of any such engagement, it is not the Commission’s responsibility to carry out a detailed review of any material discussed or presented; neither is it appropriate for any data controller to expect the Commission to undertake any, or even partial, responsibility for ensuring that it is compliant with its obligations pursuant to the GDPR. As WhatsApp is aware, the function of the Commission’s Consultation Unit is not to approve, or forensically examine, policy documents for a data controller or processor. Rather, it envisages a process of high level engagement with data controllers and processors in which the output, on the part of the Commission’s Consultation Unit, is limited to the raising of questions or making of observations on the data protection aspects of the processing in issue. This approach reflects the accountability principle set out in Article 5(2) of the GDPR, which places the primary responsibility for compliance with the GDPR on the data controller or processor concerned. 231. For the sake of completeness, I note that WhatsApp has previously recognised that: “During this period of [pre-GDPR] engagement, the DPC made it clear that it was not providing conclusive guidance on WhatsApp’s proposed updates, and instead was providing an indication of issues which WhatsApp may have wished to consider while preparing its updates. We therefore acknowledge and understand that the feedback provided did not amount to approval of the approach WhatsApp was proposing112.” 232. In the circumstances, it is apparent that WhatsApp was clearly informed, at the relevant time, of the limited function and scope of any engagement with the Commission’s consultation function. I therefore find it surprising that WhatsApp, having previously, in the course of this inquiry, openly acknowledged the limitations and true nature of the engagement with the Commission, would subsequently seek to recast that engagement and place reliance at the door of the Commission for decisions around transparency which are squarely the responsibility of WhatsApp 233. Having addressed the Submissions of General Application raised by WhatsApp, I will now proceed with my assessment of the extent to which WhatsApp has complied with the obligations arising by reference to the individual categories of information prescribed by Article 13. To the extent that WhatsApp might have included reference to any of the above matters of general application as part of its submissions in response to any individual category assessment set out below, the above reflects the manner in which I have taken those Submissions of General Application into account in the context of the particular category of information under assessment.
Assessment: Article 13(1)(a) – the identity and contact details of the controller Required Information and WhatsApp’s Response to Investigator’s Questions 234. Article 13(1)(a) requires a data controller to provide the data subject with “the identity and the contact details of the controller … ”. 235. In its Response to Investigator’s Questions, WhatsApp confirmed, by reference to question 4, that:
112
The Inquiry Submissions, paragraph 2.3
75
