Mervinskiy 437

Page 128

Assessment: Article 13(2)(a) – Retention Criteria/Retention Periods

Required Information and WhatsApp’s Response to Investigator’s Questions

458. Article 13(2)(a) requires the data controller to provide the data subject with information in relation to “the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.”

459. In its Response to Investigator’s Questions, WhatsApp confirmed, by reference to question 6, that:

“[WhatsApp] explains the period for which personal data will be stored and how this is determined in the ‘Managing and Deleting Your Information’ section of the Privacy Policy.”

The Investigator’s Proposed Finding, WhatsApp’s Inquiry Submissions and the Investigator’s Conclusion

460. The Investigator considered the extent to which WhatsApp complies with its obligations under this heading by reference to Proposed Finding 12. She expressed the view that the information provided by WhatsApp, in this regard, was “generic”. Further, the language used was “wide-ranging” in that there was no indication as to the circumstances that might constitute “operational retention needs”.

461. Accordingly, the Investigator proposed a finding that WhatsApp failed to comply with the requirements of Article 13(2)(a).

462. WhatsApp rejected this proposed finding. It submitted[185] that this information was “clearly” explained to users in the Privacy Policy. Further, it submitted[186] that:

“Where possible, WhatsApp also provides users with additional contextual information on retention. For example the “Deleting your account” FAQ also sets out the process which follows deletion of an account, in that it “may take up to 90 days to delete data stored in backup systems” and that “personal information shared with the other Facebook Companies will also be deleted”. The reality for WhatsApp (and the vast majority of online companies of any significant size) is that it is not in a position to inform a data subject at the time their personal data is collected of the specific time period for which it will be stored, in a way that would accord with the principles of Article 12(1) GDPR (i.e. ensuring the notice is concise, transparent, intelligible and in clear and plain language). This is because there are too many variables to do this at scale in a concise and accessible way via a privacy policy. This is precisely why Article 13(2)(a) GDPR does not require controllers to provide specific retention periods to data subjects where it is not possible to do so.”

463. The Investigator was unconvinced by WhatsApp’s submissions and noted that she had not suggested that precise retention periods were required for all personal data. She confirmed, by way of Conclusion 12, that she remained of the view that WhatsApp failed to comply with its obligations pursuant to Article 13(2)(a) in circumstances where it failed to furnish sufficient detail in relation to the retention periods, or the criteria used to determine such retention periods, in operation in relation to the personal data it processes.

[185] The Inquiry Submissions, paragraph 14.1

[186] The Inquiry Submissions, paragraphs 14.2 and 14.3


