320. WhatsApp thirdly submitted that the Proposed Approach “results in an approach that cannot be reconciled with the proportionality principle that governs the interpretation of this provision133.” It submitted, in this regard, that: “The highly prescriptive notification provisions expressly embodied in Article 13 impose onerous burdens on controllers and, consistent with the proportionality principle, it is not possible to apply Article 13(1)(c) GDPR in the manner suggested by the Commission without arriving at a disproportionate result going beyond what is necessary to achieve the GDPR’s objectives. Consequently, to the extent that Article 13(1)(c) GDPR is open to interpretation, it should be construed narrowly rather than the broad interpretation adopted by the Commission134.” 321. As is evident from the analysis of the Proposed Approach set out above, my assessment already takes account of the requirement for proportionality. 322. WhatsApp fourthly submitted that the rationale underpinning the Proposed Approach, namely the need to ensure that meaningful information is provided to empower data subjects to assess or exercise their rights and grounds for complaint, “appears not to take into account the fact that WhatsApp does provide information on the categories of data it collects and processes to data subjects in the “Information We Collect” section of the Privacy Policy.135” 323. WhatsApp is correct that, when formulating and assessing the Proposed Approach, I did not take account of the extent of information that WhatsApp provides to data subjects. This is because, when considering the issue, it was appropriate for me to do so in the abstract so as to identify the applicable requirements, against which I could assess the extent to which WhatsApp has complied with same. That assessment of compliance is set out below. 324. Having considered the various submissions made by WhatsApp, in relation to the Proposed Approach, I maintain my view that the Proposed Approach correctly reflects the requirements of Article 13(1)(c). That being the case, I will now proceed to assess the extent to which WhatsApp complies with its obligations pursuant to Article 13(1)(c).
Assessment: Application of the Proposed Approach to Article 13(1)(c) 325. As set out above, the information required to be provided by Article 13(1)(c), by reference to the Proposed Approach, is as follows: a. The purpose(s) of the specified processing operation/set of operations for which the specified category/categories of personal data are intended; and b. The legal basis being relied on to support the identified processing operation/set of operations. 326. As set out in its Response to Investigator’s Questions, WhatsApp asserts that it provides the required information by way of the Privacy Policy and Legal Basis Notice. Turning firstly to the Privacy Policy, I note that the following information is provided under the heading “How The General Data Protection Regulation Applies To Our European Region Users”: 133
The Preliminary Draft Submissions, paragraph 6.5 The Preliminary Draft Submissions, paragraph 6.17 135 The Preliminary Draft Submissions, paragraph 6.15 134
93
