risk, as regards the defensibility of such amended finding in the event of a legal challenge before the Irish Courts 36. 34.
Concerning the objection of the PL SA, the IE SA argued that the findings of the Investigator cannot be reinstated as this would create a position whereby WhatsApp IE is found to have infringed Article 13 GDPR twice, but in respect of the same conduct as there is already a finding of infringement of Article 13 (1)(c) GDPR 37.
35.
Regarding the IT SA’s objection, the IE SA stressed that it has clearly set out its reasons for its proposed finding of compliance with Article 13(1)(d) GDPR and the objection does not have enough reasoning to support a contrary finding 38.
5.1.4 Analysis of the EDPB 36.
37.
5.1.4.1 Assessment of whether the objections were relevant and reasoned The EDPB considers that the objection of the DE SA concerns “whether there is an infringement of the GDPR” as it argues that the IE SA should have found an infringement of Article 13(1)(d) GDPR. As it demonstrates that, if followed, the objection would lead to a different conclusion as to whether there is an infringement of the GDPR or not, the objection is to be considered as “relevant” 39. The objection is also considered to be “reasoned” since the objection puts forward several factual and legal arguments for the proposed change in legal assessment. Specifically it argues that there is a lack of intelligibility because WhatsApp IE relies upon a variety of different legitimate interests, yet WhatsApp IE fails to make sure that all of the legitimate interests listed are described in a manner that is clear and transparent enough for the data subject to understand. The objection provides several examples where the legitimate interests are not described in a transparent and intelligible form, which fails to ensure the purpose of the right to information. The objection also points out that the Draft Decision incorrectly focused on whether the information was clear enough for children. As to the requirement for the objection to be “reasoned”, WhatsApp IE submitted that the DE SA objection did not meet this requirement because its statements “are not accurate” and “cannot be sufficient to satisfy the [...] threshold”, the objection “relies on unsupported descriptions of the information provided by” WhatsApp IE and on “two misplaced understandings of the requirements of Article 13(1)(d)” 40. The EDPB considers the objection to be adequately reasoned and recalls that the assessment of the merits of the objection is made separately, after it has been established that the objection satisfies the requirements of Article 4(24) GDPR 41. As for the criterion of demonstrating the significance of the risks posed for the rights and freedoms of individuals, WhatsApp IE submitted that the objection did not meet this threshold, stating that there was no evidence provided for this 42. The EDPB finds that the objection raised by the DE SA clearly demonstrates the significance of the risks posed for the rights and freedoms of individuals as it points out consequences for the data subjects, such as not being able to fully exercise their other data subject rights due to the lack of information under Article 13(1)(d) GDPR.
IE SA Composite Response, paragraph 33. IE SA Composite Response, paragraph 34. 38 IE SA Composite Response, paragraph 36. 39 Guidelines on RRO, paragraph 13. 40 WhatsApp Article 65 Submissions, paragraph 20.5. 41 See footnote 21 above. 42 WhatsApp Article 65 Submissions, paragraph 20.9. 36 37
Adopted
13
