 122.
     233 Draft Decision, paragraph 3.11.
     234 Draft Decision, paragraph 3.19.
     235 Draft Decision, paragraph 4.8.

160. Another consideration made by the IE SA is related to the data processing related to “exchange of data with affiliated companies” and the processing of special categories of data, namely:

             1) The IE SA considers that there is no evidence 236 for the assertion that WhatsApp IE is processing data that facilitates the inferring of special categories of personal data, pertaining to religious views, sexual orientation, political views and health status. Further, as stated, no evidence is presented in this regard at all, thus a conclusion is made that the processing of special categories of data pursuant to Article 9 GDPR, does not fall within the scope of the complaint and is thus irrelevant.

             2) In its Draft Decision, the IE SA notes that a distinguished feature of WhatsApp IE is the regular monitoring of its service, in order to ensure its well-functioning, as well as maintaining a security 237 and abuse standards (both being part of the substance and fundamental object of the contract). Thus, WhatsApp IE could rely on Article 6(1)(b) GDPR as a legal basis for such processing in principle. Further 238, the IE SA considers that it is not for an authority such as it, tasked with the enforcement of data protection law, to make assessments as to what will or will not make the performance of a contract possible or impossible. Instead, the general principles set out in the GDPR and explained by the EDPB in the Guidance must be applied. These principles should be applied on a case-by-case basis, and should be afforded more weight than generalised examples provided in the Guidance, which are helpful and instructive but are by no means absolute or conclusive.

             3) The IE SA states that it is clear from the Terms of Service 239 that “any sharing with affiliated companies forms part of the general “improvements” that are carried out pursuant to Article 6(1)(b) GDPR” and “sharing of WhatsApp user data to Meta Companies takes place on a controller to processor basis only, there does not need to be a distinct legal basis supporting it (or assessment of this issue in the Inquiry)”. Moreover, in its view, there is not an explicit prohibition envisaged in Guidelines 2/2019 on Article 6(1)(b) GDPR related to the processing of personal data that is necessary to fulfil a contractual term that commits to improving the functionality, efficiency, etc. of an existing service. Further, the IE SA states that the core of the service, as outlined in the specific contract with the data subject, clearly includes those services. In its view, the processing is necessary to deliver the service offered (as set out in the Terms of Service).

161. The IE SA supports the conclusions made above by reference to the following:

162. The IE SA 240 begins by pointing out that it is important to distinguish between agreeing to a contract that might involve personal data processing, and the provision of consent to personal data processing specifically for legitimising the said data processing under the GDPR. It should also be noted that there are differences between the legal bases for processing under Article 6(1)(a) and (b) GDPR. The IE SA continues that in many such cases involving a contract between a consumer and an organisation, the lawful basis for processing of personal data is “the necessity for the performance of a contract” under Article 6(1)(b) GDPR.




     236 Draft Decision, paragraph 4.33; Draft Decision Schedule, paragraphs 3.29, 3.30 and 3.31.
     237 For the meaning of the term security, see paragraph 90 of this binding decision.
     238 Draft Decision, paragraph 4.45
     239 Draft Decision, paragraph 4.33, as well as paragraphs 4.36 to 4.43.
     240 Draft Decision, paragraphs 3.11 to 3.17.

163. The IE SA states that the GDPR does not set out any form of hierarchy of lawful bases that can be used for processing personal data, whether by reference to the categories of personal data or otherwise. Moreover, Article 7 GDPR (as relied on by the Complainant) concerns the conditions for consent and is relevant when considerations are made regarding whether particular criteria are met, in order to ensure that the consent is lawful. The aforementioned provision is not indicative of which lawful basis the controller has to rely on, but instead assists the latter to determine whether the conditions of validity are met. Therefore, the IE SA thus considers that Article 7 GDPR is not applicable to the subject matter raised by the Complainant.

164. The IE SA considers that no evidence was presented whatsoever by the Complainant that WhatsApp IE processes personal data for the purpose of advertising and that it relies on Article 6(1)(b) GDPR to do so 241. In addition, the IE SA takes note that WhatsApp IE’s Terms of Service are not similar to the examples of situations, cited in the complaint, where Article 6(1)(b) GDPR does not apply, namely for advertising and sponsored consent. The IE SA concludes that arguments related to the applicability of Article 6(1)(b) GDPR for data processing that facilitates advertising, are not relevant.

165. In addition, as outlined in the Schedule to the Draft Decision 242, the assertions about WhatsApp IE’s alleged ability to infer religious views, sexual orientation, political views and health status are not backed with any evidence on the Complainant’s part. The IE SA concludes 243 that there is no evidence that WhatsApp IE processes special categories of personal data at all, thus the question of processing such data does not fall within the scope of the inquiry at all.

166. Moreover, according to the IE SA, it is evident 244 from the Terms of Service that any sharing with affiliated companies forms part of the general “improvements” that are carried out pursuant to Article 6(1)(b) GDPR, and so in reality any clear delineation between these two forms of processing would be artificial. It needs to be pointed out that one aspect of the aforementioned sharing is the possible reception of messages for the purposes of direct marketing and, in particular, “an offer for something that might interest” 245 the respective user.
167. The Complainant, however, argues 246 that such improvements and security features, as referenced, and the associated sharing of data with other Meta Companies (then Facebook Companies), is not necessary in order to deliver a messaging service, and that simply placing these terms in the contract does not make them necessary. Although those statements might be true, according to the IE SA it does not follow that fulfilling these terms is not necessary in order to fulfil the specific contract with WhatsApp IE. The IE SA adds that to do that, to use the language of the EDPB, it is necessary to consider “the nature of the service being offered to the data subject”.


     6.1.2 Summary of the objections raised by the CSAs

168. The FI SA, FR SA and IT SA object to the conclusions reached by the IE SA in its Draft Decision, requesting the IE SA to further investigate the matters of behavioural advertising, special categories of personal data, the provision of metrics to third parties, including to companies belonging to the same group, and marketing.


     241 Draft Decision, paragraph 4.8.
     242 Schedule to Draft Decision, paragraphs 3.29 and 3.30.
     243 Schedule to Draft Decision, paragraph 4.33.
     244 Draft Decision, paragraphs 4.33 and 4.41.
     245 Draft Decision, paragraph 2.11 (“Ways To Improve Our Services”).
     246 Draft Decision, paragraph 4.36.

169. On behavioural advertising, in the FR SA’s view 247, the Draft Decision does not include an analysis for the applicable legal basis for the processing of personal data, related to behavioural advertising, as it considers that neither the Complainant, nor WhatsApp IE’s general Terms and Conditions provide any evidence that personal data are processed for that purpose. It also notes that this exclusion is not justified by other elements such as investigation reports or the sending of questionnaires by the IE SA. Moreover, the FR SA 248 is of an opinion that the IE SA should have carried out an investigation in order to verify whether or not the WhatsApp IE processes personal data for the purposes of behavioural advertising.
170. On special categories of personal data, the FR SA argues 249 that the Draft Decision does not pronounce on the lawfulness ground that is applicable with regard to the processing of special categories of personal data, even though the complaint does. In addition, together with examining whether the conditions are met in the present case for the processing of special categories of personal data pursuant to Article 9(2) GDPR, the IE SA should have carried out the investigations necessary, in order to verify whether such processing is actually taking place.

171. The IT SA opines 250 that the processing of special categories of personal data relating to users that participate in chats with business users relying on a third-party provider (which might be WhatsApp IE’s controlling company Meta) should have been identified as a specific processing activity to be assessed and evaluated separately by the IE SA. In addition, the IT SA considers that no in-depth assessment has been carried out in this regard, but instead that the IE SA simply endorses WhatsApp IE’s statement that all communications are encrypted.

172. On the provision of metrics to third parties, including to affiliated companies, the FR SA argues that the Draft Decision 251 does not pronounce on the applicable legal basis for such processing, despite mentioned initially in the complaint. It continues that the IE SA has not defined which activities are covered under such processing. Therefore, the FR SA requests the IE SA to complete its Draft Decision in this regard. In addition, the FR SA requests that the conditions for the application of the other legal bases mentioned in Article 6 GDPR, namely consent, contract and legitimate interest are examined, as well. Hence, the FR SA considers, that WhatsApp IE cannot rely on the aforementioned legal bases for processing for the purposes provision of metrics to third parties.

173. The IT SA notes 252 that the arguments put forward by the IE SA regarding the joint assessment of processing for service improvement purposes and the exchange of data with affiliated companies, is neither convincing, nor exhaustive. The IT SA is of the view that the IE SA should have identified and separately assessed the processing activities in question without “pooling” them into the service improvement category. Moreover, the exact wording used in WhatsApp IE’s Terms of Service includes “affiliated companies”, “partners” and “service providers”, which are, in the IT SA’s view, unspecified, meaning that the exchange of personal data between them could “hardly fall within the intra-group communications between WhatsApp and the other Meta companies and could be legitimised as a controller-processor relationship.” The IT SA argues that the IE SA could have identified and separately assessed the legal basis for the said exchange of data with partners and third-party service providers. In addition, in the light of the complaint, the IT SA notes that data are exchanged with affiliated companies not only for service improvement purposes, but also for unspecified ones, related to the management and provision of the WhatsApp services. The IT SA stresses on the need for further investigation on this matter.

     247 FR SA’s Objection, paragraph 6.
     248 FR SA’s Objection, paragraph 7.
     249 FR SA’s Objection, paragraph 33.
     250 IT SA’s Objection, paragraph 3.a.
     251 FR SA’s Objection, paragraphs 35 to 45.
     252 IT SA’s Objection, paragraph 3.b.

174. On marketing, the FI SA takes note 253 that the Draft Decision contains conclusions that WhatsApp IE may rely on Article 6(1)(b) GDPR as a legal basis in the context of its Terms of Service and, more precisely, for the processing for the purposes set out there, including marketing. Further, the FI SA opines that an assessment is needed in order to determine whether WhatsApp IE has a relevant legal basis for processing personal data for marketing purposes 254. The FI SA argues that, provided that there is an indication in WhatsApp IE’s Terms of Service that a user might receive marketing messages, the IE SA should have carried out an investigation in this regard 255.


     6.1.3 Position of the LSA on the objections

175. The IE SA states that it does not propose to “follow” 256 the objections raised by the CSAs.

176. In the light of the suggestions made by some of the CSAs 257 that the scope of the inquiry ought to have considered additional factual matters, such as behavioural advertising, the IE SA notes that a complaint-based inquiry has been conducted. The IE SA considers that a requirement, from a CSA, to amend the Draft Decision in order to include findings of infringement(s) that fall outside of the scope of the complaint would constrain its ability to adopt its final decision. Moreover, the IE SA stresses out that WhatsApp IE has already been informed about the scope of the complaint. The IE SA notes, in this regard, that the right to be heard is exercised in response to a particularized allegation of wrongdoing, and WhatsApp IE was not informed of an allegation of infringement relating to these additional matters 258. In the IE SA’s opinion, an amendment would prevent the controller’s right to a fair procedure and hinder its right to be heard.

177. With regard to the processing of special categories of personal data and the assessment made by the IE SA, the latter concludes that the reference to such processing by WhatsApp IE must be read as an element of the Complainant’s fundamental allegation (i.e. that the agreement to the Terms of Service was a form of GDPR consent to processing of personal data, including consent to the processing of special categories of data). In circumstances, where the scope of the inquiry has addressed the fundamental issue of principle on which the complaint depends, the IE SA is satisfied that it is not necessary to also conduct an indiscriminate and open-ended assessment of the processing by WhatsApp IE that may otherwise fall within the scope of Article 9 GDPR.

178. Moreover, regarding the statements made by the FR SA 259, the IE SA contends that it is unclear of the basis on which the former makes its assumptions, and adds that the matter has already been considered in the Schedule to the Draft Decision.

179. In addition, having conducted an assessment of the core functions of WhatsApp IE’s Terms of Service, the IE SA concludes that the nature of the WhatsApp services offered includes regular service improvement as an aspect of the agreement concluded between WhatsApp IE and the respective user, thus the basis of the processing is to be regarded as necessary for the performance of the contract 260. However, the IE SA further notes 261, contracts may include aspects of performance which are optional or contingent. For example, most of the processing carried out by WhatsApp IE, which relates to communication between users is optional for users, as a user is not obliged to send messages to other users (for example). Such processing is nevertheless directly linked to the core “messaging service” function; it would appear to be uncontroversial that such processing is necessary for the performance of the Terms of Service, as a type of mutually expected processing. At the same time, this processing is optional and not indispensable, and the Terms of Service can otherwise be performed without any messages being sent by a user. According to the IE SA, this reflects the fact the Article 6(1)(b) GDPR is not limited to aspects of contractual performance which are expressly mandatory and unconditional obligations of the parties.

     253 FI SA’s Objection, paragraph 3.
     254 FI SA’s Objection, paragraph 9.
     255 FI SA’s Objection, paragraph 10.
     256 Composite Response, paragraph 36.
     257 Composite Response, paragraphs 28 to 30.
     258 Composite Response, paragraphs 30-35.
     259 Composite Response, paragraph 34 (“No consideration of Article 9 GDPR is present in the Draft Decision.”).

180. Regarding the issue 262 related to WhatsApp IE’s controllership and its relationship with the other Meta
     companies, and the degree of investigation carried out, the IE SA contends that it “has nothing further
     to add in this regard”.


     6.1.4 Analysis of the EDPB

     6.1.4.1  Assessment of whether the objections were relevant and reasoned

181. In this section, the EDPB considers whether the objections raised by the FI SA, FR SA and IT SA,
     regarding the need for a further investigation, meet the threshold of Article 4(24) GDPR.

182. WhatsApp IE considers that the objections made by the aforementioned CSAs are without merit.

183. In essence, WhatsApp IE argues that the FR SA’s objection raises concerns with regard to behavioural
     advertising that are not connected to any factual content and do not have any merit, because, as
     confirmed before to the IE SA, WhatsApp IE does not engage in such processing 263. Moreover,
     WhatsApp IE considers 264 that the IE SA appropriately addressed this matter in its Draft Decision, given
     the vague nature of the complaint, the misconceptions regarding WhatsApp services, and the lack of
     evidence that such processing is taking place. WhatsApp IE that no factual or legal arguments are put
     forward by the FR SA.

184. Furthermore, the EDPB takes note of WhatsApp IE’s position on the objection raised by the FR SA with
     regard to the processing of special categories of data, according to which they are based on a
     “misunderstanding of the Defined Scope of Inquiry”, as well as the nature of the service offered and
     they “fail to take into account the investigations conducted by the [IE SA]” 5. Further, WhatsApp IE
     emphasises that it does not process special categories of data in the course of providing the WhatsApp
     services. Moreover, it is of the view 66 that the FR SA does not acknowledge that the processing in
     question has already been addressed by the IE SA in its Draft Decision, concluding that there is no
     evidence that it was taking place and that it is irrelevant to the complaint and the inquiry. Thus, for
     WhatsApp IE, the FR SA’s objection raised is neither relevant, nor reasoned 267.

     26 Composite Response, paragraphs 57 and 59.
     261 Composite Response, paragraph 61.
     26 Composite Response, paragraphs 84 and 85.
     26 WhatsApp IE’s Article 65 Submissions, paragraph 4.27.
     26 WhatsApp IE’s Article 65 Submissions, Annex 1, Section 1.a, paragraph 6.a.
     26 WhatsApp IE’s Article 65 Submissions, paragraph 4.3.
     266 WhatsApp IE’s Article 65 Submissions, Section 1.a, paragraph 6.g.

185. With regard to the FR SA’s objection 268 regarding the legal basis for provisions of metrics to third
     parties and the need for a further investigation, WhatsApp IE states that it does not rely on Article
     6(1)(b) GDPR as a legal basis for the processing. Further, the processing for metrics purposes is carried
     out on a controller-to-processor basis in order to assist WhatsApp IE in processing what forms part “of
     the general ‘improvements’”. WhatsApp IE adds that there is no requirement present to have a distinct
     legal basis for such sharing. It states that “the provision of the WhatsApp Service does not involve any
     sharing of EU WhatsApp users’ personal data with other Meta Companies on a controller to controller
     basis”. Furthermore, WhatsApp IE argues that the IT SA’s objection 269 on the investigation of further
     sharing carried out by WhatsApp IE with “unspecified partners and service providers” is not relevant to
     the issues investigated by the IE SA, nor does it have connection to the substance of the complaint or
     the Draft Decision. Moreover, WhatsApp IE considers that it is not clear what “exchange of data” was
     referred to by the IT SA and its relevance to the inquiry. Thus, WhatsApp IE opines that the IT SA’s
     objection should be rejected.

186. Finally, with regard to the FI SA’s objection 270, WhatsApp IE argues that the FI SA’s statement, regarding
     the reliance on Article 6(1)(b) GDPR for processing for marketing purposes is irrelevant and falls outside
     of the defined scope of the inquiry. Further, WhatsApp IE points out that the specific reference to the
     Terms of Service is misunderstood, as it is related to potential marketing messages that users might
     receive from businesses that use the services offered by WhatsApp IE. Finally, WhatsApp IE considers
     that since businesses use WhatsApp Business API for exchanging messages (with their own terms and
     privacy policies), it is not the controller in respect of those processing operations.

                                                      ***

187. As regards the objection of the FR SA, arguing that the IE SA did not analyse the applicable legal basis
     for the processing of personal data related to behavioural advertising, the EDPB establishes that it has
     a direct connection with the Draft Decision. The EDPB considers that the FR SA’s objection is relevant
     and, if followed, would lead to a different conclusion. It includes arguments on factual and legal
     mistakes in the IE SA’s Draft Decision that require amendments, for which it is considered reasoned.
     More specifically, the FR SA’s objection alleges that the IE SA should have carried out an investigation
     in order to verify whether or not WhatsApp IE processes personal data for the purposes of behavioural
     advertising.


188. As regards the risks posed by the Draft Decision, the EDPB takes note of the FR SA’s remark that the
     position of the IE SA would incur a risk for the fundamental rights and freedoms of data subjects, as
     well as the possibility that a controller could use the legal basis of the contract to process its users'
     data for targeted advertising purpose. The FR SA stresses out that such processing would be
     particularly massive and intrusive, thus that it is not in line with the provisions of the GDPR.

189. The EDPB considers that the objections raised by the FR SA and the IT SA with regard to the processing
     of special categories of personal data have a direct connection with the Draft Decision, as they refer
     (1) to the lack of conclusions with regard to the lawful ground applicable to the processing of such
     data, and (2) the rejection of the Complainant’s argument of the processing of such data by WhatsApp
     IE. Both are found to be relevant and, if followed would lead to a different conclusion since the IE SA
     would have to carry out further investigations in order to establish whether WhatsApp IE processes
     special categories of personal data, and if so, whether this is done in compliance with the conditions
     set forth in Article 9 GDPR.

     267 WhatsApp IE’s Article 65 Submissions, paragraph 4.3.
     268 WhatsApp IE’s Article 65 Submissions, paragraphs 4.15 to 4.16.
     269 WhatsApp IE’s Article 65 Submissions, paragraph 4.17.
     270 WhatsApp IE’s Article 65 Submissions, Annex 1, Section 3.a, paragraph 2.b.

190. The EDPB notes that both objections argue on factual and legal mistakes in the Draft Decision that
     would require amendments, thus they are both reasoned. According to the FR SA, the IE SA’s reasoning
     is not consistent, as the latter has not considered the matter related to the lawful ground for the
     processing of special categories of personal data, nor evaluated its compliance with Article 9(2) GDPR,
     thus the IE SA shall carry out the necessary investigations. As for the IT SA’s arguments, the EDPB notes
     that no in-depth assessment was conducted by the IE SA regarding the allegations made by the
     Complainant that WhatsApp IE processes special categories of personal data, and instead simply
     endorsed WhatsApp IE’s argument that all communications are encrypted.

191. In the Draft Decision, the EDPB identifies, as previously asserted by the FR SA and the IT SA, risks for
     the fundamental rights and freedoms of the data subjects, with concrete examples of targeted and
     behavioural advertising given, that would hinder the users’ ability to have control over their data, thus
     the FR SA’s and IT SA’s objections are considered reasoned.

192. Taking into account the objection raised by the FR SA concerning the legal basis for the provision of
     metrics to third parties, the EDPB considers that it has a direct connection to the Draft Decision,
     because it reflects on the fact that the IE SA does not define what the processing for provision of
     metrics to third parties covers, and does not pronounce itself on the legal basis applicable to such
     processing (including sharing between companies within the same group), even though initially
     mentioned in the latter. The objection is relevant, because if it were followed, different conclusions
     would be reached regarding the conditions under which WhatsApp IE collects consent of data subjects
     for the processing of their personal data for provision of metrics to third parties.

193. The EDPB notes that the FR SA puts forward arguments regarding factual and legal mistakes that relate
     to the legal basis applicable to the provisions of metrics to third parties, and regarding the lack of
     definition of what the aforementioned processing entails. For these reasons, the FR SA’s objection is
     considered reasoned.

194. As regards the risks posed by the Draft Decision, the EDPB takes note of the FR SA’s remark that the
     Draft Decision would be detrimental for the fundamental rights and freedoms of data subjects, as the
     only information provided by the IE SA does not amount to any assessment.

195. An objection is raised by the IT SA with regard to the exchange of personal data with affiliated
     companies. The EDPB is of the view that it has a direct connection to the Draft Decision, as the latter
     only covers two purposes of processing, namely this of service improvement and security, out of those
     raised by the Complainant, hence lacks an assessment of the exchange of data between WhatsApp IE
     and its affiliated companies. The EDPB considers the IT SA’s objection to be relevant, because, if
     followed, it would lead to different conclusions in the Draft Decision, regarding the assessment related
     to the core functions of the contract and the exchange of data with affiliated companies.

196. As regards to the risks posed to the fundamental rights and freedoms of data subjects, the EDPB takes
     note of the IT SA’s remarks that if the Draft Decision is left unchanged, it would lead to a severe
     infringement of the users’ right to self-determine the processing of their sensitive personal data, as
     also related to the exchange of data with affiliated companies and, thus, it would prevent the users to
     have control over their data.





197. The EDPB notes that the IT SA’s objection includes clarifications and arguments on factual and legal
     mistakes, namely the failure of the IE SA to conduct investigations with regard to the exchange of data
     with affiliated companies not only for service improvement purposes, but also for unspecified ones,
     related to the management and the overall provision of the service.

198. Finally, the EDPB considers that the objection raised by the FI SA, with regard to the processing of
     personal data for the purposes of marketing, has a direct connection with the Draft Decision, as it
     reflects on the fact that the IE SA concludes that there is no evidence of processing related to
     marketing. The FI SA’s objection is considered relevant, as if followed it would lead to a different
     conclusion regarding the legal basis, namely this of Article 6(1)(b) GDPR for processing of personal data
     for marketing purposes.

199. The FI SA puts forward arguments regarding the factual and legal mistakes made by the IE SA, relating
     to the legal basis for processing of personal data and the possibility for the respective WhatsApp IE
     users to receive marketing messages. For these reasons, the FI SA’s objection is considered reasoned.

200. As regards to the risks posed by the Draft Decision to the fundamental rights and freedoms of the data
     subjects, the EDPB takes note of the FI SA’s remark that it would incur a risk for data subjects and,
     more precisely, their unawareness of the processing and, as a consequence, their subsequent inability
     to have control over the processing of their personal data. Moreover, the EDPB considers that this
     could lead to undermining their fundamental right of protection of their personal data.

     6.1.4.2  Assessment on the merits


201. In accordance with Article 65(1)(a) GDPR, in the context of a dispute resolution procedure, the EDPB
     shall take a binding decision concerning all the matters which are the subject of the relevant and
     reasoned objections, in particular whether there is an infringement of the GDPR.

202. The EDPB considers that the objections found to be relevant and reasoned in this subsection require
     an assessment of whether the Draft Decision needs to be changed, as they conclude that the IE SA has
     not carried out a sufficient investigation as to the applicable legal basis for WhatsApp IE’s processing
     operations (a) for the purposes of behavioural advertising, (b) involving special categories of personal
     data pursuant to Article 9 GDPR, (c) for provision of metrics to third parties and (d) for the exchange
     of data with affiliated companies for the purposes of service improvements and (e) for the purposes
     of marketing. When assessing the merits of the objections raised, the EDPB also takes into account
     WhatsApp IE’s position on the objections.

203. In its submissions, WhatsApp IE supports the conclusions made by the IE SA that no further
     investigation is needed as regards the aforementioned issues raised.

204. With regard to behavioural advertising, WhatsApp IE states that it does not engage in such processing,
     which fact was subsequently “appropriately addressed” 271 by the IE SA in its Draft Decision.

205. As for the special categories of personal data 272, WhatsApp IE contends that it does not process such
     data in the course of providing the WhatsApp IE services. Moreover, the processing in question has
     already been addressed by the IE SA in its Draft Decision, concluding that there is no evidence that it
     is taking place and that it is irrelevant to the complaint and the inquiry.




     271 WhatsApp IE’s Article 65 Submissions, Annex 1, Section 1.a, paragraph 6.a, as well as paragraph 4.27 idem.
     272 WhatsApp IE’s Article 65 Submissions, Annex 1, Section 1.a, paragraph 6.g.



206. Moreover, WhatsApp IE argues that it does not rely on Article 6(1)(b) GDPR as a legal basis for
     processing for the provision of metrics to third parties 273. Further, such processing is carried out on a
     controller-to-processor basis in order to assist WhatsApp IE in processing that forms part “of the
     general improvements”. WhatsApp IE adds that there is no requirement to have a distinct legal basis
     for such sharing. It states that “the provision of the WhatsApp Service does not involve any sharing of
     EU WhatsApp users’ personal data with other Meta Companies on a controller to controller basis”.
     Furthermore, WhatsApp IE opines that the matter of further sharing 274 with “unspecified partners and
     service providers” is not relevant to the issues investigated by the IE SA, nor does it have connection
     to the substance of the complaint or the Draft Decision.

207. Finally, with regard to the processing for the purposes of direct marketing, WhatsApp IE argues 275 that
     it is irrelevant and falls outside of the defined scope of the inquiry.

208. The IE SA argues 276 that it would have been infeasible, hypothetical, and contrary to the complaint
     within the meaning of Article 77 GDPR to undertake an assessment of all discrete processing
     operations associated generally with the WhatsApp IE’s Terms of Service, including whether WhatsApp
     IE processes special categories of personal data in this context and whether the sharing of data with
     third parties specifically is lawful, as well as the additional matters concerning WhatsApp IE, in order
     to conclude an investigation of the complaint. In relation to the processing of Article 9 GDPR categories
     of personal data, the IE SA considers that the inquiry has addressed the fundamental issue of principle
     on which the complaint depends, and this makes it unnecessary to conduct an indiscriminate and
     open-ended assessment of processing falling within the scope of this Article or the ePrivacy
     Directive 277.

209. Moreover, the IE SA considers that there is no evidence for the assertion that WhatsApp IE is
     processing personal data, that facilitates the inferring of special categories of personal data, pertaining
     to religious views, sexual orientation, political views and health status. Further, as stated, no evidence
     is presented in this regard at all, thus a conclusion is made that the processing of special categories of
     personal data, pursuant to Article 9 GDPR consent does not fall within the scope of the complaint and
     is thus irrelevant. The Complainant considers the agreement to the Privacy Policy and the Terms of
     Service to be an alleged consent to data processing operations designated in those documents. This
     also includes the aforementioned data processing operations and the respective purposes, thus the
     EDPB considers that those processing operations are within the scope of the complaint.

210. In addition and taking into account the previous paragraph, the IE SA 278 warns the CSAs on the legal
     risks derived from asking through the objections to expand the material scope of the inquiry and thus
     cover infringements outside of the complaint (namely the processing of special categories of personal
     data, question of location data, factual investigations into the presence of behavioural advertising,
     sharing with third parties) and the Draft Decision that the IE SA has not investigated (pursuant to its
     own decision to limit the scope of the inquiry) and put to WhatsApp IE as an allegation of
     wrongdoing 279.




     273 WhatsApp IE’s Article 65 Submissions, paragraphs 4.15 and 4.16.
     27 WhatsApp IE’s Article 65 Submissions, paragraph 4.17.
     27 WhatsApp IE’s Article 65 Submissions, Annex 1, Section 3.a, paragraph 2.b.
     27 Composite Response, paragraph 22.
     27 Composite Response, paragraph 27.
     278 Composite Response, paragraph 28.
     27 Composite Response, paragraphs 29 and 31.


211. The EDPB notes that the complaint reiterates the confusion of WhatsApp IE’s users over whether it
     processes personal data for the purposes of behavioural advertising, which of the users’ special
     categories of personal data are processed and for which purposes, the provision of metrics to third
     parties and the exchange of data with affiliated companies and on which basis, as well as for the
     processing of personal data for the purposes of marketing.

212. WhatsApp IE’s Terms of Service note in general terms “WhatsApp works with partners, service
     providers, and affiliated companies to help us provide ways for you to connect with their services. We
     use the information we receive from them to help operate, provide, and improve our Services”;
     “WhatsApp uses the information it has and also works with partners, service providers, and affiliated
     companies to do this” and in the matter of sharing data with affiliated companies: “We are part of the
     Facebook Companies. As part of the Facebook Companies, WhatsApp receives information from, and
     shares information with, the Facebook Companies as described in WhatsApp's Privacy Policy”.

213. The Terms of Service make up the entire agreement, and include a reference to two separate
     documents: WhatsApp IE’s Privacy Policy and to the Meta Companies. WhatsApp IE’s Privacy Policy
     states that “The types of information we receive and collect depend on how you use our Services. We
     require certain of Your Account Information in accordance with our Terms to deliver our Services and
     without this we will not be able to provide our Services to you.” With regard to sharing information
     with third parties, the Privacy Policy states that “You share your information as you use and
     communicate through our Services, and we share your information to help us operate, provide,
     improve, understand, customise and support our Services”. Further, the document itself does not make
     any references whatsoever for the processing of data for the purposes of behavioural advertising, or
     the processing of special categories of data pursuant to Article 9 GDPR. As for the provision of metrics
     to third parties and the exchange of data with affiliated companies, as well as the processing of
     personal data for the purposes of marketing, the Privacy Policy does not elaborate further on that
     matter.

214. The CJEU asserted recently that the purpose of Article 9(1) GDPR is to ensure an enhanced protection
     of data subjects for processing, which, because of a particular sensitivity of the personal data
     processed, is liable to constitute a particularly serious interference with the fundamental rights to
     respect for private life and to the protection of personal data, guaranteed by Articles 7 and 8 of the
     Charter 28. The CJEU adopts a wide interpretation of the terms “special categories of personal data”
     and “sensitive data” that includes data liable indirectly to reveal sensitive information concerning a
     natural person 281. Advocate General Rantos reiterates the importance for the protection of data
     subjects of Article 9 GDPR and applies the same interpretation to the potential data processing in the
     WhatsApp services for behavioural advertising by stating that “the prohibition on processing sensitive
     personal data may include the processing of data carried out by an operator of an online social network
     consisting in the collection of a user’s data when he or she visits other websites or apps or enters such
     data into them, the linking of such data to the user account on the social network and the use of such
     data, provided that the information processed, considered in isolation or aggregated, make it possible
     to profile users on the basis of the categories that emerge from the listing in that provision of types of
     sensitive personal data.”





     28 Vyriausioji tarnybinės etikos komisija (Case C-184/20, judgment delivered on 1 August 2022),
     ECLI:EU:C:2022:601, § 126.
     28 Vyriausioji tarnybinės etikos komisija (Case C-184/20, judgment delivered on 1 August 2022),
     ECLI:EU:C:2022:601, § 127.


215. Therefore, the GDPR and the case-law pay especial attention to the processing or the potential
     processing of special categories of personal data under Article 9 GDPR to ensure the protection of the
     data subjects. In this connection, the Complainant alleges in its complaint, among others, a violation
     of Article 9 GDPR and expressly requests the IE SA to investigate WhatsApp IE’s processing operations
     covered by this provision. In a subsequent submission on the preliminary Draft Decision, the
     Complainant criticises the scope that the IE SA decided to give to the complaint and its lack of
     investigation of WhatsApp IE’s processing activities and alleges that the IE SA failed to give due
     consideration to processing under Article 9 GDPR and other cases in which it relies on consent.

216. In the present case, the IE SA did not carry out any investigation, regarding (a) the legal basis for
     WhatsApp IE’s processing operations for the purposes of behavioural advertising, (b) the applicable
     legal basis for processing special categories of personal data, pursuant to Article 9 GDPR, (c) the
     applicable legal basis for provision of metrics to third parties and (d) the exchange of data with
     affiliated companies for the purposes of service improvements and (e) the processing of personal data
     for the marketing purposes. The IE SA categorically concludes that no further investigation is needed
     with regard to these issues.

217. By failing to investigate, further to the complaint, the processing of special categories of personal data
     by WhatsApp IE, the IE SA leaves unaddressed the risks this processing poses for the Complainant and
     for WhatsApp IE’s users in general. First, there is the risk that the Complainant’s special categories of
     personal data are potentially processed by WhatsApp IE to build intimate profiles of them for the
     purposes of behavioural advertising without a legal basis and in a manner not compliant with the GDPR
     and in particular the strict requirements of Articles 7 and Article 9(2) GDPR. Second, there is also the
     risk that WhatsApp IE does not consider certain categories of personal data it potentially processes, as
     special or sensitive categories of personal data in line with the GDPR and the CJEU case-law and treats
     them accordingly. Third, the Complainant and other WhatsApp IE’s users, whose sensitive data are
     potentially processed may be deprived of certain special safeguards derived from the use of consent,
     such as the possibility to specifically consent to certain processing operations and not to others and to
     the further processing of personal data under Article 6(4) GDPR; the freedom to withdraw consent,
     pursuant to Article 7 GDPR, and the subsequent right to be forgotten. Fourth, given the size and the
     number of users of WhatsApp IE in the social media market, leaving unaddressed the current
     ambiguity in the processing of special categories of personal data, and its limited transparency of
     WhatsApp IE vis-à-vis data subjects, may set a precedent for controllers to operate in the same manner
     and create legal uncertainty, hampering the free flow of personal data within the EU.

218. The EDPB further considers, also in view of these risks to the Complainant and WhatsApp IE’s users,
     that the IE SA did not handle the complaint with all due diligence. The EDPB considers the lack of any
     further investigation into the legal basis for WhatsApp IE’s processing operations for the purposes of
     behavioural advertising, the potential processing of special categories of personal data, applicable
     legal basis for provision of metrics to third parties and the exchange of data with affiliated companies
     for the purposes of service improvements, as well as the processing of personal data for the purposes
     of marketing as an omission, and – in the present case – finds it relevant that the Complainant alleged
     infringements of Article 9 in the complaint.

219. The EDPB contends that in the present case, the IE SA should have verified on the basis of the contract
     and the data processing actually carried out on which legal bases each data processing operation in
     question relies.

220. The EDPB also highlights that by having excessively limited the scope of its inquiry despite the scope
     of the complaint in this cross-border case and systematically considering the majority of the objections
     raised by the CSAs not relevant and reasoned and thus denying their formal admissibility, the IE SA as
     LSA in this case, constrains the capacity of CSAs to act and tackle the risks to data subjects in sincere
     and effective cooperation. As ruled by the CJEU, the SA must exercise its competence within a
     framework of close cooperation with other supervisory authorities concerned and cannot “eschew
     essential dialogue with and sincere and effective cooperation with the other supervisory authorities
     concerned”. The limited scope that the IE SA gave to the inquiry also impairs the EDPB’s capacity to
     conclude on the matter pursuant to Article 65 GDPR and thus ensure a consistent application of EU
     data protection law, despite the fact that the complaint covered these aspects and was introduced
     more than four years ago.

221. As a result of the limited scope of the inquiry and lack of assessment by the IE SA in the Draft Decision,
     the EDPB does not have sufficient factual evidence on WhatsApp IE’s processing operations to enable
     it to make a finding on any possible infringement by WhatsApp IE of its obligations under Article 9
     GDPR and other relevant GDPR provisions.

222. The EDPB decides that the IE SA shall carry out an investigation into WhatsApp IE’s processing
     operations in its service in order to determine if it processes special categories of personal data (Article
     9 GDPR), processes data for the purposes of behavioural advertising, for marketing purposes, as well
     as for the provision of metrics to third parties and the exchange of data with affiliated companies for
     the purposes of service improvements, and in order to determine if it complies with the relevant
     obligations under the GDPR. Based on the results of that investigation and the findings, the IE SA shall
     issue a new Draft Decision in accordance with Article 60(3) GDPR.



     7 ON CORRECTIVE MEASURES OTHER THAN ADMINISTRATIVE FINES

     7.1 Analysis by the IE SA in the Draft Decision

223. According to the Draft Decision, the IE SA concludes that the Complainant’s case is not made out that
     the GDPR does not permit the reliance by WhatsApp IE on Article 6(1)(b) GDPR in the context of its
     offering of Terms of Service 282. Therefore, without finding any infringement of this legal basis, the IE
     SA was not in a position to consider the application of its corrective powers as provided for in Article
     58(2) GDPR.

224. Regarding the provision of necessary information relating to WhatsApp IE’s legal basis for processing
     pursuant to acceptance of the Terms of Service and whether the information set out was in a
     transparent manner, the IE SA recalled that it found infringements in this regard in a previous
     own-volition inquiry and exercised a number of corrective powers in response, including an administrative
     fine and an order to bring the WhatsApp IE’s Privacy Policy into compliance 283.

     7.2 Summary of the objections raised by the CSAs

225. The NO SA objects to the IE SA’s finding by stating that WhatsApp IE cannot rely on Article 6(1)(b)
     GDPR as a legal basis for processing in the context of service improvements and security features 284.
     As a consequence resulting from the finding of such infringement, the NO SA requests the IE SA to
     exercise corrective powers under Article 58(2) GDPR accordingly, by ordering WhatsApp IE to delete
     personal data that has been unlawfully processed under the erroneous assumption that it could be
     based on Article 6(1)(b) GDPR unless those data were also collected for other purposes with a valid
     legal basis, and by imposing an administrative fine against WhatsApp IE for unlawfully processing
     personal data in the context of service improvements and security features, erroneously relying on
     Article 6(1)(b) GDPR, as that legal basis was not applicable in this case 285.

     282 Draft Decision, Issue 2.
     283 Draft Decision, paragraph 5.9 and last row of the table in p. 38.
     284 NO SA Objection, p. 1, Introductory remarks, paragraph 3.

226. The DE SAs object to the IE SA’s finding by stating that the IE SA should find that WhatsApp IE has
     breached the Article 5(1)(a) and Article 6(1) GDPR. As a consequence resulting from the finding of
     such infringements, the DE SAs request the IE SA to impose a temporary or definitive limitation of
     the respective processing without legal basis in accordance with Article 58(2)(f) GDPR, namely, the
     erasure of unlawfully processed personal data and the ban of the processing of data until a valid
     legal basis is in place 286.

227. The FI SA objects to the IE SA’s finding by stating that the IE SA should find an infringement of
     Article 6(1) GDPR, notably because the FI SA is of the opinion that WhatsApp IE cannot rely on
     Article 6(1)(b) GDPR for all the processing operations set out in the Terms of Service, such as
     marketing, service improvements and security purposes 287. As a consequence resulting from the
     finding of such infringement, the FI SA requests the IE SA to make use of its corrective power
     accordingly, pursuant to Article 58(2) GDPR 288. In order to do so, the FI SA is of the opinion that
     the IE SA should at least order WhatsApp IE to bring its processing operations into compliance with
     the provisions of Article 6(1) GDPR with respect to the processing of marketing, service
     improvements and security for which WhatsApp IE relied upon Article 6(1)(b) GDPR and consider
     imposing an administrative fine pursuant to Article 83 GDPR 289.


     7.3 Position of the IE SA on the objections

228. The IE SA is of the opinion that since it does not follow the objections raised on the infringements
     matters, it results that the IE SA does not follow the related objections on the corrective measures
     either 290. The IE SA also does not consider the objections to be relevant and/or reasoned.


     7.4 Analysis of the EDPB


     7.4.1 Assessment of whether the objections were relevant and reasoned

229. The objections raised by the NO SA, DE SAs and FI SA concern “whether the action envisaged in the
     Draft Decision complies with the GDPR” 291.

230. As stated and analysed above in Subsection 4.4.1, the EDPB finds the NO SA and DE SA objections on
     the subject of corrective measures pursuant to Article 58(2) GDPR relevant but not reasoned 292.

231. Regarding the FI SA’s objection, WhatsApp IE considers it not relevant because it is based on an
     objection pertaining to a mistaken allegation of infringement of Article 6(1) GDPR 293 and which
     does not satisfy the thresholds and lacks merit 294. The EDPB does not follow WhatsApp IE’s position
     as it analyses and concludes in Subsection 4.4.1 above that the objection of the FI SA on the finding
     of an infringement of Article 6 GDPR or more specifically Article 6(1)(b) GDPR, on which the FI SA
     request of corrective measures is based, is relevant and reasoned.

     285 NO SA Objection, p. 8-9, Envisaged outcome of the RRO, second bullet point.
     286 DE SA Objection, p. 8, d. Envisaged result of the objection.
     287 FI SA Objection, paragraph 36.
     288 FI SA Objection, paragraph 36.
     289 FI SA Objection, paragraph 36.
     290 WhatsApp IE's Article 65 Submissions, paragraph 80.
     291 EDPB Guidelines on RRO, paragraph 32.
     292 Paragraphs 75, 80, 86 and 87 above.
     293 WhatsApp IE's Article 65 Submissions, table p. 96, section A, paragraph 3.

232. The FI SA’s objection arguing that the IE SA should, in application of Article 58(2) GDPR, at least
     order WhatsApp IE to bring its processing operations into compliance with the provisions of
     Article 6(1) GDPR with respect to the processing of marketing, service improvements and security for
     which WhatsApp IE relied upon Article 6(1)(b) GDPR and consider imposing an administrative fine
     pursuant to Article 83 GDPR, is linked to the IE SA’s Finding 2 of its Draft Decision with regard to
     Article 6(1)(b) GDPR. Therefore, the FI SA objection is directly connected with the substance of the
     Draft Decision and if followed, would lead to a different conclusion, namely a change of this
     Finding 2 as well as the imposition of corrective measures.

233. Thus, the EDPB considers that the FI SA objection is relevant.


234. In terms of arguments clarifying why the amendment of the Draft Decision requested by the FI SA is
     proposed, the FI SA firstly argues that if the IE SA does not make use of its corrective powers,
     there is a danger that WhatsApp IE continues to unlawfully process personal data on the foot of
     Article 6(1)(b) GDPR for processing operations such as marketing, service improvements and security,
     and that WhatsApp IE continues to undermine or bypass data protection principles 295.

235. Secondly, the FI SA argues that because WhatsApp IE cannot rely on Article 6(1)(b) GDPR for all
     processing operations set out in its Terms of Service, this inevitably leads to the conclusion that
     corrective powers must be exercised in order to bring the processing operations of WhatsApp IE in
     line with the GDPR 296.

236. Thirdly, the FI SA relies on the ruling of the CJEU C-311/18 Schrems II 297 to argue that when an
     infringement is found, the supervisory authority must take appropriate action in order to remedy any
     findings of inadequacy and therefore the FI SA is of the opinion that the IE SA must exercise
     appropriate and necessary corrective powers 298.

237. Finally, according to the FI SA, the IE SA must exercise appropriate and necessary corrective powers
     and must take into account the nature and severity of the abovementioned infringement since the FI
     SA is of the opinion that this infringement cannot be considered as minor 299.

238. In terms of the significance of the risks posed by the Draft Decision, the FI SA argues that the
     absence of appropriate and necessary corrective powers would amount to a dangerous precedent,
     sending a deceiving message to the market and to data subjects, and would also endanger the
     fundamental rights and freedoms of data subjects whose personal data are and will be processed by
     the WhatsApp IE 300.

239. In addition, the FI SA argues that if WhatsApp IE could continue to rely on Article 6(1)(b) GDPR,
     the data subjects would not have the possibility to control the processing of their personal data,
     while the right to monitor the processing of personal data is an important principle of the GDPR. 301



     294 WhatsApp IE's Article 65 Submissions, table p. 96, section A, paragraph 4.
     295 FI SA Objection, paragraph 37.
     296 FI SA Objection, paragraph 40.
     297 C-311/18 Schrems II, paragraph 111.
     298 FI SA Objection, paragraphs 41-42.
     299 FI SA Objection, paragraphs 42-43.
     300 FI SA Objection, paragraph 45.
     301 FI SA Objection, paragraph 45.

240. The FI SA ends its argumentation by stating that the Draft Decision affects all the data subjects
     within the EEA. Therefore, the consequences of not making use of the corrective powers pursuant to
     Article 58(2) GDPR are vast 302.

241. WhatsApp IE considers that the FI SA objection cannot satisfy the significance of risk threshold, as
     it does not set out how the Draft Decision would pose a direct and significant risk to fundamental
     rights and freedoms, because it is based on a misunderstanding of the Draft Decision and the defined
     scope of inquiry 303. WhatsApp IE also considers that contrary to the FI SA statement, the GDPR
     provides data subjects with a range of controls and rights over their personal data regardless of
     the legal bases relied on and therefore the Draft Decision does not pose a risk to data subjects’
     fundamental rights and freedom 304. Moreover, WhatsApp IE considers that the FI SA statement that
     the Draft Decision affects all the data subjects within the EEA and that therefore, the consequences
     of not making use of the corrective powers pursuant to Article 58(2) GDPR are vast, is based on
     unsubstantiated concerns and unsupported by any facts or legal reasoning or anything which was
     investigated in the inquiry 305.

242. Considering WhatsApp IE’s arguments, the EDPB understands that WhatsApp IE is challenging the
     substance of the FI SA objection instead of challenging its ability to clearly demonstrate the
     significance of the risks posed by the Draft Decision 306. Therefore, the EDPB considers these
     arguments not applicable to assess whether the FI SA’s objection is reasoned.

243. As the FI SA objection clearly demonstrates why an amendment of the Draft Decision is proposed and
     how this amendment would lead to a different conclusion as to whether the envisaged action in
     relation to WhatsApp IE complies with the GDPR, it clearly demonstrates a sound and substantiated
     reasoning and the significance of the risks posed by the Draft Decision.

244. Therefore, the EDPB considers the FI SA objection to be reasoned.

245. Considering the FI SA objection and the arguments brought forward by WhatsApp IE, the EDPB
     considers that the FI SA objection requesting corrective measures to be imposed according to
     Article 58(2) GDPR is relevant and reasoned pursuant to Article 4(24) GDPR.


     7.4.2 Assessment on the merits
         Preliminary matters

246. The EDPB considers that the FI SA objection found to be relevant and reasoned in Subsection 7.4.1
     requires an assessment of whether the Draft Decision needs to be changed in respect of the
     corrective measures proposed. More specifically, the EDPB needs to assess whether the IE SA should
     impose an order on WhatsApp IE to bring its processing operations in compliance with the provisions
     of Article 6(1) GDPR with respect to the processing for marketing, service improvements and security
     for which WhatsApp IE relied upon Article 6(1)(b) GDPR and consider imposing an administrative fine
     pursuant to Article 83 GDPR, in application of Article 58(2) GDPR.

247. Any issue concerning the imposition of administrative fines is covered below in Section 8.

248. Concerning the issue of imposing corrective measures in respect of the alleged infringement of
     Article 6(1)(b) GDPR for processing personal data for marketing purpose raised by the FI SA and
     which was not part of the scope of the inquiry 307, it is appropriate to refer to the EDPB
     conclusion as stated above in Subsection 6.1.4.2, which notably states that the IE SA is instructed
     to launch an investigation into WhatsApp IE’s processing operations in its service in order to
     determine if it processes personal data for marketing purposes and in order to determine if it
     complies with the relevant obligations under the GDPR. In this situation where the possibility for
     WhatsApp IE to rely on Article 6(1)(b) GDPR for processing personal data for marketing purpose has
     not been investigated, there is no ground to further proceed in the assessment of the merits of the
     FI SA’s objection requesting to impose corrective measures for processing personal data for
     marketing purpose by unlawfully relying on Article 6(1)(b) GDPR.

     302 FI SA Objection, paragraph 46.
     303 WhatsApp IE's Article 65 Submissions, table p. 96, section A, paragraph 5.
     304 WhatsApp IE's Article 65 Submissions, table p. 96, section A, paragraph 6.
     305 WhatsApp IE's Article 65 Submissions, table p. 96, section A, paragraph 7.
     306 Guidelines on RRO, paragraph 18.
     307 Draft Decision, paragraph 4.8.

249. Conversely, concerning the issue of imposing corrective measures in respect of the alleged
     infringement of Article 6(1) GDPR for processing for other purposes stated in the FI SA’s objection,
     it is appropriate to refer to the EDPB conclusion as stated above in Subsection 4.4.2, which notably
     states that WhatsApp IE has infringed Article 6(1) GDPR by unlawfully processing the Complainant’s
     personal data, in particular by inappropriately relying on Article 6(1)(b) GDPR to process the
     Complainant’s personal data for the purposes of service improvement and security 308 features
     processing operations in the context of its Terms of Service. As a consequence, the EDPB further
     proceeds in the assessment of the merits of these parts of the FI SA objection 309 and analyses
     whether an order to bring processing into compliance should be imposed.

250. When assessing the merits of the objection raised, the EDPB also takes into account WhatsApp IE’s
     position on the objection and its submissions and the findings in this Binding Decision.

251. It is also important to clarify the EDPB’s views in respect of its competence, in contrast to
     WhatsApp IE’s argument, which considers the EDPB is not competent to direct the IE SA to adopt
     specific corrective measures 310.

252. WhatsApp IE states “This is clear from the objection of the Finnish SA, which acknowledges that it
     is for the IE SA alone to decide which corrective measures are appropriate and necessary, citing
     Case C-311/18 (Schrems II), para 112” 311.


253. The EDPB finds that WhatsApp IE misunderstands the FI SA objection when it argues that it does
     acknowledge that it is for the IE SA alone to decide which corrective measures are appropriate and
     necessary, by citing paragraph 112 of the Judgement of the CJEU of 16 July 2020, Data Protection
     Commissioner v Facebook Ireland Limited and Maximillian Schrems, C-311/18, ECLI:EU:C:2020:559,
     (hereinafter ‘C-311/18 Schrems II’). In fact, the FI SA does no such thing: in its objection “The FI
     SA refers to the ruling of the CJEU C-311/18 where it was stated that if a supervisory authority
     takes the view that an infringement was found, the respective supervisory authority must take
     appropriate action in order to remedy any findings of inadequacy” 312 in order to support its
     conclusion, which states that because “WhatsApp cannot rely on Article 6(1)(b) for all processing
     operations set out in its Terms of Service. This inevitably leads into the conclusion that
     corrective powers must be exercised in order to bring the processing operations of WhatsApp in line
     with the GDPR” 313. Thus, this statement by the FI SA seems to simply strengthen the need for
     appropriate corrective measures to be imposed.

254. Moreover, WhatsApp IE considers the IE SA has sole discretion to determine the appropriate
     corrective measures in the event of a finding of infringement 314.



     308 See paragraph 90 of this Binding Decision.
     309 FI SA Objection, paragraph 36.
     310 WhatsApp IE's Article 65 Submissions, paragraphs 8.6 to 8.11.
     311 WhatsApp IE's Article 65 Submissions, paragraph 8.9.
     312 FI SA Objection, paragraph 41.
     313 FI SA Objection, paragraph 40.
     314 WhatsApp IE's Article 65 Submissions, paragraphs 8.12 to 8.14.

255. WhatsApp IE considers that where a Draft Decision does not find an infringement and therefore
     proposes no corrective measures, there cannot be a dispute on corrective measures within the scope
     of Article 65 GDPR. WhatsApp IE argues that “should the EDPB find an infringement of Article 6(1)(b)
     GDPR, the appropriate course is for it to refer the matter back to the DPC, as IE SA, to determine
     whether to impose any appropriate corrective measures and, if so, what those corrective measures
     should be. Were the EDPB to do otherwise and direct the DPC to make a specific order in the terms
     proposed by certain Objections, it would exceed its competence under Article 65 GDPR” 315.

256. WhatsApp IE states that it is “a matter for the LSA to determine which (if any) corrective measures
     to order and to ensure that any order complies with all applicable procedural safeguards, including
     those provided for under national law, and is issued in accordance with due process and in
     circumstances where the controller has been afforded a right to be heard” 316.

257. WhatsApp IE also argues that “In the context of an inquiry relating to cross-border processing, the
     power to determine which measures are appropriate to exercise under the GDPR is a matter within the
     sole competence of the DPC as IE SA—not the EDPB” 317. While WhatsApp IE acknowledges that
     “Article 65(1) GDPR allows the EDPB to consider reasoned objections concerning whether corrective
     measures envisaged by the IE SA comply with the GDPR”, it argues “it does not empower the EDPB to
     issue prescriptive instructions as to which (if any) of the corrective powers under Article 58 ought
     to be exercised” 318. WhatsApp IE adds that “As noted in the EDPB Guidelines 03/2021 on the
     application of Article 65(1)(a) GDPR (‘Article 65 Guidelines’), at most, the EDPB can ‘instruct the
     IE SA to re-assess the envisaged action and change the draft decision in accordance with the binding
     decision of the EDPB’” 319.

258. According to the EDPB, the views of WhatsApp IE amount to a misunderstanding of the GDPR
     one-stop-shop mechanism and of the shared competences of the CSAs. While the EDPB agrees that the IE
     SA does act as ‘sole interlocutor’ of the controller or processor 320, this should not be understood
     as meaning it has ‘sole competence’ in a situation where the GDPR requires supervisory authorities
     to cooperate pursuant to Article 60 GDPR to achieve a consistent interpretation of the
     Regulation 321. The fact that the IE SA will be the authority that can ultimately exercise the
     corrective powers listed in Article 58(2) GDPR can neither limit the role of the CSAs within the
     cooperation procedure nor the one of the EDPB in the consistency procedure 322.

259. Therefore, contrary to WhatsApp IE’s views, the consistency mechanism may also be used to promote a
     consistent application by the supervisory authorities of the corrective measures, taking into
     account the range of powers listed in Article 58(2) GDPR, when a relevant and reasoned objection
     questions the action(s) envisaged by the Draft Decision towards the controller or processor, or the
     absence thereof. More specifically, when raising an objection on the existing or missing corrective
     measure in the Draft Decision, the CSA should indicate which action it believes would be appropriate
     for the IE SA to undertake and include in the final decision.

260. As mentioned above, aside from the question of administrative fines tackled below in Section 8, the
     FI SA calls on the IE SA to use its corrective powers under Article 58(2) GDPR, by imposing an order
     on WhatsApp IE to bring its processing operations into compliance with the provisions of
     Article 6(1) GDPR with respect to the processing of service improvements and security for which
     WhatsApp IE relied upon Article 6(1)(b) GDPR.

     315 WhatsApp IE's Article 65 Submissions, paragraph 8.11.
     316 WhatsApp IE's Article 65 Submissions, paragraph 8.13.
     317 WhatsApp IE's Article 65 Submissions, paragraph 8.14.
     318 WhatsApp IE's Article 65 Submissions, paragraph 8.14.
     319 WhatsApp IE's Article 65 Submissions, paragraph 8.14.
     320 Article 56(6) GDPR.
     321 See Article 51(2), Article 60, Article 61(1) GDPR and the Judgement of the CJEU of 15 June 2021,
     Facebook Ireland Ltd and Others v Gegevensbeschermingsautoriteit, Case C-645/19,
     ECLI:EU:C:2021:483, (hereinafter ‘C-645/19 Facebook Ireland Ltd and Others’), paragraphs 53, 63,
     68, 72.
     322 Articles 63 and 65 GDPR.

         WhatsApp IE’s position on the objections and its submissions

261. WhatsApp IE considers that “Any corrective measures should be exercised in a manner consistent with
     the principles of proportionality” and “should not go beyond what is necessary to achieve the
     objective of ensuring compliance with the GDPR”, in particular in accordance with Recital 129
     GDPR 323.

262. In addition, WhatsApp IE argues that “the EDPB cannot direct, nor can the DPC impose, a corrective
     order that would be prescriptive in specifying a legal basis on which WhatsApp Ireland must
     rely” 324.

263. Moreover, WhatsApp IE states that “WhatsApp Ireland can only be ordered to bring its processing into
     compliance by ensuring it has a valid legal basis for processing and must be afforded discretion as
     to how it achieves such compliance” 325.

264. Finally, WhatsApp IE argues that “There is no basis for the imposition of administrative fines” 326
     and “it would be inappropriate, disproportionate, and unnecessary to impose an administrative
     fine” 327, as further developed by WhatsApp IE in Section 8.

         EDPB’s assessment on the merits

265. In assessing the appropriate corrective measures to be applied, Article 58(2)(d) GDPR lists the
     following corrective measure:

     “order the controller or processor to bring processing operations into compliance with the
     provisions of this Regulation, where appropriate, in a specified manner and within a specified
     period”.

266. According to recital 129 GDPR, every corrective measure applied by a supervisory authority under
     Article 58(2) GDPR should be “appropriate, necessary and proportionate in view of ensuring
     compliance with the Regulation” in light of the circumstances of each individual case. This
     highlights the need for the corrective measures and any exercise of powers by supervisory
     authorities to be tailored to the specific case. Recital 129 GDPR also provides that each measure
     should “respect the right of every person to be heard before any individual measure which would
     affect him or her adversely is taken”. The measures chosen should provide consideration to ensuring
     that they do not create “superfluous costs” and “excessive inconveniences” for the persons
     concerned in light of the objective pursued.

267. Recital 148 GDPR shows the duty for supervisory authorities to impose corrective measures that are
     proportionate to the seriousness of the infringement.

268. The EDPB recalls that although the supervisory authority must determine which action is appropriate
     and necessary and take into consideration all the circumstances of the processing of personal data
     in question in that determination, the supervisory authority is nevertheless required to execute
     its responsibility for ensuring that the GDPR is fully enforced with all due diligence 328.





     323 WhatsApp IE's Article 65 Submissions, paragraph 8.15.
     324 WhatsApp IE's Article 65 Submissions, paragraph 8.33.
     325 WhatsApp IE's Article 65 Submissions, paragraph 8.34.
     326 C-311/18 Schrems II, paragraph 112.
     327 C-311/18 Schrems II, paragraph 112.
     328 C-311/18 Schrems II, paragraph 112.

269. The EDPB agrees with the FI SA that “the infringement cannot be consider as minor” 329. The EDPB
     reiterates that lawfulness of processing is one of the fundamental pillars of the data protection
     law and considers that processing of personal data without an appropriate legal basis is a clear
     and serious violation of the data subjects’ fundamental right to data protection. In addition, the
     infringement in the present case concerns a high number of data subjects 330 and a large amount of
     personal data.

270. Indeed, the EDPB agrees with the FI SA that “If the IE SA does not make use of their respective
     corrective powers, there is danger that WhatsApp continues to unlawfully process personal data on
     the foot of Article 6(1)(b) GDPR” for service improvement and security processing operations 331
     and “there is a danger that WhatsApp continues to undermine or bypass” data protection
     principles 332. In addition, failure to adopt any corrective measure in this case “would amount to a
     dangerous precedent, sending a deceiving message to the market and to data subjects, and would
     endanger the fundamental rights and freedoms of data subjects whose personal data are and will be
     processed by the controller”. 333

271. As a consequence, the EDPB finds it appropriate for an order to bring processing into compliance to
     be imposed in this case (without prejudice to the additional conclusions in respect of the
     imposition of administrative fines available below in Section 8).

272. According to the EDPB, the deadline for compliance with the order should be reasonable and
     proportionate, in light of the potential for harms to the data subject rights and the resources
     available to the controller to achieve compliance 334.

273. Finally, the EDPB recalls that non-compliance with an order issued by a supervisory authority can be
     relevant both in terms of it being subject to administrative fines up to 20.000.000 euros or, in
     the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding
     financial year in line with Article 83(6) GDPR, and in terms of it being an aggravating factor for
     the imposition of administrative fines. 335 In addition, the investigative powers of supervisory
     authorities allow them to order the provision of all the information necessary for the performance
     of their tasks including the verification of compliance with one of their orders 336.

274. In light of the above, the EDPB instructs the IE SA to include in its final decision an order for
     WhatsApp IE to bring its processing of personal data for the purposes of service improvement and
     security features in the context of its Terms of Service into compliance with Article 6(1) GDPR in
     accordance with the conclusion reached by the EDPB 337 within a specified period of time 338.

     329 FI SA Objection, paragraph 43.
     330 FI SA Objection, paragraph 46: “the draft decision affects all the data subjects within the EEA.
     Therefore, the consequences of not making use of the corrective powers pursuant to Article 58(2)
     GDPR are vast”.
     331 FI SA Objection, paragraph 37.
     332 FI SA Objection, paragraph 37.
     333 FI SA Objection, paragraph 45.
     334 The EDPB recalls its Binding Decision 1/2021 adopted on 28 July 2021 where the EDPB was called to
     resolve a dispute pursuant to Article 65 GDPR concerning, among others, the appropriateness of the
     deadline for compliance suggested in the draft decision at stake. After highlighting the relevance
     of Recitals 129 as well as 148 GDPR for the imposition of corrective measures, the EDPB took into
     account the number of data subjects affected and the importance of the interest of affected data
     subjects in seeing the relevant provisions of the GDPR complied with in a short timeframe. While the
     EDPB also took note of the challenges highlighted by the controller, it found in that case that a
     compliance order with a three months’ timeframe could not be considered disproportionate
     considering the infringement as well as the type of organization, its size and the means (including
     inter alia financial resources but also legal expertise) available to it. Consequently, the EDPB
     instructed the LSA to amend the draft decision by reducing the deadline for compliance from six
     months to three months. EDPB Binding Decision 1/2021, paragraphs 254-263.
     335 Article 83(2)(i) GDPR.
     336 Article 58(1) GDPR.



     8 ON THE IMPOSITION OF AN ADMINISTRATIVE FINE

     8.1 Analysis by the LSA in the Draft Decision

275. The IE SA as LSA does not find any infringement in the Draft Decision, thus no corrective measures
     and, in particular, no administrative fine are foreseen. The IE SA points out that in the
     own-volition inquiry in relation to WhatsApp IE’s Privacy Policy (deemed as “WhatsApp Transparency
     Decision” by the IE SA) corrective measures and among them an administrative fine are included 339.
     Moreover, as further clarified by the IE SA, no further examination or the issuance of further
     determination is needed, as the issues raised in the latter are consistent with the present case.


     8.2 Summary of the objections raised by the CSAs

276. The FR SA, NO SA, DE SA and IT SA object to the IE SA’s failure to take action with respect to one or
     more specific infringements they deem should have been found and ask the IE SA to impose an
     administrative fine as a result of these infringements.

277. The FR SA objects to the absence of an administrative fine by the IE SA in its Draft Decision. Since
     a breach of Article 6 GDPR has been committed in the opinion of the FR SA, which in light of the
     serious character of this infringement should result in the imposition of an administrative fine.
     If further breaches were to be identified with regard to the processing related to behavioural
     advertising, provision of metrics to third parties and with the processing of special categories of
     personal data, they should be taken into account by the IE SA when defining the amount of the
     administrative fine 340. The FR SA therefore asks the IE SA to impose an administrative fine.

278. The NO SA and DE SA also argue that the IE SA should take concrete corrective measures against
     WhatsApp IE in relation to the additional infringement of Article 6(1) GDPR or Article 6(1)(b) GDPR,
     including to impose an administrative fine 341.

279. The IT SA argues that there should be an administrative fine following the finding of an
     infringement of Article 5(1)(a) GDPR 342, and of Article 5(1)(b) and (c) GDPR 343. The IT SA argues
     that WhatsApp IE has failed to comply with the general principle of fairness under Article 5(1)(a)
     GDPR, which, in the view of the IT SA, entails separate requirements from those relating
     specifically to transparency. Moreover, the IT SA states that there is an additional infringement
     of points (b) and (c) of Article 5(1) GDPR on account of WhatsApp IE’s failure to comply with the
     purpose limitation and data minimisation principles. The IT SA asks for a fine to be issued for
     those additional infringements.






     337 As established above in Subsection 4.4.2.
     338 See above footnote 334 on paragraph 272.
     339 Draft Decision, paragraph 5.9.
     340 FR SA Objection, paragraph 53.
     341 NO SA Objection, p. 9; DE SA Objection, p. 8.
     342 IT SA Objection, p. 10.
     343 IT SA Objection, p. 8.



280. In addition, the EDPB considers the FI SA’s request to consider the imposition of an administrative fine, as summarised above in Subsection 7.2, not as a separate objection but rather as a possible outcome of the IE SA’s use of its corrective powers pursuant to Article 58(2) GDPR 344.


     8.3 Position of the LSA on the objections

281. The IE SA notes in its Composite Response that it is satisfied that the scope of the inquiry is appropriate and no question of an infringement of these provisions arises from the complaint, therefore the IE SA would not exercise its corrective powers and would not follow the respective objections 345.


     8.4 Analysis of the EDPB


     8.4.1 Assessment of whether the objections were relevant and reasoned

     The objections raised by the FR SA, NO SA, DE SA and IT SA concern “whether the action envisaged in the Draft Decision complies with the GDPR” 346.

282. In addition to the primary argument levelled against all CSAs’ objections 347 as well as the arguments against the objections regarding Article 6(1) GDPR of these CSAs, WhatsApp IE provides additional arguments on why it considers these not to be relevant and/or reasoned. In a general manner, WhatsApp IE argues that in any event, there is no basis for a finding that they infringed Article 6(1), 9 and/or 5 GDPR because the actual processing has not been investigated or assessed in the course of the inquiry by the IE SA 348. Moreover, WhatsApp IE opines that the imposition of an administrative fine with respect to new findings of infringements would violate its right to be heard and rights of the defence 349. Furthermore, WhatsApp IE points out that the power to impose an administrative fine under the GDPR lies within the sole competence of the IE SA and that the EDPB does not have the power to consider objections solely challenging the amount of a fine or the possible instruction to impose a fine 350.

283. WhatsApp IE is of the view that the FR SA’s objection cannot be considered relevant because it is dependent on another objection, which WhatsApp IE deems “an incorrect allegation of infringement of Article 6(1)(b) GDPR” 351. WhatsApp IE also does not consider the FR SA’s objection to be reasoned enough with regards to the power to impose administrative fines lying with the LSA and considers that the FR SA’s objection “fails to specify any direct, substantial, or plausible risks that could be prevented by applying Article 83(3) GDPR” 352. Regarding the DE SA and NO SA objections to the imposition of an administrative fine, WhatsApp IE does not provide arguments against the “relevant and reasoned” threshold apart from the general positions already reflected.


     344 FI SA Objection, paragraph 43 to 46.
     345 Composite Response, paragraph 78.
     346 Guidelines on RRO, paragraph 32.
     347 WhatsApp IE argues that these are “matters […] outside the Defined Scope of Inquiry and, as such, these Objections are not relevant and do not meet the requirements of Article 4(24). Accordingly, the EDPB is not competent to enter into the substantive consideration of the subject matters of these Objections or to purport to direct the DPC to find additional infringements of the GDPR” (WhatsApp’s Article 65 Submissions, paragraph 7.3). The EDPB does not share this understanding, as explained above. See Section 4.4.1.
     348 WhatsApp IE’s Article 65 Submissions, paragraph 7.5.
     349 WhatsApp IE’s Article 65 Submissions, paragraph 7.4.
     350 WhatsApp IE’s Article 65 Submissions, paragraph 7.9.
     351 WhatsApp IE’s Article 65 Submissions, Annex 1, p. 82.
     352 WhatsApp IE’s Article 65 Submissions, Annex 1, p. 82-83.




284. It is in the EDPB’s understanding that the FR SA disagrees with a specific part of the IE SA’s Draft Decision, namely the lack of an administrative fine regarding the breach of Article 6 GDPR. The FR SA adds that if additional breaches were to be found after any further investigations by the IE SA, they should be taken into account when assessing the fine and its amount 353. In consequence, the EDPB considers the objection to be relevant.

285. The FR SA further argues that the lack of an administrative fine is in contradiction with the seriousness of the issues at hand, the nature of the processing and the size of the controller 354. In the view of the FR SA, not imposing a fine would clearly be detrimental to the rights, freedoms and guarantees of the data subjects and would also lead to reduce the authorities' coercive power and, consequently, their ability to ensure effective compliance with the protection of the personal data of European residents 355. Therefore, the EDPB considers the objection to be reasoned and to clearly demonstrate the significance of the risks posed by the Draft Decision.


                                                      ***

286. The EDPB recalls that the NO and DE SA argue that WhatsApp IE may not rely on Article 6(1)(b) GDPR for the specified data processing and the IE SA should exercise its corrective powers and impose an administrative fine 356. If followed, these objections would lead to a different conclusion as to the possible imposition of an administrative fine. In consequence, the EDPB considers the objections to be relevant and to be reflections upon how the IE SA in their view should 'give full effect to the binding direction(s) as set out in the EDPB’s decision' 357. The EDPB finds that the objection is concrete in the change proposed. However, it takes note that the NO and DE SA’s assessment of the risks of the draft decision relate to the IE SA’s interpretation of Article 6(1)(b) GDPR and not sufficiently to the lack of an imposition of an administrative fine. Therefore, the EDPB does not consider this aspect of the NO and DE SAs’ objections to meet the requirements of Article 4(24) GDPR and are therefore not sufficiently reasoned 358.

287. Taking into account the aforementioned, the EDPB considers that the objection of the FR SA requesting the imposition of an administrative fine is relevant and reasoned pursuant to Article 4(24) GDPR.

288. With respect to the objection raised by the IT SA concerning the imposition of an administrative fine for the alleged infringement of the fairness principle enshrined in Article 5(1)(a), the EDPB finds that it stands in connection with the substance of the Draft Decision, as it concerns the imposition of a corrective measure for an additional infringement, which would be found as a consequence of incorporating the finding put forward by the objection. Clearly, the decision on the merits of the demand to take corrective measures for a proposed additional infringement is affected by the EDPB’s decision on whether to instruct the IE SA to include an additional infringement.

289. If followed, the IT SA’s objection sets out how it would lead to a different conclusion in terms of corrective measures imposed 359. Therefore, the EDPB finds the objections raised by the IT SA to be relevant.


     353 FR SA Objection, paragraph 53.
     354 FR SA Objection, paragraph 56.
     355 FR SA Objection, paragraph 56-57.
     356 NO SA Objection, p. 8-9; DE SA objection, p. 8.
     357 Guidelines on Article 65(1)(a) GDPR, paragraph 50.
     358 See also Section 4.4.1 of this Binding Decision.
     359 IT SA Objection, p. 8-10.



290. WhatsApp IE argues the IT SA’s objection is insufficiently detailed, adding that it is not possible to identify the legal arguments the IT SA wishes to put forward in respect of the fine 360. The EDPB finds that the IT SA adequately argues why they propose amending the Draft Decision and how this leads to a different conclusion in terms of administrative fine imposed 361.

291. WhatsApp IE argues the objection of the IT SA fails to demonstrate the risk posed by the Draft Decision as required and, in doing so, WhatsApp IE dismisses the concerns articulated by the IT SA on the precedent the draft decision sets 362.

292. The EDPB finds that the IT SA articulates an adverse effect on the rights and freedoms of data subjects if the Draft Decision is left unchanged, by referring to a failure to guarantee a high level of protection in the EU for the rights and interests of the individuals 363.

293. Therefore, the EDPB considers the IT SA’s objection concerning the imposition of a fine for the alleged additional infringement of the principle of fairness enshrined in Article 5(1)(a) GDPR to be reasoned.


                                                      ***

294. The EDPB recalls its analysis of whether the objection raised by the IT SA in respect of the proposed alleged additional infringements of Article 5(1)(b) GDPR and 5(1)(c) GDPR meets the threshold set by Article 4(24) GDPR (see Section 5.4.1 above). In light of the conclusion that such objection is not relevant and reasoned, the EDPB does not need to further examine this linked objection.

295. Furthermore, with regard to the FI SA’s objection the EDPB recalls the analysis made in Subsection 7.4.1 and in 8.2 of this Binding Decision.

     8.4.2 Assessment on the merits


296. In accordance with Article 65(1)(a) GDPR, the EDPB shall take a binding decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether the envisaged action in relation to the controller or processor complies with the GDPR.

297. Regarding the processing of purposes or of data categories raised by the FR SA and which were not part of the scope of the inquiry, it is appropriate to refer to the EDPB conclusion as stated above in subsection 6.1.4.2, where the IE SA is instructed to launch further investigations.

298. Regarding the FI SA’s objection as mentioned in Subsection 8.2 and analysed in Section 7, the EDPB again recalls that it only takes note of it, as it is not deemed a separate objection but rather a possible outcome of the IE SA’s use of its corrective powers pursuant to Article 58(2) GDPR.

299. When assessing the merits of all the objections raised, the EDPB also takes into account WhatsApp IE’s position on the objection and its submissions.

300. WhatsApp IE considers that the LSA has sole discretion to impose an administrative fine. WhatsApp IE argues that in the context of a matter relating to cross-border processing, the power to impose an administrative fine under the GDPR lies within the sole competence of the LSA and not the CSAs or the EDPB. Furthermore, WhatsApp IE argues that the GDPR does not confer any power on the EDPB to consider objections solely challenging the amount of a fine, and the EDPB may not give instructions as to whether a fine ought to be imposed, or as to its amount 364.

     360 WhatsApp IE’s Article 65 Submissions, Annex 1, p. 108-109.
     361 The IT SA argues that the finding of such infringement “should result into the imposition of the relevant administrative fine as per Article 83(5)(a) GDPR”, adding the requirement that each fine should be proportionate and dissuasive and arguing the gravity of the infringement, see IT SA Objection, p. 10.
     362 WhatsApp IE’s Article 65 Submissions, Annex 1, p. 109.
     363 IT SA Objection, p. 10.


301. According to the EDPB, the views of WhatsApp IE amount to a misunderstanding of the GDPR one-stop-shop mechanism and of the shared competences of the CSAs. The EDPB responds to WhatsApp IE’s argument that the LSA has sole discretion to determine the appropriate corrective measures in the event of a finding of infringement above (see Section 7, paragraph 258-259).

302. While the EDPB agrees that the LSA does act as “sole interlocutor” of the controller or processor 365, this should not be understood as meaning it has “sole competence” in a situation where the GDPR requires SAs to cooperate pursuant to Article 60 GDPR to achieve a consistent interpretation of the Regulation 366. The fact that the LSA will be the authority that can ultimately exercise the corrective powers listed in Article 58(2) GDPR cannot limit the role of the CSAs within the cooperation procedure or the one of the EDPB in the consistency procedure 367.

303. Therefore, contrary to WhatsApp IE’s views, the consistency mechanism may also be used to promote a consistent application by the supervisory authorities of the corrective measures, taking into account the range of powers listed in Article 58(2) GDPR, when a relevant and reasoned objection questions the action(s) envisaged by the Draft Decision vis-a-vis the controller/processor, or the absence thereof 368. More specifically, when raising an objection on the existing or missing corrective measure – such as an administrative fine – in the Draft Decision, the CSA should indicate which action it believes would be appropriate for the LSA to undertake and include in the final decision 369.

     8.4.2.1.1 Assessment of whether an administrative fine should be imposed for the infringement of Article 6(1) GDPR

304. The EDPB considers that the objection found to be relevant and reasoned in this subsection requires an assessment of whether the Draft Decision needs to be changed in respect to the lack of corrective measures proposed. More specifically, the EDPB needs to assess the request to impose an administrative fine for the infringements that ought to be found by the LSA according to this Binding Decision. The EDPB recalls its conclusion in this Binding Decision on the infringement of Article 6(1) GDPR 370.

305. The EDPB concurs that the decision to impose an administrative fine needs to be taken on a case-by-case basis in light of the circumstances and is not an automatic one 371. However, the EDPB recalls that when a violation of the Regulation has been established, competent supervisory authorities are required to react appropriately to remedy this infringement in accordance with the means provided to them by Article 58(2) GDPR 372, which includes the possible imposition of an administrative fine pursuant to Article 58(2)(i) GDPR 373.

     364 WhatsApp IE’s Article 65 Submissions, paragraph 7.9.
     365 Article 56(6) GDPR.
     366 See GDPR Art. 51(2), 60, 61(1), and C-645/19 Facebook Ireland Ltd and Others, paragraphs 53, 63, 68, 72.
     367 Article 63 and 65 GDPR.
     368 Guidelines on RRO, paragraph 7. Objections may relate to both existing or missing elements in the draft decision.
     369 Guidelines on RRO, paragraphs 29 and 33.
     370 See Section 4.4.2 of this Binding Decision.
     371 WP29 Guidelines on Administrative fines, p. 6 (“Like all corrective measures in general, administrative fines should adequately respond to the nature, gravity and consequences of the breach, and supervisory authorities must assess all the facts of the case in a manner that is consistent and objectively justified. The assessment of what is effective, proportional and dissuasive in each case will have to also reflect the objective pursued by the corrective measure chosen, that is either to re-establish compliance with the rules, or to punish unlawful behavior (or both)”), p. 7 (“The Regulation requires assessment of each case individually”; “Fines are an important tool that supervisory authorities should use in appropriate circumstances. The supervisory authorities are encouraged to use a considered and balanced approach in their use of corrective measures, in order to achieve both an effective and dissuasive as well as a proportionate reaction to the breach. The point is to not qualify the fines as last resort, nor to shy away from issuing fines, but on the other hand not to use them in such a way which would devalue their effectiveness as a tool.”).

306. Indeed, as already mentioned the consistency mechanism may also be used to promote a consistent application of administrative fines 374: where a relevant and reasoned objection identifies shortcomings in the reasoning leading to the imposition of the fine at stake (or naturally the lack of one), the EDPB can instruct the LSA to engage in a new assessment of the need for a fine or the calculation of a proposed fine 375.

307. The EDPB again wants to recall that although the supervisory authority must determine which action is appropriate and necessary and take into consideration all the circumstances of the processing of personal data in question in that determination, the supervisory authority is nevertheless required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence 376. Recital 148 shows the duty for supervisory authorities to impose corrective measures that are proportionate to the seriousness of the infringement 377.

308. With respect to the imposition of an administrative fine, the EDPB recalls the requirements of Article 83(1) GDPR, as well as that due account must be given to the elements of Article 83(2) GDPR.

309. As already established the EDPB considers the lawfulness of processing to be one of the fundamental pillars of the data protection law and that processing of personal data without an appropriate legal basis is a clear and serious violation of the data subjects’ fundamental right to data protection 378. The EDPB therefore agrees with the FR SA in considering the identified breach as serious 379. Furthermore, the EDPB takes the view that the infringement at issue relates to the processing of personal data of a significant number of people in a cross-border scope and that the impact on them has to be considered 380.

310. The EDPB underlines that the specific circumstances of the case have to be reflected. Such circumstances not only refer to the specific elements of the infringement, but also those of the controller or processor who committed the infringement, namely its size and financial position 381.

     372 C-311/18 Schrems II, paragraph 111.
     373 See also FI SA Objection, paragraph 43.
     374 Recital 150 GDPR.
     375 Guidelines on RRO, paragraph 34.
     376 C-311/18 Schrems II, paragraph 112.
     377 Recital 148 GDPR states, for instance: “in a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine”. The EDPB confirmed that “the indications provided by this Recital can be relevant for the imposition of corrective measures in general and for the choice of the combination of corrective measures that is appropriate and proportionate to the infringement committed”. EDPB Binding Decision 1/2021, paragraph 256.
     378 Article 8(2), EU Charter.
     379 FR SA Objection, paragraph 56.
     380 See Guidelines on calculation of fines, paragraph 54.
     381 On turnover see Guidelines on calculation of fines, paragraph 49; also FR SA objection, paragraph 56.


311. Though the damage is very difficult to express in terms of a monetary value, it remains the case that data subjects have been faced with data processing that should not have occurred (by relying inappropriately on Article 6(1)(b) GDPR as a legal basis as established in section 4.4.2). The data processing in question entails decisions about information that data subjects are exposed to or excluded from receiving. The EDPB recalls that non-material damage is explicitly regarded as relevant in recital 75 GDPR and that such damage may result from situations “where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data”. Given the nature and gravity of the infringement of Article 6(1) GDPR, a risk of damage caused to data subjects is, in such circumstances, consubstantial with the finding of the infringement itself.

312. In the light of the nature and gravity of the infringement pursuant to Article 83(2)(a) GDPR as identified in the paragraphs above, in the view of the EDPB the combination of the mentioned factors already clearly tips the balance in favour of imposing an administrative fine.

313. For conduct infringing data protection rules, the GDPR does not provide for a minimum fine. Rather, the GDPR only provides for maximum amounts in Article 83(4)–(6) GDPR, in which several different types of conduct are grouped together. A fine can ultimately only be calculated by weighing up all the elements expressly identified in Article 83(2)(a)–(j) GDPR, relevant to the case and any other relevant elements, even if not explicitly listed in the said provisions (as Article 83(2)(k) GDPR requires to give due regard to any other applicable factor). Finally, the final amount of the fine resulting from this assessment must be effective, proportionate and dissuasive in each individual case (Article 83(1) GDPR). Any fine imposed must sufficiently take into account all of these parameters, whilst at the same time not exceeding the legal maximum provided for in Article 83(4)–(6) GDPR 382.

314. In light of the above, the EDPB instructs the IE SA to impose an administrative fine, remaining in line with the criteria provided for by Article 83(2) GDPR and ensuring it is effective, proportionate and dissuasive in line with Article 83(1) GDPR, in accordance with the conclusions reached by the EDPB, namely the identified infringement of Article 6(1) GDPR.

     8.4.2.1.2 Assessment of whether an administrative fine should be imposed for the infringement of the fairness principle under Article 5(1)(a) GDPR

315. The EDPB recalls its conclusion in this Binding Decision on the infringement by WhatsApp IE of the fairness principle under Article 5(1)(a) GDPR 383 and that the objection raised by the IT SA, which is found to be relevant and reasoned, requested the IE SA to exercise its power to impose an administrative fine 384.

316. The EDPB takes note of WhatsApp IE’s view that the IT SA objection is not relevant and reasoned 385 and also notes that WhatsApp IE takes the view that it is inappropriate, clearly disproportionate, and unnecessary to impose an administrative fine 386.








     382 See Guidelines on calculation of fines, paragraph 16.
     383 Section 5.4.2 of this Binding Decision.
     384 Paragraphs 289-293 of this Binding Decision.
     385 Paragraph 138 of this Binding Decision.
     386 WhatsApp IE’s Article 65 Submissions, Annex 1, p. 109.



317. The EDPB again recalls that the decision to impose an administrative fine needs to be taken on a case-by-case basis in light of the circumstances and is not an automatic one 387 and the specificities of the case have to be taken into account.

318. As previously established, the principle of fairness under Article 5(1)(a) GDPR, although intrinsically linked to the principles of lawfulness and transparency under the same provision, has an independent meaning 388.

319. Considering the EDPB’s findings in Section 5.4.2 that WhatsApp IE has not complied with key requirements of the principle of fairness, the EDPB reiterates its view that WhatsApp IE has infringed the principle of fairness under Article 5(1)(a) GDPR and agrees with the IT SA that this infringement should be adequately taken into account by the IE SA in the calculation of the amount of the administrative fine to be imposed following the conclusion of this inquiry.

320. Therefore, the EDPB instructs the IE SA to take into account the infringement by WhatsApp IE of the fairness principle enshrined in Article 5(1)(a) GDPR as established above when determining the fine for the violation of Article 6(1) GDPR as instructed above. If, however, the IE SA considers an additional fine for the breach of the principle of fairness is an appropriate corrective measure, the EDPB requests the IE SA to include this in its final decision. In any case, the IE SA must take into account the criteria provided for by Article 83(2) GDPR and ensure it is effective, proportionate and dissuasive in line with Article 83(1) GDPR.



     9 BINDING DECISION

321. In light of the above and in accordance with the task of the EDPB under Article 70(1)(t) GDPR to issue binding decisions pursuant to Article 65 GDPR, the EDPB issues the following binding decision in accordance with Article 65(1)(a) GDPR.

322. The EDPB addresses this Binding Decision to the LSA in this case (the IE SA) and to all the CSAs, in accordance with Article 65(2) GDPR.

323. On the objections concerning whether the LSA should have found an infringement for lack of appropriate legal basis

         1. The EDPB decides that the objections of the DE SA, FI SA, FR SA, NL SA and NO SA regarding WhatsApp’s reliance on Article 6(1)(b) GDPR meet the requirements of Article 4(24) GDPR.

         2. The EDPB decides that WhatsApp IE has inappropriately relied on Article 6(1)(b) GDPR to process the Complainant’s personal data for the purpose of service improvement and security in the context of its Terms of Service and therefore lacks a legal basis to process these data. WhatsApp IE has consequently infringed Article 6(1) GDPR by unlawfully processing personal data.

         3. The EDPB instructs the IE SA to alter its Finding 2 of its Draft Decision, which concludes that WhatsApp IE may rely on Article 6(1)(b) in the context of its offering of Terms of Service, and to include an infringement of Article 6(1) GDPR, on the basis of the conclusion reached by the EDPB in this Binding Decision.




     387 See above paragraph 305 of this Binding Decision.
     388 See paragraph 147-149 of this Binding Decision.



324. On the objections concerning the potential additional infringement of the principle of fairness

         4. The EDPB decides that the objection of the IT SA regarding the infringement by WhatsApp IE of the principle of fairness under Article 5(1)(a) GDPR meets the requirements of Article 4(24) GDPR.

         5. The EDPB instructs the IE SA to find in its final decision an additional infringement of the principle of fairness under Article 5(1)(a) GDPR by WhatsApp IE.

325. On the objection concerning the potential additional infringement of the principles of purpose limitation and data minimisation

         6. On the objection by the IT SA concerning the possible additional infringements of the principles of purpose limitation and data minimisation under Article 5(1)(b) and (c) GDPR, the EDPB decides this objection does not meet the requirements of Article 4(24) GDPR.

326. On the objections concerning the potential need for further investigation:

         7. The EDPB decides that the objections of the IT SA, FR SA and FI SA regarding the lack of investigation of WhatsApp’s processing operations in its service of special categories of personal data (Article 9 GDPR), of data processed for the purposes of behavioural advertising, for marketing purposes, as well as for the provision of metrics to third parties and the exchange of data with affiliated companies for the purposes of service improvements, meet the requirements of Article 4(24) GDPR.

         8. The EDPB decides that the IE SA shall carry out an investigation into WhatsApp’s processing operations in its service in order to determine if it processes special categories of personal data (Article 9 GDPR), processes data for the purposes of behavioural advertising, for marketing purposes, as well as for the provision of metrics to third parties and the exchange of data with affiliated companies for the purposes of service improvements, and in order to determine if it complies with the relevant obligations under the GDPR. Based on the results of that investigation and the findings the IE SA shall issue a new Draft Decision in accordance with Article 60(3) GDPR.

327. On corrective measures other than administrative fines

         9. The EDPB decides that the objection of the FI SA requesting corrective measures to be imposed in compliance with the Article 58(2) GDPR meets the requirements of Article 4(24) GDPR.

         10. On the objections by the DE and NO SAs requesting corrective measures to be imposed in compliance with the Article 58(2) GDPR, the EDPB decides that these objections do not meet the requirements of Article 4(24) GDPR.

         11. The EDPB instructs the IE SA to include in its final decision an order for WhatsApp IE to bring its processing of personal data for the purposes of service improvement and security features in the context of its Terms of Service into compliance with Article 6(1) GDPR in accordance with the conclusion reached by the EDPB 389 within a specified period of time 390.

328. On the objections concerning the imposition of an administrative fine for the lack of legal basis

         12. The EDPB decides that the objection of the FR SA regarding the imposition of an administrative fine for the infringement of Article 6(1) GDPR meets the requirements of Article 4(24) GDPR.

         13. The EDPB decides that the relevant parts of the objections of the NO and DE SAs specifically relating to an administrative fine for the lack of legal basis do not meet the threshold of Article 4(24) GDPR.

         14. The EDPB instructs the IE SA to cover the additional infringement of Article 6(1) GDPR with an administrative fine, which is effective, proportionate and dissuasive in accordance with Article 83(1) GDPR. In determining the fine amount, the IE SA must give due regard to all the applicable factors listed in Article 83(2) GDPR, in particular the nature and gravity of the infringement and the number of data subjects affected.

     389 As established above in Subsection 4.4.2.
     390 See above footnote 334 on paragraph 272.

329. On the objection concerning the imposition of an administrative fine for the infringement of the fairness principle under Article 5(1)(a) GDPR

         15. The EDPB decides that the objection of the IT SA regarding the imposition of an administrative fine for the infringement of Article 5(1)(a) GDPR meets the requirements of Article 4(24) GDPR.

         16. The EDPB instructs the IE SA to take into account the infringement by WhatsApp IE of the fairness principle enshrined in Article 5(1)(a) GDPR when determining the fine for the violation of Article 6(1) GDPR as instructed above. If, however, the IE SA considers an additional fine for the breach of the principle of fairness is an appropriate corrective measure, the EDPB requests the IE SA to include this in its final decision. In any case, the IE SA must take into account the criteria provided for by Article 83(2) GDPR and ensure it is effective, proportionate and dissuasive in line with Article 83(1) GDPR.

330. On the objection concerning the imposition of an administrative fine for the infringement of Article 5(1)(b) and (c) GDPR

         17. The EDPB decides that it does not need to examine the objection of the IT SA regarding the imposition of an administrative fine for the infringement of Article 5(1)(b) and (c) GDPR.


     10 FINAL REMARKS


331. This Binding Decision is addressed to the IE SA and the CSAs. The IE SA shall adopt its final decision on
    the basis of this binding decision pursuant to Article 65(6) GDPR.

332. Regarding the objections deemed not to meet the requirements stipulated by Art 4(24) GDPR, the
    EDPB does not take any position on the merit of any substantial issues raised by these objections. The
    EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be
    called upon to make in other cases, including with the same parties, taking into account the contents
    of the relevant draft decision and the objections raised by the CSAs.

333. According to Article 65(6) GDPR, the IE SA shall adopt its final decision on the basis of the Binding
    Decision without undue delay and at the latest by one month after the EDPB has notified its Binding
    Decision.

334. The IE SA shall inform the EDPB of the date when its final decision is notified to the controller or the
    processor 391. This Binding Decision will be made public pursuant to Article 65(5) GDPR without delay
    after the IE SA has notified its final decision to the controller 392.

     391 Article 65(6) GDPR.
     392 Article 65(5) and (6) GDPR.



335. The IE SA will communicate its final decision to the Board 393. Pursuant to Article 70(1)(y) GDPR, the IE
    SA’s final decision communicated to the EDPB will be included in the register of decisions which have
    been subject to the consistency mechanism.




     For the European Data Protection Board

     The Chair

     (Andrea Jelinek)

     393 Article 60(7) GDPR.