On July 28th, the EDPB adopted a dispute resolution decision on the basis of Art. 65 GDPR. This binding decision seeks to address the dispute arisen following a draft decision issued by the Irish (IE) SA as lead supervisory authority (LSA) regarding WhatsApp Ireland Ltd. (WhatsApp IE) and the subsequent objections expressed by a number of concerned supervisory authorities (CSAs). In accordance with the GDPR, the EDPB’s binding decision has now been published, following the notification of the IE SA’s final decision to the company.
Following its assessment, the EDPB was of the opinion that the IE SA should amend its draft decision regarding infringements of transparency, the calculation of the fine, and the period for the order to comply.
Regarding transparency, the draft decision of the IE SA already identified a severe breach of Art. 12-13-14 GDPR. The EDPB identified additional shortcomings with the information provided, impacting users’ ability to understand the legitimate interests being pursued. Therefore, the EDPB requested the IE SA to include a finding of an infringement of Art. 13(1)(d) GDPR in its decision.
In addition, the EDPB clarified that, while not every infringement of Art. 12-14 GDPR necessarily entails an infringement of Art. 5 (1) (a) GDPR, in this particular case, in light of the gravity and the overarching nature and impact of the infringements, there has been an infringement of the transparency principle enshrined in Art. 5(1)(a) GDPR.
Regarding WhatsApp IE’s collection of data of non-users – when users decide to use the Contact Feature functionality – the EDPB found that in the present case, the procedure used by WhatsApp IE does not lead to anonymisation of the collected personal data.
Regarding the imposed fine and the calculation of the fine, the EDPB decided that the turnover of an undertaking is not exclusively relevant for the determination of the maximum fine amount in accordance with Art. 83(4)-(6) GDPR, but it may also be considered for the calculation of the fine itself, where appropriate, to ensure the fine is effective, proportionate and dissuasive in accordance with Art. 83(1) GDPR. In this case, the EDPB found the consolidated turnover of the parent company (Facebook Inc.) is to be included in the turnover calculation.