EDPB publishes Binding Decision concerning WhatsApp

Jan 24, 2023

Source: European Data Protection Board

Following the EDPB’s binding dispute resolution decision of December 5th, WhatsApp IE was issued a 5.5 million euro fine by the Irish Data Protection Authority (DPA).

In its Binding Decision, the EDPB instructed the IE DPA to amend its draft decision with respect to the findings concerning lawfulness of the processing and the principle of fairness, and to the corrective measures envisaged.

Regarding the lawfulness of processing for Service improvement purposes, the EDPB decided that WhatsApp IE inappropriately relied on contract as a legal basis to process personal data. As a consequence, the EDPB instructed the IE DPA to add an infringement of Art. 6(1) GDPR. Additionally, the EDPB instructed the IE DPA to include an infringement of the principle of fairness under Art. 5(1)(a) GDPR.

The EDPB further decided that the IE DPA must carry out an investigation into WhatsApp IE’s processing operations in order to determine whether it processes special categories of personal data (Art. 9 GDPR); whether it processes data for the purposes of behavioural advertising, for marketing purposes, as well as for the provision of metrics to third parties and the exchange of data with affiliated companies for the purposes of service improvements.

With respect to corrective measures, the EDPB requested the IE SA to include in its final decision an order for WhatsApp IE to bring its processing of personal data for the purposes of service improvement in the context of its Terms of Service into compliance with Art. 6(1) GDPR within a specified period of time, and to cover the infringements of Art. 6(1) GDPR with an administrative fine.  

The final decision taken by the IE DPA are available in the Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.

Recent news

EDPB calls for coherence of digital legislation with the GDPR

Brussels, 04 December - During its December 2024 plenary, the European Data Protection Board (EDPB) adopted a statement on the second report of the European Commission on the application of the General Data Protection Regulation (GDPR).* In its statement, the EDPB...

read more

EDPB stakeholder event AI models

The EDPB is holding a stakeholder event on “AI models” with participants representing European sector associations, organisations, NGOs, individual companies, law firms and academics.    During today’s event, the EDPB will collect input for of the preparation of a...

read more