4 minute read
Relevant Provisions
to include a photograph). When all of these consequences are considered, it is clear that the right to receive information, even in the context of the limited processing envisaged by the Contact Feature, is inextricably connected with the right to exercise control over one’s personal data.
176. Considering, then, the burden that the finding set out above might place on WhatsApp, I note that the non-user data undergoing processing is very limited, as are the processing operations that are applied to the data concerned. Accordingly, I do not consider that the preparation of the required information will be particularly burdensome for WhatsApp. My view is that the role and utility of the right to be informed, as considered above, outweighs the limited burden that would be placed on WhatsApp, as regards the formulation of the required information. In relation to the burden that would result from the requirement for WhatsApp to deliver that information to the data subjects concerned, I note that WhatsApp could, if it wished, deliver the required information by way of its existing policies and procedures. I note, in this regard, that WhatsApp could, as part of its existing onboarding procedure through the app, inform any non-user, who is considering joining the Service, of the consequences of the processing of non-user mobile phone numbers pursuant to the Contact Feature. Further, I note that WhatsApp’s user-facing transparency information is already publicly available and, in the circumstances, the inclusion of the corresponding information required for nonusers should not be a particularly burdensome or onerous task (and certainly not so burdensome that it would outweigh the data subjects’ right to receive this information).
Advertisement
Finding: The extent to which WhatsApp complies with its obligations to non-users pursuant to Article 14 of the GDPR
177. Accordingly, for the reasons set out above, I find that WhatsApp has failed to comply with its obligation to provide non-users with the information prescribed by Article 14. For the avoidance of doubt, nothing in the above assessment should be interpreted as being an endorsement that the processing of non-user data, by WhatsApp, is conducted in reliance upon an appropriate legal basis. As already identified, the purpose of the within inquiry is to examine the extent to which WhatsApp complies with its transparency obligations pursuant to the GDPR and, in the circumstances, the assessment of the legal basis being relied upon to support any processing operation is outside of the scope of this inquiry.
Part 2: Transparency in the Context of Users
Introduction
178. Under this heading, I will consider the extent to which WhatsApp complies with its obligations under Articles 13 and 12(1) of the GDPR, in the context of its processing of personal data relating to users of the Service. The issues that I will consider under this heading correspond to the matters covered by Conclusions 3 – 13 (inclusive) of the Final Report.
Relevant Provisions
179. Article 13 of the GDPR concerns transparency where the personal data in question “are collected from the data subject”. In such a case, Article 13 requires the data subject to be provided with the following information:
(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;
(g) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(h) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
(i) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(j) the right to lodge a complaint with a supervisory authority;
(k) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
(l) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
180. Article 12(1) complements this by requiring that:
“The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. … .”
181. Thus, while Article 13 addresses the information that must be communicated to the data subject, Article 12 addresses the way in which this information must be communicated.
