EDPB - Binding Decision 5/2022 - 'Whatsapp'

From GDPRhub
Revision as of 14:42, 1 February 2023 by AK (talk | contribs)
EDPB - Whatsapp Ireland Limited - Decision 5/2022
LogoEDPB.png
Authority: EDPB
Jurisdiction: European Union
Relevant Law: Article 4 GDPR
Article 5 GDPR
Article 6 GDPR
Article 7 GDPR
Article 9 GDPR
Article 12 GDPR
Article 13 GDPR
Article 21 GDPR
Article 24 GDPR
Article 56 GDPR
Article 58 GDPR
Article 60 GDPR
Article 65 GDPR
Article 77 GDPR
Article 79 GDPR
Article 83 GDPR
Type: Other
Outcome: n/a
Started: 19.08.2022
Decided: 05.12.2022
Published: 25.01.2023
Fine: n/a
Parties: German Whatsapp user (represented by noyb - European Centre for Digital Rights)
Whatsapp Ireland Limited
National Case Number/Name: Whatsapp Ireland Limited - Decision 5/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: LR

Following a referral under the Article 60 GDPR procedure, the EDPB issued a binding decision on a case initiated by noyb finding Whatsapp IE’s processing of personal data for “service improvements” and “security” to be unlawful.

English Summary

Facts

In order to access Whatsapp, an online instant messaging platform ultimately owned and controlled by “Meta Platforms Inc.”, a user was required to accept a series of terms and conditions (the “Terms of Service”) and a Privacy Policy.

In accordance with the GDPR, Whatsapp IE was obliged to have a lawful basis for the processing of any personal data they undertook. Article 6(1) GDPR detailed the lawful bases upon which such data can be processed. The company was also obliged to provide detailed information to users at the time their personal data was obtained in relation to, among others, the purposes of any data processing and the legal basis for such processing. To continue to access the Whatsapp platform, all users were required to accept the updated Terms of Service and privacy policy prior to 25 May 2018, the date the GDPR became applicable. Those existing users who were not willing to accept the new terms were advised of the option to delete their Whatsapp account.

A German Whatsapp user, the “data subject” and “complainant”, filed a complaint against Whatsapp IE, the controller. The complainant was represented by “noyb – European Centre for Digital Rights”, a privacy NGO based in Austria. The complainant alleged that Whatsapp IE’s data processing practices on the Whatsapp platform amounted to “forced consent”, and constituted a violation of the GDPR. The complaint, originally filed with the Hamburg DPA (HmbBfDI) and later transferred to the German Federal DPA (BfDI), advanced a number of grounds upon which the consent of the data subject could not be considered “freely given”.

Firstly, there existed a clear imbalance of power between the controller and the data subject. This was likely to affect the voluntariness of the latter’s consent for the processing of personal data. The complaint alleged that, in this case, the controller undisputedly had a dominant market position in the area of social networking services and, in combination with the “lock in” and “network” effects, the data subject was left with no other realistic alternatives.

Secondly, the use of the Whatsapp service was conditional upon the data subject’s consent to collection of their data, when such data processing is not necessary for the provision of the service. Article 7(4) GDPR, which defines the conditions for consent, specifically states that “utmost account shall be taken of whether, inter alia, the performance of a contract… is conditional on consent to the processing that is not necessary for the performance of that contract”. As such, the “consent” upon which the controller seeks to rely was invalid.

Additionally, the complaint raises the issue of granularity, as the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or nothing” approach contrary to the requirement of the GDPR for “specific” consent to processing.

Finally, the controller shall enable the data subject to refuse consent without any detriment. However, in this case, the data subject faces significant disadvantage, as their account would be deleted – as a consequence of withdrawal – and they would lose a crucial form of social interaction.

The BfDI referred the case to the Irish DPA (DPC) under Article 56 GDPR, and in accordance with the procedure outlined in Article 60 GDPR.

Responding to the Complainant’s assertions Whatsapp IE submitted, among other points, that it does not rely on consent as the lawful basis for the relevant processing of personal data. According to the company, “the legitimization of the processing at issue in this inquiry falls under Article 6(1)(b) GDPR [necessary for the performance of a contract] and therefore an assessment under Article 6(1)(b) only is required”. (DPC Preliminary Draft Decision, para 3.4)

On 1 April 2022, the DPC shared its Draft Decision with the other Data Protection Authorities (DPAs) in accordance with Article 60(3) GDPR. Six DPAs (DE, FI, FR, IT, NL, NO) raised objections, in accordance with Article 60(4) GDPR, to the Draft Decision. On 19 August 2022, the matter was referred to the European Data Protection Board (EDPB). The EDPB adopted a binding decision on 5 December 2022 and the DPC issued its Final Decision on 12 January 2023, published on 19 January 2023.

Holding

Issuing its Binding Decision, the EDPB decided on the admissibility of the objections raised by the DPAs. For each issue, the EDPB determined whether the objection can be considered a “relevant and reasoned objection” within the meaning of Article 4(24) GDPR. The EDPB identified five issues in the case at hand, addressing each one in turn before issuing the Binding Decision.

Please note: in order to explain the issues addressed in the decision, it is necessary to explain the proposals in the DPC’s Draft Decision, in order to provide the context for the EDPB decision.


Issue 1 – On Whether the LSA (DPC) Should Have Found an Infringement for Lack of Appropriate Legal Basis

The first issue concerns whether Whatsapp IE can rely on Article 6(1)(b) GDPR as the lawful basis for processing of personal data. In order to do so, the controller has to demonstrate that such “processing is necessary for the performance of a contract to which the data subject is a party”. When issuing its Draft Decision, the DPC firstly sought to address the question of scope – identifying which processing practices they are concerned with in this context – before moving to the question of contractual necessity as a lawful basis.

Summarising the DPC’s position on the question of scope, they asserted that their inquiry must be limited to the processing of personal data for “service improvements” and “security”. In doing so, the DPC elected not to conduct an investigation into the processing of sensitive categories of data, as well as data processed for the purposes of: behavioural advertising; providing metrics to third parties; and marketing.

Responding to this proposal, the EDPB disagreed with the DPC's conclusions regarding the scope of the inquiry, and directed the DPC to commence a new inquiry into whether Whatsapp processes data in the ways described above (222). The DPC did not conduct this inquiry as, in their view, “that direction cannot be addressed… in this decision” and proceeded in their analysis, continuing to exclude questions of data processed for advertising. For further discussion of the issue of scope, and the EDPB’s directions regarding a further investigation, please see “Issue 3 – On the Further Investigation” below.

Addressing the second question, whether the data processing is necessary for the purpose of a contract between Whatsapp IE and its users, the DPC agreed with the complainant’s submissions and the EDPB guidelines that “the ‘core’ functions of a contract must be assessed in order to determine what processing is objectively necessary in order to perform it” (DPC - 3.27).

However, the DPC added that “necessity is to be determined by reference to the particular contract” (DPC - 3.27) and “it is not for an authority such as the [DPC], tasked with the enforcement of data protection law, to make assessments as to what will or will not make the performance of a contract possible” (DPC - 3.45). The DPC took a broad approach to determining what is necessary for the performance of a contract based on “the actual bargain which has been struck between the parties” (DPC - 3.30). The DPC stated “it seemed to me… that Whatsapp’s model and the service being offered is explicitly one that includes improvements to an existing service, and a commitment to upholding certain standards relating to abuse, etc., that is common across all affiliated platforms” (DPC - 3.42). Accordingly, the Draft Decision “proposed to conclude... that WhatsApp was, in principle, entitled to rely on Article 6(1)(b) GDPR for processing personal data” (DPC - 3.50).

In response, when issuing its Binding Decision with regard to Article 6(1)(b) GDPR as a lawful basis for data processing and the determination of what is necessary for the performance of a contract, the EDPB stated as follows:

The EDPB agrees with the IE SA and Whatsapp IE that there is no hierarchy between these legal bases. However, this does not mean that a controller, as Whatsapp IE in the present case, has absolute discretion to choose the legal basis that suits better its commercial interests. The controller may only rely on one of the legal basis established under Article 6 GDPR if it is appropriate for the processing at stake" (100).

"The GDPR makes Whatsapp IE, as a data controller for the processing at stake, directly responsible for complying with the Regulation’s principles, including the processing of data in a lawful, fair and transparent manner, and any obligations derived therefrom. This obligation applies even where the practical application of GDPR principles… is inconvenient or runs counter to the commercial interests of Whatsapp IE and its business model” (101).

"The EDPB agrees that SAs do not have under the GDPR a broad and general competence in contractual matters. However, the EDPB considers that the supervisory tasks that the GDPR bestows on SAs imply a limited competence to assess a contract's validity, insofar as it is relevant to the fulfilment of their tasks under the GDPR" (102).

...it is important to determine the exact rationale of the contract, i.e. its substance and fundamental objective, as it is against this that it will be tested whether the data processing is necessary for its performance” (105).

"the concept of necessity has its own independent meaning under EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU instrument, in this case, the GDPR" (110).

Turning to the facts of the case, the EDPB outlines a number of factors which, in contradiction to the view of the DPC, support the argument that data processing for service improvements and security is not essential to the contract between Whatsapp IE and its users. The EDPB observes that Whatsapp is under a duty to consider the possibility of less intrusive ways to pursue the stated purpose, for example, “rely on a pool of users, who voluntarily agreed, by providing consent, to the processing of their personal data for this purpose” (109).

Furthermore, the EDPB points to an imbalance of knowledge surrounding the contract, “an average user cannot fully grasp what is meant by processing for service improvements and security features, be aware of its consequences and impact on their rights to privacy and data protection, and reasonable expect it solely based on Whatsapp IE’s Terms of Service” (111). As explained by the EDPB, the DPC has already acknowledged that Whatsapp IE infringed its transparency obligations under the GDPR (see “Issue 3” in DPC Decision IN-18-5-6), and this undermines the argument that the processing is lawful on the basis of contractual performance. This is because, “one of the parties (in this case a data subject) [has not been] provided with sufficient information to know they are signing a contract, the processing of personal data that it involves, for which specific purposes and on which legal basis, and how this processing is necessary to perform the services delivered… These transparency requirements are not only an additional and separate obligation, but also an indispensable and constitutive part of the legal basis” (117).

The EDPB continues, outlining the inherent risk of a finding in the DPC’s decision that Whatsapp IE can process personal data on the basis of Article 6(1)(b) GDPR:

“...there is a risk that the Draft Decision’s failure to establish Whatsapp IE's infringement of Article 6(1)(b) GDPR, pursuant to the interpretation by the [DPC], nullifies this provision and makes theoretically lawful any collection and reuse of personal data in connection with the performance of a contract with a data subject" (119). “This precedent could encourage other economic operators to use the contractual performance legal basis of Article 6(1)(b) GDPR for all their processing of personal data. There would be the risk that some controllers argue some connection between the processing of the personal data of their consumers and the contract to collect, retain, and process as much personal data from their users as possible and advance their economic interests at the expense of the safeguards for data subjects” (120).

In light of all of the above, the EDPB directed the following:

processing for the purposes of service improvements and security features performed by Whatsapp IE are objectively not necessary for the performance of Whatsapp IE's alleged contract with its users and are not an essential or core element of it" (121). "Whatsapp IE has inappropriately relied on Article 6(1)(b) GDPR to process the complainant's personal data for the purposes of service improvements and security in the context of its Terms of Service and therefore lacks a legal basis to process the data. The EDPB was not required to examine whether data processing for such purposes could be based on other legal bases because the controller relied solely on Article 6(1)(b) GDPR. Whatsapp IE has consequently infringed Article 6(1) GDPR by unlawfully processing personal data” (122).

Accordingly, the EDPB instructed the DPC to alter “Finding 2” of its Draft Decision to include a finding that Whatsapp IE was not entitled to rely on Article 6(1)(b) GDPR to process the Complainant’s personal data in this context, and to find an infringement of Article 6(1) GDPR based on the shortcomings the EDPB has identified (122).


Issue 2 – On the Potential Infringement of the Principles of Fairness, Purpose Limitation and Data Minimisation

During the course of the Article 60 GDPR consultation period, the Italian DPA raised two objections to the DPC’s Draft Decision. The Italian DPA asserted that the Draft Decision should be amended to include a separate finding of an infringement of the Article 5(1)(a) GDPR principle of fairness, and infringements of the Article 5(1)(b) and (c) GDPR principles of purpose limitation and data minimisation.

Potential infringement of principles of purpose limitation and data minimisation:

The Italian DPA explained that the fact that Whatsapp IE’s multifarious processing practices involving personal data are grounded in Article 6(1)(b) GDPR entails an infringement of the principles of purpose limitation and data minimisation. This is because the purposes must have been specified and communicated to data subjects. In response, the DPC stated that it did not consider that the Italian DPA’s objection to be relevant or reasoned.

In contrast, the EDPB stated that it did consider the Italian DPA’s objection to be “relevant” as it includes justifications concerning why and how issuing a decision with the changes proposed in the objection is needed and how the change could lead to a different conclusion. However, the EDPB found that the objection did not sufficiently demonstrate that there is a “substantial and plausible” risk to the fundamental rights and freedoms of data subjects. Therefore, while the objection is relevant, it is “not reasoned” so as to satisfy Article 4(24) GDPR.

Potential infringement of the principle of fairness:

The objection raised by the Italian DPA sought an additional finding of an infringement of the principle of fairness in Article 5(1)(a) GDPR. In its Draft Decision, the DPC decided not to follow the objection, as the “principle of fairness was not examined during the course of this inquiry and, consequently, Whatsapp was not afforded the opportunity to be heard in response to a particularised allegation of wrongdoing” (DPC - 5.1). The matter was referred to the EDPB, which determined the objection raised by the Italian DPA to be both relevant and reasoned in accordance with Article 4(24) GDPR, and stated as follows:

Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject” (143).

"...the principle of fairness has an independent meaning and… an assessment of Whatsapp IE’s compliance with the principle of transparency does not automatically rule out the need for an assessment of Whatsapp IE’s compliance with the principle of fairness too" (147).

"the concept of fairness stems from the EU Charter… [it] underpins the entire data protection framework and seeks to address power asymmetries between controllers and data subjects in order to cancel out the negative effects of such asymmetries and ensure the effective exercise of the data subjects’ rights” (148).

Considering the constantly increasing economic value of personal data in the digital environment, it is particularly important to ensure that data subjectsare protected from any form of abuse and deception, intentional or not, which would result in the unjustified loss of control over their personal data… Therefore, the EDPB disagrees with the [DPC]’s finding that assessing Whatsapp IE’s compliance with the principle of fairness ‘would therefore… represent a significant departure from the scope of the inquiry.’ In addition, it is important to note that Whatsapp IE has been heard on the objections and therefore submitted written submissions on this matter” (150).

Whatsapp has presented its service to users in a misleading manner… The combination of factors, such as the unbalanced relationship between Whatsapp IE and its users, combined with the ‘take it or leave it’ situation that they are facing… systematically disadvantages them, limits their control over the processing of their personal data and undermines the exercise of their rights” (154, 156).

Accordingly, the EDPB instructed the DPC to include a finding of an infringement of the principle of fairness under Article 5(1)(a) of the GDPR by Whatsapp IE, and to “adopt the appropriate corrective measures, by addressing, but without being limited to, the question of an administrative fine for this infringement” (157).


Issue 3 – On the Further Investigation

As discussed in “Issue 1” above, the DPC reached certain conclusions on the scope of their inquiry, limiting their analysis to personal data processing for the purposes of “service improvements” and “security”. In their draft Decision, the DPC explained that that their analysis will be based only on the Whatsapp Terms of Service, and not the Privacy Policy. In their view, the Privacy Policy is essentially an explanatory document for the purposes of transparency, and not part incorporated within the terms of service (DPC 3.4 – 3.5). The DPC then takes issue with the generality, or vagueness, of the complaint which – in their view – does not identify “specific processing operations by reference to an identifiable body of data with any clarity of precision” (DPC - 3.6). Furthermore, according to the DPC, the complainant was not entitled to request that the DPC “conduct an assessment of all processing operations carried out by Whatsapp” (DPC - 3.6). After stating that “the Complaint does, however, focus on a number of particular processing activities and has a specific focus on data processed to facilitate improvements to services and advertising” (DPC - 3.7), the DPC explains that their Draft Decision proposed an assessment of whether Whatsapp IE can rely on Article 6(1)(b) GDPR for data processing for service improvements, providing metrics to third parties (such as companies within the same group of companies), and advertising. However, on the question of advertising, the DPC states that “no evidence has been presented by the Complainant that Whatsapp processes personal data for the purpose of advertising” (DPC - 3.8), and therefore data processing for advertising is not relevant to this inquiry. With regards to “providing metrics to third parties”, the DPC states later in the decision that “any sharing with affiliated companies formed part of the general ‘improvements’ that are carried out pursuant to Article 6(1)(b) GDPR” (DPC - 3.33). Therefore, the DPC took the view that providing metrics to third parties forms part of service improvements as “any clear delineation between these two forms of processing was artificial” (DPC - 3.33). As a result, the DPC restricted the scope of their inquiry to “regular improvements and maintaining standards of security”.

During the Article 60 GDPR consultation period, 3 DPAs (FI, FR, IT) raised objections to the conclusions reached by the DPC in the Draft Decision. The objections requested that the DPC further investigate matters of behavioural advertising, special categories of personal data, the provision of metrics to third parties, including companies belonging to the same group, and marketing. (168 – see also 169 – 174). In response, the DPC stated that it does not propose to “follow” the objections raised, and the matter was referred to the EDPB.

Issuing its Binding Decision, the EDPB disagreed with the DPC’s assessment of scope, and found the objections raised both relevant and reasoned in accordance with Article 4(24) GDPR. Regarding specifically the question of special categories of personal data, the EDPB notes that the GDPR and case law pay close attention to the processing of such data, and that the complaint expressly requests the DPC to investigate Whatsapp IE’s processing operations in this area (215). The EDPB outlines the risk of the DPC’s failure to address the issue of special categories of personal data including: the use of this data to build intimate profiles of users; the failure to recognise it as a special category of personal data; ignoring the role of consent in the processing; and setting a precedent of ambiguity and transparency which could be followed by other controllers (see 217). They also assert that the DPC “did not handle the complaint with all due diligence” and that the lack of any further investigation into processing for behavioural advertising, of special categories of personal data, provision of metrics to third parties, exchange with affiliated companies, and processing for the purposes of marketing, was an omission (218). Taking into account the limited scope of the inquiry and lack of assessment by the DPC, the EDPB decided that the DPC “shall carry out an investigation into Whatsapp IE’s processing operations in its service to determine if it processes special categories of data” and to investigate the processing for all of the above purposes in order to determine if Whatsapp IE complied with its obligations under the GDPR. The EDPB also instructs the DPC to issue a new Draft Decision, based on the results of that investigation and the findings (222).

It is worthy to note, at this stage, that the DPC did not conduct this further investigation as, in their view, “that direction cannot be addressed… in this decision” and proceeded in their analysis, continuing to exclude questions of data processed for advertising. For further discussion, please see DPC (Ireland) – Whatsapp Ireland Limited – IN-8-5-6 (discussion of “Issue 2”).


Issue 4 – On Corrective Measures Other than Additional Fines

In its Draft Decision, the DPC did not find any infringement of Article 6(1)(b) GDPR and so was not in a position to consider the application of its corrective powers as provided for in Article 59(2) GDPR. The DPC did consider that Whatsapp IE had infringed its transparency obligations under the GDPR, however, they had dealt with this issue in a previous own-volition inquiry and imposed an administrative fine and order to bring processing into compliance.

A number of objections were raised to the lack of corrective measures in the Draft Decision to address the infringement of Article 6(1) GDPR. Most notably, the Finnish DPA stated that the DPC should use its corrective powers to at least order Whatsapp IE to bring its processing operations into compliance with Article 6(1) GDPR. Also, the DPC should consider the imposition of an administrative fine.

After reviewing the merits of the objection, the EDPB instructed the DPC “to include in its final decision an order for WhatsApp IE to bring its processing of personal data for the purposes of service improvement and security features in the context of its Terms of Service into compliance with Article 6(1) GDPR” (274).


Issue 5 – On the imposition of the administrative fine

During the Article 60 GDPR consultation period, four DPAs (FR, NO, DE, IT) objected to the failure of the DPC to take action with respect to one or more specific infringements and asked the DPC to impose an administrative fine. After considering the objections in light of Article 4(24) GDPR and the factors outlined in Article 83(2) GDPR the EDPB instructed the DPC to impose an administrative fine for the infringement of Article 6(1) GDPR (314) and, in doing so, to take into account the infringement of the principle of fairness in Article 5(1)(a) GDPR (320).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

BindingDecision5/2022onthedisputesubmittedby the
Irish SAregardingWhatsAppIrelandLimited(Art.65GDPR)





               Adopted on 5December 2022





















AdoptedTABLEOFCONTENTS


1    Summaryofthe dispute...................................................................................................5

2    The Right togoodadministration......................................................................................8

3    Conditionsfor adopting a binding decision .........................................................................9
   3.1    Objection(s)expressedby CSA(s)inrelationtoa draft decision.......................................9

   3.2    The LSA does not follow the relevantandreasoned objections totheDraftDecision or isof
   the opinionthat the objectionsare not relevant or reasoned..................................................10

   3.3    Admissibilityofthe case..........................................................................................10

   3.4    Structure ofthe binding decision..............................................................................11
4    Onwhether the LSA should have foundaninfringement for lackofappropriate legalbasis .....11

   4.1    Analysisbythe LSA inthe Draft Decision....................................................................11

   4.2    Summaryofthe objectionsraisedbythe CSAs............................................................14

   4.3    Positionofthe LSA onthe objections ........................................................................19
   4.4    Analysisofthe EDPB...............................................................................................21

     4.4.1     Assessment ofwhether the objectionswere relevant andreasoned.......................21

     4.4.2     Assessment onthe merits.................................................................................24
5    Onthe potentialadditionalinfringement of theprinciples of fairness, purpose limitationand

data minimisation................................................................................................................32

   5.1    Analysisbythe LSA inthe Draft Decision....................................................................32
   5.2    Summaryofthe objectionsraisedbythe CSAs............................................................33

   5.3    Positionofthe LSA onthe objections ........................................................................33

   5.4    Analysisofthe EDPB...............................................................................................34

     5.4.1     Assessment ofwhether the objectionswere relevant andreasoned.......................34
     5.4.2     Assessment ofthe merits.................................................................................35

6    Onthe further investigation...........................................................................................39

     6.1.1     Analysisbythe LSA inthe Draft Decision.............................................................39
     6.1.2     Summaryofthe objectionsraisedbythe CSAs.....................................................41

     6.1.3     Positionofthe LSA onthe objections .................................................................43

     6.1.4     Analysisofthe EDPB........................................................................................44

7    Oncorrective measuresother thanadministrative fines.....................................................51
   7.1    Analysisbythe IE SA inthe Draft Decision..................................................................51

   7.2    Summaryofthe objectionsraisedbythe CSAs............................................................51

   7.3    Positionofthe IE SA onthe objections ......................................................................52

   7.4    Analysisofthe EDPB...............................................................................................52
     7.4.1     Assessment ofwhether the objectionswere relevant andreasoned.......................52




Adopted                                                                                              2     7.4.2     Assessment onthe merits.................................................................................54
8    Onthe impositionofanadministrative fine ......................................................................59

  8.1     Analysisbythe LSA inthe Draft Decision....................................................................59

  8.2     Summaryofthe objectionsraisedbythe CSAs............................................................59

  8.3     Positionofthe LSA onthe objections ........................................................................60

  8.4     Analysisofthe EDPB...............................................................................................60
     8.4.1     Assessment ofwhether the objectionswere relevant andreasoned.......................60

     8.4.2     Assessment onthe merits.................................................................................62

9    Binding Decision...........................................................................................................66

10     Finalremarks............................................................................................................68




TheEuropeanDataProtectionBoard



Having regard to Article 63 and Article 65(1)(a) of the Regulation 2016/679/EU of the European
Parliamentandof theCouncil of 27 April2016 on theprotectionof naturalpersons withregardtothe

processing of personaldataandonthe freemovement of suchdata,andrepealing Directive95/46/EC
(hereinafter“GDPR”)  1,

HavingregardtotheEEAAgreementandinparticulartoAnnexXIandProtocol37 thereof,asamended
                                                                      2
by theDecision ofthe EEA joint Committee No154/2018 of 6 July 2018    ,
                                                                                          3
HavingregardtoArticle 11 andArticle22 of itsRulesof Procedure (hereinafter“EDPBRoP”) ,

Whereas:

(1) The main role of the European Data Protection Board (hereinafter the “EDPB”) is to ensure the
consistent applicationofthe GDPRthroughout the EEA.Tothis effect,it follows from Article60 GDPR

that the lead supervisory authority (hereinafter “LSA”) shall cooperate with the other supervisory
authoritiesconcerned(hereinafter“CSAs”)inanendeavour toreachconsensus, thatthe LSA andCSAs
shall exchange all relevant information with each other, and that the LSA shall, without delay,

communicate the relevant information on the matter tothe other CSAs. The LSA shall without delay
submit adraft decision tothe other CSAs for their opinion and takedue account oftheir views.

(2)Where anyofthe CSAs expressed a reasonedandrelevantobjection (“RRO”)on thedraft decision
inaccordancewithArticle4(24)andArticle 60(4)GDPRandthe LSA does not intendtofollow the RRO

or considers that the objection is not reasoned and relevant, the LSA shall submit this matter tothe
consistency mechanism referredtoinArticle 63 GDPR.

(3)Pursuant toArticle65(1)(a)GDPR,theEDPBshallissue abinding decisionconcerningallthematters
whichare thesubject of theRROs,in particularwhetherthere isaninfringement of theGDPR.



1OJL119,4.5.2016,p.1.
2References to “MemberStates”madethroughout this decision should beunderstood as references to “EEA
MemberStates”.
3EDPBRoP,adoptedon25May2018,aslastmodifiedandadoptedon6April2022.


Adopted                                                                                           3(4) The binding decision ofthe EDPBshall be adopted bya two-thirds majorityofthe members ofthe

EDPB, pursuant to Article 65(2) GDPR in conjunction with Article 11(4) of the EDPB RoP, within one
monthafterthe Chairandthe competentsupervisory authorityhave decidedthatthefile is complete.
The deadline maybe extendedby a further month, taking into account the complexity ofthe subject
matter upon decision of the Chair on own initiative or at the request of at least one third of the

membersof theEDPB.

(5)InaccordancewithArticle 65(3)GDPR,if,inspite of suchanextension, theEDPBhasnot beenable
to adopt a decision within the timeframe, it shall do so within two weeksfollowing the expiration of
the extensionby a simple majorityof itsmembers.

(6) Inaccordance withArticle11(6) EDPBRoP,only the English textof the decision is authenticasit is

the languageofthe EDPBadoptionprocedure.

















































Adopted                                                                                          4     HAS ADOPTED THE FOLLOWING BINDING DECISION



     1 SUMMARYOF THE DISPUTE

1.   This document contains a binding decision adopted by the EDPB in accordance with

     Article65(1)(a) GDPR.Thedecision concerns thedispute arisenfollowing a draftdecision (hereinafter
     “DraftDecision”)issuedby theIrishsupervisory authority(“DataProtectionCommission", hereinafter

     the “IESA”,alsoreferredtointhisdocument asthe LSA)andthe subsequent objections expressedby
     six CSAs,namely the GermanFederal Commissioner for DataProtectionand Freedom of Information
     (“Der Bundesbeauftragter für den Datenschutz und die Informationsfreiheit”) hereinafter the “the

     German Federal SA” or the “DE SA”, the Finnish supervisory authority (“Tietosuojavaltuutetun
     toimisto”), hereinafter the “FI SA”, the French supervisory authority (“Commission Nationale de
     l'Informatique et des Libertés”), hereinafter the “FR SA”, the Italiansupervisory authority (“Garante

     per la protezione dei dati personali”), hereinafter the “IT SA”, the supervisory authority of the
     Netherlands(“AutoriteitPersoonsgegevens”),hereinafterthe“NL SA” andthe Norwegiansupervisory
     authority(“Datatilsynet”),hereinafterthe“NOSA”.


2.   The Draft Decision relates to a “complaint-based inquiry”, which was commenced by the IE SA,
     regardingacomplaint originally submittedtothe Hamburgsupervisory authority(“DerHamburgische
     Beauftragte für Datenschutz und Informationsfreiheit”), hereinafter “the DE HH SA“. The case was

     subsequently referred to the DE SA, being the relevant supervisory authority, to decide whether
     WhatsApp Ireland Limited (hereinafter, “WhatsApp IE”), an online instant messaging platform,
     complies withitsobligations under the GDPR.

3.   The complaint was lodged on 25 May2018 by a data subject who requested the non-profit noyb –

     “EuropeanCenter for DigitalRights” (hereinafter “NOYB”)torepresent her under Article80(1) GDPR
     (both hereinafter referredto as the “Complainant”). It concerned the lawfulness of WhatsApp IE’s

     processing ofpersonal data(hereinafter“WhatsAppservices”),specificallydata processing onfoot of
     the Complainant’s acceptance ofits Termsof Service (and purportedly her acceptance of its Privacy
     Policy), andthe transparencyof information provided by WhatsApp IEtothe Complainant about that

     processing. The Complainant alleged a violation of the right to data protection and especially a
     violationof“Articles4(11),Article6(1)(a),Article7and/or Article9(2)(a)oftheGDPR”    4,byarguingthat
     the controller relied on a “forced consent”5. The complaint requested to investigate andto impose
                         7
     correctivemeasures   .“Inthealternative,shouldtheSupervisoryAuthoritynotinterprettheseelements
     asconsent”,theComplainanttakestheposition thatthecontrollerhasnolegalbasisfortheprocessing
     operations “which are not a core element ofthe instant-messaging service and /or in the interest of

     the user (such as advertisement, sponsored content, sharing of information within a group of


     4
     5Complaint,paragraph2.2.5.
      Complaint,paragraphs1.3and2.2.5.
     6Within its request to investigate, theComplainant requested that a full investigationbemadeto determine
     “whichprocessingoperationsthecontrollerengagesin,inrelationtothepersonaldataofthedatasubject”,“for
     which purpose they are performed”, “on which legal basis foreach specificprocessingoperationthe controller
     relies on”,andtoacquire“acopyofanyrecordsofprocessingactivities”.TheComplainantalsorequested“that
     theresults ofthisinvestigation[be]madeavailableto[her]”.Complaint,paragraph3.1.
     7
      Morespecifically, thecomplaint requested in paragraph3.2 that thecompetent SA“prohibits all processing
     operations that are based on aninvalid consent of the data subject”, and inparagraph3.3 that an“effective,
     proportionateanddissuasivefine”beimposed.



     Adopted                                                                                            5     companies analysis and improvement of the controller’s products etc.)”, “since these elements are

     clearlynot a relevantcontractualobligationsand no otheroption underArticle6 oftheGDPRseemsto
     apply inthissituation”.

4.   Uponreceiptofthecomplaint on31May2018,the IESAqualified theactivitiesfallingwithinthescope
     ofthe aforementionedcomplaintascross-border processing pursuant Article4(23)GDPR.Asthemain

     establishment ofWhatsApp IE (asdefined in Article4(16) GDPR)wasfound tobe in Ireland,the IE SA
     was identified as being the LSA, within the meaning of the GDPR, in respect of the cross-border
     processing carriedout by thatcompany  .

5.   The following table presents a summary timeline of the events part of the procedure leading to the

     submission of the mattertothe consistency mechanism:

      25 May2018               The complaint waslodgedwiththe DEHHSA.

                               The DE-HH SA passed the complaint, for reasons of competence, to
                               the DE SA. On 31 May2018, the complaint was passed by the DE SA
                               tothe IESA.

      20 August 2018           The IE SA commenced the inquiry (hereinafter the “inquiry”) and
                               requestedinformation from WhatsAppIE.

                               Itsscope andlegalbasisweresetoutinthe NoticeofCommencement
                               of Inquiry that was sent to the Complainant and WhatsApp IE by
                               letterson20 August2018.

                               On 11 March 2019, WhatsApp IE provided replies to preliminary

                               queries by the IE SA. Procedural issues, including allegation of bias
                               were raised by the Complainant by correspondence on 3 December
                               2018, and subsequent lettersfrom 29 February 2019, 19 April 2019

                               and 24 February 2020, as well as a phone call on 1 April 2019, that
                               wereaddressed by theIE SA.

      20 May2020               The IE SA prepared a Draft Inquiry Report against WhatsApp IE
                               regardingitsprocessing activitieswithinthe scope of theinquiry. The
                               IESA invited the Complainant and WhatsAppIE tomake submissions
                               inrelationtosuch draftreport.

      22 June 2020             WhatsApp IEprovided itssubmissions in relationtothe DraftInquiry
                               Report.

      23 September 2020        The Complainant’s submissions dated 4 September 2020 were
                               provided tothe IESA by the DESA.

      18 January2021           The Complainant and WhatsApp IE, as well as the IE SA’s decision

                               maker,were furnished witha copy ofthe IESA’sFinal InquiryReport,
                               outlining the Investigator’s views, as to whether WhatsApp IE
                               complied withitsobligationunder theGDPR.
      6 and7 April 2021        The IESA commencedthedecision-making stage.

      23 December2021          The IE SA issued a preliminary draft decision (hereinafter “the

                               Preliminary Draft Decision”) against WhatsApp IE, regarding its
                               processing activitieswithin thescope of theinquiry.


     8Complaint,paragraph1.3.
     9ScheduletoDraftDecision,paragraphs2.11to2.17(CompetenceoftheCommission)(p.10-12).


     Adopted                                                                                        6                           Itwas communicatedon the same dayto the Complainant to enable
                           them to make observations. The IE SA further attempted to

                           communicate the Preliminary Draft Decision to WhatsApp IE on this
                           same date, to enable it to exercise its right to be heard. Having
                           subsequently discovered that an IT systems’ failure prevented the

                           Preliminary Draft Decision from reaching WhatsApp IE, the IE SA
                           shared againthe Preliminary Draft DecisionwithWhatsApp IE on 20

                           January2022.
 December      2021    – Further exchangesof correspondence took place betweenthe IE SA

 February2022              and the Complainant, addressing translationissues, the scope of the
                           complaint, as well as allegationsthat the complete documents had

                           not beenprovided.
 17 February2022           WhatsApp IEprovided submissions on the PreliminaryDraftDecision

                           tothe IESA.
 25 February2022           The IE SA communicated with Complainant’s’ legal representatives,

                           confirming thatifnofurthercorrespondence wasreceivedby1March
                           2022, theIE SA would proceed onthe basis that theComplainant did
                           not wish tomake submissions. Nosubmissions werereceived.

 1 April2022               The IE SA sharedits Draft Decisionwiththe CSAs inaccordance with
                           Article60(3) GDPR.

                           Several CSAs (DE SA, FI SA, FR SA, IT SA, NL SA, and NO SA) raised
                           objections in accordancewithArticle60(4)GDPR.

 1 July 2022               The IE SA issued a Composite Response setting out its replies to the
                           objections raised and shared it with the CSAs (hereinafter,

                           “CompositeResponse”).
                           The IE SA requested that the CSAs consider the responses and
                           proposals outlined in the Composite Response and confirm whether

                           theyaddressed theconcerns underlying the objections raised.
 1 to11 July 2022          In light of the proposals in the Composite Response, further
                           exchanges took place between the IE SA and the CSAs. During the
                                                                          10           11
                           exchanges, severalCSAs (among which the NL SA , the DE SA , the
                           FI SA12and the NO SA ) confirmed tothe IE SA that itscompromise

                           proposals were not sufficient and they intended to maintain their
                           objections.

                           On8July 2022,WhatsAppIEwasinformedofthe upcoming triggering
                           ofthe Article65 GDPRprocedure,andwasinvitedtoexerciseitsright
                           to be heardin respect of all the materialthat the IE SA proposed to







10ResponseofNLSAtoIESACompositeResponseMemorandumdated7July2022.
11
12ResponseofDESAto IESACompositeResponseMemorandumdated8July2022.
  ResponseofFI SAtoIESACompositeResponseMemorandumdated8July2022.
13ResponseofNOSAtoIESACompositeResponseMemorandumdated11July2022.



Adopted                                                                                         7                                refer tothe EDPB andon 17 August 2022 WhatsApp IEprovided its

                                submissions (hereinafterthe “WhatsAppIEArticle65 Submissions”).
      19 August 2022            The IE SA referredthe matterto the EDPBin accordancewithArticle

                                60(4)GDPR,therebyinitiatingthedisputeresolutionprocedureunder
                                Article65(1)(a) GDPR.



6.   Following the submission by the LSA ofthis mattertothe EDPBinaccordancewithArticle 60(4)GDPR
     in the Internal Market Information system (hereinafter, “IMI”)   15 on 19 August 2022, the EDPB

     Secretariatassessedthecompleteness ofthe file on behalfofthe Chair inline withArticle 11(2)ofthe
     EDPBRoP.

7.   The EDPBSecretariatcontactedtheIESAon 23September 2022,asking for clarificationsin relationto
     some documents not provided whilst mentioned in Article 11.7 of the EDPB RoP, but mentioned in

     other documents. Onthe samedate,the IE SA providedthe informationrequestedandconfirmedthe
     completeness ofthe file.

8.   A matter of particular importance that was scrutinized by the EDPB Secretariat wasthe right to be
     heard, as required by Article 41(2)(a) of the EU Charter of Fundamental Rights(hereinafter the “EU

     Charter”).Furtherdetailson thisare provided inSection 2 ofthis Binding Decision.

9.   On 7 October 2022, after the Chair confirmed the completeness of the file, the EDPB Secretariat
     circulatedthe file totheEDPBmembers.

10. The Chair decided,in compliancewithArticle65(3)GDPRinconjunction withArticle11(4)of theEDPB

     RoP, toextendthe default timeline for adoption of one month by a further month on account of the
     complexityof the subject-matter.



     2 THE RIGHT TOGOOD ADMINISTRATION

11. The EDPB is subject to EU Charter , in particular Article 41 (the right to good administration). This is
     alsoreflectedinArticle11(1)EDPBRoP.FurtherdetailswereprovidedintheEDPBGuidelinesonArticle
                   16
     65(1)(a)GDPR    .

12. The EDPB’sbindingdecision “shall bereasonedand addressed tothelead supervisoryauthorityand all
     the supervisory authoritiesconcerned and binding on them” (Article 65(2) GDPR). It is not aiming to

     address directly any third party. However, asa precautionary measure to address the possible need
     for the EDPB to offer the right to be heard at the EDPB level to WhatsApp IE, the EDPB assessed if
     WhatsAppIE wasofferedthe opportunitytoexercise itsright tobe heardin relationtothe procedure

     led by the LSA and the subject-matter of the dispute to be resolved by the EDPB. In particular, the
     EDPBassessed if allthe documents containing the mattersof factsandlaw received andused by the
     EDPBtotakeitsdecision inthis procedure have alreadybeenshared previously withWhatsApp IE.



     14The objections, the CompositeResponse, including the IE SA’s assessment of the relevant and reasoned
     objections,aswellastherepliesoftheCSAs.
     15
       TheInternalMarketInformation(IMI)istheinformationandcommunicationsystemmentionedinArticle17
     EDPBRoP.
     16SeeEDPBGuidelines3/2021ontheapplicationofArticle65(1)(a)GDPR,adoptedon13April2021(versionfor
     publicconsultation)(hereinafter,“GuidelinesonArticle65(1)(a),paragraphs94-108.



     Adopted                                                                                           813. The EDPB notes that WhatsApp IE has received the opportunity to exercise its right to be heard
     regardingallthe documents containing the mattersoffactsandof law considered by the EDPBinthe
     contextofthisdecisionandprovideditswrittenobservations    17,whichhave beensharedwiththeEDPB
               18
     by theLSA   .

14. Considering that WhatsApp IE hasbeen alreadyheard by the IE SA on all mattersoffacts andof law
     addressed by the EDPB in its binding decision, the EDPB is satisfied that Article 41 of the EU Charter
     hasbeen respected.

15. TheEDPBconsiders thattheComplainant isnot likelytobe adverselyaffectedbythisbinding decision,

     andconsequently does not meetthe conditions tobe granteda right tobe heard bythe EDPBin line
     withArticle 41 of the EU Charter,applicable case law,andArticle 11 of the EDPB RoP.This is without
     prejudice to any right to be heard or other related rights the Complainant may have before the

     competent nationalsupervisory authority(/-ies).


     3 CONDITIONSFOR ADOPTING A BINDINGDECISION


16. The generalconditions for the adoptionof abinding decision by theEDPBareset forthinArticle 60(4)
     andArticle 65(1)(a)GDPR  1.


     3.1 Objection(s) expressed by CSA(s) in relationto a draft decision

17. The EDPBnotes thatseveralCSAs raisedobjections to theDraftDecision via IMI.Theobjections were
     raisedpursuant toArticle 60(4)GDPR.

18. More specifically, objections were raisedbyCSAs in relationtothe following matters:

         •  whetherthe LSA should have found aninfringement for lackof appropriatelegalbasis;


         •  the potentialadditionalinfringement ofthe principles offairness, purpose limitationanddata
            minimisation;

         •  on possible further investigation;

         •  correctivemeasuresother thanfines;

         •  the imposition of anadministrativefine.

19. Eachof the objections wassubmittedwithinthe deadline provided byArticle 60(4)GDPR.








     1WhatsAppIE’sSubmissionsinrelationtotheDraftInquiryReport,dated22June2020.WhatsAppIE’sResponse
     to Preliminary Draft Decision, dated 17February 2022.WhatsAppIE Article65 Submissions, dated 717August
     2022.
     18IN-18-5-6Memo for Secretariat (Referral of objections to theEDPB pursuant to Article60(4) and65(1)(a)

     19PR),19August2022.
       According to Article65(1)(a) GDPR, theEDPB will issuea binding decisionwhen a supervisory authority has
     raisedarelevantandreasonedobjectiontoadraftdecisionoftheLSAandtheLSAhasnotfollowedtheobjection
     ortheLSAhas rejectedsuchanobjectionasbeingnotrelevantorreasoned.



     Adopted                                                                                         9     3.2 TheLSAdoes not follow therelevantandreasoned objections to the DraftDecision

           or isof the opinion that the objections arenot relevant or reasoned

20. On 1 July 2022,the IESA provided to the CSAs an analysis of the objections raised by the CSAs in the
     Composite Response.

21. The IE SA concluded that it would not follow the objections, andin addition, underlined that some of

     them arenot inits view “relevant”and/or “reasoned”; withinthe meaning of Article4(24) GDPRand,
     otherwise,for the reasonsset out in the Composite Response and below     20.


     3.3 Admissibility of the case

22. The caseatissue fulfils, primafacie,alltheelementslistedbyArticle65(1)(a)GDPR,since severalCSAs
     raisedobjectionstoadraftdecision oftheLSA withinthedeadline provided byArticle60(4)GDPR,and

     the LSA has not followed objections or rejected them, for being in its views, as not relevant or
     reasoned.


23. The EDPB takesnote of WhatsApp IE’sposition that the EDPB should suspend the current Article 65
     GDPRdispute resolution due topending preliminaryruling proceedings before the Court of Justice of
     the EU (hereinafter, “CJEU”) 21. WhatsAppIE refersin particular tocases C-252/21   22 and C-446/21 .3

     Following itsassessment, theEDPBdecidestocontinue itsproceedingsonthisArticle65 GDPRdispute
     resolution, as there is no explicit legalbasis for a stay of the dispute resolution procedure in EU law,
                                                                                         24
     nor are existing CJEU rulings on the matterconclusive for the situation of the EDPB   .Also, the EDPB
     takesintoconsiderationthe datasubjects’right tohave their complaintshandledwithina ‘reasonable
     period’ (Article 57(1)(f) GDPR),andto have their case handled withina reasonable time by EU bodies

     (Article41oftheEUCharter).Moreover,ultimatelythereareremediesavailabletotheaffectedparties
     in case of a discrepancy betweenthe EDPB binding decision and CJEU rulings in the aforementioned
          25
     cases  .

24. Considering the above, in particularthatthe conditions of Article 65(1)(a) GDPRare met,the EDPBis
     competent to adopt a binding decision, which shall concernall the matterswhich are the subject of






     20
     21CompositeResponse,paragraphs36,74,78and80.
       WhatsAppIE'sArticle65Submissions,paragraph2.11.
     22Requestfora preliminaryrulingof22April2021,MetaPlatformsandOthers,C-252/21.
     23Requestfora preliminaryrulingof20July2021,Schrems,C-446/21.
     24Judgment of theCJEU of 28 February1991, Delimitis, C-234/89, EU:C:1991:91;Judgment of theCJEU of 14
     December2000,Masterfoods,C-344/98,EU:C:2000:689.Thesecasesconcernedproceedingsbeforethenational

     courts,wherethepartiesfacedtheriskofbeingconfrontedwithaconflictingdecisionofthenationaljudgethat
     couldbeseenasdefactonullifyingtheCommissiondecision–a powerwhichisretainedbytheCJEU.Thecurrent
     disputeresolution procedureconcerns theadoption of anadministrativedecision, which canbesubject to full
     judicialreview.
     25In caseanaction forannulment is brought against theEDPB decision(s) andfoundadmissible, theGeneral

     Court/CJEUhastheopportunitytoinvalidatethedecisionoftheEDPB.Inaddition,andiftheGeneralCourt/CJEU
     were to deliver any judgment in the time between the adoptionof the EDPB’s Article65 decisionand the
     adoptionoftheIESA’s finaldecision,theIESAmayultimatelydecidetorevisethefinalnationaldecisionittakes
     followingtheEDPB'sbindingdecision-iftheCJEU’srulingsgivescausetodoso-inaccordancewiththeprinciple
     of cooperationas elaborated by the CJEU in its judgment of 12 January2004, Kühne&Heitz NV, C-453/00,

     EU:C:2004:17).



     Adopted                                                                                            10     the relevantandreasonedobjection(s), (i.e.whetherthereis aninfringement ofthe GDPRor whether
     the envisagedactioninrelationtothe controller or processor complieswiththe GDPR ).      26


25. TheEDPBrecallsthatitscurrentbinding decision iswithoutanyprejudice toanyassessments theEDPB
     may be called upon tomake in other cases, including with the same parties, taking into account the
     contentsof therelevant draftdecision and theobjections raised bythe CSA(s).


     3.4 Structure of the binding decision

26. For eachof the objections raised, the EDPB decides on their admissibility, by assessing first whether

     they can be considered as a “relevant and reasoned objection” within the meaning of Article 4(24)
     GDPRasclarifiedinthe Guidelines on the conceptof a relevantandreasonedobjection         27.

27. Where the EDPB finds that an objection does not meet the requirements of Article 4(24) GDPR, the

     EDPBdoes not take anyposition onthe merit of anysubstantialissues raisedby thatobjection in this
     specific case.TheEDPBwillanalyse themeritsofthesubstantialissues raisedbyallobjectionsit deems
     tobe relevant andreasoned    28.



     4 ON WHETHER THE LSA SHOULD HAVE FOUND AN INFRINGEMENT

          FOR LACK OF APPROPRIATE LEGAL BASIS


     4.1 Analysis by the LSA inthe DraftDecision

28. The IESA concludes that theGDPR,thecase law andtheEDPB Guidelinesrelevant for the case donot

     preclude WhatsApp IEfrom relying on Article6(1)(b) GDPRasa legalbasis for the processing of users’
     data necessary for the provision of its service, including through the improvement of the existing
     service andthe maintenanceofsecurity standards     29.Finding 2 of the DraftDecisionreads “Ifind the

     Complainant’scaseisnotmade outthattheGDPRdoesnotpermitthereliancebyWhatsApp on6(1)(b)
     GDPRinthe context ofitsoffering ofTermsofService.” Inaddition, the IE SA considersthe Guidelines
                                                                                    31
     of the EDPB on processing for online services based on Article 6(1)(b) GDPR       as being “not strictly
     binding, nonetheless instructive in considering thisissue”32.

29. The IE SA understands the Complainant’s allegationsas : firstly, the Complainant wasgiven a binary

     choice: i.e. to either accept the Terms of Service and the associated Privacy Policy by selecting the


     26
       Article65(1)(a) in fine GDPR. SomeCSAs raised comments and not perse objections, which were, therefore,
     nottakenintoaccountbytheEDPB.
     27EDPB Guidelines 9/2020on theconcept of relevant andreasoned objection, version 2 adopted on 9 March
     2021(hereinafter“GuidelinesonRRO”).Theywereadoptedon9March2021,afterthecommencementofthe
     inquirybytheIESArelatingtothisparticularcase.
     2SeeEDPBGuidelinesonArticle65(1)(a),paragraph63(“TheEDPBwillassess,inrelationtoeachobjection

     raised,whethertheobjectionmeetstherequirementsofArticle4(24)GDPRand,ifso,addressthemeritsofthe
     objectioninthebindingdecision”).
     29DraftDecision,paragraphs4.49and4.50.
     30DraftDecision,Finding2,p.32.
     31EDPB  Guidelines2/2019ontheprocessingofpersonaldata underArticle6(1)(b)GDPRinthecontextofthe

     provision of onlineservices to data subjects, version 2, adopted on 8 October 2019 (hereinafter “Guidelines
     2/2019onArticle6(1)(b)GDPR”).
     32DraftDecision,paragraph4.22.
     33
       DraftDecision,paragraph2.19.



     Adopted                                                                                             11     “accept”button, or cease using the service ; secondthat there wasa lackofclarityonwhichspecific
                                                                      35
     legal basis WhatsApp IE relies on for each processing operation    ;and the Complainant’s concern on
     WhatsApp IE’srelianceon Article6(1)(b) GDPRtodeliver itsTermsof Service       36.

30. While the IESA acknowledgesthattheEDPBconsidersin itsGuidelines2/2019 onArticle 6(1)(b)GDPR

     that, as a general rule, processing for the provision of new services, is not necessary for the
     performance ofa contractfor online service under Article6(1)(b) GDPR,inthis particularcase,having

     regardtothe specific termsof thecontractandthenatureofthe service providedandagreeduponby
     the parties,theIESA concludesthatWhatsApp IEmayinprinciple relyonArticle6(1)(b) GDPRaslegal
     basis of the processing of users’ data necessary for the provision of its service, including throughthe

     improvement of the existing service and the maintenance of securitystandards      3. In addition, the IE
     SA considers that“issues ofinterpretationandvalidityof nationalcontractlaware notdirectlywithin”

     their competence   3.

31. The IE SA disagrees with what it describes as a “veryrestrictive view on when processing should be

     deemedto be “necessary” for the performance ofa contract” proposed by the Complainant and the
     EDPB  39. The IE SA concludes that “core functions” cannot, however, be considered in isolation from
     the meaning of “performance”, the meaning of “necessity” as set out in the Draft Decision, and the
                                                40
     content ofthe specific contractinquestion    . The IESA considers thatArticle6(1)(b) GDPRcannot be
     interpreted as requiring that it is impossible to perform the contract without the data processing
                            41
     operationsin question    .

32. The IE SA finds it important tohave regardnot just to the concept of whatis “necessary”, but also to
     the concept of “performance” of the contract. According tothe IE SA, a contract is performed when

     each party discharges their contractualobligations as has been agreedby reference to the bargain
     struckbetweenthe parties.While theIESA agreesthatthemereinclusion of atermina contractdoes

     not necessarily meanthatit is necessarytoperform theparticularcontract,itstresses out thatregard
     must be hadfor what is necessaryfor the performance of the specific contractfreelyenteredintoby
                42
     the parties  .

33. Therefore,the IE SA notesthat,the inclusion of a term,which does not relatetothe core function of
     the contractcouldnot be considered necessaryfor itsperformance .    43


34. For thepurposes ofidentifying the“core”functions ofthe contractbetweenWhatsAppIEanditsusers,
     the IE SA points out that the Complainant does not specify withany greatprecision the extentof the
     processing (or indeed the processing operation(s)) thatthe Complainant believes tonot be necessary

     to perform the Terms of Service). The Complainant has however made some specific submissions
     arguing processing for service improvement, security, “exchange of data with affiliated companies”

     and that the processing of special categoriesof personal data is not necessary in order to fulfil the



     34DraftDecision,paragraph2.8.
     35
       DraftDecision,paragraph2.9.
     36DraftDecision,paragraphs2.9and4.9.
     37DraftDecision,paragraph4.49.
     38DraftDecision,paragraphs3.13,4.11,4.22,4.39and4.44.
     39
     40DraftDecision,paragraph4.39and4.41.
       DraftDecision,paragraph4.29.
     41DraftDecision,paragraphs4.47,4.49and4.50.
     42DraftDecision,paragraph4.23.
     43DraftDecision,paragraph4.30.




     Adopted                                                                                             12     “corefunction” of amessagingandcallingservice suchasthe WhatsAppservices.Asa result,theDraft
                                                      44
     Decisionfocuses onthese processing operations .
                                                                         45
35. Although according to Guidelines 2/2019 on Article 6(1)(b) GDPR , processing cannot be rendered
     lawful by Article 6(1)(b) GDPR “simply because processing is necessary for the controller’s wider

     business model”, the IE SA considers that having regardtothe specific termsof the contract andthe
     nature of the service provided and agreedupon by the parties, WhatsApp IEmay in principle relyon

     Article 6(1)(b) GDPRas a legalbasis of the processing of users’ datanecessary for the provision of its
     service, including services for improvements andsecurityfeatures,insofar asthis forms acore partof
     the service offeredtoandacceptedbyusers      46.


36. Moreover, as described by the IE SA, a distinguishing feature of the WhatsApp IE’sservice is that it
     regularlymonitorsitsserviceinordertoensureit functionswell(asdistinct from theEDPB’sreluctance

     expressedinitsGuidelines2/2019 onArticle6(1)(b) GDPRwithusing datatobringabout new services)
     andmaintainscertainsecurity andabuse standards. Therefore,the IESA concludes thatthe provision

     of thisform of service is partof thesubstance andfundamentalobject of thecontract.

37. The IE SA considers thatthis information is both clearlyset out and publicly available, hence it would
     be difficult to argue that this is not part of the mutual expectations of a prospective user and of

     WhatsApp IE. Moreover, the IE SA states that the service is advertised as being one that has these
     features, and so any reasonable user would expect and understand that this was part of the
                                                                                                     47
     agreement,evenifusers would prefer the marketwouldoffer them betteralternativechoices            .

38. Basedonthe foregoing, the IESA reachesthe conclusion thatnothing inGuidelines 2/2019 on Article
     6(1)(b) GDPR prevents WhatsApp IE, in principle, from relying on Article 6(1)(b) GDPR for these
              48
     purposes   .

39. The IESA thusconcludes thatWhatsAppIEmayinprinciple relyonArticle6(1)(b) GDPRasalegalbasis
     ofthe processing ofusers’ datanecessaryon foot of theacceptanceofthe Termsof Service,including
                                                                      49
     for regularimprovements andmaintaining standardsofsecurity         .

40. The IE SA clarifies that, having regard to the scope of the complaint and its inquiry, the above

     conclusion cannot be construed as an indication that allprocessing operations carriedout on users’
     personal dataarenecessarily coveredbyArticle 6(1)(b) GDPR      5.

41. The IE SA also notes that other provisions of the GDPR, suchas those on transparency, act tostrictly

     regulatethe manner in whichthe WhatsApp IEservices are to be delivered and the information that
     should be giventousers, anddecides toaddressit separatelyin itsDraftDecision      51.

42. Inaseparatefinding ofitsDraftDecision ,the IESA reiteratesthatina previousinquiryon WhatsApp

     IE,aninfringement of the GDPRwas found asto itscompliance withArticle 12(1)and Article 13(1)(c)



     44
       DraftDecision,paragraph4.32.
     45Guidelines2/2019onArticle6(1)(b)GDPR,paragraph36.
     46DraftDecision,paragraph4.41.
     47DraftDecision,paragraph4.42.
     48
     49DraftDecision,paragraph4.42.
       DraftDecision,paragraphs4.47and4.49.
     50DraftDecision,paragraph4.50.
     51DraftDecision,paragraph4.47.
     52DraftDecision,p.37,Finding3.




     Adopted                                                                                             13     GDPR for processing on foot of Article 6(1)(b) GDPR . The IE recalls the general requirement of
     transparencyunder Article5(a)GDPR    54,anditspreviousdecisionandtheassociatedfindings, including
                                                                                                    55
     the imposition of a fine andanorder toWhatsApp IEtobring itsPrivacyPolicy intocompliance        .

     4.2 Summary of the objections raised by the CSAs


43. The DESA,FI SA, FRSA, NLSA andNOSA objecttoFinding2 oftheDraft Decisionandthe assessment
     leading up to it. They consider that the IE SA should have found an infringement of Article 6(1)
     GDPR  56,inline withtheEDPB’sinterpretationof thisprovision . 57


44. Inthe DESA’sview,contrarytotheIESA’ssubmissions intheDraftDecision,WhatsAppIEcannotrely
     on Article 6(1)(b) GDPR or any other legalbases ofArticle 6(1) GDPR for the processingofa user’s
     data. According to the DE SA, this constitutes a breach of the principle of lawfulness under Article

     5(1)(a) and Article 6(1) GDPR. The DE SA is of the opinion also that the IE SA failed to impose an
     appropriate correctivemeasure in order toremedy these infringements. The DESA puts forwardthe

     following argumentsin support of the above allegations.

45. First, the DE SA does not share the understanding of the IE SA regarding the binding nature ofthe
     Guidelines2/2019onArticle 6(1)(b) GDPR.TheDESA agreesthatguidelinesare not legallybinding in

     the same way as legalprovisions are. It recalls however that they are instrumental for establishing
     uniform application of EU law according toArticle 70(1)(e) GDPR,aswellas for ensuring a consistent
     and highlevel of protectionfor naturalpersons in the light of recital10 GDPR.The DESA claims that

     therelevantandbinding natureofguidelinesfor allsupervisory authoritiesassuchcannotbe disputed.

46. Second, the DE SA disputes theIE SA’sallegationsthat,onthe one hand, theGDPR doesnotprohibit

     WhatsApp IE to rely onArticle 6(1)(b)GDPR in connection with itsoffer of Terms of Service and, on
     the other hand, that the LSA is not competent to assess the validity ofcontracts, respectivelythe
     validity ofthe Termsof Service or individual clauses. Inthisregard,theDE SA notes thatthe IESA has

     full competenceaccording toArticle57(1)(a) GDPRtoassess the validity ofcontracts.

47. Moreover,asstatedinthe Guidelines 2/2019 onArticle6(1)(b) GDPR,avalidcontractisa prerequisite
     for controllers to base their processing operations on Article 6(1)(b) GDPR. Onthat background, the

     DESA points out thatinordertomonitor the applicationofArticle6(1)(b) GDPR,asrequiredby Article
     57(1)(a)GDPR,theIEAmustalso verify thevalidityofthe contractWhatsAppIEisrelying upon. The

     DESA addsthataccording toArticle5(2)GDPR,WhatsAppIEmust alsoprove that sucha contracthas
     come intoexistence,meaningthatanofferandcorrespondingacceptanceofacontractisdeclaredby
     the parties. Inother words, it must be apparent tothe contractualpartner that theyare not giving a

     (revocable) consent, but are concluding a contract. If this is not the case, the DE SA considers, as
     opposed tothe IE SA  58,thatWhatsApp IEcannot relyonthe right tochoose its ownlegalbasis.




     53IE SA’s decision of 20 August 2021 in inquiryreferenceIN-18-12-2(hereinafter“the IE SA’s Decision on
     WhatsApp IE’s Transparency”), adopted following EDPB Binding decision1/2021on thedisputearisen onthe
     draft decision of the IE SA regarding WhatsApp IE under Article65(1)(a) GDPR (hereinafter “EDPB Binding
     Decision1/2021”).
     54
       DraftDecision,paragraph5.8.
     55DraftDecision,paragraph5.9.
     56DESA’s Objection,pp.1-8;FI SA’s Objection,pp.2-8;NLSA’s Objection,pp.3-7;NOSA‘s Objection,pp.1-5,
     FRSA’s Objection,p.9.
     57Guidelines2/2019onArticle6(1)(b)GDPR.
     58
       DraftDecision,Issue3.



     Adopted                                                                                            1448. Third, theDE SA objectstothe IESA’sfinding   59 thatthenecessityoftheprocessingisdeterminednot
     by what is necessary to fulfil the objectives of “a social network“ in a general sense, but what is

     necessarytofulfil thecore functionsoftheparticularcontractbetweenWhatsAppIEanditsusers.
     Those core functions do not encompass the improvements to an existing service and maintaining

     certain security and abuse standards. The DE SA stresses out that first WhatsApp IE is not a social
     networkbut a messaging service and thatfrom the perspective of anaveragedatasubject, it is not a
     distinguishing characteristic of the WhatsApp IE services to improve their service constantly or

     maintain certain security standards. Therefore, according to Guidelines 2/2019 on Article 6(1)(b)
     GDPR  60, such processing cannot be rendered lawful by Article 6(1)(b) GDPR simply because the

     processing is necessary for the controller’s wider business model. Only the data processing that are
     actually necessary for the corresponding contractualpurpose – the operation of the WhatsApp IE
     Services–canbe justifiedonthebasis ofArticle6(1)(b)GDPR.Inaddition,pursuanttoArticle 32GDPR,

     WhatsAppIEhastheobligationtoimplementdatasecuritymeasuresregardlessofthecontentofthe
     contract,sothose measures arenot tobe considered asanessentialelement ofthe contract.

49. The DE SA reiteratesthat Guidelines 2/2019 on Article 6(1)(b) GDPR explicitly limit the controller’s

     possibility to expand the categories of personaldata or types of processing operations that are
     necessary for the performance of the contract. Based on this, the DE SA concludes that the

     interpretationof Article 6(1)(b) GDPR givenin the DraftDecision would allow for bypassingthedata
     protectionprinciples,inparticulartherequirementsforavalidconsent,usingtheTermsofServices.

50. Finally, withregardtothe allegationinthe DraftDecisionthat theComplainantdidnotspecify“with
                                                                                     61
     any great precision” which processingoperationsshe believes to be unlawful        , the DE SA argues,
     referring to Article 77 GDPR, that the Complainant has no obligation todo so. The DE SA takes into

     account also that the only source of information about WhatsApp IE’s processing operations is the
     publicly available documents that are non-transparent    62. In the DE SA’s view, it is the duty of
     WhatsApp IE to prove compliance in accordance with Article 5(2) GDPR. As a whole, the DE SA

     concludes that the processing described or indicated in the Terms of Service cannot be (fully) based
     onArticle 6(1)(b)GDPR.Moreover,theDESA considers thatthereisno othervalid legalbasisevident.

51. The FI SAobjects tothe IE SA’sfinding  63 thatWhatsApp IE canrelyon Article 6(1)(b) GDPRfor allthe

     processing operations set out in the Terms of Service, such as service improvements and security
     purposes.Whenitcomestothe serviceimprovementsandsecuritypurposesofprocessing, the FI SA
                                                                     64
     refersattheoutsettoGuidelines2/2019 onArticle6(1)(b) GDPR         inordertojustifyitsallegationthat
     the processing of data for those purposes is not necessary for performing the key aspects of the
     contractandfor this reasonit cannotbe basedon Article6(1)(b) GDPR.


52. The FI SA contests the LSA’s statement that the legal concept of“core” processingfalls out of the
     interpretationofGDPR    6.Inthisrespectthe FI SA finds thatthe rationalebehind Article6(1)(b) GDPR
     is that it provides a legalbasis for situations where processing of personal data willlogically need to

     takeplace only inthe course of the provisions ofa contractualservice.Furthermore,in relationtothe
     IE SA’sallegationthat thenecessityofprocessingistobe determinedbyreferencetothe particular


     59DraftDecision,paragraph4.29.
     60
       Guidelines2/2019onArticle6(1)(b)GDPR,paragraph37.
     61DraftDecision,paragraph4.32.
     62DraftDecision,Issue3.
     63DraftDecision,Finding2,p.32.
     64Guidelines2/2019onArticle6(1)(b)GDPR,paragraph25.
     65
       DraftDecision,paragraph4.11.



     Adopted                                                                                           15     contract,theFISAhighlightsthatthecontroller cannot include inthe contracteverythingtheywishto
     be legitimizedunderArticle6(1)(b)GDPR,withouthavingfor exampletoensure thatthedatasubject’s
     consent was obtained or to carry out balancing tests between their legitimate interests and the

     interestsofthe datasubjects.

53. Inaddition, referringtoGuidelines 2/2019 on Article6(1)(b) GDPR    66,theFI SA reachesthe conclusion
     that neither WhatsApp IE, nor the IE SA in its Draft Decision have properly and objectively reasoned

     how theprocessing ofpersonaldatawasnecessaryalsofromtheuser´sperspectiveandnotonlyfrom
     thecontroller’sside. TheFISA conteststheIESA’sstatementsthat,ingeneral,areasonableuserwould
     be well-informed about the processing coveredby the contract     67, andthat in the specific case the

     user is informed about the processing of personal data for service improvements and security
     purposes, therefore this processing is part of the mutual expectations of a prospective user and
     WhatsApp IE  68.Inaddition, while the FI SA admits thatservice improvements andsecuritymight be a

     valid part of the WhatsApp IE services, it is of the opinion that processing for those purposes is not
     necessaryfor providing such services, astheWhatsAppIEservicescouldbedeliveredintheabsence
     ofprocessingofsuch personaldata.Inaddition, theFI SA maintainsthatthe saidprocessing activities

     are notnecessaryfortheperformanceofthecontract.

54. Next, while the FI SA agreesthatthere is nohierarchybetweenlegalbases, it points out thatit is the
     responsibility of the controller toassess which legal basis is appropriate for the specific processing.
                                                                                         69
     WhenitcomestotheIESA’sargumentthatEDPBguidelinesarenotstrictlybinding                 theFISArecalls
     that the GDPR itself refers to the EDPB guidelines in its Article 70(1)(e) and therefore stresses the
     importanceof the commonposition of supervisory authorities.The FI SA alsohighlights thattheEDPB

     shall ensure the consistent applicationof the GDPRas laiddown in Article 70(1)GDPR andenshrined
     inrecital10 GDPR.

55. The FR SAobjects tothe conclusions in Part4 of theDraftDecision, inparticular points4.47 and4.49,

     that WhatsApp IE has not failed to fulfil its obligations under Article 6 GDPR, and, in addition, that
     WhatsApp IEis not required torelyon the legalbasis of consent (Article 6(1)(a)GDPR).At the outset,
     the FR SA finds questionable the position adoptedby the IE SA on WhatsApp IE’sreliance on Article

     6(1)(b)GDPRforprocessing operationsrelatedtoservice improvements.The FRSA notesinthisregard
     that the Draft Decision does not define what service improvement processing covers and does not
     provide enoughelementsonthe categoriesofdatausedforservice improvement purpose,whichdoes

     not allow topronounce on the applicable legalbasis for the processing inquestion. Therefore,the FR
     SA requests that the IE SA completes its Draft Decision on this point, by providing more specific
     information and evidence. According tothe FR SA, the main reason ofthe users’ registrationto the

     WhatsAppservicesisnottheuseoftheirdatatoimprovethemessagingservice.IntheFRSA’sview,
     the factthat WhatsAppIE'sprocessing operationsfor service improvement purpose arebased onthe

     legalbasis of the contract,andthatit is acceptedbya simple validationof theTermsof Service,is not
     compliant withthe applicable provisions.

56. The FR SA considers that only thelegalbasesof legitimateinterestandconsent canbe considered for
     processing operations relatedto service improvement purpose among those listed in Article6 GDPR.

     Nevertheless, the FR SA submits that at first analysis, neither the conditions for the application of
     consent, nor theconditions for theapplicationof legitimateinterestseemtobe metandWhatsApp IE


     66
       Guidelines2/2019on6(1)(b)GDPR,paragraphs32,48and49.
     67DraftDecision,paragraph4.36.
     68DraftDecision,paragraph4.42.
     69DraftDecision,paragraph4.22.


     Adopted                                                                                           16     could not use it for the implementation of the processing operations in connection with service

     improvements. Inconclusion, since theIESA doesnot define whatiscoveredbythe processing ofdata
     for service improvement purpose and theconditions ofimplementation,it is not easyfor the FR SA to
     have a firm position on this point andso, onthe legalbasis thatapplies for the processing. The FR SA

     suggeststhattheIE SA should provide more specific evidence initsDraftDecisionregardingthisissue,
     inordertoassessiftheprocessing can,or cannot,bebasedonthelegalbasisofthelegitimateinterest.

     The FR SA statesthat inreaching the conclusion for lackof breachof Article 6(1) GDPRthe LSA erred
     inits assessment of the factsof the case.

57. The NLSAfirst observes thatthe IE SA failedtoinclude sufficient analysis, evidence andresearchinits

     Draft Decision on what the purposes of processing selected are, and how data are used, making it
     difficult to apply Article 6 GDPR70. The NL SA then questions the validity of the contract between

     WhatsApp IE and users, and the NL SA argues that, as a result, grounding the processing on Article
     6(1)(b) would be impossible . The NL SA presents the following arguments. First, in the NL SA’s
                                                                                  72
     opinion, theTermsofServiceandthePrivacyPolicyare lengthyandunclear .Next,theNLSA notes
     thatas a generalrule, bothpartiesmust be awareof the substance of a contract,inorder towillingly

     enter into it, and considers that ”the established serious lack of transparency on behalf of the
     controller,thereforeleadstoareasonabledoubt whetherdatasubjectshaveindeedbeenable toenter
                                                                               73
     into a contractwiththecontrollerbothwillingly and sufficiently informed”   .TheNL SA compounds its
     doubts on the validity of the contract by arguing that WhatsApp IE presents a completely one-sided
     dealwhereby an individual data subject has no influence on anyof the terms    74. The NL SA therefore

     considers that WhatsApp IE’s statement that it relies on Article 6(1)(b) GDPR for the WhatsApp
     services, in combination withdocuments withgeneraldescriptions of the services provided, and the

     IESA’sreference tothe controller’sright tochoose itsownlegalbasistoprocess data,are insufficient
     toacceptthatthe performanceof acontractcanbe used asalegalbasis. Last,due toalack ofinsight

     in the processing operations and the potentialprocessing of children’s personaldata or special
     categories of personaldata, the NL SA has serious doubts on the validity of such a contract when
                          75
     children areinvolved   .

58. Furtherto theforegoing,theNL SA also raises anobjection withregardto the IESA’s approachin its
     DraftDecision’sFinding 2.The NLSA deemsthe approachtakentobecontradictory,giventhefactthe

     IEAdoes not wish toenterinto analysis ofcontractlaw,while atthe same timecertainconceptsfrom
     contract law are presented, such as “performance” of a contract     76. The NL SA argues there is a

     contradictionintheidea thataclearcontractispresent,whiletherearesignificant transparencyissues
     atthesame time.TheNL SA notesthatwithoutenteringintothespecifics ofcontractlaw,regardmust
     be had tothe generalrule that both partiesmust be aware ofthe substance of a contract aswell as

     the obligations of both partiesto the contract, inorder to willingly enter into such contract7. Inthe
     NL SA’s view, the established serious lack of transparency on behalf of the controller gives rise to
                                     78
     reasonable doubt inthis regard   .


     70
       NLSA’s Objection,paragraph5.
     71NLSA’s Objection,paragraph10.
     72NLSA’s Objection,paragraph8.
     73NLSA’s Objection,paragraph12.
     74
     75NLSA’s Objection,paragraph10.
       NLSA’s Objection,paragraph10.
     76NLSA’s Objection,paragraph11.
     77NLSA’s Objection,paragraph12.
     78DraftDecision,p.31.




     Adopted                                                                                            1759. Adding to that, the NL SA also notes that a relevant step is to assess whether the concrete data
     processing activities that are based on the contract, are actually necessary for performing the key
     aspectsofthe agreement    79. TheNLSAarguesthattheIESA hasnot interpretedtheterm“necessary”

     in Article 6(1)(b) GDPR in line with the EDPB guidance, such as Guideline 2/2019 on Article 6(1)(b)
     GDPR, on this provision  80. The NL SA adds that the IE SA also did not include any substantive

     investigationinto what datasubjects have understood to be the core of the service theyhave signed
     up to and whether they meant to give their consent for the processing of personal data or whether
     they intended toconclude an agreement withthe controller     81. Inthe NL SA’sview, the IE SA did not

     conduct a proper assessment on whether allprocessing operations could be based on a contractand
     if not, what other legalbasis could be applicable82. The NL SA disagreeswith the IE SA´s finding that

     the criterionof necessitylaiddown inArticle 6(1)(b) GDPRisindirectlyimpactedbydomestic contract
     law,since thiscriterionhasanindependent meaningin case lawandin different EDPBguidelines         8.

60. The NOSAcontestsinessence the IESA’sfinding thatWhatsAppIEcanrelyonArticle 6(1)(b)GDPRas
     alegalbasisfor processing inthecontextofserviceimprovementsandsecurityfeaturesandproposes

     imposing respective corrective measures. The NO SA questions whether the processing ofpersonal
     datafor the purposesofserviceimprovementsandsecurityfeaturesisgenuinelynecessaryforthe
     performance of the contract in question. According to the NO SA, the Draft Decision enables

     controllers to artificially expand what can fall under Article 6(1)(b) GDPR. In support of the above
     objection, the NOSA advancesthe following arguments.

61. First, the NOSA disagrees withthe IE SA’sposition that any processing ofpersonaldata includedin

     contractualtermswouldautomaticallybelawfulifframedin a particularmanner.Inthat context,in
     theNOSA’sview,it isnot the legislationwhichsetsthe boundariesfor lawfulness under Article5(1)(a)

     GDPR, but instead the individual contract, which makes the IE SA’s interpretationof Article 6(1)(b)
     GDPR incompatible withArticle 8 of the EU Charter. Second, the NO SA suggests that Article 6(1)(b)
     GDPR should be interpreted in light of its wording, purpose and context. The NO SA considers that

     therewould alwaysneedtobe anin concretoassessment ofwhat isnecessaryfor the performance of
     the particularcontractoverall, on a case-by-case basis. The NOSA is of the opinion that the rationale
     behind the first alternative of Article 6(1)(b) GDPR is to provide a legal basis for situations where

     processing of personal data will logically need to take place in the course of the provision of a
     contractualservice.Inthis sense, the NOSA claimsthat processingofpersonaldataforthepurposes

     of service improvements and security features as described in the Draft Decision is not a logical
     preconditionforthemessagingservicethatWhatsAppIEentails.Third,theNOSA believesthattheI
     E SA’s interpretation ofArticle 6(1)(b) GDPR has the effect of undermining or circumventing the

     otherlegalbasesofArticle 6(1) GDPR.

62. Withsuch interpretation,the NOSA finds it hardtoforesee whenconsent under Article 6(1)(a)GDPR
     would be reliedupon asa legalbasis. The same appliestosituations invoking Article 9 GDPR. TheNO

     SAsuggeststhattherewouldbenouseofthelegalbasisunderArticle6(1)(a)and(f)GDPR,because
     for the controller is much more convenient to rely on Article 6(1)(b) GDPR. Fourth, according to the
     NO SA, Article 7(4) GDPR entails that, if processing ofpersonaldata is in fact necessary for the

     performanceofa contract,thenaconsentcanbeconsideredfreelygivenevenifthedatasubjectis
     excluded from a service should they decline to give consent. The NO SA considers that under the


     79NLSA’s Objection,paragraph13.
     80
     81NLSA’s Objection,paragraph16.
       NLSA’s Objection,paragraph13.
     82NLSA’s Objection,paragraph33.
     83NLSA’s Objection,paragraph16.


     Adopted                                                                                            18     interpretationput forwardbythe IE SA, generallyalmost allprocessing ofpersonaldata bynon-public
     entitiescould be framed asbeing necessaryfor the performance of a contract,alsoin the contextof
     Article 7(4) GDPR. The NO SA alleges that this would render Article 7(4) GDPR meaningless and

     withouteffect in practice,asit wouldneverbeinvoked. Thiswould, inthe NOSA’sview, render the
     take-it-or-leave-itconsents permissible.

63. The NOSA submits thatthislower standardfor validconsent wouldinparticularbe problematic when
     consent serves asa basis for processing ofspecial categoryofpersonal datapursuant toArticle9(2)(a)

     GDPR,orasa Chapter V GDPRexemptionpursuant toArticle 49(1)(a)GDPR.

64. Moreover, the NO SA advances the argument that data subjects may be de facto dependent on
     certain services and in lack of realistic alternatives to them, in particular due to network effects,
     therefore they will generallyhave little opportunity to negotiate standardised terms of service. This

     createsa take-it-or-leave-itsituation andanuneven playing field. The NO SA comesto theconclusion
     thatif rejectingthe contractualtermsis necessary inorder toprotectoneself from harm,so that one
     is subsequently excludedfrom the service, participatingindiscussions, corresponding withothersand

     receiving information becomes significantly more difficult. As a result, this interpretation could also
     adverselyaffectdatasubjects’freedomofexpressionandinformation.


     4.3 Position of the LSA on the objections

65. The IESA considers thatthe objectionsabove are not relevant and/or not reasonedfor the purpose of
     Article60(4) GDPRanddecidesnot tofollow them     84.

66. With regardtothe objections of the DE SA, FI SA, FR SA, NL SA andNO SA concerning WhatsApp IE’s

     possible reliance onArticle6(1)(b) GDPRasthe applicable basisfor personaldataprocessing, the IESA
     is ofthe opinion thatanassessment of the corefunctions ofthe contractinrequired.

67. The IE SA acknowledges that there are different views on how the “core” elements of the Terms of
     Service areassessed,however itconsiders thatitdoesnotadopt amerelyformalapproachwithregard

     to Article 6(1)(b) GDPR that reliesonly on the textualcontent of the Termsof Service. Moreover, it
     considers thatanassessment of the core functions of the contract(not merely onthe writtenterms)
     is required,pursuant toArticle6(1)(b) GDPRandthe requirementfor thenecessity test     8.

68. The IE SA considers that WhatsApp IE has not sought to make the WhatsApp services contingent on

     the Complainant’s consent to the Termsof Service. Moreover, it does not consider that the test for
     contractual necessity under Article 6(1)(b) GDPR would be reduced to an assessment of written
     contractualterms, without reference tothe fundamentalpurpose of the contract.The DraftDecision

     does not take the view that all written contractualterms are necessary for the performance of a
     contract,thusthe risks describedin thisregardarenot relevant   8.

69. TheIESA notesthatArticle6(1)(b)GDPRlegitimisesprocessing whichisnecessaryfor theperformance

     of a contract (i.e. an agreement which serves the mutual interests of the parties). In addition, it is
     considered that a reasonable user would have had sufficient understanding thatthe service included
     the use of metricsfor improvement.Accordingly, theIE SA disagreeswiththeinterpretationof “core”

     contractual purposes, as suggested by the CSAs, and considers that the Terms of Service properly


     84
       CompositeResponse,paragraphs44,45,46,48,49,72and73.
     85CompositeResponse,paragraphs47-48.
     86CompositeResponse,paragraph50.



     Adopted                                                                                          19     reflectsthe agreemententeredintobythe Complainant,nor does therestrictiveinterpretationreflect
     the purpose ofArticle 6(1)(b) GDPR .87

70. The IE SA statesthatthe guidelines arenot binding on supervisory authorities, however, theyshould

     be takeninto account.However,the IE SA’sposition is thatthe EDPBhas not been provided withthe
     legal power to mandate that certain categories of processing must be based on consent, to the
     exclusion of any other legal bases for processing. The IE SA’s view is that such a power is properly

     exercised from time to time by the EU legislator, in the form of specific legislative measures. In
     particular,itisnotedthatGuidelines2/2019 onArticle6(1)(b) GDPRcontainverygeneralobservations
     tothe effect thatpersonal data should not be used “generally”for service improvement pursuant to

     Article 6(1)(b) GDPR. The IE SA considers that under these guidelines, processing for service
     improvement is not prohibited, pursuant toArticle 6 (1)(b) GDPR,so long asit falls within the core or
                                    88
     essentialaspectsof the service   .

71. The IE SA recallsin this regardthat the Draft Decision also assesses the core functions of WhatsApp
     IE’sTermsof Service 89.TheDraftDecisionnotesthatanyapplicationofthe principle of necessitymust

     be specific to the agreement entered into between the parties. The Draft Decision states that
     processing should be regardedasnecessaryfor theperformance ofa contractbetweenthe controller
     and the datasubject if it is necessary toperform the clearlyunderstood objectives of a contract.The

     Draft Decision also statesthat in order to understand the mutual understanding of a contract, it is
     necessary to have regard to the specific content of the agreement itself. Having conducted an
     assessment of thecore or fundamentalaspectsof WhatsAppIE’sTermsof Service, the DraftDecision

     concludes that the nature of the service being offered on this occasion specifically included regular
     service improvement including dealing withabuse,asanaspectof theagreementbetweenWhatsApp

     IEandits users.

72. The IE SA clarifies that in reaching the above conclusion, it had regardto the expectations of users
     basedonthe specificcontentoftheTermsofService.TheIE concludesonthisbasisthattheprocessing
     should be regardedasnecessary for the performance of WhatsApp IE’sTermsof Service. Moreover,

     the IESA adopts theposition thatthemutualexpectationsofthe partiesastothe performance ofthe
     contract should consider the expectationsand interestsof both parties, as reflectedin the contract
          90
     itself .

73. The IE SA considers that the EU legislator did not limit the provision of Article 6(1)(b) GDPR only to
     processing which is strictlynecessaryfor the delivery of goods andservices toa data subject, nor are
     the contractualinterestsofthe controller disregardedbythisprovision. Inthis regard,theIE SA notes

     thatcontractsmayincludeaspectsofperformance,whichareoptionalorcontingent.IntheIEA’sview,
     Article 6(1)(b) GDPR is not limited to aspects of contractual performance which are expressly

     mandatoryandunconditional obligationsof the parties.Accordingly,the IESA isnot satisfiedthatthe
     abilityto opt-out of any particularprocessing must logically be construed asconclusive evidence that
     such processing isnot necessarytoperform a contract.TheIE SA submits that theexercise of options

     by a datasubject inthe context ofa contractdoes not necessarilyundermine the agreemententered
     into, or the necessity of processing while suchoptions are engaged.TheIE SA refersto the CJEU case
     C-524/06 91 in support of its finding that necessity in the context of Article 6(1)(b) GDPR cannot be



     87CompositeResponse,paragraph59.
     88
     89CompositeResponse,paragraphs66–69.
       DraftDecision,paragraph4.30.
     90CompositeResponse,paragraph58.
     91Judgmentof18December2008,HeinzHuberv.BundesrepublikDeutschland,C-524-06,EU:C:2008:724.


     Adopted                                                                                            20     assessed by reference tohypothetical alternativeforms of the WhatsApp IEservices, asthe CJEU has

     heldin thatcasethatprocessing whichexceedsthe most minimallevelof processing possible, maybe
     regardedasnecessary, where it rendersa lawful objective “more effective”.The IE SA statesthat it is
     not the role of supervisory authoritiestoimpose specific business models oncontrollers.


74. The IESA,taking intoaccountthe specific factsofthiscase,considers thatWhatsApp IEasacontroller
     hasnotattemptedtoartificiallyincludeprocessing whichisnotnecessaryfor thefundamentalpurpose

     of its services. The IE SA considers that Guidelines 2/2019 on Article 6(1)(b) GDPR confirm the legal
     position, which is that service improvement processing pursuant to Article 6(1)(b) GDPR is not
     prohibited perse, aslong asit falls withinthe coreor essentialaspectsofthe service.


     4.4 Analysis of the EDPB


     4.4.1 Assessment of whether theobjections were relevant and reasoned

75. The objections raised by the DE SA, FI SA, FR SA, NL SA, and NO SA concern “whether there is an
                               92
    infringementoftheGDPR”       .Additionally,theDESA andNOSA’sobjections alsoconcern“whetherthe
    actionenvisagedinthe DraftDecisioncomplieswith the GDPR”        9.

76. The EDPBtakesnote of WhatsApp IE’sview thatnot a single objection put forwardby the CSAs meets
                                         94
    the threshold of Article 4(24) GDPR . From a generalstandpoint, WhatsApp IE argues that “to the
    extent Objectionsrelate to matterswhich are outside of the Defined Scope of Inquiry, as identified in

    the Draft Decision, they fail to satisfy the requirements of Article 4(24) GDPR and as such are not
    “relevant and reasoned”.”  95. Contrary toWhatsApp IE’sposition on relevance , objections canhave

    bearing on the “specific legal and factualcontent ofthe Draft Decision”,despite not aligning withthe
    scope of the inquiry as defined by an IE SA. Furthermore, the EDPB does not accept WhatsApp IE’s
    narrowingthe scope ofthe ”reasoned”criteriontoargumentsonissues thathave beeninvestigatedor

    addressed inthe inquiry  97,asno such limitationcanbe readinArticle 4(24)GDPR .    98

77. Contraryto WhatsApp IE’sargument that CSAsmay not object tothe scope of the inquiry as decided

    by the IE SA, the EDPB does not share this reading of Article 65 GDPR. Furthermore, this possibility is
    explicitlystatedinthe RROGuidelines, especiallyregardingcomplaint-basedinvestigations      99.





     92GuidelinesonRRO,paragraph24.
     93GuidelinesonRRO,paragraph32.
     94WhatsAppIE’s Article65Submissions,Annex1,p.75-120.
     95WhatsAppIE’sArticle65Submissions,paragraph3.3.
     96
       WhatsAppIEcitestheGuidelinesonRRO,whichstatethat“[a]nobjectionshouldonlybeconsideredrelevant
     if it relatesto thespecificlegalandfactualcontentoftheDraftDecision”(paragraph14)todrawtheconclusion
     that any objection raising matters outsidethescopeof theinquiryis not relevant. SeeWhatsApp's Article65
     Submissions, paragraph 3.3. TheEDPB notes that paragraph14 of theGuidelines on RRO draws a distinction

     between relevant objections and “abstract or broad concerns or remarks” on the one hand and “minor
     disagreements”ontheother.Moreover,thisparagraphshouldbereadinconjunctionwithparagraph27ofthe
     Guidelines onRRO.
     97WhatsAppIE’sArticle65Submissions,paragraph3.3.
     98
     99GuidelinesonRRO,paragraph16-19.
       GuidelinesonRRO,paragraph27:“Forinstance,iftheinvestigationcarriedoutbytheLSAunjustifiablyfailsto
     coversomeoftheissuesraisedbythecomplainantorresultingfromaninfringementreportedbyaCSA,arelevant
     and reasoned objectionmaybe raised basedon the failure of the LSA to properly handle the complaint and to
     safeguardtherightsofthedatasubject.”




     Adopted                                                                                            2178. WhatsApp IE also states that “were the EDPB to expand the scope of the Inquiry as set by the DPCat
    this stage, in the manner proposedin the Objections, this could not be reconciled with the procedural

    requirements of Irish or European Union (“EU”) law, and would infringe WhatsApp IE’s legitimate
    expectations,righttofairproceduresand dueprocess(including theright tobeheard),and rightsofthe
              100
    defence”    . Despite claiming it is “clear”, WhatsApp IE does not demonstrate in which manner its
    procedural rights would be breached, just by the mere fact that the EDPB finds specific objections
    admissible. This isespeciallyquestionable, since admissibility determinesthe competenceofthe EDPB,

    but not the outcome of the dispute betweenthe LSA and the CSAs. Likewise, WhatsApp IE does not
    explainhow the mere actof considering the meritsof admissible objections inevitablyandirreparably
                                                         101
    breachestheproceduralrightscitedby WhatsAppIE           .AcceptingWhatsAppIE’sinterpretationwould
    severely limit the EDPB’s possibility to resolve disputes arising in the one-stop-shop, and thus
    undermine the consistent applicationoftheGDPR.Theobjectionsofthe DESA,FI SA,FR SA,NLSA, and

    NO SA on the finding of an infringement all have a direct connection with the Draft Decision as they
    refer toa specific part of the latter,whichis Finding 2. Allof those objections concern “whetherthere

    is an infringement of the GDPR” as they argue that the IE SA should have found an infringement of
    Article 6 GDPR  102or Article 6(1)(b) GDPR. As the IE SA considered that Article 6(1)(b) GDPR was not
    breached, the objections entaila need for a change of the IESA’sDraft Decisionleading to a different

    conclusion. Consequently, the EDPB finds that the DE SA, FI SA, FR SA, NL SA, and NO SA’s objections
    relatingtothe infringement ofArticle 6 or Article6(1)(b) GDPRrelevant.


79. The part of the DE SA’s objection arguing that the IE SA should find an infringement of Article 5(1)(a)
    GDPRand impose the erasure of unlawfully processed personal dataand the banof the processing of
    data,andthepartof the NOSA’sobjectionarguingthatthe IE SA should order WhatsAppIE to“delete

    personal data” and “impose an administrative fine” are linked to the IE SA’s Finding 2 of the Draft
    DecisionwithregardtoArticle6(1)(b)GDPR.Therefore,theyaredirectlyconnectedwiththe substance

    of the Draft Decision and, if followed, would lead to a different conclusion, namely a change in this
    Finding. Thus, the EDPB considers that these parts of the DE SA and NO SA’s objections are also
    relevant.


80. The objections of the DE SA, FI SA, FR SA, NL SA, and NO SA all include arguments on legal/factual
    mistakesinthe DraftDecisionthatrequire amending.More specifically, these CSAsprovide arguments
    tochallenge the DraftDecision’s consideration thatWhatsApp IEcanrely on Article6(1)(b) GDPRasa

    lawfulbasis for personal dataprocessing asspecified inthe TermsofService     10.The IESA held thatthe
    GDPR permits the reliance, by WhatsApp IE, on Article 6(1)(b) GDPR in the context of its offering of
                     104
    Termsof Service     including of users’ data in relationtoimprovement of the existing service and the
    maintenanceof securitystandards    105. This view is challengedin broad termsas wellasin detail.Some
    oftheCSAsprovide argumentschallengingthevalidityofthecontractonwhichtheuseofArticle6(1)(b)

    GDPRasalegalbasis depends, andwhich theIESA accepts         10.Someof theCSAs express thatofArticle





     100WhatsAppIE’sArticle65Submissions,paragraph3.13.
     101TheEDPBfailstoseehow,forinstance,declaringanobjectionadmissiblebutrejectingitonthemeritscould

     impingeontheproceduralrights ofthecontrollerinvolvedintheunderlyingcase.
     102As specifiedintheobjectionsoftheDESA,FRSAandNLSA.
     103DraftDecision,paragraph4.
     104DraftDecision,paragraph4.50.
     105DraftDecision,paragraph4.49.
     106
        DESA’s Objection,pp.3-4;FI SA’s Objection,paragraphs21-24;NLSA’s Objection,paragraph26.



     Adopted                                                                                            22    6(1)(b) GDPRas a legalbasis cannot be reliedupon regardingthe purpose of service improvements         107
                              108
    andstandardsof security      .

81. Some CSAs   109recall,while referringtothe termsof Guidelines 2/2019 on Article 6(1)(b) GDPR     110,that

    it is the fundamentaland mutuallyunderstood – by the partiesof the contract– contractualpurpose,
    which justifies that the processing is necessary. This purpose is not only based on the controller’s

    perspective but also on a reasonable data subject’s perspective when entering into the contract and
    thus on “the mutualperspectivesand expectationsofthe parties to the contract”. The FR SA and the
    NO SA  111disagree with the Draft Decisionin that the purposes of service improvement are described

    in the Draft Decision in very broad and vague terms, are not a logical precondition for the actual
    contractualserviceofWhatsAppIEandarenotthemainreasonofauser’sregistrationtotheWhatsApp

    services. The FI SA adds that most users, including the Complainant, are likely unaware of this
    processing ofpersonal datainthe context ofthe WhatsAppIE services       112.


82. The DESA,FI SA, FRSA, NLSA, andNOSA’sobjections alsoidentify risksposedby theDraftDecisionas
    drafted in the current manner, in particular the interpretationof Article 6(1)(b) GDPR that could be
                                                                                                         113
    invoked by anycontroller for anyprocessing would undermine or bypass data protectionprinciples          ,
    would lower the threshold for legality of data processing    114 and thus endanger the rights of data
                             115
    subjects within the EEA    . As anexample, the NOSA highlights that ”if it is possible to frame almost
    any processing of personal data in contractualterms such that it automatically becomes lawful, as

    would be the result pursuant to the [Draft Decision], data subjects would in realityhave no control of
    their personal data”  116, while “the FI SA stresses that this would create a significant risk that the
                                                          117
    principle oflawfulness and fairness is circumvented”     .

83. WhatsAppIEcontends thatintermsof risk, theobjections must ”demonstratethelikelihood ofa direct
    negative impact of a certain significance of the Draft Decision on fundamental rights and freedoms
                                                                 118
    under the EU Charter and not just any data subject rights”      . WhatsApp IE thus adds a condition to
    Article4(24) GDPR,whichis not supported by theGDPR       119.


84. Considering the objections of the CSAs andthe argumentsbrought forwardby WhatsAppIE,the EDPB
    finds the objections of the DE SA, FI SA, FR SA, NL SA andNO SAs on the finding of aninfringement of

    Article6 or Article6(1)(b) GDPRreasoned.




     107FI SA’s Objection,paragraphs21-24;FRSA’s Objection,paragraphs8-16;NOSA’s Objection,pp.7-8.
     108
        FI SA’s Objection, paragraph 31;theDE SA’s Objectionmentions that securitymeasures arenot part of the
     contractbuta legalobligationunderArticle32GPDR,p.5.
     109DE SA’s Objection,p.5;FI SA’s Objection,paragraph31;FRSA’s Objection,paragraph10;NOSA’s Objection,
     p.6.
     110
     111Guidelines2/2019onArticle6(1)(b)GDPR,paragraphs32and33.
        FRSA’s Objection,paragraphs13-14;NOSA’s objection,pp.3-4.
     112FI SA’s Objection,paragraph22.
     113DESA’s Objection,pp.7-8.
     114
     115NLSA’s Objection,paragraphs28-29.
        FRSA’s Objection,paragraphs50-51.
     116NOSA’s Objection,p.8.
     117FI SA’s oObjection,paragraph33.
     118
     119WhatsAppIE’sArticle65Submissions,Annex1,p.73.
        Article1(2)GDPRprovidesthattheGDPRitself“protectsfundamentalrightsandfreedomsofnaturalpersons
     and in particulartheirright to protection of personal data”, whichdirectlystems from Article8(1) of theEU
     Charter. Therefore, thereis noreason to draw a distinction between thedata subject rights protected by the

     GDPRandthefundamentalrightsprotectedundertheEUCharterwheninterpretingArticle4(24)GDPR.


     Adopted                                                                                              2385. As regardsthe partsof the DE SA andNO SA’sobjections requesting the finding of aninfringement of
    Article 5(1)(a) GDPR and specific corrective measures under Article 58 GDPR for the infringement of
    Article6(1)(b) GDPR,theEDPBconsidersthatthesepartsofthe objectionsdonot sufficiently elaborate

    the legalor factualargumentsthat would justify a change inthe Draft Decisionleading to the finding
    of an infringement of Article 5(1)(a) GDPR or to the imposition of the specific corrective measures
    mentioned above.Likewise, the significance of the risk for data subjects, which stemsfrom the IE SA’s

    Draft Decision not to conclude on the infringement of Article 5(1)(a) GDPR and not to impose the
    requestedcorrectivemeasures, is not sufficiently demonstrated.

86. Considering the above, the EDPBfinds thatthe objections of the DESA, FI SA, FR SA, NL SA andNO SA
    on the finding of an infringement of Article 6 or Article 6(1)(b) GDPR are relevant and reasoned in

    accordancewithArticle4(24) GDPR.

87. However, the parts of the DE SA and NO SA’s objections concerning the additional infringement of
    Article5(1)(a)GDPRandthe imposition ofspecific correctivemeasuresarenot “reasoned”anddonot
    meetthe threshold of Article4(24)GDPR.


     4.4.2 Assessment on the merits

88. Inaccordance withArticle 65(1)(a) GDPR,in the context of a dispute resolution procedure, the EDPB
     shall take a binding decision concerning all the matterswhich are the subject of the relevant and

     reasonedobjections,inparticularwhether thereis aninfringement ofthe GDPR.

89. Based on the documents transmittedby the IE SA, the EDPB understands that the purposes of the
     processing operationscoveredbythese objections arethefollowing: (i)service improvements,and(ii)
     “safety and security”. In its Terms of Service, WhatsApp IE refers to its own definition of safety and

     securityasfollows: "We worktoprotectthe safetyand securityofWhatsApp byappropriatelydealing
     with abusive people and activity and violations of our Terms. We prohibit misuse of our Services,
     harmfulconducttowardsothers,andviolationsofourTermsand policies,andaddresssituationswhere

     wemaybe able to helpsupport or protectourcommunity.We develop automatedsystemstoimprove
     our ability to detect and remove abusive people and activity that may harm our communityand the
     safety and securityof our Services. Ifwe learn of people or activitylike this, we will take appropriate

     actionbyremoving such people or activityor contacting law enforcement.Weshare information with
     otheraffiliatedcompanieswhenwelearnofmisuseorharmfulconductbysomeoneusing our Services."

90. As a preliminary remark, the EDPB notes, as observed by the NL SA, that the purposes are vague,

     especially the one on “safetyand security”, mentioned by WhatsApp IE in its Terms of Service. The
     EDPB understands from the short description provided under the relevant section of WhatsApp IE's
     TermsofService thatitrefersto“misuse” ofWhatsAppservices, “harmfulconduct”,andactivitiesthat

     would violate WhatsApp IE’s Terms of Service. In its Draft Decision, the IE SA considered that the
     Complainant did not identify particular processing operations withany degreeof specificity, and that
     complaints should in generalhave a reasonable degreeof specificity, and,hence addressed the issue

     of Article 6(1)(b) GDPR in principle. In doing so, the Draft Decision refers to various terms: “abusive
     activity”(which is referredtoin WhatsAppIE’sTermsofService)     120, “fraud”121and“security”without
     further description122(which is referred to in WhatsApp IE’s Terms of Service), which do not bring

     clarity and/or more specificity on this purpose. Based on these elements, and considering that
     WhatsApp IE’sTermsof Service refer to another purpose of processing than the security carriedout


     12DraftDecision,paragraphs4.36,4.41,4.42.
     12DraftDecision,paragraphs4.38and4.49.
     12DraftDecision,paragraphs4.40,4.42,4.47,4.49.


     Adopted                                                                                           24     bytechnicalandorganisationalmeasuresinorder tosecure the processing ofpersonaldata,networks
     and services or processing to which WhatsApp IE is entitled or obliged under other legal provisions

     (e.g.technicaland organisationalmeasuresapplied toprotectpersonal data,for instance asrequired
     under Article 32 GDPR   123), the EDPB is excluding “IT Security” from its assessment of the merits

     hereinafter. On a similar note, the EDPB highlights that when the purpose of the processing is “IT
     Security”, for instance in the meaning of Article 32 GDPR, the purpose of the processing has to be
     clearlyandspecifically identifiedby the controller124.

                                                                                                 125
91. TheEDPBconsidersthattheobjections found tobe relevantandreasonedinthissubsection                require
     an assessment of whether the Draft Decision needs to be changed insofar as it rejects the
     Complainant’sclaimthatthe GDPRdoesnot permitWhatsAppIE’srelianceonArticle 6(1)(b)GDPRfor

     the processing operationsset out initsTermsof Service. Whenassessing the meritsof the objections
     raised,the EDPBalsotakesintoaccount WhatsAppIE’sposition onthe objections anditssubmissions.

92. The CSAs seek in essence to establish whether Article 6(1)(b) GDPR could serve as a valid legal basis

     for the processing of personal data at issue, namely for service improvements andsecurity features,
     inthe specific case andtoestablishwhether thereis aninfringement ofArticle 6(1)GDPR.

93. The CJEU hasfound thatsofar asconcernstheprinciples relatingtolawfulnessof processing, Article6

     GDPRsets out an exhaustive and restrictivelist of the cases inwhich processing of personal datacan
     be regardedaslawful. Thus, in order to be considered lawful, processing must fall within one of the
                                         126
     casesprovided for in Article6 GDPR     andit isthe controller’sobligationtoprovide andtobe able to
     prove that thecorrectlegalbasis isapplied for the respective processing.

94. The EDPB considers that there is sufficient information in the file for it to decide whether the IE SA

     needstochangeitsDraftDecisioninsofar asit rejectsthe Complainant’sclaimthatthe GDPRdoesnot
     permit WhatsApp IE’sreliance on Article 6(1)(b) GDPR toprocess personal data in the context of its
     offering of itsTermsofService.


95. As described above, in Section 4.3, the IE SA concludes in Finding 2 of its Draft Decision that the
     Complainant’s case is not made out that the GDPR does not permit the reliance by WhatsApp IE on

     Article 6(1)(b) GDPR in the context of the latter offering its Terms of Service. Neither Article 6(1)(b)
     GDPRnoranyother provision oftheGDPRprecludesWhatsAppIEfrom relyingon Article6(1)(b)GDPR
     as a legal basis to deliver a service, including the improvement of the existing service and the
                                                                                             127
     maintenance of security standards insofar as that forms a core part of the service        . The IE SA
     considers that, having regard to the specific terms of the contract and the nature of the service

     provided andagreeduponby theparties,WhatsAppIE mayin principle relyonArticle 6(1)(b)GDPRas
     a legalbasis of the processing of users’ data necessaryfor the provision of its WhatsApp services, on
     foot of the Complainant’s acceptance of the Terms of Service       12. The IE SA considers that this




     123WhatsAppIEmayalsofallunderlegaldutiestoprotectthesecurityofitsnetworksandservices,asrequired
     by other laws. Seefor instanceArticle40of theEuropeanElectronicCommunications Codeestablished under
     Directive(EU)2018/1972oftheEuropeanParliamentandoftheCouncilof11December2018.
     124SeeGuidelines2/2019onArticle6(1)(b)GDPR,paragraph16.
     125
        Objections concerning the issue on the applicability of Article 6(1)(b) GDPR for purposes of service
     improvementandsecurityfeatureswereraisedbytheDESA, FI SA,FR SA,NL SA, andNOSA.
     126Judgment of 11December 2019, Asociaţia de Proprietari bloc M5A-ScaraA,C-708/18,EU:C:2019:1064,
     paragraphs37and38.
     127DraftDecision,paragraph4.49.
     128
        DraftDecision,paragraph4.50.



     Adopted                                                                                            25     information is clearly set out, publicly available and understandable by any reasonable user        12.
                                                  130
     WhatsApp IEsupports the IESA’sconclusion       .

96. To assess the IE SA and WhatsApp IE’sclaims, the EDPB considers it necessary to recallthe general
     objectives that the GDPR pursues, which must guide itsinterpretation, together withthe wording of

     itsprovisions and itsnormative context  131.

97. The GDPR develops the fundamental right tothe protectionof personal data found in Article 8(1) of

     the EU Charter and Article 16(1) of the Treaty on the Functioning of the EU, which constitute EU
     primarylaw  132.As the CJEU clarified, ”anEU act must be interpreted,asfar as possible, in sucha way
     as not to affect itsvalidity andin conformitywith primarylaw as a whole and, in particular, with the

     provisions of the Charter. Thus, if the wording of secondaryEU legislation is open to more than one
     interpretation,preferenceshouldbe given to theinterpretationwhichrendersthe provision consistent

     withprimarylaw ratherthanto the interpretationwhich leadsto its being incompatible with primary
     law” 133.Inview of rapidtechnologicaldevelopments andincreases in the scale of datacollection and

     sharing, the GDPR createsa strong andmore coherent data protectionframeworkin the EU, backed
     by strong enforcement,and built on the principle thatnaturalpersons should have control over their
                        134
     own personal data     . Byensuring a consistent, homogenous and equivalent high level of protection
     throughout the EU, the GDPR seeks to ensure the free movement of personal data within the EU       135.

     The GDPR acknowledges that the right to data protection needs to be balanced against other
     fundamentalrightsandfreedoms, such asthe freedom toconduct a business, in accordancewiththe
                                 136
     principle of proportionality   andhas these considerations integratedintoits provisions. The GDPR,
     pursuant toEU primarylaw,treatspersonal dataasafundamentalrightinherent todata subjectsand
                                                                                     137
     their dignity, and not as a commodity, they cantradeawaythrougha contract          .The CJEU provided
     additionalinterpretativeguidanceby assertingthatthe fundamentalrightsofdata subjectstoprivacy
     andthe protectionoftheir personal dataoverride,asa rule, acontroller’seconomic interests       138.


98. The principle of lawfulness under Article 5(1)(a) and Article 6 GDPR is one of the main safeguardsto
     theprotectionofpersonaldata.Itfollowsarestrictiveapproachwherebyacontroller mayonlyprocess

     the personal data of individuals if it is able to rely on one of the basis found in the exhaustive and
     restrictivelists of thecases inwhichthe processing ofdatais lawfulunder Article6 GDPR     139.

99. Theprinciple oflawfulness goeshandinhandwiththe principlesoffairnessandtransparencyinArticle

     5(1)(a) GDPR.Theprinciple of fairness includes, interalia, recognising the reasonable expectationsof




     129
        DraftDecision,paragraph4.42.
     130WhatsAppIE’sArticle65Submission,paragraphs5.47.
     13Judgmentof1August2022,Vyriausiojitarnybinėsetikoskomisija,C-184/20,),EU:C:2022:601,paragraph121.
     132
     133Recitals1and2GDPR.
         Judgment of 21 June 2022, Liguedes droits humains v. Conseil des ministres, C-817/19, , EU:C:2022:491,
     paragraph86;andjudgment of 2February2021,Consob, C-481/19, EU:C:2021:84, paragraph50and thecase-

     lawcited.
     134Article1(1)(2)andrecital6and7GDPR.
     135Article1(3)andrecitals9,10and13GDPR.
     136Recital4GDPR.
     137
     138Guidelines2/2019onArticle6(1)(b)GDPR,paragraph54.
        Judgmentof13May2014,GoogleSpainSL,C-131/12,EU:C:2014:317,paragraphs97and99.
     139Judgment of 11 December 2019, TK v Asociaţia de Proprietari blocM5A-ScaraA, C-708/18, EU:C:2019:1064,
     paragraph37.




     Adopted                                                                                             26     datasubjects, considering possible adverse consequences aprocessing mayhave onthem,andhaving
                                                                                                   140
     regardtothe relationshipandpotentialeffectsof imbalancebetweenthem andthe controller             .

100.The EDPBagreeswiththe IE SA and WhatsAppIE thatthere isno hierarchybetweenArticle6(1) legal
     bases 14. However, this does not mean that a controller, as WhatsApp IE in the present case, has

     absolute discretion tochoose the legalbasis that suits better itscommercialinterests. The controller
     may only rely on one of the legal bases established under Article 6 GDPR if it is appropriate for the
                           142
     processing in question   . A specific legalbasis willbe appropriateinsofar as the processing canmeet
     its requirements set by the GDPR  143andfulfil the objective of the GDPR toprotect the fundamental
     rightsandfreedomsof naturalpersons andin particulartheir righttothe protectionof personaldata.

     Alegalbasiswillnot beappropriateifitsapplicationtoaspecific processing defeatsthispracticaleffect
     “effetutile”pursuedby theGDPRanditsArticle5(1)(a)andArticle6 GDPR         144.Thesecriteriastemfrom

     the contentof theGDPR   145 andthe interpretationfavourable totherightsofdatasubjects tobe given
     theretodescribed inparagraph97 above.


101.The GDPR makesWhatsApp IE, asthe controller for the processing at stake, directly responsible for
     complying withthe GDPR’sprinciples,including theprocessing of datainalawful, fairandtransparent
     manner, and any obligations derived therefrom    14. This obligation applies even where the practical

     applicationofGDPRprinciples suchasthose of Article5(1)(a)andArticle(5)(2)GDPRare inconvenient
     or runcounter tothe commercialinterestsofWhatsApp IE.The controller isalsoobligedtobe able to

     demonstratethatitmeetstheseprinciplesandanyobligationsderivedtherefrom,suchasthatitmeets
     the specific conditions applicable toeachlegalbasis 147.More specifically, this condition to be able to

     relyonArticle 6(1)(b)GDPRasalegalbasistoprocess thedatasubject’sdataimplies thata controller,
     in line withitsaccountability obligationsunder Article 5(2) GDPR,hastobe able todemonstrate that
                                                                                                  148
     (a)a contractexistsand(b) the contractisvalidpursuant toapplicable nationalcontractlaws         .

102.The EDPB agrees that supervisory authorities do not have, under the GDPR, a broad and general
     competence incontractualmatters.However,theEDPB considers thatthe supervisory tasks, thatthe

     GDPR bestows on supervisory authorities, imply a limited competence to assess a contract’sgeneral

     140
        See, recital39GDPRandGuidelines2/2019onArticle6(1)(b)GDPR,paragraphs11and12.
     141DraftDecision,paragraph2.9,andWhatsAppIE'sArticle65Submission,paragraph8.34.
     14As mentionedinGuidelines 2/2019onArticle6(1)(b)GDPR,paragraph18,theidentificationoftheappropriate
     lawfulbasisistiedtotheprinciplesoffairnessandpurposelimitation.Itwillbedifficultforcontrollerstocomply

     withtheseprinciplesiftheyhavenotfirstclearlyidentifiedthepurposes oftheprocessing,oriftheprocessing
     of personal data goes beyondwhat is necessaryfor thespecified purposes. SeealsoSection 5 below on the
     potentialadditionalinfringementoftheprinciplesoffairness,purposelimitationanddataminimisation.
     143Judgmentof11December2019,TK v Asociaţiade Proprietari blocM5A    -ScaraA,C-708/18,EU:C:2019:1064,
     paragraph37.
     144
        Judgment of 18 December 2008, Heinz Huber v. BundesrepublikDeutschland, C-524-06, EU:C:2008:724,
     paragraph52 on the concept of necessitybeing interpreted in a manner that fully reflects theobjectiveof
     Directive95/46/EC.Ontheimportanceofconsideringthepracticaleffect(“effetutile”)soughtbyEUlawinits
     interpretation,seealsoforinstance:judgmentof21June2022,Liguedesdroitshumainsv.Conseildesministres,

     C-817/19,EU:C:2022:491,paragraph195;andjudgmentof17September2002,MuñozandSuperiorFruiticola,
     C-253/00,EU:C:2002:497,paragraph30.
     145Article1(1)(2)and(5)GDPR.
     146Article5(2)GDPR“Principleofaccountability”ofcontrollers;seealsoOpinionoftheAdvocateGeneralof20

     147tember2022,MetaPlatformse.a.,C-252/21,,EU:C:2022:704,paragraph52.
        Guidelines2/2019onArticle6(1)(b)GDPR,paragraph26.
     14EDPBBindingdecision2/2022onthedisputearisenonthedraftdecisionoftheIESAregardingMetaPlatforms
     Ireland Limited (Instagram) under Article65(1)(a) GDPR, adopted on 28July2022(hereinafter“EDPB Binding
     decision2/2022”),paragraph84.




     Adopted                                                                                            27     validity insofar as this is relevant to the fulfilment of their tasks under the GDPR49. Otherwise, the

     supervisory authoritiesswouldsee theirmonitoringandenforcementtaskunder Article57(1)(a)GDPR
     limitedto actions,such asverifying whether the processing at stake is necessaryfor the performance
     ofa contract(Article6(1)(b)GDPR),andwhetheracontractwithaprocessor under Article28(3)GDPR

     anddataimporter under Article 46(2)GDPRincludes appropriate safeguardspursuant totheGDPR.

103.The DESA andNL SA     150arguethatthe validityof thecontractfor theWhatsApp servicesbetweenthe

     latterandtheComplainant isquestionable giventheserioustransparencyissues inrelationtothelegal
     basis reliedon 15. Incontract law, as a generalrule, both parties must be aware of the substance of
     the contractandof the obligationsof both partiestothe contractinorder towillingly enter intosuch

     contract.

104.Notwithstanding the possible invalidity of the contract,the EDPBrefers toits previous interpretative
                             152
     guidanceon thismatter      toprovide below itsanalysis onwhetherthe processing for the purposes of
     service improvement and securityfeatures    153is objectively necessary for WhatsApp IE to provide its

     services tousers based onitsTermsof Service andthe natureof theservices.

105.The EDPBrecalls   154that for the assessment of necessity under Article 6(1)(b) GDPR,”[i]t is important

     to determine the exact rationale ofthe contract, i.e. itssubstance and fundamental objective, asit is
     against this that it will be testedwhetherthe data processing is necessaryfor itsperformance”   155.As
     the EDPBhaspreviously stated,regardshould be giventothe particular aim,purpose, or objective of

     the serviceand, for applicabilityofArticle6(1)(b) GDPR,itisrequiredthat the processing isobjectively
     necessaryfor apurpose andintegraltothe delivery ofthatcontractualservice tothe datasubject        156.


106.Moreover, the EDPBnotes thatthe controller should be able tojustify the necessity of itsprocessing
     byreferencetothefundamentalandmutuallyunderstoodcontractualpurpose. Thisdependsnot only

     onthe controller’sperspective,but alsoonareasonable datasubject’sperspective whenenteringinto
     the contract 15.

107.The IESA accepts“that,as a generalrule,theEPDB considersthat processing for the provision ofnew
                                                                                              158
     services[…]would not benecessaryfor theperformanceofa contractfor online services”          .However,
     the IESA considers that inthis particularcase,having regardtothe specific termsof the contractand

     the natureofthe services provided andagreeduponby theparties,WhatsApp IEmayinprinciple rely
     on Article 6(1)b) GDPR toprocess the user’s data necessary for the provision of its service, including
     throughthe improvement ofthe existing service andthe maintenanceof securitystandards.


108.Inparticular,theIESA viewsservice improvement toanexisting service and“a commitmenttouphold
     certainstandards relating to abuse, etc.” asa “core” element of the contract betweenWhatsApp IE



     149EDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraphs9and13.
     150DESA’s Objection,p.3;NLSA’s Objection,paragraph10.
     151DraftDecision,paragraph5.9.
     152
        Guidelines2/2019onArticle6(1)(b)GDPR.
     153Fortheterm security,seeparagraph90ofthisbindingdecision.
     154EDPBBindingdecision2/2022,paragraph89.
     155Article29WorkingPartyOpinion06/2014onthenotionoflegitimateinterestsofthedata controllerunder

     Article7 Directive95/46/EC, WP217, adopted on 9 April 2014(hereinafter, “WP29Opinion 06/2014on the
     notionoflegitimateinterests”),p.17.
     156Guidelines2/2019onArticle6(1)(b)GDPR,paragraph30.
     157EDPBBindingdecision2/2022,paragraph90.
     158DraftDecision,paragraph4.49.




     Adopted                                                                                            28     and the users159. In support of this consideration, the IE SA refersto the information provided in the
     WhatsApp Terms of Service under the headings: “Ways To Improve Our Services.” and “Safety And

     Security.”160The IESA considers thatit is clearthatthe WhatsApp servicesare advertised(andwidely
     understood) asones thatrequires updatesandimprovement andso, thatanyreasonable user would

     “be well-informed that this is precisely the nature of the service being offered by WhatsApp and
     containedwithinthe contract”  161.

109.The EDPBis of the opinion that WhatsAppIE is under the legaldutyto assess whetherthe processing

     of all its users data is necessary for the purpose of service improvements or if there are alternative,
     less intrusive waysto pursue thispurpose (e.g.insteadof relying on allusers' data for the purpose of

     service improvements, rely on a pool of users, who voluntarily agreed, by providing consent, to the
     processing oftheir personaldata for thispurpose).

110.On this issue, the EDPBrecallsthatthe concept of necessity hasits own independent meaning under

     EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU
     instrument,in thiscase,the GDPR   162.Accordingly,theconceptofnecessity under Article6(1)(b) GDPR

     cannot be interpreted in a way that undermines this provision and the GDPR’sgeneralobjective of
     protectingthe righttothe protectionof personaldata    163orcontradictsArticle8 ofthe EU Charter.On
     the processing of data in the WhatsApp services, Advocate General Rantos supports a strict

     interpretationofArticle6(1)(b) GDPRamongother legalbasis, particularlytoavoidanycircumvention
     of therequirement for consent  16.


111.The EDPB finds that an average user cannot fully grasp what is meant by processing for service
     improvement andsecurityfeatures,beawareofitsconsequences andimpactontheirrightstoprivacy
     and data protection, and reasonably expect it solely based on WhatsApp IE’s Terms of Service.

     Advocate General Rantos expresses similar doubts where he states, in relation to Facebook
     behavioural advertising practices, “According to the case-law of the Court of Justice, the processing

     must be objectivelynecessaryfor the performance ofthe contract in the sense that there must be no
     realistic,lessintrusivealternatives,takingintoaccountthereasonableexpectationsofthedatasubject.

     Italso concernsthe factthat,wherethecontractconsists ofseveralseparateservicesor elementsofa
     service that can be performed independentlyofone another, the applicabilityof Article 6(1)(b) of the
     GDPRshould beassessed in thecontextofeach ofthose servicesseparately”      165andaddsin afootnote

     that“Moreover,althoughmerelyreferencingormentioningdataprocessingina contractisnotenough
     to bring theprocessing in question within thescope ofArticle 6(1)(b) of theGDPR,processing maybe


     15DraftDecision,paragraph4.41.
     160
     161raftDecision,paragraphs4.34and4.35.
       DraftDecision,paragraph4.36.
     16Seeparagraphs103-105aboveontheprinciplesguidingtheinterpretationoftheGDPRandisprovisions.The
     CJEU alsostatedinHuberthat”whatisatissueis aconcept[necessity]whichhasitsownindependentmeaning
     inCommunitylawandwhichmustbeinterpretedinamannerwhichfullyreflectstheobjectiveofthatDirective,

     [Directive 95/46], as laid down in Article 1(1) thereof”. Judgment of 18 December 2008, Heinz Huber v
     BundesrepublikDeutschland,C-524/06,EU:C:2008:724,paragraph52.
     16Article1(2)GDPR.
     164Opinion of theAdvocateGeneral of 20 September 2022, Meta Platforms e.a., C-252/21), EU:C:2022:704,
     paragraph§51. TheEDPB refers to theAdvocateGeneral’s Opinion in its Binding Decision as anauthoritative

     sourceof interpretationto underlinetheEDPB’s reasoning on theprocessing of data in theFacebook service,
     withoutprejudicetothecase-lawthattheCJEUmaycreatewithitsfuturejudgmentsonCases C-252/21andC-
     446/21.
     16OpinionoftheAdvocateGeneralof20September2022,MetaPlatformse.a.,C-252/21,EU:C:2022:704,
     paragraph54.




     Adopted                                                                                           29     objectively necessary even if not specifically mentioned in the contract, without prejudice to the
                                           166
     controller’stransparencyobligations”     .
                                        167
112.The EDPB provides in its guidance       assessing what is “necessary” involves a combined, fact-based
     assessment of the processing “for the objective pursued and of whether it is less intrusive compared

     to other options for achieving the same goal”. If there are realistic, less intrusive alternatives, the
     processing is not “necessary”. Article6(1)(b) GDPRdoes not cover processing which is useful but not

     objectively necessary for performing the contractualservice or for taking relevant pre-contractual
     steps at the request of the data subject, even if it is necessary for the controller’s other business
     purposes. While the possibility of improvements of services mayroutinely be included in contractual

     terms,suchprocessing usually cannotbe regardedasbeingobjectively necessaryfor theperformance
     of thecontractwiththe user   168.


113.When analysing the performance of a contract asa legalbasis, the necessity requirement has to be
     interpreted strictly. As stated earlier by the Article 29 Working Party (hereinafter “WP29”)   169, this

     “provision must be interpreted strictly and does not cover situations where the processing is not
     genuinely necessary for the performance of a contract, but rather unilaterally imposed on the data
     subject bythecontroller”  17.


114.Concerning the processing of service improvement, the EDPB finds that a reasonable user cannot
     expectthattheir personaldatais being processedfor service improvement simply because WhatsApp

     IE briefly refers to this processing in its Terms of Service (which both WhatsApp IE and the IE SA
     consider asconstitutingthe entiretyofthe contract),orbecause ofthe argumentthat“on the basisof
     the cont[r]act and wider circumstances, that a reasonable user would have had sufficient

     understanding that the service included the use of metrics for improvement” to which the IE SA
     refers171.

                                          172
115.Inaddition,the IESA alreadydecided        thatWhatsApp IEinfringeditstransparencyobligationsunder
     Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR by not clearly informing the Complainant and
     other users of the WhatsApp IEservices’ specific processing operations, the personal dataprocessed

     in them, the specific purposes they serve, and the legal basis on which each of the processing
     operations relies, as the IE SA concludes in its Draft Decision    173. The EDPB considers that this

     fundamentalfailureof WhatsAppIEtocomplywithitstransparencyobligationscontradictsthe IESA’s
     finding174thatWhatsAppIE’suserscouldreasonablyexpectservice improvementandsecurityfeatures

     asbeing necessaryfor theperformance of theircontract.



     166Ibid,footnote165.
     167
        Guidelines2/2019onArticle6(1)(b)GDPR,paragraph25.
     168Guidelines2/2019onArticle6(1)(b)GDPR,paragraph49.
     169The WP 29 - the predecessorof theEDPB - was established underArticle29 of Directive95/46/EC of the
     EuropeanParliamentandoftheCouncilof24October1995ontheprotectionofindividualswithregardtothe

     processingofpersonaldataandonthefreemovementofsuchdata (“Directive95/46/EC”)andhada role,inter
     alia,tocontributetouniformapplicationofnationalmeasuresadoptedundertheDirective.Manyofsubstantive
     principlesandprovisionsoftheGDPRalreadyexistedintheDirective95/46/EC,suchastheoneatstakeinthis
     Bindingdecision,thusWP29guidanceinthisrespectisrelevantfortheinterpretationoftheGDPR.
     170
     171P29Opinion06/2014onthenotionoflegitimateinterests,p.16.
        CompositeResponse,paragraph59.
     172DraftDecision,paragraph5.9.
     173DraftDecision,paragraph5.9andFinding3.
     174DraftDecision,paragraph4.42.




     Adopted                                                                                             30116.As regardssecurity, the lackof clarityofthe Terms ofService makesit even hardtounderstand what
     arethe different purposes pursued andprocessing carriedout    175.

117.The EDPB recallsthat “controllersshould make sure to avoid any confusion as to what the applicable
     legalbasis is” and thatthis is “particularlyrelevantwhere theappropriate legalbasis is Article6(1)(b)

     GDPRandacontractregardingonline servicesis enteredintobydata subjects”,because “[d]epending
     on the circumstances, data subjects may erroneously get the impression that they are giving their
                                                                                                       176
     consent in line with Article 6(1)(a) GDPR when signing a contract or accepting terms of service”    .
     Article 6(1)(b) GDPR requires the existence of a contract, its validity, and the processing being
     necessaryto perform it.These conditions cannot be metwhere one of the parties(inthis case a data

     subject) is not provided with sufficient information to know that they are signing a contract, the
     processing of personaldata thatit involves, for which specific purposes andon which legalbasis, and
     how this processing is necessary to perform the services delivered. For the purposes of service

     improvement and security features, WhatsApp IE has not relied on any other legalbasis to process
     personal data. These transparencyrequirements are not only an additional and separate obligation,
     but also anindispensable andconstitutive partofthe legalbasis.


118.Given that the main purpose for which a user uses the WhatsApp services is to communicate with
     others,andthatWhatsAppIEconditions theirusetotheuser’sacceptanceofacontractandtheservice
     improvement andsecurity   177 featurestheyinclude, the EDPB cannot see how a user would have the

     possibility of opting out of a particularprocessing which is part of the contract.Thus, WhatsApp IEis
     accountable toprove thatthe legalbasis applied for the processing at hand is validand the failure to
     demonstratethis proves thatArticle6(1) GDPRisnot the applicable legalbasis.

119.The EDPB agreeswiththe DE SA, FI SA, FR SA, NL SA and NO SA       178that there is a risk that the Draft

     Decision’s failure to establish WhatsApp IE’s infringement of Article 6(1)(b) GDPR, pursuant to its
     interpretationby the IE SA, nullifies this provision and makes theoretically lawful any collection and

     reuseofpersonaldatainconnectionwiththeperformanceofacontractwithadatasubject.WhatsApp
     IEcurrentlyleaves the Complainant and other users ofthe WhatsApp services witha “takeit or leave
     it” choice. They may either contract away their right to freely determine the processing of their

     personal dataand submit toits processing for service improvements or security features,which they
     canneither expect, nor fully understand based on the insufficient information WhatsApp IE provides
     to them. Alternatively, they may decline accepting WhatsApp IE’s Terms of Service and thus be

     excludedfrom aservice thatenablesthem tocommunicatewithmillions ofusers.

120.This precedent could encourage other economic operators touse the contractualperformance legal
     basisofArticle6(1)(b)GDPRforalltheirprocessing ofpersonaldata.Therewouldbe theriskthatsome
     controllers argue some connection betweenthe processing of the personal data of their consumers

     andthe contracttocollect,retainandprocess asmuch personaldatafrom theirusers aspossible and
     advance their economic interests at the expense of the safeguards for data subjects. Some of the

     safeguardsfrom which datasubjects would be deprived due toaninappropriate use of Article6(1)(b)
     GDPR as legal basis, instead of others such as consent under Article 6(1)(a) GDPR and legitimate
     interest under Article 6(1)(f) GDPR, are the possibility to specifically consent to certain processing


     175Forthemeaningoftheterm“security”,seeparagraph90above.
     17EDPBBindingDecision01/2021,paragraph214,andGuidelines 2/2019onArticle6(1)(b)GDPR,paragraph20.
     177Forthemeaningoftheterm“security”,seeparagraph90above.
     178
        DESA’s Objections–p.6,paragraph2andp.8,paragraph1;FI SA’s Objections–p.7,paragraphs32and33;
     FR SA’s Objections –paragraph 14;NL SA’s Objections – paragraphs 8 and 28; NO SA’s Objections – p. 4,
     paragraph3.



     Adopted                                                                                            31     operations andnot toothersand tothe further processing of their personal data(Article 6(4)GDPR);
     their freedom towithdrawconsent (Article 7 GDPR);theirright tobe forgotten(Article17 GDPR);and

     the balancing exercise of the legitimate interests of the controller against their interests or
     fundamentalrightsandfreedoms(Article 6(1)(f) GDPR).

121.The EDPBthusconcurs withthe objections of theDE SA, FI SA,FR SA, NL SA and NOSA        179toFinding 2
                                                                                                       180
     of the DraftDecisionin thatthe processing for the purposes of service improvements andsecurity
     featuresperformed by WhatsApp IE are objectively not necessary for the performance of WhatsApp
     IE’sallegedcontractwithitsusers andare not anessentialor core element ofsuch contract.

122.Inconclusion, the EDPB decides that WhatsApp IE has inappropriatelyrelied on Article 6(1)(b) GDPR

     to process the Complainant’s personal data for the purpose of service improvement and security    181
     featuresin the context of itsTermsof Service andtherefore lacks a legalbasis toprocess these data.

     The EDPBwasnot requiredtoexamine whether dataprocessing for such purposes could be basedon
     other legal bases because the controller relied solely on Article 6 (1) (b) GDPR. WhatsApp IE has
     consequently infringed Article 6(1) GDPR byunlawfully processing personal data. The EDPB instructs

     the IE SA to alter its Finding 2 of its Draft Decision which concludes that WhatsApp IE may rely on
     Article6(1)(b) GDPRinthecontext ofitsoffering ofTermsofService andtoinclude aninfringement of

     Article6(1) GDPRbasedon theshortcomings thatthe EDPBhasidentified.


     5 ON THE POTENTIAL ADDITIONAL INFRINGEMENT OF THE

          PRINCIPLES OF FAIRNESS, PURPOSE LIMITATION AND DATA

          MINIMISATION


     5.1 Analysis by the LSA inthe DraftDecision

123.Inlight oftheaforementionedinquiry’s scope,the DraftDecisionmentionsArticle5(1)GDPRinseveral
              182
     passages    . As for the fairness principle, the inquiry consists of reference to the unfair processing
     pointedout bythe Complainant   183.Regardingthepurpose limitationanddataminimisationprinciples,
     there are no other references as the ones mentioned above. The Draft Decision makes several

     references toArticle 5(1)(a) GDPR andthe principle of transparency  184. However, the Draft Decision
     does not address whether Article 5(1)(a) GDPR regarding fairness principle or Article 5(1)(b) and (c)

     GDPR have been infringed. In its Draft Decision, the IE SA mentions its Decision on WhatsApp IE’s
     Transparency, which made findings to the effect that transparency obligations were infringed.
     Therefore,the IESA concludes, that“The inquiry in question focused on the same issues raised in the

     herein Complaint insofar as transparencyis concerned (although was much broader in scope). Given
     theseissues have alreadybeen investigated and adjudicated on bythe Commission, I provisionallyfind
                                                                                        185
     thatthe transparencyissues raised in this Complaint have alreadybeenaddressed.”




     179
       DE SA’s Objections–p.5, paragraphs3and4;;FI SA’s Objections –p.6,paragraph24;FRSA’s Objections–
     p. 7,paragraph38;NLSA’s Objections–paragraph26;NOSA’s Objections-p.8.
     18Forthemeaningoftheterm“security”,seeparagraph90above.
     18Forthemeaningoftheterm“security”,seeparagraph90above.
     18See, forexample,DraftDecision,Section5,paragraphs5.1,5.7and5.8.
     183
     184omplaint,paragraphs2.3.1.and2.3.2.
       DraftDecision,Section5,paragraphs5.8and5.9.
     18DraftDecision,Section5,paragraphs5.9and5.10.


     Adopted                                                                                           32     5.2 Summary of the objections raised by the CSAs

124.The ITSAraisesanobjectionarguing that the Draft Decisionshouldbe amendedtoinclude findingsof

     aninfringement ofArticle 5(1)(a)GDPRinrelationtothe fairness principle. Thisobjection claimsthat,
     even though there is the IE SA’s Decision on WhatsApp IE’s Transparency, which incorporates the
     principle set out in the EDPB’sBinding Decision 1/2021 and where an infringement of transparency

     principle wastobe found, theinfringementregardingtothefairnessprinciple should beseparatefrom
     transparency.The IT SA elaboratesthatreferringtoArticle 6(1)(b) GDPRshould not be found tobe in

     line withthe fairness principle, asusers arefactuallyunable tograsphow their personal datais being
     used byWhatsApp IE    18.

125.The IT SA raises another objection stating that the Draft Decision should be amended to include

     findings of infringement of Article 5(1)(b) and (c) GDPR. The IT SA is of the view that the fact that
     WhatsApp IE’s “(multifarious) processing activities involving personal data are grounded in Article
                                                                                                    187
     6(1)(b) GDPR entails an infringement ofpurpose limitation and data minimization principles”       . The
     IT SA states that the IE SA has failed to investigate compliance with Article 5(1)(b) and (c) GDPR.
     Further,the ITSA statesthatallthe purposes of the processing of personal dataperformedunder the

     terms of Article 6(1)(b) GDPR must be specified and communicated to data subjects. As such, the
     service thatWhatsApp IEoffers pursues severalpurposes, thereforethe applicabilityof Article6(1)(b)

     GDPR should be assessed separately in the context of each service. The IT SA elaborates that the
     purposes provided tousers areinadequate andhave no connectiontothe processing activities.


     5.3 Position of the LSA on the objections

126.The final position of the IE SA is that of not following these objections. in its Composite Response,
     concerning allobjections, the IESA notesthatthe objections onthe fairness principle inArticle 5(1)(a)
                                                           188
     GDPRarenotinthescope oftheunderlying complaint           .Furthermore,theIESAstatesthatthiswould
     procedurallyconstrain theIE SA’sabilitytoadopt itsfinal decision   18.

127.Inaddition, the IE SA statesthatit would also risk breaching the controller’srightto afair procedure,

     as the controller was not afforded a right to be heardon such matter. The IE SA highlights the legal
     consequences thatwouldflow from makingmaterialchangesconcerning infringementsoutside ofthe
     complaint andDraftDecision,namelythelikelihood thatWhatsAppIEwouldsucceedinarguingbefore

     the Irish courts that it has been denied an opportunity to be heard on additional and extraneous
     findings thatare adverse toit 190.

128.The IE SA further considers that the objection raised by the IT SA with regard to the possible

     infringementofArticle5(1)(b) and(c)GDPRis not relevantandreasoned,since itwould nothave been
     appropriate toundertake anopen-ended assessment of allprocessing operations bythe controller in
                                     191
     order to handle the complaint      . This would have resulted in a disproportionate and open-ended
     examinationoftheprocessing carriedoutbyWhatsAppIE.Therefore,itwasmoreimportanttoresolve
                                                                                     192
     the fundamentaldispute regardingtheinterpretationof Article6(1)GDPRfirst          .


     186ITSA’s Objection,paragraph3,pages8-10.
     187
        ITSA’s Objection,page6.
     188CompositeResponse,paragraphs28and29.
     189Ibid.,paragraph29.
     190CompositeResponse,paragraphs28to32.
     191ITSA’s Objection,paragraph2.
     192
        CompositeResponse,paragraph25.



     Adopted                                                                                             33     5.4 Analysis of the EDPB


     5.4.1 Assessment of whether theobjections were relevant and reasoned

129.The ITSA’sobjection concerns “whetherthereis aninfringement ofthe GDPR”         193.

130.The EDPB takesnote that WhatsApp IE agreeswiththe IE SA’s conclusion in its Composite Response

     thattheobjectionfrom theITSA aboutfinding aninfringementofArticle5(1)(a)GDPRalsowithregard
     to non-conformity with respect to the fairness principle is not relevant. In addition, WhatsApp IE

     submits that the objection does not meet the “reasoned” threshold asit is not basedon anydetailed
     factualor legalreasoningandfailstoaddressthe significanceofthe allegedriskstofundamentalrights
                                 194
     posed by the DraftDecision    . According to WhatsAppIE,“it would be inappropriate for the EDPBto
     direct the [IE SA] to make any findings in respect of Article 5(1)(a) (fairness of lawfulness) in its final
                                                                                               195
     decisionin theInquiryincircumstanceswherethisis outside theDefinedScope of Inquiry.”

131.Inaddition tothe above mentioned,the Complainant doesnote: “Evenifa trainedlawyerreadsallthe
     textthatthecontrollerprovides,he/shecanonlyguesswhatdataisprocessed,forwhich exactpurpose

     and on which legalbasis. This is inherentlynon-transparent and unfair within the meaning of Articles
     5(1)(a) and 13(c).This approachthereforestandsin clearcontrast to informed consent or any form of
                                                                               196
     “plainlanguage” or even “easytounderstand” requirements(Recital39).”

132.WhatsApp IE also affirms that compliance with Article 5(1)(a) GDPR is distinct from compliance with
     Article 6(1) GDPR and must be separately assessed before any finding of infringement could be
           197
     made    .

133.The EDPBrecallsthatanobjectioncould goasfarasidentifying gapsinthe draft decisionjustifying the
     need for further investigation by the IE SA, for example in situations where the investigation carried

     out by the IE SA unjustifiably fails to cover some of the issues raised by the Complainant 198. In this
     regard, the EDPB observes that, in the complaint, the Complainant alleges that the information

     provided inWhatsApp IE’sPrivacyPolicy “isinherentlynon-transparent and unfair within themeaning
     of Articles5(1)(a) and 13(c)”99.Thisis alsonoted bythe IESA  200.

134.Aspreviously mentioned,the EDPBnotesthatthefirst objection ofthe ITSA concerns “whetherthere

     is aninfringement of the GDPR”asit arguesthat the IE SA should have found aninfringement of the
     fairnessprinciple under Article5(1)(a)GDPR.Assuchobjectiondemonstratesthat,iffollowed, itwould

     leadtoa different conclusion astowhetherthereis aninfringement ofthe GDPRornot, the objection
     is tobe considered as“relevant”  201.

135.Inaddition,this objectionisalso consideredtobe “reasoned”sinceitputsforwardseveralfactualand

     legalargumentsfor the proposed changeinlegalassessment. The additionalinfringement stemsfrom




     193
        GuidelinesonRRO,paragraph24.
     194WhatsAppIE’sArticle65Submissions,pp.107-109.
     195Ibid.,p.31.
     196Complaint,paragraph2.3.1.
     197
     198WhatsAppIE’sArticle65Submissionsparagraph.4.25.
        GuidelinesonRRO,paragraph27.
     199Complaint,p.14.
     200DraftDecision,paragraph5.7.
     201GuidelinesonRRO,paragraph13.




     Adopted                                                                                            34                                                                                               202
     the scope and findings of the Draft Decision, which also mentions Article 5(1)(a) GDPR      , and the
     overarchingnature ofArticle 5(1)(a)GDPR.

136.Additionally, the EDPBfindsthattheobjection oftheITSA clearlydemonstratesthesignificance ofthe

     risks posed by the Draft Decision to the fundamental rights and freedoms of data subjects, since it
     would create a dangerous precedent that would jeopardize the effective protectionof data subjects
     andthus entailflawedcorrective actions.

137.The EDPBconsiders the objection on Article 5(1)(a) GDPRtobe adequatelyreasonedand recallsthat

     the assessment of merits of the objection is made separately, after it has been established that the
     objection satisfies therequirementsof Article4(24) GDPR   203.

138.Although the second objection of the IT SA, relating to the additional infringements of the purpose

     limitationprinciple under Article5(1)(b)GDPRandthedataminimisationprinciple under Article5(1)(c)
     GDPR, is relevant and includes justifications concerning why and how issuing a decision with the

     changesproposed in theobjection isneededandhow the changewould leadtoadifferent conclusion
     in the Draft Decision, it does not satisfy all the requirements stipulated by Article 4(24) GDPR. In
     particular, the objection raised does not explicitly motivate why the Draft Decision itself, if left

     unchanged,would presentrisks for the fundamentalrightsandfreedomsof datasubjects. Inaddition,
     the EDPB notesthat the IT SA’s objection does not explicitly elaborate why such a risk is substantial
     and plausible204. Therefore, the EDPB concludes that this particular objection of the IT SA does not

     provide a cleardemonstrationof therisks as specificallyrequired byArticle 4(24)GDPR.

     5.4.2 Assessment of the merits

139.In accordance with Article 65(1)(a) GDPR, the EDPB shall take a binding decision concerning all the

     matterswhich arethe subject of the relevant andreasoned objections, in particularwhether thereis
     aninfringement ofthe GDPR.

140.The EDPB considers that the objection found tobe relevant andreasoned in this subsection requires

     anassessment of whether the DraftDecision needs tobe changedinsofar as it contains nofinding of
     infringement of the fairness principle under Article 5(1)(a) GDPR. When assessing the merits of the
     objection raised, the EDPB also takes into account WhatsApp IE’sposition on the objection and its

     submissions, focussed on arguingthattheITSA objectionis not relevantandreasoned,ratherthanon
     the content.

141.Beforeproceedingwiththeassessment ofthemerits,theEDPBrecallsthatthebasic principlesrelating
                                                                     205
     to processing listed in Article 5 GDPR can, assuch, be infringed   . This is apparent from the text of
     Article 83(5)(a) GDPR which subjects the infringement of the basic principles for processing to
     administrative finesof upto20 000 000 EUR,or inthe caseof anundertaking,ofup to4% ofthe total

     worldwide annual turnover ofthe preceding financialyear,whichever ishigher.

142.Atfirst,theEDPBnotesthattheconceptoffairnessisnotdefined assuchintheGDPR.However,recital
     39 GDPRprovidessome elementsastoitsmeaning andeffect inthe context ofprocessing ofpersonal



     202TheObjectionreferstoparagraph5.7oftheDraftDecision.
     203GuidelinesonArt.65(1)(a),paragraph63(“TheEDPBwillassess,inrelationtoeachobjectionraised,whether
     the objectionmeetstherequirementsofArticle 4(24)GDPRand,ifso,addressthemerits ofthe objectioninthe
     bindingdecision.”).
     204
     205GuidelinesonRRO,paragraph37.
        Bindingdecision1/2021,paragraph191.



     Adopted                                                                                            35     data.Animportantaspect oftheprinciple offairnessunder Article5(1)GDPR,whichis linkedtorecital
     39, isthatdata subjectsshould be able todetermine in advancewhat thescope andconsequences of

     the processing entails andthattheyshould not be takenby surprise ata laterpoint about theways in
     whichtheir personal datahave beenused     20.

143.Fairness isanoverarching principle, whichrequires thatpersonaldatashall not be processed in away

     that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data
     subject. Measuresand safeguardsimplementing the principle of fairness also support the rightsand
     freedoms of data subjects, specifically the right toinformation (transparency), the right tointervene

     (access, erasure, data portability, rectification) and the right to limit the processing (right not to be
     subject to automated individual decision-making and non-discrimination of data subjects in such
                207
     processing)   .

144.The principles offairandtransparentprocessing requirethatthe data subject shall be informedofthe
     existence ofthe processing operationanditspurposes. Thecontroller should provide the datasubject
     withany further information necessarytoensure fair and transparentprocessing taking intoaccount

     the specific circumstances and context in which the personal data are processed. Furthermore, the
     datasubjectshould be informedoftheexistenceofprofiling andtheconsequences ofsuchprofiling         208.

145.The EDPB underlines that the principles of fairness, lawfulness and transparency, allthree enshrined

     in Article 5(1)(a) GDPR, are three distinct but intrinsically linked and interdependent principles that
     every controller should respect when processing personal data. The link between these principles is

     evident from a number of GDPR provisions: recitals 39 and 42, Article 6(2) and Article 6(3)(b) GDPR
     refer tolawful andfairprocessing, while recitals60 and71 GDPR,aswellasArticle 13(2),Article 14(2)
     andArticle 40(2)(a)GDPRrefertofair andtransparentprocessing.


146.The IT SA statesthat “theinfringement of Article 5(1)(a) GDPRshould be found by the LSA in thecase
     at hand by having also regard to the more general fairness principle, which entails separate
     requirementsfromthose relating specificallyto transparency.”   209


147.Thereis nodispute thatinitsDecision onWhatsAppIE’sTransparency,theIESA found a breachofthe
     transparency principle, but the EDPB considers that the principle of fairness has an independent
     meaning and stresses that an assessment of WhatsApp IE’s compliance with the principle of

     transparencydoesnot automaticallyruleout theneedfor anassessment ofWhatsAppIE’scompliance
     withthe principle of fairness too.

148.The EDPB recallsthat, in data protection law, the concept of fairness stems from the EU Charter    21.

     TheEDPBhasalreadyprovidedsome elementsastothe meaningandeffect ofthe principle offairness
     in the context of processing personal data. For example, the EDPB has previously opined in its
     GuidelinesonDataProtectionbyDesignandbyDefaultthat“Fairnessisan overarchingprinciplewhich

     requires that personal data should not be processed in a way that is unjustifiably detrimental,



     206WP29GuidelinesontransparencyunderRegulation2016/679,paragraph10.
     207
        EDPB Guidelines 4/2019on Article25 Data Protectionby Design and byDefault, Version 2, Adopted on 20
     October2020,hereinafter“GuidelinesonDataProtectionbyDesignandbyDefault”).
     208Recital60GDPR.
     209ITSA’s Objection,paragraph3,p.9.
     210Article8 of theEU Charter states as follows:“1. Everyone has the right to the protection of personal data

     concerninghimorher.2.Suchdatamustbeprocessedfairlyforspecifiedpurposesandonthebasisoftheconsent
     ofthepersonconcernedorsomeotherlegitimatebasislaiddownbylaw”(emphasisadded).



     Adopted                                                                                            36     unlawfully discriminatory, unexpectedor misleading to the data subject”   21. Among the key fairness
     elements that controllers should consider in this regard, the EDPB mentions autonomy of the data

     subjects, data subjects’ expectation, power balance, avoidance of deception, ethical and truthful
     processing 21. These elements are particularlyrelevant in the case at hand. The principle of fairness

     under Article 5(1)(a) GDPR underpins the entire data protection framework and seeks to address
     power asymmetriesbetweencontrollersand datasubjects in order tocancelout the negativeeffects

     of suchasymmetriesandensure the effectiveexercise of datasubjects’ rights.

149.The EDPB has previously explained that “the principle of fairness includes, inter alia, recognising the
     reasonable expectationsof the data subjects, considering possible adverse consequences processing

     may have on them,and having regardto therelationship and potentialeffectsofimbalance between
     them andthe controller”  213.The EDPB recallsthat a fair balance must be struck between,on the one

     hand, the commercialinterests of controllers and, on the other hand, the rightsand expectations of
     datasubjectsunderthe GDPR     21.Akeyaspectofcompliancewiththeprinciple offairnessunderArticle
     5(1)(a) GDPR refers to pursuing “power balance” as a “key objective of the controller-data subject
                  215
     relationship”   , especially in the context of online services provided without monetary payment,
     where users are often not aware of the ways and extent to which their personal data is being
               216
     processed    . Consequently, if data subjects are not enabled to determine what is done with their
     personal data,thisis incontrast withthe elementof “autonomy” of datasubjects astothe controlof
                                          217
     the processing of their personaldata    .

150.Considering the constantlyincreasing economic value of personaldatain thedigitalenvironment, itis
     particularly important to ensure that data subjects are protected from any form of abuse and

     deception, intentionalor not, whichwould result inthe unjustified loss of controlover theirpersonal
     data.Compliance byproviders ofonline servicesacting ascontrollerswith allthreeof the cumulative
     requirements under Article 5(1)(a) GDPR, taking into account the particular service that is being

     provided and the characteristics of their users, serves as a shield from the danger of abuse and
     deception, especially in situations of power asymmetries. Therefore, the EDPB disagreeswith the IE

     SA’s finding that assessing WhatsApp IE’scompliance with the principle of fairness “would therefore
     not only represent a significant departure from the scope of inquiry, as formulated, but it would also

     risk breaching thecontroller’sright to a fair procedure,asregardsanymatterwhich was neverput to









     211EDPB 4/2019 Guidelines on Article25, Data Protectionby Design andby Default, version2, adopted on20
     October2022,(hereinafter“GuidelinesonDataProtectionbyDesignandbyDefault”)paragraph69.
     212GuidelinesonDataProtectionbyDesignandbyDefault,paragraph70.
     213
        GuidelinesonArticle65(1)(a),paragraph12.
     214Onthebalancebetweenthedifferentinterestsatstakeseeforexample:Judgmentof12December2013,X,
     C-486/12,EU:C:2013:836;Judgmentof7May2009,CollegevanburgemeesterenwethoudersvanRotterdamv
     M. E. E. Rijkeboer,C-553/07,EU:C:2009:293; Judgmentof9November2010injoinedcases,VolkerundMarkus
     ScheckeGbR,C-92/09,andHartmutEifert,C-93/09,vLandHessen,EU:C:2010:662.
     215
        GuidelinesonDataProtectionbyDesignandbyDefault,paragraph70.
     216On“onlineservices”,seeGuidelines1/2019onArticle6(1)(b)GDPR,paragraphs3-5.
     217GuidelinesonDataProtectionbyDesignandbyDefault,paragraph70.Accordingtothis elementoffairness,
     “data subjects shouldbe granted the highest degree of autonomy possible to determine the use made of their
     personaldata,aswellasoverthescopeandconditionsofthatuseorprocessing”.




     Adopted                                                                                            37     the complainant duringthe courseof inquiry.”   218Inaddition, it isimportant tonote that WhatsAppIE
                                                                                                    219
     hasbeen heardon the objections andthereforesubmitted writtensubmissions onthis matter             .

151.The EDPB haspreviously emphasised that the identification of the appropriate lawful basis is tied to
     the principles offairness andpurpose limitation 220.Inthis regard,theITSA rightlyobserves thatwhile

     finding a breachof transparencyrelatestothe way in which information has been provided to users
     via thetermsofservice andthe PrivacyPolicy, compliance withthe principle offairness alsorelatesto

     ‘how the controlleraddressed thelawfulness of theprocessing activitiesin connection with its calling
     and messaging service’  22.Thus, the EDPB considers that anassessment of compliance by WhatsApp

     IE withthe principle of fairness requiresalso anassessment of the consequences thatthe choice and
     presentation of the legalbasis entail for the WhatsApp services’ users. Inaddition, that assessment

     cannot be made in the abstract, but has to take into account the specificities of the particular
     messaging service and of the processing of personal datacarriedout, namelyfor purposes relatedto
                                             222
     improvements ofthe messaging service       .

152.The EDPB notes that in this particular case, the Complainant was forced to consent to the Terms of
     Service andthe PrivacyPolicy 223 andthisclearlyimpactsthe reasonableexpectationsofWhatsApp IE’s

     users byconfusing them onwhether clicking the ”Accept”buttonresultsin givingtheir consent tothe
     processing oftheirpersonaldata.TheEDPBnotesinthisregardthatoneoftheelementsofcompliance

     with the principle of fairness is avoiding deception (i.e. providing information “in an objective and
     neutralway, avoiding anydeceptiveor manipulative language or design”     224).

153.As the IESA itselfnotes, the Complainant arguesthatWhatsApp IEreliedon ”forcedconsent” for the

     processing simply because it did in fact believe that the controller was relying on the legalbasis of
     consent for thatprocessing 225. TheComplainant presentsthescreenshot, aimingtodemonstratethat,
                                                                                                        226
     “thedatasubject was presentedwith an easyclick to quickly consent,and to returnto the service.”
     TheEDPBkeepsinmind thatinthecomplaint,thiswasexplainedinthecontextofarguingthatconsent

     wasforced. Therefore,theEDPBsharestheITSA’sconcernthatWhatsAppIEmisrepresentedthe legal
     basis of the processing and that WhatsApp IE’s users are left ”in the dark” as to the possible

     connections between the purposes sought, the applicable legal basis and the relevant processing
     activities27. This being said, the EDPB considers that the processing by WhatsApp IE cannot be
                                     228
     regardedasethicaland truthful       because it is confusing with regardtothe type of data processed,




     218
        CompositeResponse,paragraph30.
     219WhatsAppIE’sArticle65Submissions,Category1f:“TheDPCshouldalsomakefindingsthatWhatsApp
     IrelandinfringedthefairnessprincipleunderArticle5(1)(a)GDPR/lawfulnessprincipleunderArticle5(1)(a)
     GDPR“,p. 31.
     220
        Guidelines1/2019onArticle6(1)(b)GDPR,paragraph1.
     221ITSA’s Objection,p.9.
     222DraftDecision,paragraph4.40.
     223Seeparagraph3above.
     224
        GuidelinesonDataProtectionbyDesignandbyDefault,paragraph70.
     225DraftDecision,paragraph5.7.
     226Complaint,p.5.
     227ITSA’s Objection,p.9.
     228
       GuidelinesonDataProtectionbyDesignandbyDefault,paragraph70,wheretheEDPBexplainsthat“ethical”
     means that“Thecontrollershouldseetheprocessing’swiderimpactonindividuals’rightsand
     dignity“and“truthful”meansthat“Thecontrollermustmakeavailableinformationabouthowtheyprocess
     personaldata,theyshouldactastheydeclaretheywillandnotmisleadthedatasubjects”.




     Adopted                                                                                            38     the legalbasis used and the purposes of the processing, which ultimatelyrestrictsthe WhatsApp IE’s
     users’ possibility toexercise their datasubjects’ rights.


154.Considering the seriousness of WhatsAppIE’smisrepresentationonthe legalbasis reliedonidentified
     in the currentBinding decision 22, the EDPBagreeswiththe ITSA thatWhatsApp IE haspresentedits
     service toitsusers inamisleading manner   230,whichadverselyaffectstheircontrolover theprocessing

     of theirpersonal dataandthe exercise oftheir datasubjects' rights.

155.This isallthe more supported bythe fact thatthecircumstancesof the present caseasdemonstrated
     above 231andtheinfringement ofArticle6(1)(b)GDPR     232furtherintensifytheimbalancednatureofthe

     relationship betweenWhatsApp IEanditsusers brought up bythe ITSA’sobjection.

156.The combination of factors, such asthe unbalancedrelationship betweenWhatsApp IE andits users,
     combined with the “take it or leave it” situation that they are facing due to the lack of alternative

     services in the market and the lack of options allowing them to adjust or opt out from a particular
     processing under their contract with WhatsApp IE, systematically disadvantages them, limits their

     control over the processing of their personal data and undermines the exercise of their rights under
     Chapter IIIGDPR.

157.Therefore, the EDPB instructs the IE SA to include a finding of an infringement of the principle of

     fairnessunder Article5(1)(a)GDPRbyWhatsAppIEandtoadoptthe appropriatecorrectivemeasures,
     byaddressing,but withoutbeinglimitedto,thequestionofanadministrativefine forthisinfringement
     asprovided for in Section8 of thisBinding decision.



     6 ON THE FURTHERINVESTIGATION


     6.1.1 Analysis bythe LSA in the Draft Decision

158.Accordingtotheclaim    233madeinthecomplaint,datasubjectshaveto“agreeto”WhatsAppIE’sTerms
     of Service andPrivacyPolicy atthe timeof the update thatwasmadetothe documents inApril 2018.

     The IESA considers thatitis necessarytorecognise the difference betweenagreeingtoacontractand
     providing consent to personal data processing specifically for the purposes of complying with the
                                 234
     GDPR.The IESA elaborates       that WhatsAppIE does not rely on consent in order to process dataon
     foot of the Terms of Service, nor it is legally requiredto do so, thus reliance on Article 7 GDPR is not
     applicable, regarding the subject matter of the complaint and will not be a subject to further

     consideration.

159.InitsDraftDecision,the IESA concludes thatargumentsonthe applicabilityof Article6(1)(b) GDPRas
     a legalbasis for data processing to facilitate (behavioural) advertising “are not relevant to the within

     inquiry”235,giventhe absence of references,relatedtoadvertising or sponsored content inWhatsApp
     IE’sTermsofService, andthe absence ofevidence thatsuch processing takesplace.




     229See, paragraph117above.
     230
        ITSAObjection,page9.
     231DraftDecision,paragraphs148-153.
     232DraftDecision,paragraphs117and122.
     233DraftDecision,paragraph3.11.
     234DraftDecision,paragraph3.19.
     235
        DraftDecision,paragraph4.8.



     Adopted                                                                                            39160.Another considerationmadebythe IESAis relatedtothedataprocessing relatedto“exchangeofdata
     withaffiliatedcompanies” andthe processing ofspecialcategoriesof data,namely:

             1) The IE SA considers that there is no evidence   236for the assertion that WhatsApp IE is

                 processing data that facilitates the inferring of special categories of personal data,
                 pertainingtoreligious views,sexualorientation, politicalviewsandhealthstatus.Further,
                 asstated,noevidence ispresentedin thisregardatall, thusa conclusion is madethat the

                 processing ofspecialcategoriesofdatapursuanttoArticle9GDPR,doesnot fallwithinthe
                 scope ofthe complaint andis thusirrelevant.

             2) In its Draft Decision, the IE SA notes that a distinguished feature of WhatsApp IE is the

                 regular monitoring of its service, in order to ensure its well-functioning, as well as
                 maintaining a security 237and abuse standards (both being part of the substance and
                 fundamentalobject ofthe contract).Thus,WhatsAppIEcould relyonArticle 6(1)(b)GDPR
                                                                       238
                 asalegalbasisfor such processing inprinciple. Further    ,theIESA considers thatitis not
                 for an authoritysuch as it, tasked withthe enforcement of data protectionlaw, to make

                 assessments as to what will or will not make the performance of a contract possible or
                 impossible. Instead,the generalprinciples set out in the GDPRandexplainedby theEDPB
                 in the Guidance must be applied. These principles should be applied on a case-by-case

                 basis, and should be afforded more weight than generalised examples provided in the
                 Guidance,which arehelpful andinstructive but arebyno meansabsolute or conclusive.

             3) TheIESA statesthatitisclearfromthe TermsofService       239that“anysharing with affiliated

                 companies forms part of the general “improvements” that are carried out pursuant to
                 Article6(1)(b) GDPR”and“sharing of WhatsApp user data toMetaCompanies takesplace
                 on a controller to processor basis only, there does not need to be a distinct legal basis

                 supporting it(or assessment ofthisissue in theInquiry)”.Moreover,initsview,thereisnot
                 an explicit prohibition envisagedin Guidelines 2/2019 on Article 6(1)(b) GDPR relatedto
                 the processing ofpersonal datathatis necessarytofulfil acontractualterm thatcommits

                 to improving the functionality, efficiency, etc. of an existing service. Further, the IE SA
                 statesthatthecoreoftheservice,asoutlinedinthespecific contractwiththedatasubject,

                 clearlyincludes thoseservices. Initsview,theprocessing isnecessarytodeliver theservice
                 offered(as set out inthe TermsofService).

161.The IESA supports the conclusions made above by referencetothe following:

162.The IE SA 240 begins by pointing out that it is important todistinguish betweenagreeing toa contract

     thatmight involve personaldataprocessing, andthe provision ofconsent topersonaldataprocessing
     specifically for legitimisingthe saiddataprocessing under the GDPR.Itshouldalsobe notedthatthere
     are differences betweenthe legalbases for processing under Article 6(1)(a)and (b) GDPR.The IE SA

     continues thatin many such casesinvolving a contract betweena consumer and anorganisation,the
     lawfulbasis for processing ofpersonal datais“the necessityfor theperformance of acontract”under

     Article6(1)(b) GDPR.




     23DraftDecision,paragraph4.33;DraftDecisionSchedule,paragraphs3.29,3.30and3.31.
     237
     238orthemeaningofthetermsecurity,seeparagraph90ofthisbindingdecision.
       DraftDecision,paragraph4.45
     23DraftDecision,paragraph4.33,aswellasparagraphs4.36to4.43.
     24DraftDecision,paragraphs3.11to3.17.


     Adopted                                                                                           40163.The IESA statesthatthe GDPRdoesnot set out anyform ofhierarchyoflawfulbases thatcanbe used
     for processing personal data, whether by reference to the categoriesof personal data or otherwise.

     Moreover, Article 7 GDPR(as relied on by the Complainant) concerns the conditions for consent and
     is relevant when considerations are made regarding whether particular criteria are met, in order to
     ensure thatthe consent is lawful.The aforementionedprovision isnot indicative of whichlawfulbasis

     the controller has to rely on, but instead assists the latter to determine whether the conditions of
     validityaremet.Therefore,theIESA thusconsiders thatArticle7GDPRisnot applicable tothe subject

     matterraisedbythe Complainant.

164.The IE SA considers that no evidence waspresented whatsoever by the Complainant that WhatsApp
     IE processes personal data for the purpose of advertising and that it relies on Article6(1)(b) GDPRto
          241
     do so   . Inaddition, the IE SA takes note that WhatsApp IE’sTerms of Service are not similar to the
     examplesof situations, citedin the complaint, where Article6(1)(b) GDPRdoes not apply, namely for
     advertising andsponsored consent. The IESA concludes thatargumentsrelatedtothe applicabilityof

     Article6(1)(b) GDPRfor dataprocessing thatfacilitatesadvertising,arenot relevant.

165.In addition, as outlined in the Schedule to the Draft Decision 242, the assertions about WhatsApp IE’s
     alleged ability to infer religious views, sexual orientation, political views and health status are not
                                                                               243
     backedwithanyevidence onthe Complainant’spart.The IESA concludes             thatthereis noevidence
     thatWhatsApp IEprocesses specialcategoriesof personal dataatall, thus the question ofprocessing
     such datadoes not fallwithinthe scope ofthe inquiry atall.

                                                     244
166.Moreover, according to the IE SA, it is evident      from the Terms of Service that any sharing with
     affiliatedcompaniesforms partofthegeneral“improvements”thatarecarriedoutpursuanttoArticle
     6(1)(b) GDPR,andso in realityanycleardelineation betweenthese twoforms ofprocessing would be

     artificial. It needs to be pointed out that one aspect of the aforementioned sharing is the possible
     receptionofmessages for the purposes of directmarketingand, in particular,“anoffer for something
                         245
     thatmight interest”    therespective user.
                                         246
167.The Complainant, however, argues        that such improvements and security features, as referenced,
     and the associated sharing of data with other Meta Companies (then Facebook Companies), is not

     necessaryin order to deliver a messaging service, andthat simply placing these termsin the contract
     does not make them necessary. Although those statementsmight be true, according to the IE SA it
     does not follow that fulfilling these termsis not necessaryin order tofulfil the specific contract with

     WhatsAppIE.TheIESAaddsthattodothat,tousethelanguageoftheEDPB,itisnecessarytoconsider
     “thenatureof theservicebeing offered to thedata subject”.


     6.1.2 Summary ofthe objections raised bythe CSAs

168.TheFISA,FR SAandITSAobjecttotheconclusions reachedbythe IESAinitsDraftDecision,requesting
     the IE SA tofurther investigatethe mattersof behavioural advertising,special categoriesof personal

     data, the provision of metrics tothird parties, including to companies belonging to the same group,
     andmarketing.


     241
        DraftDecision,paragraph4.8.
     242ScheduletoDraftDecision,paragraphs3.29and3.30.
     243ScheduletoDraftDecision,paragraph4.33.
     244DraftDecision,paragraphs4.33and4.41.
     245
     246DraftDecision,paragraph2.11(“WaysToImproveOurServices”).
        DraftDecision,paragraph4.36.



     Adopted                                                                                            41169.On behaviouraladvertising,inthe FR SA’sview      24, the Draft Decisiondoesnot include an analysisfor
     the applicable legalbasis for the processing of personal data,relatedto behaviouraladvertising, asit

     considers thatneither the Complainant, nor WhatsAppIE’sgeneralTermsandConditions provide any
     evidence that personal data are processed for that purpose. It also notes that this exclusion is not
     justified byother elementssuchasinvestigationreportsor thesending ofquestionnaires bythe IESA.
                         248
     Moreover,the FRSA       is ofanopinion thatthe IESA should have carriedout aninvestigationin order
     to verify whether or not the WhatsApp IE processes personal data for the purposes of behavioural

     advertising.
                                                             249
170.Onspecialcategoriesofpersonaldata,theFRSAargues             thattheDraftDecisiondoesnot pronounce
     on the lawfulness ground that is applicable with regard to the processing of special categoriesof

     personal data, even though the complaint does. In addition, together with examining whether the
     conditions are met in the present case for the processing of special categories of personal data
     pursuant toArticle 9(2)GDPR,the IE SA shouldhave carriedout the investigationsnecessary, inorder

     toverifywhether such processing is actuallytaking place.

171.The IT SA opines  250that the processing of special categoriesof personal data relating to users that
     participate in chatswith business users relying on a third-partyprovider (which might be WhatsApp

     IE’s controlling company Meta) should have been identified as a specific processing activity to be
     assessed and evaluated separately by the IE SA. In addition, the IT SA considers that no in-depth
     assessment has beencarriedout in this regard,but insteadthatthe IE SA simply endorses WhatsApp

     IE’sstatementthatallcommunications areencrypted.

172.On theprovisionofmetrics tothirdparties,includingtoaffiliated companies,theFR SA arguesthat
     the Draft Decision251 does not pronounce on the applicable legalbasis for such processing, despite

     mentioned initially in the complaint. It continues that the IE SA has not defined which activities are
     coveredunder such processing. Therefore,the FR SA requests theIE SA tocomplete itsDraftDecision

     in thisregard.Inaddition, the FR SA requests thatthe conditions for theapplicationof the other legal
     basesmentioned inArticle6 GDPR,namelyconsent, contractandlegitimateinterestareexamined,as
     well. Hence,theFR SA considers, thatWhatsAppIE cannot relyonthe aforementionedlegalbasesfor

     processing for the purposes provision ofmetricstothirdparties.

173.The IT SA notes  252 that the arguments put forward by the IE SA regarding the joint assessment of
     processing for service improvement purposes and the exchange of data withaffiliated companies, is

     neither convincing, nor exhaustive. The IT SA is of the view that the IE SA should have identified and
     separately assessed the processing activities in question without “pooling” them into the service

     improvement category.Moreover,theexact wording usedinWhatsAppIE’sTermsofService includes
     “affiliatedcompanies”,“partners”and “service providers”, whichare,inthe IT SA’sview, unspecified,
     meaning that the exchange of personal data betweenthem could “hardly fall within the intra-group

     communications between WhatsApp and the other Meta companies and could be legitimised as a
     controller-processorrelationship.”TheIT SA arguesthattheIE SA couldhave identified andseparately

     assessed the legalbasis for the said exchangeof datawithpartnersandthird-partyservice providers.
     In addition, in the light of the complaint, the IT SA notes that data are exchanged with affiliated

     247
        FRSA’s Objection,paragraph6.
     248FRSA’s Objection,paragraph7.
     249FRSA’s Objection,paragraph33.
     250ITSA’s Objection,paragraph3.a.
     251
     252FRSA’s Objection,paragraphs35to45.
        ITSA’s Objection,paragraph3.b.



     Adopted                                                                                            42     companies not only for service improvement purposes, but also for unspecified ones, relatedtothe
     management and provision of the WhatsApp services. The IT SA stresses on the need for further

     investigationon thismatter.

174.On marketing, the FI SA takes note  253that the Draft Decisioncontains conclusions that WhatsAppIE
     may rely on Article 6(1)(b) GDPR as a legal basis in the context of its Terms of Service and, more

     precisely, for the processing for the purposes set out there, including marketing. Further, the FI SA
     opines that anassessment is needed inorder to determinewhether WhatsApp IEhasa relevant legal
                                                             254
     basisfor processing personaldataformarketingpurposes       .TheFISA arguesthat,providedthatthere
     is anindication in WhatsApp IE’sTerms ofService thata user might receive marketing messages,the
     IESA should have carriedout aninvestigationinthis regard   25.


     6.1.3 Position ofthe LSA on theobjections

175.The IESA statesthatit does not propose to“follow”   256the objections raisedby the CSAs.

176.Inthe lightof thesuggestionsmade bysome ofthe CSAs      257thatthe scope ofthe inquiry oughttohave

     considered additional factual matters, such as behavioural advertising, the IE SA notes that a
     complaint-based inquiry has been conducted. The IE SA considers thata requirement, from a CSA, to

     amendthe DraftDecision in order toinclude findings of infringement(s) thatfall outside ofthe scope
     ofthe complaint wouldconstrainitsabilitytoadopt itsfinaldecision. Moreover,theIE SA stressesout
     thatWhatsAppIEhasalreadybeeninformed aboutthe scope ofthe complaint.The IESA notes, inthis

     regard,thattherighttobe heardisexercisedinresponse toaparticularizedallegationofwrongdoing,
     and WhatsApp IE was not informed of an allegation of infringement relating to these additional
             258
     matters   . In the IE SA’s opinion, an amendment would prevent the controller’s right to a fair
     procedure andhinder itsrighttobe heard.

177.With regardtothe processing of special categoriesofpersonal dataand the assessment made bythe

     IE SA, the latter concludes that the reference to such processing by WhatsApp IE must be read asan
     element ofthe Complainant’sfundamentalallegation(i.e.thatthe agreementtothe TermsofService
     was a form of GDPR consent to processing of personal data, including consent to the processing of

     special categories of data). In circumstances, where the scope of the inquiry has addressed the
     fundamental issue of principle on which the complaint depends, the IE SA is satisfied that it is not

     necessary to also conduct an indiscriminate and open-ended assessment of the processing by
     WhatsApp IEthatmayotherwise fallwithinthe scope ofArticle 9 GDPR.

178.Moreover,regardingthe statementsmade by the FR SA       259,the IESA contends thatit isunclear of the

     basis on which the former makes its assumptions, and adds that the matter has already been
     considered inthe Schedule tothe DraftDecision.

179.Inaddition, having conductedanassessment ofthe core functions of WhatsAppIE’sTermsof Service,

     the IE SA concludes that the nature of the WhatsApp services offered includes regular service
     improvement asanaspectoftheagreementconcludedbetweenWhatsAppIEandtherespectiveuser,


     25FI SA’s Objection,paragraph3.
     254
       FI SA’s Objection,paragraph9.
     25FI SA’s Objection,paragraph10.
     25CompositeResponse,paragraph36.
     25CompositeResponse,paragraphs28to30.
     25CompositeResponse,paragraphs30-35.
     259
       CompositeResponse,paragraph34(“NoconsiderationofArticle9GDPRispresentintheDraftDecision.”).



     Adopted                                                                                          43     thus the basis of the processing is to be regarded as necessary for the performance of the
     contract260.However,theIESA further notes   261, contractsmay include aspectsof performance which

     are optional or contingent. For example, most of the processing carried out by WhatsApp IE, which
     relatestocommunicationbetweenusersisoptionalforusers, asauser isnot obligedtosendmessages

     to other users (for example). Such processing is nevertheless directly linked to the core “messaging
     service” function; it would appear to be uncontroversial that such processing is necessary for the
     performanceofthe TermsofService,asatype ofmutuallyexpectedprocessing. Atthesame time,this

     processing is optional and not indispensable, and the Terms of Service can otherwise be performed
     without any messages being sent by a user. According to the IE SA, this reflectsthe fact the Article

     6(1)(b) GDPRisnot limitedtoaspectsofcontractualperformance whichareexpressly mandatoryand
     unconditional obligations ofthe parties.

180.Regardingtheissue   262relatedtoWhatsAppIE’scontrollership anditsrelationshipwiththeother Meta

     companies, andthedegreeof investigationcarriedout, theIE SA contendsthatit “hasnothing further
     to addinthis regard”.


     6.1.4 Analysis ofthe EDPB

     6.1.4.1  Assessmentof whethertheobjectionswererelevantandreasoned

181.In this section, the EDPB considers whether the objections raised by the FI SA, FR SA and IT SA,

     regardingtheneed for a further investigation,meetthe threshold ofArticle 4(24)GDPR.

182.WhatsApp IEconsiders thatthe objections made bythe aforementionedCSAs are without merit.

183.Inessence, WhatsApp IEarguesthatthe FR SA’sobjection raises concernswith regardtobehavioural

     advertising that are not connected to any factual content and do not have any merit, because, as
     confirmed before to the IE SA, WhatsApp IE does not engage in such processing        263. Moreover,
     WhatsAppIEconsiders   264thattheIESA appropriatelyaddressedthismatterinitsDraftDecision,given

     the vague nature of the complaint, the misconceptions regardingWhatsApp services, and the lackof
     evidence that such processing istaking place.WhatsApp IE thatno factualor legalargumentsare put

     forwardbythe FR SA.

184.Furthermore,the EDPBtakesnote ofWhatsAppIE’spositiononthe objection raisedby theFR SA with
     regard to the processing of special categories of data, according to which they are based on a

     “misunderstanding of the Defined Scope of Inquiry”, aswell as the nature of the service offered and
     they “fail to take into account the investigations conducted by the [IE SA]”5. Further, WhatsApp IE
     emphasises thatitdoesnot processspecialcategoriesofdatainthe course ofproviding the WhatsApp

     services. Moreover, it is of the view66that the FR SA does not acknowledge that the processing in
     question has already been addressed by the IE SA in its Draft Decision, concluding that there is no






     26CompositeResponse,paragraphs57and59.
     261
       CompositeResponse,paragraph61.
     26CompositeResponse,paragraphs84and85.
     26WhatsAppIE’sArticle.65Submissions,paragraph4.27.
     26WhatsAppIE’sArticle65Submissions,Annex1,Section1.a,paragraph6.a.
     26WhatsAppIE’sArticle65Submissions,paragraph4.3.
     266
       WhatsAppIE’sArticle65Submissions,Section1.a,paragraph6.g.



     Adopted                                                                                          44     evidence that it wastaking place and that it is irrelevant to the complaint and the inquiry. Thus, for
     WhatsApp IE,theFR SA’sobjection raisedis neitherrelevant,nor reasoned      267.

185.With regard to the FR SA’s objection   268 regarding the legal basis for provisions of metrics to third
     parties and the need for a further investigation, WhatsApp IE states that it does not rely on Article

     6(1)(b) GDPRasa legalbasis for theprocessing. Further, the processing for metricspurposesis carried
     out ona controller-to-processor basisinorder toassist WhatsApp IEinprocessing whatforms part“of

     thegeneral‘improvements’”.WhatsAppIEaddsthatthereisnorequirementpresent tohave adistinct
     legalbasis for such sharing. Itstatesthat“theprovision of the WhatsApp Service doesnot involve any
     sharing ofEU WhatsAppusers’ personaldata with otherMetaCompanies on a controllerto controller
                                                                         269
     basis”. Furthermore, WhatsAppIE arguesthatthe IT SA’sobjection         on the investigationof further
     sharing carriedout byWhatsAppIEwith“unspecifiedpartnersand serviceproviders” isnot relevantto
     the issues investigatedby the IESA, nor does it have connectionto thesubstance of the complaint or

     the DraftDecision. Moreover,WhatsApp IEconsiders thatit is not clear what“exchangeofdata” was
     referred to by the IT SA and its relevance to the inquiry. Thus, WhatsApp IE opines that the IT SA’s
     objection should be rejected.

                                               270
186.Finally, withregardtotheFISA’sobjection      ,WhatsAppIEarguesthattheFISA’sstatement,regarding
     therelianceonArticle6(1)(b)GDPRforprocessingfor marketingpurposesisirrelevantandfallsoutside
     of thedefined scope ofthe inquiry. Further,WhatsApp IEpoints out thatthe specific referencetothe

     Terms of Service is misunderstood, as it is relatedtopotential marketing messagesthat users might
     receive from businesses thatuse the servicesoffered by WhatsAppIE.Finally, WhatsAppIE considers
     thatsince businesses use WhatsAppBusiness API for exchangingmessages(withtheir owntermsand

     privacypolicies), it isnot thecontroller in respectof those processing operations.

                                                      ***

187.As regardsthe objection of the FR SA, arguingthatthe IESA did not analyse theapplicable legalbasis
     for the processing of personaldatarelatedtobehaviouraladvertising,the EDPBestablishesthatit has

     a direct connectionwith theDraftDecision. The EDPBconsiders thatthe FR SA’s objection is relevant
     and, if followed, would lead to a different conclusion. It includes arguments on factual and legal
     mistakes in the IE SA’s Draft Decisionthat require amendments, for which it is considered reasoned.

     More specifically, the FR SA’sobjection allegesthatthe IESA should have carriedout aninvestigation
     inorder toverifywhetheror not WhatsAppIEprocessespersonal datafor the purposesofbehavioural
     advertising.


188.As regardsthe risks posed by the Draft Decision, the EDPB takesnote of the FR SA’s remarkthat the
     position of the IE SA would incur a risk for the fundamental rightsand freedoms of data subjects, as
     well as the possibility that a controller could use the legal basis of the contract toprocess its users'

     data for targeted advertising purpose. The FR SA stresses out that such processing would be
     particularlymassive andintrusive, thus thatit is not inline withtheprovisions ofthe GDPR.

189.The EDPBconsidersthattheobjections raisedbythe FRSA andthe ITSA withregardtothe processing
     of special categoriesof personal data have a direct connection withthe Draft Decision, as theyrefer

     (1) to the lack of conclusions with regardto the lawful ground applicable to the processing of such
     data,and(2)the rejectionof theComplainant’sargumentofthe processing ofsuchdata byWhatsApp


     267
        WhatsAppIE’sArticle65Submissions,paragraph4.3.
     268WhatsAppIE’sArticle65Submissions,paragraphs4.15to4.16.
     269WhatsAppIE’sArticle65Submissions,paragraph4.17.
     270WhatsAppIE’sArticle65Submissions,Annex1,Section3.a,paragraph2.b.


     Adopted                                                                                            45     IE.Bothare found tobe relevantand,if followed would leadtoa different conclusion since the IE SA

     would have tocarry out further investigations in order to establish whether WhatsApp IE processes
     special categoriesof personal data,and if so, whether this is done in compliance withthe conditions
     set forthin Article9 GDPR.

190.The EDPB notes that both objections argue on factualand legalmistakes in the Draft Decision that
     wouldrequire amendments,thustheyarebothreasoned.According totheFRSA, theIESA’sreasoning

     is not consistent, as the latter has not considered the matter related to the lawful ground for the
     processing of specialcategoriesofpersonal data,norevaluateditscompliance withArticle 9(2)GDPR,
     thustheIESA shallcarryout thenecessaryinvestigations.Asfor theITSA’sarguments,theEDPBnotes

     that no in-depth assessment was conducted by the IE SA regarding the allegations made by the
     Complainant that WhatsApp IE processes special categories of personal data, and instead simply
     endorsed WhatsAppIE’sargumentthatallcommunications are encrypted.

191.Inthe Draft Decision, the EDPB identifies, aspreviously asserted by the FR SA and the IT SA, risks for
     the fundamental rights and freedoms of the data subjects, with concrete examples of targetedand

     behaviouraladvertising given,thatwouldhinder the users’ abilitytohave controlover theirdata,thus
     the FR SA’sandITSA’sobjections areconsidered reasoned.

192.Taking into account the objection raised by the FR SA concerning the legal basis for the provision of
     metrics to third parties, the EDPB considers that it has a direct connection to the Draft Decision,

     because it reflects on the fact that the IE SA does not define what the processing for provision of
     metrics to third parties covers, and does not pronounce itself on the legalbasis applicable to such
     processing (including sharing between companies within the same group), even though initially

     mentioned in the latter. The objection is relevant, because if it were followed, different conclusions
     wouldbe reachedregardingtheconditions under whichWhatsAppIEcollectsconsent ofdata subjects
     for the processing oftheir personal datafor provision ofmetricstothirdparties.

193.TheEDPBnotesthattheFRSA putsforwardargumentsregardingfactualandlegalmistakesthatrelate
     to the legalbasis applicable to the provisions of metrics to third parties, and regarding the lack of

     definition of what the aforementioned processing entails. For these reasons, the FR SA’s objection is
     considered reasoned.

194.As regardsthe risks posed by the Draft Decision, the EDPB takesnote of the FR SA’s remarkthat the
     DraftDecisionwould be detrimentalfor the fundamentalrightsandfreedoms of datasubjects, asthe

     only informationprovided bythe IESA doesnot amount toany assessment.

195.An objection is raised by the IT SA with regard to the exchange of personal data with affiliated
     companies. The EDPBis of the view that it hasa directconnection to the DraftDecision, asthe latter
     only coverstwopurposes ofprocessing, namelythisofservice improvement andsecurity, outof those
     raisedby the Complainant, hence lacks anassessment ofthe exchangeof databetweenWhatsApp IE

     and its affiliated companies. The EDPB considers the IT SA’s objection to be relevant, because, if
     followed, itwould leadtodifferentconclusions intheDraftDecision,regardingtheassessment related
     tothe core functions ofthe contractandthe exchangeofdata withaffiliatedcompanies.

196.Asregardstothe risks posedtothe fundamentalrightsandfreedoms ofdatasubjects, the EDPBtakes

     note of the IT SA’s remarks that if the Draft Decision is left unchanged, it would lead to a severe
     infringement of the users’ right to self-determine the processing of their sensitive personal data, as
     alsorelatedtothe exchangeofdatawithaffiliatedcompaniesand, thus, it wouldprevent the usersto
     have controlover their data.





     Adopted                                                                                          46197.The EDPB notes that the IT SA’s objection includes clarifications and argumentson factualand legal

     mistakes,namelythe failure oftheIESA toconduct investigationswithregardtothe exchangeofdata
     with affiliatedcompanies not only for service improvement purposes, but also for unspecified ones,
     relatedtothe managementandtheoverallprovision of theservice.

198.Finally, the EDPB considers that the objection raised by the FI SA, with regardto the processing of

     personal data for the purposes of marketing, has a direct connection with the Draft Decision, as it
     reflects on the fact that the IE SA concludes that there is no evidence of processing related to
     marketing. The FI SA’s objection is considered relevant, as if followed it would lead to a different

     conclusion regardingthelegalbasis,namelythisofArticle6(1)(b) GDPRforprocessing ofpersonaldata
     for marketingpurposes.

199.The FI SA putsforwardargumentsregardingthe factualandlegalmistakesmade bythe IESA, relating
     to the legalbasis for processing of personal data and the possibility for the respective WhatsApp IE

     users toreceivemarketingmessages. For these reasons, the FI SA’sobjection isconsidered reasoned.

200.Asregardstotherisks posed bytheDraftDecisiontothefundamentalrightsandfreedomsofthe data
     subjects, the EDPB takes note of the FI SA’s remarkthat it would incur a risk for data subjects and,
     more precisely, theirunawarenessofthe processing and, asa consequence, their subsequent inability

     to have control over the processing of their personal data. Moreover, the EDPB considers that this
     could leadtoundermining their fundamentalrightof protectionoftheir personal data.

     6.1.4.2  Assessmenton themerits


201.Inaccordance withArticle 65(1)(a) GDPR,in the context of a dispute resolution procedure, the EDPB
     shall take a binding decision concerning all the matters which are the subject of the relevant and
     reasonedobjections, inparticularwhether thereis aninfringement ofthe GDPR.

202.The EDPBconsiders thatthe objections found to be relevantandreasonedinthis subsection require

     anassessment of whethertheDraftDecisionneedstobe changed,astheyconclude thatthe IESA has
     not carried out a enough investigation as to the applicable legalbasis for WhatsApp IE’sprocessing
     operations(a) for the purposes of behaviouraladvertising, (b)involving specialcategoriesofpersonal

     data pursuant to Article 9 GDPR,(c) for provision of metricstothird partiesand (d) for the exchange
     of data withaffiliated companies for the purposes of service improvements and (e) for the purposes
     of marketing. When assessing the merits of the objections raised, the EDPB also takes into account

     WhatsApp IE’sposition on theobjections.

203.In its submissions, WhatsApp IE supports the conclusions made by the IE SA that no further
     investigationis neededasregardsthe aforementionedissues raised.

204.Withregardtobehaviouraladvertising,WhatsAppIEstatesthatit doesnot engageinsuchprocessing,
     whichfact wassubsequently “appropriatelyaddressed”      271bythe IESA inits DraftDecision.

205.As for the specialcategoriesof personal data  272,WhatsApp IEcontends that it does not process such

     data in the course of providing the WhatsApp IE services. Moreover, the processing in question has
     alreadybeen addressedby the IESA in itsDraft Decision, concluding thatthere is no evidence thatit
     is takingplace andthatit is irrelevanttothe complaint andthe inquiry.




     271WhatsAppIE’sArticle65Submissions,Annex1,Section1.a,paragraph6.a,aswellasparagraph4.27idem.
     272WhatsAppIE’sArticle65Submissions,Annex1,Section1.a,paragraph6.g.



     Adopted                                                                                            47206.Moreover, WhatsApp IE argues that it does not rely on Article 6(1)(b) GDPR as a legal basis for
     processing for the provision of metricstothirdparties 273.Further, such processing is carriedout ona

     controller-to-processor basis in order to assist WhatsApp IE in processing that forms part “of the
     generalimprovements”.WhatsApp IEadds that there is no requirement tohave a distinct legalbasis

     for such sharing.It statesthat“theprovision of the WhatsApp Servicedoesnot involve any sharing of
     EU WhatsApp users’ personal data with other Meta Companies on a controller to controller basis”.
     Furthermore,WhatsAppIEopines thatthematteroffurther sharing        274 with“unspecified partnersand

     service providers” is not relevant tothe issues investigatedby the IE SA, nor does it have connection
     tothe substance of thecomplaint or the DraftDecision.

207.Finally, withregardtothe processing for the purposes ofdirectmarketing,WhatsAppIEargues        275that

     it is irrelevantandfalls outside of the definedscope of theinquiry.

208.The IE SA argues  276that it would have been infeasible, hypothetical, and contraryto the complaint
     within the meaning of Article 77 GDPR to undertake an assessment of all discrete processing

     operationsassociatedgenerallywiththeWhatsAppIE’sTermsofService,including whetherWhatsApp
     IE processes special categoriesof personal data in this context andwhether the sharing of data with

     third partiesspecifically is lawful, as wellas the additional mattersconcerning WhatsApp IE,in order
     toconclude aninvestigationofthecomplaint.Inrelationtotheprocessing ofArticle9GDPRcategories
     ofpersonal data,theIESA considers thattheinquiry hasaddressed thefundamentalissue ofprinciple

     on which the complaint depends, and this makes it unnecessary to conduct an indiscriminate and
     open-ended assessment of processing falling within the scope of this Article or the ePrivacy
              277
     Directive   .

209.Moreover, the IE SA considers that there is no evidence for the assertion that WhatsApp IE is
     processing personaldata,thatfacilitatestheinferringofspecialcategoriesofpersonaldata,pertaining

     toreligiousviews, sexualorientation,politicalviews andhealthstatus. Further,asstated,noevidence
     is presentedinthis regardatall,thus aconclusion is madethatthe processing ofspecial categoriesof

     personal data,pursuanttoArticle 9 GDPRconsent does not fallwithinthe scope ofthe complaint and
     is thus irrelevant. The Complainant considers the agreement tothe Privacy Policy and the Termsof
     Service to be anallegedconsent todata processing operations designated in those documents. This

     also includes the aforementioned data processing operations and the respective purposes, thus the
     EDPBconsiders thatthose processing operations arewithinthe scope ofthe complaint.

210.Inaddition andtaking into account the previous paragraph, the IE SA    278warns the CSAs on the legal

     risks derived from asking throughthe objections toexpandthe materialscope ofthe inquiry and thus
     cover infringementsoutside ofthe complaint (namelythe processing ofspecialcategoriesofpersonal

     data, question of location data, factual investigations into the presence of behavioural advertising,
     sharing withthird parties)and the Draft Decisionthat the IE SA has not investigated(pursuant to its
     own decision to limit the scope of the inquiry) and put to WhatsApp IE as an allegation of

     wrongdoing  279.




     273
       WhatsAppIE’sArticle65Submissions,paragraphs4.15and4.16.
     27WhatsAppIE’sArticle65Submissions,paragraph4.17.
     27WhatsAppIE’sArticle65Submissions,Annex1,Section3.a,paragraph2.b.
     27CompositeResponse,paragraph22.
     27CompositeResponse,paragraph27.
     278
       CompositeResponse,paragraph28.
     27CompositeResponse,paragraphs29and31.


     Adopted                                                                                           48211.The EDPB notes that the complaint reiterates the confusion of WhatsApp IE’susers over whether it

     processes personal data for the purposes of behavioural advertising, which of the users’ special
     categoriesof personal data are processed and for which purposes, the provision of metrics to third
     parties and the exchange of data with affiliated companies and on which basis, as well as for the

     processing ofpersonal datafor the purposes of marketing.

212.WhatsApp IE’s Terms of Service note in general terms “WhatsApp works with partners, service
     providers, andaffiliated companiesto help us provide ways for you to connectwith their services.We
     use the information we receive from them to help operate, provide, and improve our Services”;

     “WhatsApp uses theinformation it has and also works with partners,service providers, and affiliated
     companiesto do this” andinthe matterofsharing datawithaffiliatedcompanies: “Weare partof the
     Facebook Companies. As part of the Facebook Companies, WhatsApp receivesinformation from, and

     sharesinformationwith, theFacebookCompanies asdescribed in WhatsApp's PrivacyPolicy”.

213.The Terms of Service make up the entire agreement, and include a reference to two separate
     documents: WhatsApp IE’sPrivacy Policy and to the Meta Companies. WhatsApp IE’sPrivacy Policy
     statesthat“The typesof information we receiveand collect depend on how you use our Services.We

     require certainofYour Account Information in accordance with our Termsto deliver our Servicesand
     without this we will not be able to provide our Services to you.” With regardto sharing information
     with third parties, the Privacy Policy states that “You share your information as you use and

     communicate through our Services, and we share your information to help us operate, provide,
     improve,understand,customiseandsupport ourServices”.Further,thedocumentitselfdoes notmake
     any referenceswhatsoever for the processing of data for the purposes of behavioural advertising, or

     the processing of specialcategoriesofdatapursuant toArticle 9 GDPR. Asfor the provisionofmetrics
     to third parties and the exchange of data with affiliated companies, as well as the processing of
     personal data for the purposes of marketing, the Privacy Policy does not elaborate further on that

     matter.

214.The CJEU assertedrecentlythatthe purpose ofArticle 9(1)GDPRis toensure anenhancedprotection
     of data subjects for processing, which, because of a particular sensitivity of the personal data
     processed, is liable to constitute a particularly serious interference with the fundamental rights to

     respect for private life and tothe protection of personal data, guaranteedbyArticles7 and 8 of the
     Charter 28. The CJEU adopts a wide interpretationof the terms“special categoriesof personal data”
     and “sensitive data” that includes data liable indirectly to reveal sensitive information concerning a
                    281
     natural person    . Advocate General Rantos reiterates the importance for the protection of data
     subjects of Article9 GDPRand applies thesame interpretationtothe potentialdataprocessing inthe
     WhatsAppservices for behaviouraladvertising bystatingthat“the prohibition on processing sensitive

     personaldatamayinclude theprocessing ofdatacarriedoutbyanoperatorofanonline socialnetwork
     consisting inthecollection ofa user’sdatawhenhe or she visits otherwebsitesor apps or enterssuch
     dataintothem, thelinking of such datatotheuser accounton the socialnetworkandthe use ofsuch

     data,providedthatthe informationprocessed, considered inisolation or aggregated,makeit possible
     toprofile users on thebasis ofthe categoriesthatemergefrom the listing inthatprovision oftypesof
     sensitive personaldata.”





     28Vyriausiojitarnybinėsetikoskomisija(CaseC-184/20,judgmentdeliveredon1August2022),
     ECLI:EU:C:2022:601,§126.
     28Vyriausiojitarnybinėsetikoskomisija(CaseC-184/20,judgmentdeliveredon1August2022),
     ECLI:EU:C:2022:601,§127.


     Adopted                                                                                           49215.Therefore, the GDPR and the case-law pay especial attention to the processing or the potential

     processing ofspecialcategoriesof personaldataunder Article9 GDPRtoensure the protectionofthe
     data subjects. Inthis connection, the Complainant allegesin its complaint, among others, a violation
     of Article9 GDPRandexpressly requeststhe IESA toinvestigate WhatsAppIE’sprocessing operations
     covered by this provision. In a subsequent submission on the preliminary Draft Decision, the

     Complainant criticises the scope that the IE SA decided to give to the complaint and its lack of
     investigation of WhatsApp IE’s processing activities and alleges that the IE SA failed to give due
     consideration toprocessing under Article9 GDPRandother casesin whichit relieson consent.

216.In the present case, the IE SA did not carry out any investigation, regarding (a) the legal basis for

     WhatsApp IE’sprocessing operations for the purposes of behavioural advertising, (b) the applicable
     legal basis for processing special categories of personal data, pursuant to Article 9 GDPR, (c) the
     applicable legal basis for provision of metrics to third parties and (d) the exchange of data with
     affiliatedcompaniesfor thepurposes of serviceimprovements and(e)theprocessing of personaldata

     for the marketingpurposes. The IE SA categoricallyconcludes thatno further investigation is needed
     withregardtothese issues.

217.Byfailingtoinvestigate,furthertothecomplaint,the processing of specialcategoriesofpersonaldata
     byWhatsApp IE,theIESA leavesunaddressed the risks thisprocessing poses for the Complainant and

     for WhatsAppIE’susers in general.First,there is the risk thatthe Complainant’s specialcategoriesof
     personal data are potentially processed by WhatsApp IE to build intimate profiles of them for the
     purposes ofbehaviouraladvertisingwithoutalegalbasisandina mannernotcompliant withtheGDPR

     and inparticular the strict requirementsof Articles 7 and Article9(2) GDPR.Second, thereis also the
     riskthatWhatsApp IEdoesnot consider certaincategoriesofpersonal dataitpotentiallyprocesses, as
     specialor sensitive categoriesofpersonaldatain line withtheGDPRandthe CJEU case-lawandtreats
     them accordingly. Third, the Complainant and other WhatsApp IE’susers, whose sensitive data are

     potentiallyprocessed may be deprived of certainspecialsafeguardsderived from the use of consent,
     such asthe possibility tospecifically consent tocertainprocessing operations andnot toothersandto
     the further processing of personal data under Article 6(4) GDPR; the freedom to withdraw consent,

     pursuant toArticle 7 GDPR, andthe subsequent right tobe forgotten. Fourth, given the size andthe
     number of users of WhatsApp IE in the social media market, leaving unaddressed the current
     ambiguity in the processing of special categories of personal data, and its limited transparency of
     WhatsAppIEvis-à-vis datasubjects,mayseta precedentforcontrollerstooperateinthesamemanner

     andcreatelegaluncertainty,hampering thefree flow ofpersonal datawithinthe EU.

218.The EDPB further considers, also in view of these risks tothe Complainant and WhatsApp IE’susers,
     thatthe IE SA did not handle the complaint withalldue diligence.The EDPBconsiders the lackof any
     further investigation intothe legalbasis for WhatsApp IE’sprocessing operations for the purposes of

     behavioural advertising, the potential processing of special categories of personal data, applicable
     legalbasis for provision of metricstothirdpartiesandthe exchangeofdata withaffiliatedcompanies
     for the purposes of service improvements, aswellasthe processing of personal datafor the purposes
     ofmarketingasanomission, and– in thepresent case – finds itrelevant thattheComplainant alleged

     infringementsof Article9 in the complaint.

219.The EDPBcontendsthatinthepresent case,theIE SA should have verifiedonthe basisof thecontract
     and the data processing actuallycarried out on which legalbases eachdata processing operation in
     question relies.

220.The EDPB also highlights that byhaving excessively limited the scope of its inquiry despite the scope

     ofthecomplaint inthiscross-border case andsystematicallyconsidering themajorityofthe objections



     Adopted                                                                                           50     raisedby the CSAs not relevantand reasonedandthus denying their formaladmissibility, the IE SA as

     LSA in thiscase, constrains the capacityof CSAs to actand tackle the risks todata subjects in sincere
     and effective cooperation. As ruled by the CJEU, the SA must exercise its competence within a
     framework of close cooperation with other supervisory authorities concerned and cannot “eschew

     essential dialogue with and sincere and effective cooperation with the other supervisory authorities
     concerned”. The limited scope that the IE SA gave tothe inquiry also impairs the EDPB’scapacityto
     conclude on the matter pursuant to Article 65 GDPR and thus ensure a consistent application of EU

     data protection law, despite the fact that the complaint covered these aspects and was introduced
     more thanfour yearsago.

221.Asa result ofthelimitedscope ofthe inquiryandlackofassessment bythe IESA inthe DraftDecision,
     the EDPBdoes not have sufficient factualevidence on WhatsApp IE’sprocessing operationstoenable

     it to make a finding on any possible infringement by WhatsApp IE of its obligations under Article 9
     GDPRandother relevantGDPRprovisions.

222.The EDPB decides that the IE SA shall carry out an investigation into WhatsApp IE’s processing
     operationsinitsserviceinorder todetermineifitprocesses specialcategoriesofpersonaldata(Article

     9 GDPR),processes datafor the purposes of behavioural advertising,for marketingpurposes, as well
     asfor the provision of metricstothird partiesand the exchangeof data withaffiliatedcompanies for
     the purposes of service improvements, and in order to determine if it complies with the relevant

     obligations under the GDPR.Basedonthe resultsof thatinvestigationandthe findings, the IE SA shall
     issue a new DraftDecisioninaccordancewithArticle 60 (3)GDPR.



     7 ON CORRECTIVEMEASURESOTHER THAN ADMINISTRATIVE FINES

     7.1 Analysis by the IESA in the DraftDecision

223.According tothe DraftDecision,the IE SAconcludes thatthe Complainant’scase is not made out that

     the GDPR does not permit the reliance by WhatsApp IE on Article 6(1)(b) GDPR in the context of its
     offering of Termsof Service 282. Therefore, without finding any infringement of this legalbasis, the IE
     SA wasnot ina position to consider the applicationof its correctivepowers as provided for in Article

     58(2)GDPR.

224.Regardingthe provision of necessary information relatingtoWhatsApp IE’slegalbasis for processing
     pursuant to acceptance of the Terms of Service and whether the information set out was in a
     transparent manner, the IE SA recalled that it found infringements in this regard in a previous own-

     volition inquiry andexerciseda number of corrective powersin response, including anadministrative
     fine andanorder tobring theWhatsApp IE’sPrivacyPolicy intocompliance       283.

     7.2 Summary of the objections raised by the CSAs

225.The NO SA objects to the IE SA’s finding by stating that WhatsApp IE cannot rely on Article 6(1)(b)
                                                                                                       284
     GDPR asa legalbasis for processing in the context of service improvements andsecurity features      .
     As a consequence resulting from the finding of such infringement, the NO SA requests the IE SA to
     exercise corrective powers under Article 58(2) GDPR accordingly, byordering WhatsApp IE todelete



     282DraftDecision,Issue2.
     283DraftDecision,paragraph5.9andlastrowofthetableinp.38.
     284NOSAObjection,p.1,Introductoryremarks,paragraph3.



     Adopted                                                                                            51     personal data that has been unlawfully processed under the erroneous assumption that it could be
     based on Article 6(1)(b) GDPR unless those data were also collected for other purposes with a valid

     legal basis, and by imposing an administrative fine against WhatsApp IE for unlawfully processing
     personal data in the context of service improvements and security features, erroneously relying on
                                                                           285
     Article6(1)(b) GDPR,asthatlegalbasis wasnot applicable in thiscase       .

226.The DE SAs object to the IE SA’s finding by stating that the IE SA should find that WhatsApp IE has
     breachedthe Article5(1)(a)andArticle6(1)GDPR.Asa consequence resulting from the finding ofsuch

     infringements, the DE SAs request the IE SA to impose a temporary or definitive limitation of the
     respectiveprocessing without legalbasisinaccordancewithArticle58(2)(f)GDPR,namely,theerasure

     of unlawfully processed personal dataand the banof the processing ofdata untila valid legalbasis is
     inplace 28.

227.The FI SA objectsto the IESA’s finding by statingthatthe IE SA should find aninfringement of Article

     6(1)GDPR,notablybecause the FI SA isof the opinion thatWhatsAppIE cannot relyon Article6(1)(b)
     GDPR for all the processing operations set out in the Terms of Service, such as marketing, service
                                            287
     improvements and security purposes        . As a consequence resulting from the finding of such
     infringement,the FISA requests theIESA tomakeuse ofitscorrectivepower accordingly,pursuant to
     Article 58(2)GDPR  288.Inorder to doso, the FI SA is of the opinion that the IESA should at least order

     WhatsAppIEtobringitsprocessingoperationsintocompliancewiththe provisions ofArticle6(1)GDPR
     withrespect to the processing of marketing,service improvements and securityfor which WhatsApp

     IEreliedupon Article6(1)(b)GDPRandconsider imposing anadministrativefine pursuant toArticle83
     GDPR  289.


     7.3 Position of the IESA on the objections

228.The IE SA is of the opinion that since it does not follow the objections raised on the infringements
     matters, it results that the IE SA does not follow the related objections on the corrective measures

     either290.The IESA also does not consider the objections tobe relevantand/or reasoned.


     7.4 Analysis of the EDPB


     7.4.1 Assessment of whether theobjections were relevant and reasoned

229.The objections raised by the NO SA, DE SAs and FI SA concern “whether the action envisaged in the
     DraftDecision complieswith theGDPR”     291.

230.As statedand analysed above in Subsection 4.4.1,the EDPBfinds the NO SA and DESA objections on
                                                                                                  292
     the subject of correctivemeasurespursuant toArticle58(2)GDPRrelevantbut not reasoned            .

231.Regarding the FI SA’s objection, WhatsApp IE considers it not relevant because it is based on an
     objection pertaining to a mistaken allegationof infringement of Article 6(1) GDPR  293andwhich does


     285NOSAObjection,p.8-9,EnvisagedoutcomeoftheRRO,secondbulletpoint.
     286DESAObjection,p.8,d.Envisagedresultoftheobjection.
     287FI SAObjection,paragraph36.
     288FI SAObjection,paragraph36.
     289
        FI SAObjection,paragraph36.
     290WhatsAppIE'sArticle65Submissions,paragraph80.
     291EDPBGuidelinesonRRO,paragraph32.
     292Paragraphs75,80,86and87above.
     293WhatsAppIE'sArticle65Submissions,tablep.96,sectionA,paragraph3.




     Adopted                                                                                            52     not satisfy the thresholds andlacksof merit 294.The EDPBdoesnot follow WhatsAppIE’sposition asit
     analyses andconcludes in Subsection 4.4.1 above that the objection of the FI SA on the finding of an

     infringement ofArticle6 GDPRor more specifically Article6(1)(b) GDPR,onwhichthe FI SA request of
     correctivemeasuresis based, isrelevant andreasoned.

232.The FI SA’sobjection arguingthat the IESA should, inapplication ofArticle 58(2)GDPR,atleast order
     WhatsAppIEtobringitsprocessingoperationsintocompliancewiththe provisions ofArticle6(1)GDPR

     withrespect to the processing of marketing,service improvements and securityfor which WhatsApp
     IEreliedupon Article6(1)(b)GDPRandconsider imposing anadministrativefine pursuant toArticle83
     GDPR, is linked to the IE SA’s Finding 2 of its Draft Decision with regard to Article 6(1)(b) GDPR.

     Therefore, the FI SA objection is directly connected with the substance of the Draft Decision and if
     followed, would lead to a different conclusion, namely a change of this Finding 2 as well as the
     imposition of correctivemeasures.

233.Thus, the EDPBconsiders thatthe FI SAobjection isrelevant.


234.Interms of argumentsclarifying why the amendment of the Draft Decision requestedby the FI SA is
     proposed, the FI SA firstly arguesthatif theIE SA does not make use of itscorrective powers, thereis
     a dangerthat WhatsAppIE continuestounlawfullyprocesspersonaldata onthe foot ofArticle 6(1)(b)

     GDPR for processing operations such as marketing, service improvements and security, and that
     WhatsApp IEcontinues toundermine or bypass dataprotectionprinciples       295.

235.Secondly, the FI SA argues that because WhatsApp IE cannot rely on Article 6(1)(b) GDPR for all
     processing operations set out in its Terms of Service, this inevitably leads to the conclusion that

     correctivepowersmust beexercisedinorder tobring theprocessing operationsofWhatsApp IEinline
     withthe GDPR   296.

236.Thirdly, the FI SA relies on the ruling of the CJEU C-311/18 Schrems II     297to argue that when an
     infringement is found, the supervisory authoritymust take appropriateactionin order toremedyany

     findingsofinadequacyandthereforetheFISA isoftheopinionthattheIESAmust exerciseappropriate
     andnecessarycorrective powers    298.

237.Finally, according to the FI SA, the IE SA must exercise appropriate and necessary corrective powers

     andmust take intoaccount the nature andseverity ofthe abovementioned infringement since the FI
     SA is of theopinion thatthis infringementcannot be consider asminor    299.

238.Intermsofthe significance of the risks posed by the DraftDecision,the FI SA arguesthatthe absence
     of appropriate and necessary corrective powers would amount toa dangerousprecedent, sending a

     deceiving message to the market and to data subjects, and would also endanger the fundamental
     rightsandfreedomsof datasubjects whose personal dataareandwillbe processedby the WhatsApp
     IE300.

239.In addition, the FI SA argues that if WhatsApp IE could continue torely on Article 6(1)(b) GDPR, the

     datasubjects wouldnot have the possibility tocontrolthe processing of theirpersonal data,whilethe
     righttomonitor theprocessing of personaldatais animportantprinciple of theGDPR.        301



     294WhatsAppIE'sArticle65Submissions,tablep.96,sectionA,paragraph4.
     295FI SAObjection,paragraph37.
     296FI SAObjection,paragraph40.
     297
        C-311/18SchremsII,paragraph111.
     298FI SAObjection,paragraphs41-42.
     299FI SAObjection,paragraphs42-43.
     300FI SAObjection,paragraph45.
     301FI SAObjection,paragraph45.




     Adopted                                                                                            53240.The FI SA ends its argumentationbystatingthat theDraft Decisionaffectsallthe data subjectswithin
     the EEA.Therefore,the consequences of not making use of the correctivepowers pursuant to Article
     58(2)GDPRarevast   302.

241.WhatsApp IE considers that the FI SA objection cannot satisfy the significance of risk threshold, as it

     does not set out how theDraftDecision wouldpose a directand significant risktofundamentalrights
     andfreedoms, because it is basedon a misunderstanding ofthe DraftDecisionand the definedscope
     ofinquiry303. WhatsApp IEalsoconsiders thatcontrarytothe FI SA statement,theGDPRprovidesdata

     subjectswitharangeofcontrolsandrightsover theirpersonal dataregardlessofthelegalbasesrelied
     on and therefore the Draft Decision does not pose a risk to data subjects’ fundamental rights and
     freedom 304.Moreover,WhatsApp IEconsiders thatthe FISA statementthattheDraftDecisionaffects
     all the data subjects within the EEA and that therefore, the consequences of not making use of the

     correctivepowers pursuant toArticle 58(2)GDPRare vast,is based on unsubstantiatedconcerns and
     unsupported by anyfactsor legalreasoning or anything which wasinvestigatedinthe inquiry    30.

242.Considering WhatsApp IE’s arguments, the EDPB understands that WhatsApp IE is challenging the
     substance oftheFISA objectioninsteadofchallengingitsabilitytoclearlydemonstratethesignificance
                                               306
     of the risks posed by the Draft Decision     .Therefore, the EDPB considers these arguments not
     applicable toassess whether theFI SA’sobjection is reasoned.

243.Asthe FI SA objection clearlydemonstrateswhyanamendment ofthe DraftDecisionis proposed and
     how this amendment would lead to a different conclusion as to whether the envisaged action in

     relationto WhatsApp IE complies with the GDPR, it clearlydemonstrates a sound and substantiated
     reasoning andthe significance of therisks posed bythe DraftDecision.

244.Therefore,the EDPBconsiders the FI SAobjectiontobe reasoned.

245.Considering the FI SA objection and the arguments brought forward by WhatsApp IE, the EDPB

     considers thatthe FI SAobjection requesting corrective measurestobe imposed accordingto Article
     58(2)GDPRis relevantandreasonedpursuanttoArticle4(24)GDPR.


     7.4.2 Assessment on the merits
         Preliminarymatters


246.The EDPB considers that the FI SA objection found to be relevant and reasoned in Subsection 7.4.1
     requiresanassessment ofwhetherthe DraftDecisionneedstobe changedinrespectofthe corrective

     measuresproposed. More specifically, the EDPBneeds toassess whether the IE SA should impose an
     order on WhatsApp IE to bring its processing operations in compliance with the provisions of Article
     6(1)GDPRwithrespect tothe processing for marketing,service improvements andsecurityfor which
     WhatsApp IE reliedupon Article 6(1)(b) GDPRand consider imposing an administrative fine pursuant

     toArticle83 GDPR,inapplicationof Article58(2) GDPR.

247.Any issue concerning theimposition ofadministrativefinesis coveredbelow in Section8.

248.Concerning the issue ofimposing correctivemeasuresin respectof theallegedinfringement of Article
     6(1)(b) GDPR for processing personal data for marketing purposeraisedbythe FI SA and which was
     not partofthescope oftheinquiry  307, it isappropriatetorefertotheEDPBconclusion asstatedabove



     30FI SAObjection,paragraph46.
     30WhatsAppIE'sArticle65Submissions,tablep.96,sectionA,paragraph5.
     30WhatsAppIE'sArticle65Submissions,tablep.96,sectionA,paragraph6.
     305
     306hatsAppIE'sArticle65Submissions,tablep.96,sectionA,paragraph7.
       GuidelinesonRRO,paragraph18.
     30DraftDecision,paragraph4.8.


     Adopted                                                                                         54     in Subsection 6.1.4.2,whichnotably statesthat the IE SA is instructed tolaunch aninvestigation into
     WhatsApp IE’sprocessing operations in its service in order to determine ifit processes personal data

     for marketing purposes and in order to determine if it complies with the relevant obligations under
     the GDPR. In this situation where the possibility for WhatsApp IE to rely on Article 6(1)(b) GDPR for
     processing personal data for marketing purpose has not been investigated, there is no ground to
     further proceed in the assessment of the merits of the FI SA’s objection requesting to impose

     corrective measures for processing personal data for marketing purpose by unlawfully relying on
     Article6(1)(b) GDPR.

249.Conversely, concerning the issue of imposing corrective measures in respect of the alleged
     infringement of Article 6(1) GDPRfor processing for otherpurposesstatedinthe FI SA’s objection, it

     isappropriatetorefertotheEDPBconclusionasstatedabove inSubsection4.4.2,whichnotablystates
     thatWhatsAppIEhasinfringedArticle 6(1)GDPR byunlawfullyprocessing the Complainant’spersonal
     data, in particular by inappropriately relying on Article 6(1)(b) GDPR to process the Complainant’s
                                                                        308
     personaldatafor thepurposes of service improvement andsecurity        featuresprocessing operations
     inthe context ofits Termsof Service.As a consequence, the EDPBfurtherproceedintheassessment
     ofthemeritsofthese partsoftheFI SA objection    309andanalyseswhetheranordertobringprocessing

     intocompliance should be imposed.

250.When assessing the merits of the objection raised, the EDPB also takes into account WhatsApp IE’s
     position on the objectionand itssubmissions andthe findings inthis Binding Decision.

251.It is alsoimportant to clarifythe EDPB’sviews in respect of itscompetence,incontrast to WhatsApp
     IE’s argument, which considers the EDPB is not competent to direct the IE SA to adopt specific
                         310
     correctivemeasures     .

252.WhatsAppIEstates“Thisis clearfromthe objectionoftheFinnish SA, whichacknowledgesthatit isfor
     the IE SA alone to decide which corrective measures are appropriate and necessary, citing Case C-
     311/18 (SchremsII),para 112”  311.


253.The EDPB finds that WhatsApp IE misunderstands the FI SA objection when it argues that it does
     acknowledge that it is for the IE SA alone to decide which corrective measures are appropriate and
     necessary, by citing paragraph112 of the Judgement of the CJEU of 16 July 2020, Data Protection
     Commissioner v Facebook Ireland Limited and Maximillian Schrems, C-311/18, ECLI:EU:C:2020:559 ,

     (hereinafter ‘C-311/18 Schrems II'). In fact, the FI SA does no such thing: in its objection “The FI SA
     refersto the ruling of the CJEU C-311/18 whereit was stated that if a supervisory authoritytakes the
     viewthataninfringementwasfound, therespectivesupervisoryauthoritymusttakeappropriateaction
                                                   312
     inorder to remedyanyfindings ofinadequacy”        inorder tosupport itsconclusion, whichstatesthat
     because “WhatsApp cannot relyon Article 6(1)(b) for all processing operationsset out in itsTermsof
     Service. Thisinevitably leads into the conclusion that corrective powersmust be exercised in order to
                                                                         313
     bringthe processing operationsof WhatsApp in line with theGDPR”       .Thus,this statementby the FI
     SA seems tosimply strengthenthe needfor appropriatecorrectivemeasures tobe imposed.

254.Moreover,WhatsAppIEconsiders theIESAhassole discretiontodeterminetheappropriatecorrective
     measuresin theevent of afinding of infringement   31.



     30Seeparagraph90ofthisBindingDecision.
     309
       FI SAObjection,paragraph36.
     31WhatsAppIE'sArticle65Submissions,paragraphs8.6to8.11.
     31WhatsAppIE'sArticle65Submissions,paragraph8.9.
     31FI SAObjection,paragraph41.
     31FI SAObjection,paragraph40.
     314
       WhatsAppIE'sArticle65Submissions,paragraphs8.12to8.14.



     Adopted                                                                                           55255.WhatsApp IE considers that where a Draft Decision does not find an infringement and therefore
     proposes nocorrective measures,there cannot be a dispute oncorrective measureswithin thescope

     of Article 65 GDPR. WhatsAppIE arguesthat “should the EDPB find an infringement of Article 6(1)(b)
     GDPR, the appropriate course is for it to refer the matter back to the DPC, as IE SA, to determine
     whether to impose any appropriate corrective measuresand, if so, what those corrective measures
     should be. Were the EDPB to do otherwise and direct the DPC to make a specific order in the terms
                                                                                           315
     proposed by certainObjections, it would exceeditscompetenceunderArticle65GDPR”           .

256.WhatsAppIE’sstatesthatitis “a matterfortheLSA to determinewhich(ifany) correctivemeasuresto
     orderandto ensurethat anyordercomplieswith allapplicable proceduralsafeguards, includingthose
     provided for under national law, and is issued in accordance with due process and in circumstances
                                                                316
     wherethecontrollerhas beenaffordedaright to be heard”        .

257.WhatsApp IE also argues that “In the context of an inquiry relating to cross-border processing, the
     powerto determinewhichmeasuresareappropriateto exerciseundertheGDPRisa matterwithinthe
                                                         317
     sole competenceoftheDPCasIESA—nottheEDPB”              .WhileWhatsAppIEacknowledgesthat“Article
     65(1) GDPRallowsthe EDPBto consider reasoned objectionsconcerningwhethercorrectivemeasures
     envisaged by the IE SA comply with the GDPR”, it argues “it does not empower the EDPB to issue
     prescriptive instructions as to which (if any) of the corrective powers under Article 58 ought to be
               318
     exercised”   .WhatsAppIE adds that“As noted in the EDPBGuidelines03/2021 on the application of
     Article65(1)(a) GDPR(‘Article65Guidelines’),atmost,the EDPBcan‘instructtheIESA tore-assess the
     envisaged action and change the draft decision in accordance with the binding decision of the
            319
     EDPB’”    .

258.According to the EDPB, the views of WhatsApp IE amount to a misunderstanding of the GDPR one-
     stop-shop mechanism andof the sharedcompetencesof the CSAs. While the EDPBagreesthat the IE
     SA does act as ‘sole interlocutor’ of the controller or processor0, this should not be understood as

     meaning it has ‘sole competence’ in a situation where the GDPR requires supervisory authorities to
     cooperatepursuant toArticle60 GDPRtoachieve aconsistent interpretationofthe Regulation       321.The
     fact that the IE SA will be the authority that can ultimately exercise the corrective powers listed in

     Article58(2) GDPRcannotneither limit the role of the CSAs withinthe cooperationprocedure nor the
     one of the EDPBinthe consistency procedure   322.

259.Therefore,contrarytoWhatsAppIE’sviews, the consistencymechanism mayalsobe usedtopromote
     a consistent applicationbythe supervisory authoritiesof thecorrectivemeasures, takingintoaccount

     the range of powers listed in Article 58(2) GDPR, whena relevant and reasoned objection questions
     the action(s) envisaged by the Draft Decision towards the controller or processor, or the absence
     thereof. More specifically, when raising anobjection on the existing or missing corrective measure in
     the DraftDecision, the CSA should indicatewhich actionit believes wouldbe appropriate for theIE SA

     toundertake andinclude inthe finaldecision.

260.Asmentioned above,aside from the question ofadministrativefines tackledbelow inSection8, theFI
     SA calls on the IE SA touse its corrective powers under Article 58(2) GDPR, by imposing an order on


     31WhatsAppIE'sArticle65Submissions,paragraph8.11.
     31WhatsAppIE'sArticle65Submissions,paragraph8.13.
     31WhatsAppIE'sArticle65Submissions,paragraph8.14.
     31WhatsAppIE'sArticle65Submissions,paragraph8.14.
     319
       WhatsAppIE'sArticle65Submissions,paragraph8.14.
     32Article56(6)GDPR.
     32SeeArticle51(2),Article60,Article61(1)GDPRandtheJudgementoftheCJEUof15June2021,Facebook
     IrelandLtdandOthersvGegevensbeschermingsautoriteit,CaseC-645/19,ECLI:EU:C:2021:483,(hereinafter‘C-
     645/19FacebookIrelandLtdandOthers’),paragraphs53,63,68,72.
     322
       Articles63and65GDPR.



     Adopted                                                                                           56     WhatsAppIEtobringitsprocessingoperationsintocompliancewiththe provisions ofArticle6(1)GDPR
     with respect to the processing of service improvements and security for which WhatsApp IE relied

     upon Article6(1)(b) GDPR.

         WhatsApp IE’spositiononthe objectionsand itssubmissions

261.WhatsAppIEconsidersthat“Anycorrectivemeasuresshould be exercisedina manner consistentwith
     theprinciplesofproportionality” and“should not go beyond whatisnecessarytoachieve theobjective
                                                                                              323
     ofensuring compliancewith theGDPR”,inparticularinaccordancewithRecital129 GDPR              .

262.In addition, WhatsApp IE argues that “the EDPB cannot direct, nor can the DPCimpose, a corrective
     orderthat wouldbe prescriptiveinspecifying a legalbasis on which WhatsApp Irelandmust rely”     32.

263.Moreover,WhatsAppIE statesthat“WhatsApp Irelandcan onlybe orderedtobring itsprocessing into
     compliance by ensuring it has a valid legal basis for processing and must be afforded discretion as to
                                      325
     how it achievessuchcompliance”      .

264.Finally, WhatsAppIEarguesthat“Thereisno basis for theimposition ofadministrative fines”     326and“it
     would be inappropriate, disproportionate, and unnecessary to impose an administrative fine”    32, as

     further developed byWhatsApp IEin Section8.

         EDPB’sassessment on themerits

265.In assessing the appropriate corrective measures to be applied, Article 58(2)(d) GDPR lists the
     following correctivemeasure:


     “order the controller or processor to bring processing operationsinto compliance with the provisions
     ofthis Regulation,whereappropriate,ina specifiedmanner and within a specified period”.

266.According to recital 129 GDPR, every corrective measure applied by a supervisory authority under
     Article58(2)GDPRshouldbe “appropriate,necessaryandproportionateinviewofensuringcompliance

     withthe Regulation”in light ofthe circumstancesof eachindividual case.This highlightsthe need for
     the corrective measures and any exercise of powers by supervisory authorities to be tailoredto the
     specific case. Recital129 GDPR also provides that each measure should “respect the right of every

     person to be heard before any individual measure which would affect him or her adversely is taken”.
     The measures chosen should provide consideration to ensuring that theydo not create “superfluous
     costs” and“excessiveinconveniences”for the persons concernedinlight of theobjective pursued.

267.Recital148 GDPR shows the duty for supervisory authoritiestoimpose correctivemeasures that are

     proportionate tothe seriousness ofthe infringement.

268.TheEDPB recallsthatalthoughthe supervisory authoritymust determinewhich actionis appropriate
     andnecessary andtake into considerationall the circumstancesof the processing ofpersonal data in
     question in that determination, the supervisory authority is nevertheless required to execute its
                                                                                   328
     responsibility for ensuring thatthe GDPRisfully enforcedwithalldue diligence     .





     323
       WhatsAppIE'sArticle65Submissions,paragraph8.15.
     32WhatsAppIE'sArticle65Submissions,paragraph8.33.
     32WhatsAppIE'sArticle65Submissions,paragraph8.34.
     32C‑311/18SchremsII,paragraph112.
     32C‑311/18SchremsII,paragraph112.
     328
       C‑311/18SchremsII,paragraph112.



     Adopted                                                                                           57269.The EDPB agreeswith the FI SA that “the infringement cannot be consider as minor”        329. The EDPB

     reiteratesthat lawfulness of processing is one of the fundamental pillars of the data protectionlaw
     andconsiders thatprocessing ofpersonaldatawithoutanappropriatelegalbasis isaclear andserious
     violation of the data subjects’ fundamental right to data protection. In addition, the infringement in

     the present case concernsa highnumber of datasubjects     330and alargeamount of personaldata.

270.Indeed,theEDPBagreeswiththeFISAthat“IftheIESAdoesnotmakeuse oftheirrespectivecorrective

     powers, there is danger that WhatsApp continuesto unlawfully process personal data on the foot of
     Article 6(1)(b) GDPR” for service improvement and security processing operations    331and “there isa
     danger that WhatsApp continuesto undermine or bypass” data protection principles      332. In addition,

     failure toadopt anycorrectivemeasureinthis case“would amountto a dangerousprecedent,sending
     adeceivingmessage to themarket andto data subjects,and would endangerthe fundamentalrights

     andfreedomsofdatasubjectswhose personaldata are and willbe processed bythecontroller”.           333

271.As aconsequence, the EDPBfinds it appropriateforanordertobringprocessingintocomplianceto

     be imposed in this case (without prejudice to the additional conclusions in respect of the imposition
     of administrativefines available below in Section8).

272.According to the EDPB, the deadline for compliance with the order should be reasonable and

     proportionate,inlight ofthe potentialfor harmstothe datasubject rightsandtheresourcesavailable
     tothe controller toachievecompliance   334.

273.Finally, the EDPB recallsthat non-compliance withan order issued by a supervisory authority canbe

     relevantbothin termsofit being subject toadministrativefines upto20.000.000eurosor,in thecase
     of anundertaking,up to4% ofthe totalworldwide annualturnover of the preceding financial year in

     line with Article 83(6) GDPR, and in terms of it being an aggravating factor for the imposition of
     administrative fines.335Inaddition, the investigative powersof supervisory authoritiesallow them to

     order the provision of all the information necessary for the performance of their tasks including the
     verificationof compliance withone of theirorders  336.

274.Inlightoftheabove,theEDPBinstructstheIESAtoincludeinitsfinaldecisionanorderforWhatsApp

     IE to bring its processing ofpersonaldata for the purposes ofservice improvement and security


     329FI SAObjection,paragraph43.
     330
        FI SAObjection,paragraph46:“thedraftdecisionaffectsallthedatasubjectswithintheEEA.Therefore,the
     consequencesofnotmakinguseofthecorrectivepowerspursuanttoArticle58(2)GDPRarevast ”.
     331FI SAObjection,paragraph37.
     332FI SAObjection,paragraph37.
     333FI SAObjection,paragraph45.
     334
        TheEDPBrecallsitsBindingDecision1/2021adoptedon28July2021wheretheEDPBwascalledtoresolvea
     dispute pursuant to Article 65 GDPR concerning, among others, the appropriateness of the deadline for
     compliancesuggested inthedraft decision at stake. After highlighting therelevanceof Recitals 129 as well as
     148 GDPR for theimposition of correctivemeasures, theEDPB took intoaccount thenumber of data subjects

     affected and theimportanceof theinterest of affected data subjects in seeing therelevant provisions of the
     GDPR complied with ina short timeframe. WhiletheEDPB also tooknoteof thechallenges highlighted by the
     controller,itfoundinthatcasethatacomplianceorderwithathreemonths’timeframecouldnotbeconsidered
     disproportionateconsidering the infringement as well as the type of organization, its sizeand the means

     (includinginteraliafinancialresourcesbutalsolegalexpertise)availabletoit.Consequently,theEDPBinstructed
     theLSAto amendthedraftdecisionbyreducingthedeadlineforcompliancefromsixmonthstothreemonths.
     EDPBBindingDecision1/2021,paragraphs254-263.
     335Article83(2)(i)GDPR.
     336Article58(1)GDPR.




     Adopted                                                                                            58     featuresin thecontextofits TermsofServiceinto compliancewith Article 6(1) GDPRin accordance
     withthe conclusion reachedbythe EDPB     337withina specified periodof time  33.



     8 ON THE IMPOSITION OFAN ADMINISTRATIVEFINE


     8.1 Analysis by the LSA inthe DraftDecision

275.TheIESA asLSAdoes notfind anyinfringementintheDraftDecision,thusnocorrectivemeasuresand,
     in particular,noadministrativefine areforeseen. TheIE SA points out thatinthe own-volition inquiry

     in relation toWhatsApp IE’sPrivacyPolicy (deemed as “WhatsApp TransparencyDecision” by the IE
     SA)corrective measuresandamongthem anadministrativefine areincluded          33. Moreover,asfurther
     clarified by the IE SA, no further examination or the issuance of further determinationis needed, as

     the issues raisedin the latterareconsistent withthe present case.


     8.2 Summary of the objections raised by the CSAs

276.The FR SA, NOSA, DE SA and IT SA object to the IE SA’sfailure to take actionwith respect to one or
     more specific infringements they deem should have been found and ask the IE SA to impose an

     administrativefineasa result of these infringements.

277.The FR SA objects to the absence of an administrative fine by the IESA in its Draft Decision. Since a
     breachofArticle 6 GDPRhasbeencommittedin the opinion of theFR SA, whichin light ofthe serious
     character of this infringement should result in the imposition of an administrative fine. If further

     breaches were to be identified with regard to the processing related to behavioural advertising,
     provision ofmetricstothirdpartiesandwiththeprocessing ofspecialcategoriesofpersonaldata,they
                                                                                                   340
     should be takenintoaccount bythe IESA when defining the amount ofthe administrativefine          . The
     FR SA therefore asksthe IE SA toimpose anadministrativefine.

278.The NO SA and DE SA also argue that the IE SA should take concrete corrective measures against

     WhatsApp IE in relation to the additional infringement of Article 6(1) GDPR or Article 6(1)(b) GDPR,
     including toimpose anadministrativefine   341.

279.The IT SA arguesthatthere should be anadministrative fine following the finding of aninfringement
                            342                                  343
     ofArticle5(1)(a)GDPR     ,andofArticle5(1)(b) and(c)GDPR       .TheITSAarguesthatWhatsAppIEhas
     failedtocomplywiththe generalprinciple offairness under Article5(1)(a)GDPR,which,inthe view of

     the IT SA, entails separate requirements from those relating specifically to transparency. Moreover,
     the IT SA statesthat there is an additional infringement of points (b) and(c) of Article 5(1) GDPR on
     account of WhatsApp IE’s failure to comply with the purpose limitation and data minimisation

     principles. TheIT SA asks for a fine tobe issued for those additionalinfringements.






     337As establishedaboveinSubsection4.4.2.
     338
        Seeabovefootnote334onparagraph272.
     339DraftDecision,paragraph5.9.
     340FRSAObjection,paragraph53.
     341NOSAObjection,p.9;DESAObjection,p.8.
     342ITSAObjection,p.10.
     343
        ITSAObjection,p.8.



     Adopted                                                                                            59280.Inaddition, theEDPBconsidersthe FISA’srequesttoconsider theimposition ofanadministrativefine,

     assummarised above inSubsection 7.2,not asa separateobjection but ratherasa possible outcome
     of theIE SA’suse of itscorrectivepowers pursuant toArticle 58(2)GDPR    34.


     8.3 Position of the LSA on the objections

281.TheIESA notesinitsComposite Response thatitis satisfiedthatthescope oftheinquiry isappropriate
     andno question of aninfringement ofthese provisions arisesfrom the complaint, thereforethe IE SA

     would not exercise itscorrectivepowers andwould not follow therespective objections   345.


     8.4 Analysis of the EDPB


     8.4.1 Assessment of whether theobjections were relevant and reasoned

     The objections raisedby theFR SA, NOSA, DESA andITSA concern“whethertheactionenvisaged in
     theDraft Decisioncomplieswith theGDPR”     346.

282.Inaddition tothe primaryargument levelled against allCSA’s objections    347as wellas the arguments

     against the objections regarding Article 6(1) GDPR of these CSAs, WhatsApp IE provides additional
     arguments on why it considers these not to be relevant and/or reasoned. In a general manner,

     WhatsApp IEarguesthatin anyevent, thereis no basis for a finding that theyinfringedArticle 6(1), 9
     and/or 5 GDPR because the actualprocessing hasnot been investigatedor assessed in the course of
                           348
     theinquiry bytheIESA     .Moreover,WhatsAppIEopines thattheimposition ofanadministrativefine
     with respect to new findings of infringements would violate its right to be heard and rights of the
     defence 34. Furthermore, WhatsApp IE points out that the power to impose an administrative fine

     under the GDPR lies within the sole competence of the IE SA and that the EDPB does not have the
     power to consider objections solely challenging the amount of a fine or the possible instruction to
                  350
     impose a fine   .

283.WhatsApp IEisof the view thatthe FR SA’sobjection cannotbe consideredrelevant because theyare
     dependent on another objection, which WhatsApp IE deems “anincorrect allegationof infringement

     of Article 6(1)(b) GDPR”351. WhatsAppIE alsodoes not consider the FR SAs objection to be reasoned
     enoughwithregardstothe powertoimpose administrativefineslying withtheLSA andconsiders that

     the FR SAs objection“fails tospecify anydirect,substantial, or plausible risks thatcould be prevented
     by applying Article 83(3)GDPR” 352.RegardingtheDESA and NOSA objections tothe imposition of an

     administrative fine, WhatsApp IE does not provide arguments against the “relevant and reasoned”
     threshold apartfrom the generalpositions alreadyreflected.


     344
       FI SAObjection,paragraph43to46.
     34CompositeResponse,paragraph78.
     34GuidelinesonRRO,paragraph32.
     34WhatsAppIE’sarguesthattheseare“matters[…]outsidetheDefinedScopeofInquiryand,assuch,these

     ObjectionsarenotrelevantanddonotmeettherequirementsofArticle4(24).Accordingly,theEDPBisnot
     competenttoenter intothesubstantiveconsiderationofthesubjectmattersoftheseObjectionsortopurport
     to directtheDPCtofindadditionalinfringementsoftheGDPR”(WhatsApp’sArticle65Submissions,paragraph
     7.3).TheEDPBdoes notsharethisunderstanding,asexplainedabove.SeeSection4.4.1.
     348
     349hatsAppIE’sArticle65Submissions,paragraph7.5.
       WhatsAppIE’sArticle65Submissions,paragraph7.4.
     35WhatsApp'sIE’sArticle65Submissions,paragraph7.9.
     35WhatsAppIE'sArticle65Submissions,Annex1,p.82.
     35WhatsAppIE'sArticle65Submissions,Annex1,p.82-83.




     Adopted                                                                                          60284.It is in the EDPB’sunderstanding that the FR SA disagrees with a specific part of the IE SA’s Draft
     Decision, namely the lackof anadministrative fine regardingthe breachof Article6 GDPR.TheFR SA

     adds that if additional breacheswere tobe found after anyfurther investigations by the IE SA, they
     should be taken into account when assessing the fine and its amount     35. In consequence, the EDPB

     considers the objection tobe relevant.

285.The FRSA further arguesthatthe lackofanadministrative fine isincontradictionwiththe seriousness
     of the issues at hand, the nature ofthe processing and the size ofthe controller 35. Inthe view of the

     FR SA, not imposing a fine would clearlybe detrimentaltothe rights,freedoms andguaranteesofthe
     data subjects andwould also lead toreduce the authorities' coercive power and, consequently, their
     ability to ensure effective compliance with the protection of the personal data of European

     residents355. Therefore,the EDPBconsiders the objection tobe reasonedandtoclearlydemonstrate
     the significance ofthe risks posed by the DraftDecision.


                                                      ***

286.The EDPBrecallsthatthe NO andDESAarguethat WhatsAppIE maynot relyon Article6(1)(b) GDPR

     for the specified data processing and the IE SA should exercise its corrective powers and impose an
     administrative fine356. If followed, these objections would lead to a different conclusion as to the

     possible imposition ofanadministrativefine. Inconsequence, theEDPBconsiders theobjections tobe
     relevantandto be reflections upon how the IE SA intheir view should 'give full effect tothe binding
     direction(s) asset out in the EDPB’sdecision 357. The EDPB finds that the objection is concrete in the

     changeproposed. However,it takesnote thatthe NOandDE SA’sassessment ofthe risks of the draft
     decision relatetothe IESAs interpretationofArticle6(1)(b) GDPRandnot sufficiently tothe lackofan

     imposition ofanadministrative fine. Therefore,the EDPBdoesnot consider this aspectof the NOand
     DE SAs objections tomeet the requirements of Article 4(24) GDPR andare therefore not sufficiently
     reasoned  358.


287.Takingintoaccounttheaforementioned,theEDPBconsidersthattheobjectionoftheFRSA requesting
     the imposition of anadministrativefine is relevantandreasonedpursuanttoArticle4(24) GDPR.

288.With respect tothe objection raisedby the ITSA concerning the imposition of anadministrative fine

     for the allegedinfringement ofthe fairnessprinciple enshrined inArticle5(1)(a), theEDPBfinds thatit
     stands in connection with the substance of the Draft Decision, as it concerns the imposition of a

     corrective measure for an additional infringement, which would be found as a consequence of
     incorporating the finding put forward by the objection. Clearly, the decision on the merits of the
     demandtotake correctivemeasuresfor aproposed additionalinfringement isaffectedby theEDPB’s

     decision on whethertoinstruct the IESA toinclude anadditionalinfringement.

289.If followed, the IT SA’s objection sets out how it would lead to a different conclusion in terms of
     corrective measures imposed   359. Therefore, the EDPB finds the objections raised by the IT SA to be

     relevant.


     353FRSAObjection,paragraph53.
     354
     355FRSAObjection,paragraph56.
        FRSAObjection,paragraph56-57.
     356NOSAObjection,p.8-9;DESAobjection,p.8.
     357GuidelinesonArticle65(1)(a)GDPR,paragraph50.
     358SeealsoSection4.4.1ofthisBindingDecision.
     359
        ITSAObjection,p.8-10.



     Adopted                                                                                            61290.WhatsApp IE argues the IT SA’s objection is insufficiently detailed, adding that it is not possible to
     identify the legalargumentsthe IT SA wishes toput forward in respect of the fine   360.The EDPB finds
     thatthe ITSA adequatelyargueswhytheypropose amending the DraftDecisionandhow thisleadsto

     a different conclusion in termsofadministrative fine imposed 361.

291.WhatsAppIEarguestheobjection oftheITSA failstodemonstratetheriskposed bytheDraftDecision
     as required and, in doing so, WhatsApp IE dismisses the concerns articulated by the IT SA on the
                                      362
     precedent thedraft decision sets    .

292.The EDPBfindsthatthe ITSA articulatesanadverse effectonthe rightsandfreedomsofdata subjects
     if the DraftDecisionis left unchanged, byreferring toa failure toguaranteea highlevelof protection
                                                           363
     inthe EU for the rightsandinterestsofthe individuals    .

293.Therefore,the EDPBconsidersthe IT SA’sobjectionconcerning the impositionof afine for the alleged
     additionalinfringement of theprinciple of fairnessenshrined in Article5(1)(a) GDPRtobe reasoned.


                                                      ***

294.The EDPB recallsitsanalysis of whether the objection raised by the IT SA in respect of the proposed

     allegedadditionalinfringements of Article 5(1)(b) GDPRand 5(1)(c) GDPRmeetsthe threshold set by
     Article 4(24) GDPR (see Section 5.4.1 above). In light of the conclusion that such objection is not
     relevantand reasoned,the EDPBdoes not needtofurther examine thislinked objection.

295.Furthermore, with regardto the FI SA’s objection the EDPB recalls the analysis made in Subsection

     7.4.1andin 8.2of thisBinding Decision.

     8.4.2 Assessment on the merits


296.In accordance with Article 65(1)(a) GDPR, the EDPB shall take a binding decision concerning all the
    matters which are the subject of the relevant and reasoned objections, in particular whether the

    envisagedactioninrelationtothe controller or processor complies withtheGDPR.

297.Regarding the processing of purposes or of data categoriesraisedby the FR SA and which were not
    part of the scope of the inquiry, it is appropriate to refer to the EDPB conclusion as statedabove in

    subsection 6.1.4.2,wheretheIE SA is instructedtolaunchfurther investigations.

298.Regarding the FI SA’s objection as mentioned in Subsection 8.2 and analysed in Section 7, the EDPB
    againrecallsthat it only takesnote ofit, asit is not deemeda separateobjection but rather apossible

    outcome of theIE SA’suse of itscorrectivepowers pursuant toArticle 58(2)GDPR.

299.Whenassessing themeritsofall theobjections raised,theEDPBalsotakesintoaccount WhatsAppIE’s
    position on the objectionand itssubmissions.

300.WhatsAppIE considers thatthe LSA hassole discretiontoimpose anadministrativefine. WhatsApp IE

     argues that in the context of a matter relating to cross-border processing, the power to impose an


     360WhatsAppIE'sArticle65Submissions,Annex1,p.108-109.
     361TheITSAargues thatthefindingofsuchinfringement“shouldresultintotheimpositionoftherelevant
     administrativefineasperArticle83(5)(a)GDPR”,addingtherequirementthateachfineshouldbe
     proportionateanddissuasiveandarguingthegravityoftheinfringement,seeITSAObjection,p.10.
     362
     363WhatsAppIE'sArticle65Submissions,Annex1,p.109.
        ITSAObjection,p.10.



     Adopted                                                                                            62     administrativefine under theGDPRlieswithinthesole competenceofthe LSA andnot the CSAsor the
     EDPB. Furthermore, WhatsApp IE arguesthat the GDPR does not confer any power on the EDPB to

     consider objections solely challengingthe amountof afine, andthe EDPBmaynot giveinstructions as
     towhethera fine ought tobe imposed, or as toits amount    364.


301.According to the EDPB, the views of WhatsApp IE amount to a misunderstanding of the GDPR one-
     stop-shop mechanism and of the shared competencesof the CSAs. The EDPBresponds to WhatsApp
     IE’sargumentthattheLSAhassole discretiontodetermine theappropriatecorrectivemeasuresinthe

     event ofa finding ofinfringement above (see Section7, paragraph258-259).

302.While the EDPB agreesthat the LSA does act as “sole interlocutor” of the controller or processor  365,
     this should not be understood as meaning it has “sole competence” in a situation where the GDPR

     requires SAs to cooperate pursuant to Article 60 GDPR to achieve a consistent interpretationof the
     Regulation 36. The fact that the LSA will be the authority that can ultimately exercise the corrective

     powerslistedin Article58(2)GDPRcannotlimit the role ofthe CSAswithinthe cooperationprocedure
     or the one of the EDPBinthe consistency procedure   36.

303.Therefore,contrarytoWhatsAppIE’sviews, the consistencymechanism mayalsobe usedtopromote

     a consistent applicationbythe supervisory authoritiesof thecorrectivemeasures, takingintoaccount
     the range of powers listed in Article 58(2) GDPR, whena relevant and reasoned objection questions

     the action(s) envisaged by the Draft Decision vis-a-vis the controller/processor, or the absence
     thereof368.More specifically, whenraising anobjection on the existing or missing corrective measure

     – suchasanadministrativefine – intheDraftDecision,theCSA should indicate whichactionit believes
     would be appropriatefor theLSA toundertakeandinclude in thefinal decision     369.

     8.4.2.1.1  Assessment of whetheranadministrativefine should be imposedfor the infringementof

                Article6(1) GDPR
304.The EDPB considers that the objection found tobe relevant andreasoned in this subsection requires
     anassessment of whether the DraftDecisionneeds tobe changedin respect tothe lackof corrective

     measures proposed. More specifically, the EDPB needs to assess the request to impose an
     administrative fine for the infringements that are ought to be found by the LSA according to this

     Binding Decision.The EDPBrecallsitsconclusion inthisBinding Decisiononthe infringementof Article
     6(1)GDPR  370.

305.The EDPBconcurs that the decision to impose anadministrative fine needs tobe takenona case-by-

     case basisin lightof thecircumstancesandis not anautomaticone     371. However,theEDPBrecallsthat


     36WhatsAppIE'sArticle65Submissions,paragraph7.9.
     365
       Article56(6)GDPR.
     36SeeGDPRArt.51(2),60,61(1),andC-645/19FacebookIrelandLtdandOthers, paragraphs53,63,68,72.
     36Article63and65GDPR.
     368GuidelinesonRRO,paragraph7.Objectionsmayrelatetobothexistingormissingelementsinthedraft

     decision.
     36GuidelinesonRRO,paragraphs29and33.
     37SeeSection4.4.2ofthisBindingDecision.
     37WP29GuidelinesonAdministrativefines,p.6(“Likeallcorrectivemeasuresingeneral,administrativefines

     shouldadequatelyrespondtothenature,gravityandconsequences ofthebreach,andsupervisoryauthorities
     mustassessallthefacts ofthecaseina mannerthatisconsistentandobjectivelyjustified.Theassessmentof
     whatis effective,proportionalanddissuasiveineachcasewillhavetoalsoreflecttheobjectivepursuedbythe
     correctivemeasurechosen,thatiseithertore-establishcompliancewiththerules,ortopunishunlawful
     behavior(orboth)”),p.7(“TheRegulationrequiresassessmentofeachcaseindividually”;“Finesarean




     Adopted                                                                                           63     when a violation of the Regulation has been established, competent supervisory authorities are

     required to react appropriatelytoremedy this infringement in accordance with the means provided
     to them by Article 58(2) GDPR   372, which includes the possible imposition of an administrative fine
                                      373
     pursuant toArticle 58(2)(i) GDPR    .

306.Indeed, asalreadymentioned the consistency mechanism mayalso be used to promote a consistent
     applicationofadministrativefines 374: wherearelevantandreasonedobjectionidentifiesshortcomings

     in the reasoning leading tothe imposition of the fine atstake (or naturallythe lackof one), the EDPB
     can instruct the LSA to engage in a new assessment of the need for a fine or the calculation of a
                   375
     proposed fine   .

307.The EDPBagainwantstorecallthat althoughthe supervisory authoritymust determine whichaction
     is appropriate and necessary and take into consideration all the circumstances of the processing of

     personal datain question inthat determination,the supervisory authorityis nevertheless requiredto
     executeits responsibility for ensuring that the GDPRis fully enforced withalldue diligence 376.Recital

     148 shows theduty for supervisory authoritiesto impose correctivemeasuresthat areproportionate
     tothe seriousness ofthe infringement  377.


308.With respect tothe imposition of anadministrative fine, the EDPBrecallsthe requirements of Article
     83(1)GDPR,aswellasthatdue account must be giventothe elementsof Article83(2) GDPR.

309.Asalreadyestablished theEDPBconsiders the lawfulnessofprocessingtobe one ofthe fundamental

     pillars of the data protection law and that processing of personal data without an appropriate legal
     basis is aclear andserious violation of the datasubjects’ fundamentalright todataprotection   378.The
                                                                                         379
     EDPBthereforeagreeswiththe FR SA in considering the identified breachasserious         .

     Furthermore, the EDPB takes the view that the infringement at issue relates to the processing of
     personal dataof asignificant numberofpeopleina cross-borderscopeandthattheimpact onthem

     hastobe considered   38.

310.The EDPB underlines that the specific circumstances of the case have to be reflected. Such

     circumstances not only refer to the specific elements of the infringement, but also those of the
     controller or processor whocommittedthe infringement,namelyitssize andfinancial position      381.



     importanttoolthatsupervisoryauthoritiesshoulduseinappropriatecircumstances.Thesupervisory

     authoritiesareencouragedtousea consideredandbalancedapproachintheiruseofcorrectivemeasures,in
     ordertoachievebothaneffectiveanddissuasiveaswellasa proportionatereactiontothebreach.Thepointis
     to notqualifythefinesaslastresort,nortoshyawayfromissuingfines,butontheotherhandnottousethem
     insuchawaywhichwoulddevaluetheireffectivenessasa tool.”).
     372
     373C-311/18SchremsII,paragraph111.
        SeealsoFI SAObjection,paragraph43.
     374Recital150GDPR.
     375GuidelinesonRRO,paragraph34.
     376C-311/18SchremsII,paragraph112.
     377
        Recital 148GDPR states, forinstance:“in a caseof a minor infringement or if thefinelikely to beimposed
     wouldconstitutea disproportionateburdentoa natural person,a reprimandmaybeissuedinsteadofa fine”.
     TheEDPBconfirmedthat“theindicationsprovidedbythisRecitalcanberelevantfortheimpositionofcorrective
     measures in general and for the choiceof the combination of correctivemeasures that is appropriateand

     proportionatetotheinfringementcommitted”.EDPBBindingDecision1/2021,paragraph256.
     378Article8(2),EUCharter.
     379FRSAObjection,paragraph56.
     380SeeGuidelinesoncalculationoffines,paragraph54.
     381
        OnturnoverseeGuidelinesoncalculationoffines,paragraph49;alsoFRSAobjection,paragraph56.


     Adopted                                                                                            64311.Though the damageis verydifficult toexpress in termsof a monetaryvalue, it remains the case that
    data subjects have been faced with data processing that should not have occurred (by relying

    inappropriately on Article 6(1)(b) GDPR as a legal basis as established in section 4.4.2). The data
    processing in question entails decisions about information that data subjects are exposed to or
    excluded from receiving.The EDPB recallsthat non-materialdamageis explicitly regardedas relevant

    in recital75 GDPR and that such damage may result from situations “where data subjects might be
    deprivedof their rights and freedomsor prevented from exercising controlover their personal data”.

    Giventhe nature andgravityof the infringement ofArticle 6(1)GDPR,arisk of damagecausedtodata
    subjects is, insuch circumstances,consubstantial withthe finding of the infringementitself.

312.In the light of the nature and gravity of the infringement pursuant to Article 83(2)(a) GDPR as

     identified inthe paragraphsabove, inthe view of theEDPBthe combination ofthe mentionedfactors
     alreadyclearlytipthe balance infavourofimposinganadministrativefine.

313.For conduct infringing data protection rules, the GDPR does not provide for a minimum fine. Rather,
     the GDPR only provides for maximum amounts in Article 83(4)–(6) GDPR, in which several different

     typesof conduct aregrouped together.Afine canultimatelyonly be calculatedbyweighing upallthe
     elementsexpressly identified in Article83(2)(a)–(j) GDPR,relevanttothe case andany other relevant

     elements, even if not explicitly listed in the said provisions (as Article 83(2)(k) GDPR requires togive
     due regardto any other applicable factor). Finally, the final amount of the fine resulting from this
     assessment must be effective, proportionate and dissuasive in each individual case (Article 83(1)

     GDPR).Anyfine imposedmust sufficiently takeintoaccountallofthese parameters,whilstatthesame
     time not exceedingthe legalmaximum provided for inArticle 83(4)–(6)GDPR      382.

314.Inlight ofthe above, the EDPBinstructstheIESAtoimposeanadministrativefine, remaining inline

     with the criteria provided for by Article 83(2) GDPR and ensuring it is effective, proportionate and
     dissuasive in line with Article 83(1) GDPR, in accordance withthe conclusions reached by the EDPB,

     namelythe identified infringementof Article6(1) GDPR.

     8.4.2.1.2  Assessment of whetheranadministrativefine should be imposedfor the infringementof
                the fairnessprinciple under Article5(1)(a)GDPR


315.The EDPB recalls its conclusion in this Binding Decision on the infringement by WhatsApp IE of the
     fairness principle under Article 5(1)(a) GDPR383 and that the objection raised by the IT SA, which is

     found to be relevant and reasoned, requested the IE SA to exercise its power to impose an
     administrative fine38.

316.The EDPB takesnote of WhatsApp IE’sview that the IT SA objection is not relevant and reasoned       385
     and also notes that WhatsApp IE takes that view that inappropriate, clearly disproportionate, and

     unnecessary toimpose anadministrative fine   386.








     382SeeGuidelinesoncalculationoffines,paragraph16.
     383Section5.4.2ofthisBindingDecision.
     384Paragraphs289-293ofthisBindingDecision.
     385
     386Paragraph138ofthisBindingDecision.
        WhatsAppIE'sArticle65Submissions,Annex1,p.109.



     Adopted                                                                                            65317.The EDPBagainrecallsthat the decisiontoimpose anadministrative fine needs tobe takenon acase-
                                                                          387
     by-case basis in light of the circumstances andis not anautomatic one   and the specificities of the
     case have tobe takeninto account.

318.As previously established, the principle of fairness under Article 5(1)(a) GDPR, althoughintrinsically
     linked totheprinciples of lawfulness andtransparencyunder thesame provision, hasanindependent
             388
     meaning    .

319.Considering the EDPB’s findings in Section 5.4.2 that WhatsApp IE has not complied with key
     requirementsof the principle of fairness, the EDPB reiteratesitsview that WhatsApp IEhas infringed
     the principle of fairness under Article 5(1)(a) GDPR and agreeswith the IT SA that this infringement

     should be adequately taken into account by the IE SA in the calculation of the amount of the
     administrative fine tobe imposed following the conclusion ofthis inquiry.

320.Therefore, the EDPB instructsthe IE SA to take intoaccount the infringement by WhatsApp IE of the

     fairnessprinciple enshrinedinArticle5(1)(a)GDPRasestablishedabove whendeterminingthe fine for
     the violation of Article 6(1) GDPR asinstructed above. If, however, the IE SA considers an additional
     fine for the breachofthe principle offairness isanappropriatecorrectivemeasure,theEDPBrequests
     the IE SA toinclude this in its final decision. Inanycase, the IE SA must take into account the criteria

     providedfor byArticle83(2)GDPRandensuringit iseffective,proportionateanddissuasive inline with
     Article83(1) GDPR.



     9 BINDINGDECISION

321.Inlight of the above andin accordancewiththe taskof the EDPBunder Article70(1)(t) GDPRtoissue

    binding decisions pursuant to Article 65 GDPR, the EDPB issues the following binding decision in
    accordancewithArticle65(1)(a) GDPR.

322.The EDPB addresses this Binding Decision to the LSA in this case (the IE SA) and to all the CSAs, in
    accordancewithArticle65(2) GDPR.

323. On the objections concerning whether the LSA should have found an infringement for lack of

    appropriatelegalbasis

         1. The EDPB decidesthat the objections of the DE SA, FI SA, FR SA, NL SA and NO SA regarding
     WhatsApp relianceon Article6(1)(b) GDPR,meettherequirementsof Article4(24) GDPR.

         2. The EDPB decides that WhatsApp IE has inappropriately relied on Article 6(1)(b) GDPR to
     process the Complainant’spersonal data for the purpose of service improvement and securityin the

     contextofitsTermsofService andthereforelacksalegalbasis toprocess thesedata.WhatsAppIEhas
     consequently infringed Article6(1)GDPRby unlawfully processing personal data.

         3. The EDPB instructsthe IE SA to alter its Finding 2 of its Draft Decision, which concludes that
     WhatsAppIEmayrelyonArticle6(1)(b) inthecontextofitsoffering ofTermsofService,andtoinclude

     aninfringement ofArticle6(1)GDPR,onthebasisoftheconclusion reachedbytheEDPBinthisBinding
     Decision.




     387Seeaboveparagraph305ofthisBindingDecision.
     388Seeparagraph147-149ofthisBindingDecision.



     Adopted                                                                                         66324.Onthe objectionsconcerningthepotentialadditionalinfringement oftheprinciple offairness


         4. The EDPB decides thatthe objection of the IT SA regardingthe infringement by WhatsApp IE
     of theprinciple of fairnessunder Article5(1)(a)GDPR,meetsthe requirementsof Article4(24) GDPR.

         5. The EDPB instructs the IE SA to find in its final decision an additional infringement of the
     principle offairness under Article 5(1)(a)GDPRbyWhatsApp IE.

325. On the objection concerning the potential additional infringement of the principles of purpose

    limitationand dataminimisation

         6. OntheobjectionbytheITSAconcerningthe possible additionalinfringementsoftheprinciples
     of purpose limitationanddataminimisation under Article5(1)(b) and(c) GDPR,theEDPBdecides this
     objection does not meetthe requirementsofArticle 4(24)GDPR.

326. Onthe objectionsconcerningthepotentialneedfor furtherinvestigation:

         7. The EDPB decides that the objections of the IT SA, FR SA and FI SA regarding the lack of

     investigationof WhatsApp’sprocessing operationsin itsservice ofspecial categoriesofpersonal data
     (Article 9 GDPR), of data processed for the purposes of behavioural advertising, for marketing
     purposes, aswellasfortheprovision ofmetricstothirdpartiesandtheexchangeofdatawithaffiliated

     companies for the purposes of service improvements, meetthe requirementsof Article4(24)GDPR.

         8. The EDPB decides that the IE SA shall carry out an investigation into WhatsApp’s processing
     operationsinitsserviceinorder todetermineifitprocesses specialcategoriesofpersonaldata(Article
     9 GDPR),processes datafor the purposes of behavioural advertising,for marketingpurposes, as well

     asfor the provision of metricstothird partiesand the exchangeof data withaffiliatedcompanies for
     the purposes of service improvements, and in order to determine if it complies with the relevant
     obligations under the GDPR.Basedon the results of thatinvestigationandthe findings theIE SA shall

     issue a new DraftDecisioninaccordancewithArticle 60 (3)GDPR.

327. On correctivemeasuresotherthan administrative fines

         9. TheEDPBdecidesthattheobjectionoftheFI SArequesting correctivemeasurestobe imposed
     incompliance withtheArticle 58(2)GDPRmeetthe requirementsof Article4(24)GDPR.

         10.On the objections by the DE and NO SAs requesting corrective measures to be imposed in

     compliance with the Article 58(2) GDPR, the EDPB decides that these objections do not meet the
     requirementsof Article4(24)GDPR.

         11.The EDPB instructsthe IESA to include in its finaldecision anorder for WhatsApp IEto bring
     its processing of personal data for the purposes of service improvement and security featuresin the

     context of its Terms of Service into compliance with Article 6(1) GDPR in accordance with the
     conclusion reachedby theEDPB   389withina specified periodof time 39.

328.Onthe objectionsconcerningtheimposition ofan administrativefine for the lackoflegal basis

         12.The EDPB decides that the objections of the FR SA regarding the imposition of an
     administrative fine for the infringement of Article 6(1) GDPRmeetsthe requirements of Article 4(24)

     GDPR.



     38As establishedaboveinSubsection4.4.2.
     39Seeabovefootnote334onparagraph272.


     Adopted                                                                                         67          13.The EDPB decidesthat the relevant partsof the objections of the NO and DE SAs specifically

     relatingto anadministrative fine for the lackof legalbasis donot meet the threshold of Article 4(24)
     GDPR.

          14.The EDPBinstructsthe IESA tocover theadditional infringement ofArticle 6(1)GDPRwithan
     administrative fine, which is effective, proportionate and dissuasive in accordance withArticle 83(1)

     GDPR. In determining the fine amount, the IE SA must give due regardto all the applicable factors
     listedinArticle 83(2)GDPR,inparticularthenatureandgravityofthe infringementandthe number of
     datasubjects affected.

329. On theobjectionconcerningtheimpositionofan administrativefinefor theinfringementofthefairness

    principle underArticle5(1)(a) GDPR

          15.The EDPBdecidesthattheobjection ofthe ITSA regardingthe impositionofanadministrative
     fine for the infringementof Article5(1)(a) GDPRmeetsthe requirementsof Article4(24)GDPR.

          16.The EDPB instructs the IE SA to take into account the infringement by WhatsApp IE of the

     fairness principle enshrined in Article 5(1)(a) GDPR when determining the fine for the violation of
     Article6(1)GDPRasinstructedabove.If,however,theIESA considers anadditionalfine for thebreach
     oftheprinciple of fairnessisanappropriatecorrectivemeasure,theEDPBrequeststheIESA toinclude

     thisinitsfinaldecision. Inanycase,theIESA must takeintoaccountthe criteriaprovidedforby Article
     83(2)GDPRandensuring it iseffective,proportionate and dissuasive in line withArticle 83(1)GDPR.

330. On the objection concerning the imposition of an administrative fine for the infringement of Article
    5(1)(b) and (c) GDPR

          17.The EDPB decides that it does not need to examine the objection of the IT SA regarding the

     imposition of anadministrative fine for the infringement of Article5(1)(b) and(c)GDPR.


     10 FINAL REMARKS


331.This Binding Decisionis addressedtothe IESA andthe CSAs. The IE SA shall adopt itsfinaldecision on
    the basis ofthis binding decision pursuant toArticle65(6) GDPR.

332.Regarding the objections deemed not to meet the requirements stipulated by Art 4(24) GDPR, the
    EDPBdoes not take anyposition on the meritof anysubstantial issues raised bythese objections. The

    EDPBreiteratesthat itscurrent decisioniswithout anyprejudice toanyassessments the EDPBmaybe
    calledupon tomake in other cases, including with the same parties, taking into account the contents
    of therelevant draftdecision and theobjections raised bythe CSAs.

333.According to Article 65(6) GDPR, the IE SA shall adopt its final decision on the basis of the Binding

    Decision without undue delay and at the latest by one month after the EDPB has notified its Binding
    Decision.

334.The IE SA shall inform the EDPBof the date when its finaldecision is notified to the controller or the
    processor 391. This Binding Decision will be made public pursuant to Article 65(5) GDPR without delay
                                                                392
    afterthe IESA hasnotified itsfinaldecision tothe controller    .



     391Article65(6)GDPR.
     392Article65(5)and(6)GDPR.



     Adopted                                                                                            68                                                             393
335.The IESA willcommunicate its finaldecision to theBoard      .Pursuant to Article70(1)(y) GDPR,theIE
    SA’s final decision communicated tothe EDPB willbe included in the registerof decisions which have
    beensubject totheconsistency mechanism.




     For the EuropeanDataProtectionBoard

     The Chair



     (Andrea Jelinek)



















































     39Article60(7)GDPR.


     Adopted                                                                                          69