to include a photograph). When all of these consequences are considered, it is clear that the right to receive information, even in the context of the limited processing envisaged by the Contact Feature, is inextricably connected with the right to exercise control over one’s personal data. 176. Considering, then, the burden that the finding set out above might place on WhatsApp, I note that the non-user data undergoing processing is very limited, as are the processing operations that are applied to the data concerned. Accordingly, I do not consider that the preparation of the required information will be particularly burdensome for WhatsApp. My view is that the role and utility of the right to be informed, as considered above, outweighs the limited burden that would be placed on WhatsApp, as regards the formulation of the required information. In relation to the burden that would result from the requirement for WhatsApp to deliver that information to the data subjects concerned, I note that WhatsApp could, if it wished, deliver the required information by way of its existing policies and procedures. I note, in this regard, that WhatsApp could, as part of its existing onboarding procedure through the app, inform any non-user, who is considering joining the Service, of the consequences of the processing of non-user mobile phone numbers pursuant to the Contact Feature. Further, I note that WhatsApp’s user-facing transparency information is already publicly available and, in the circumstances, the inclusion of the corresponding information required for nonusers should not be a particularly burdensome or onerous task (and certainly not so burdensome that it would outweigh the data subjects’ right to receive this information).
Finding: The extent to which WhatsApp complies with its obligations to non-users pursuant to Article 14 of the GDPR 177. Accordingly, for the reasons set out above, I find that WhatsApp has failed to comply with its obligation to provide non-users with the information prescribed by Article 14. For the avoidance of doubt, nothing in the above assessment should be interpreted as being an endorsement that the processing of non-user data, by WhatsApp, is conducted in reliance upon an appropriate legal basis. As already identified, the purpose of the within inquiry is to examine the extent to which WhatsApp complies with its transparency obligations pursuant to the GDPR and, in the circumstances, the assessment of the legal basis being relied upon to support any processing operation is outside of the scope of this inquiry.
Part 2: Transparency in the Context of Users Introduction 178. Under this heading, I will consider the extent to which WhatsApp complies with its obligations under Articles 13 and 12(1) of the GDPR, in the context of its processing of personal data relating to users of the Service. The issues that I will consider under this heading correspond to the matters covered by Conclusions 3 – 13 (inclusive) of the Final Report.
Relevant Provisions 179. Article 13 of the GDPR concerns transparency where the personal data in question “are collected from the data subject”. In such a case, Article 13 requires the data subject to be provided with the following information: (a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
62
