CDE Almería - Centro de Documentación Europea - Universidad de Almería

Centro de Documentación Europea de la Universidad de Almería

On July 28th, the EDPB adopted a dispute resolution decision on the basis of Art. 65 GDPR. This binding decision seeks to address the dispute arisen following a draft decision issued by the Irish (IE) SA as lead supervisory authority (LSA) regarding WhatsApp Ireland Ltd. (WhatsApp IE) and the subsequent objections expressed by a number of concerned supervisory authorities (CSAs). In accordance with the GDPR, the EDPB’s binding decision has now been published, following the notification of the IE SA’s final decision to the company.

Following its assessment, the EDPB was of the opinion that the IE SA should amend its draft decision regarding infringements of transparency, the calculation of the fine, and the period for the order to comply.

Regarding transparency, the draft decision of the IE SA already identified a severe breach of Art. 12-13-14 GDPR. The EDPB identified additional shortcomings with the information provided, impacting users’ ability to understand the legitimate interests being pursued.  Therefore, the EDPB requested the IE SA to include a finding of an infringement of Art. 13(1)(d) GDPR in its decision.

In addition, the EDPB clarified that, while not every infringement of Art. 12-14 GDPR necessarily entails an infringement of Art. 5 (1) (a) GDPR, in this particular case, in light of the gravity and the overarching nature and impact of the infringements, there has been an infringement of the transparency principle enshrined in Art. 5(1)(a) GDPR.

Regarding WhatsApp IE’s collection of data of non-users – when users decide to use the Contact Feature functionality – the EDPB found that in the present case, the procedure used by WhatsApp IE does not lead to anonymisation of the collected personal data.

Regarding the imposed fine and the calculation of the fine, the EDPB decided that the turnover of an undertaking is not exclusively relevant for the determination of the maximum fine amount in accordance with Art. 83(4)-(6) GDPR, but it may also be considered for the calculation of the fine itself, where appropriate, to ensure the fine is effective, proportionate and dissuasive in accordance with Art. 83(1) GDPR. In this case, the EDPB found the consolidated turnover of the parent company (Facebook Inc.) is to be included in the turnover calculation.

More information

Press release – European Data Protection Board

Publicaciones relacionadas:

EUROPEAN AGENDA: Legal Affairs Virtual Event – Fundamental Rights in the EU: 20 years of the European Charter and its application in Spain Spain is ordered to pay a lump sum of € 15 million and a daily penalty payment of € 89.000 Successive amendments to the Polish Law on the National Council of the Judiciary are liable to infringe EU law Women’s rights in the EU

“This is a space for debate. All comments, for or against publication, that are respectful and do not contain expressions that are discriminatory, defamatory or contrary to current legislation will be published”.

Reader Interactions

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.