Mervinskiy 437

Page 82

272. By reference to Proposed Finding 9, the Investigator set out her views in relation to the information that had been provided concerning WhatsApp’s reliance on the legitimate interests ground. The Investigator expressed the view, in this regard, that the Article 13(1)(d) requirement to identify the legitimate interests being pursued was: “a cumulative requirement, which results in Articles 13(1)(c) and 13(1)(d) operating together to place upon the data controller a requirement to set out the purposes of the processing in relation to the legitimate interests legal basis, along with the legitimate interests being pursued in carrying out the processing operations.” 273. The Investigator formed the view that the Legal Basis Notice “[conflated] the purposes of the processing of personal data with the legitimate interests relied upon to process personal data, without setting out any specific information in relation to the processing operation(s) or set of operations involved.” 274. Accordingly, the Investigator proposed a finding that WhatsApp failed to fully comply with its obligation to provide information in relation to the legitimate interests legal basis, pursuant to Articles 13(1)(c) and 13(1)(d) of the GDPR. 275. WhatsApp disagreed with the Investigator’s views. It submitted120 that: “In assessing the adequacy of the information provided, the Draft Report also fails to take into account that the description of the purpose of the processing will often, in and of itself, necessarily identify the nature of the legitimate interest in issue. The proposed finding is also based on a mischaracterisation of the obligation on a controller under Article 13(1)(c) – i.e. there is no need to specify “processing operations” ….” 276. The Investigator was unconvinced by WhatsApp’s submissions and confirmed her view, by way of Conclusion 9, that WhatsApp failed to fully comply with its obligation to provide information in relation to the legitimate interests legal basis, pursuant to Articles 13(1)(c) and 13(1)(d) of the GDPR.

Preliminary Issue: What information must be provided pursuant to Article 13(1)(c)? 277. As set out above, there was substantial disagreement, as between WhatsApp and the Investigator, in relation to what information is required to be provided by Article 13(1)(c). In the Investigator’s view, this provision requires a data controller to set out: a. “A description of the purposes of processing; b. A description of the operation, or set of operations, underlying that purpose, undertaken by the data controller; and c.

The legal basis relied upon by the data controller in order to carry out that processing operation, or set of operations.”

278. The Investigator was of the view that “this information must be provided in such a manner so that the link between the operation (or set of operations), its purpose and the legal basis is clear.” 120

The Inquiry Submissions, paragraph 11.1

82

Turn static files into dynamic content formats.

Create a flipbook

Articles inside

The Decision-Making Stage

2hr
pages 143-220

Article 83(5) and the applicable fining “cap”

14min
pages 248-256

Decision: Whether to impose an administrative fine and, if so, the amount of the fine

18min
pages 225-237

Appendix C – Terms of Order to bring processing operations into compliance, made pursuant to Article 58(2)(d

3min
pages 264-265

Summary of Corrective Powers to be Exercised

0
pages 257-258

Article 83(2)(k): any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement

10min
pages 221-224

Assessment: Article 13(2)(a) – Retention Criteria/Retention Periods

2min
page 128

Assessment: Article 13(2)(b) – the existence of the data subject rights

2min
page 132

Assessment of Decision-Maker: What information has been provided?

2min
page 129

Identified Legal Basis 5: The vital interests of the data subject or those of another person

2min
page 110

Assessment of Decision-Maker: What information has been provided?

2min
page 124

Assessment: Article 13(1)(f) – Transfers of personal data to a third country

2min
page 123

Assessment of Decision-Maker: What information has been provided?

1min
page 120

Identified Legal Basis 6: Tasks carried out in the public interest

8min
pages 111-113

Identified Legal Basis 1: Contractual Necessity

17min
pages 94-99

Identified Legal Basis 2: Consent

5min
pages 100-101

Identified Legal Basis 4: Compliance with a Legal Obligation

11min
pages 106-109

Identified Legal Basis 3: Legitimate Interests

10min
pages 102-105

Preliminary Issue: What information must be provided pursuant to Article 13(1)(c)?

26min
pages 82-92

Assessment: Application of the Proposed Approach to Article 13(1)(c

2min
page 93

Review of the Materials being relied upon by WhatsApp

10min
pages 64-67

Assessment: Article 13(1)(c) – the purposes of the processing for which the personal data are intended as well as the legal basis for the processing

7min
pages 79-81

Assessment of Decision-Maker: What information has been provided?

1min
page 76

Methodology for Part 2: Assessment and Questions for Determination

19min
pages 68-74

Relevant Provisions

4min
pages 62-63

Assessment: Article 13(1)(a) – the identity and contact details of the controller

2min
page 75
Issuu converts static files into: digital portfolios, online yearbooks, online catalogs, digital photo albums and more. Sign up and create your flipbook.