his/her data subject rights, if he/she wishes to do so. I secondly disagree that a requirement to provide such information will result in the data subject being overwhelmed with “details”. As noted above, all a controller is required to do is identify any legislative provisions pursuant to which it (actually, rather than potentially) processes personal data. Once this information is provided in a clear and concise manner (as required by Article 12), it is difficult to see how this would operate to overwhelm a data subject. Accordingly, I do not agree that it would be necessary or appropriate for me to conclude that it would be more beneficial for data subjects if controllers were to “at most, describe the categories or types of law engaged, and explain how these categories or types of laws could result in the processing of their data”, as suggested by WhatsApp.
Identified Legal Basis 5: The vital interests of the data subject or those of another person What information has been provided? 380. In this section, I examine whether there has been compliance with Article 13(1)(c) insofar as WhatsApp refers to reliance on the legal basis set out in Article 6(1)(d) (vital interests of the data subject or another person). In this regard, the Legal Basis Notice provides the following information under this heading: “The other legal bases we rely on in certain instances when processing your data are: … The vital interests we rely on for this processing include protection of your life or physical integrity or that of others, and we rely on it to combat harmful conduct and promote safety and security, for example, when we are investigating reports of harmful conduct or when someone needs help.”
How has the information been provided? 381. The information has been provided by way of the above statement.
Assessment of Decision-Maker 382. I note that the text quoted above suggests that the vital interests basis will be used to ground processing in the context of combatting “harmful conduct” and to “promote safety and security, for example, when we are investigating reports of harmful conduct”. Given that these objectives have already been referenced in the contractual necessity and legitimate interests sections, the expected processing operation(s) should be set out with greater granularity so that the user can identify which ‘safety and security’ objectives will be grounded on vital interests, as distinct from other similar objectives for which another legal basis is relied on. Further, the user should be provided with some indication of what categories of his/her personal data might need to be processed under this heading. Again, I appreciate that the processing that might be necessitated under this heading is entirely dependent on the occurrence of particular events however WhatsApp should be able to, at the very least, provide the user with some examples of the type of data that has been processed by reference to the vital interests legal basis in the past. WhatsApp’s Response to Assessment of Decision-Maker 383. WhatsApp, by way of the Preliminary Draft Submissions, confirmed its disagreement with the above assessment, submitting that it does not consider that:
110
