7.2.4 Analysis of the EDPB 7.2.4.1 Assessment of whether the objections were relevant and reasoned 179. Although the objection of the HU SA relating to the additional infringements of Articles 5(1)(a) and 5(2) GDPR is relevant and includes justifications concerning why and how issuing a decision with the changes proposed in the objection is needed and how the change would lead to a different conclusion in the draft decision, it does not satisfy all the requirements stipulated by Article 4(24) GDPR. In particular, the objection raised does not explicitly motivate why the Draft Decision itself, if left unchanged, would present risks for the fundamental rights and freedoms of data subjects. In addition, the EDPB notes that the HU SA’s objection does not explicitly elaborate why such a risk is substantial and plausible 171. Therefore, the EDPB concludes that the objection of the HU SA does not provide a clear demonstration of the risks as specifically required by Article 4(24) GDPR. *** 180. The EDPB notes that the objection of the IT SA concerns “whether there is an infringement of the GDPR” as it states that the Draft Decision should include an additional infringement of Article 5(1)(a) GDPR 172. The EDPB considers that the objection is to be considered “relevant” since if followed, it would lead to a different conclusion as to whether there is an infringement of the GDPR 173. More specifically, it includes a “disagreement as to the conclusions to be drawn from the findings of the investigation”, since it states that the “findings amount to the infringement of a provision of the GDPR [...] in addition to [...] those already analysed by the draft decision” 174. The EDPB is thus not swayed by the arguments put forward by WhatsApp IE which stated that this objection is not relevant because it does not refer to the “specific legal and factual content of the draft decision’’ and relates to “a matter that have not formed part of the Inquiry’’, since the objection clearly sets out a disagreement as to the conclusions reached by the IE SA 175. 181. The EDPB also considers the objection “reasoned” since it puts forward several legal arguments for the proposed additional infringement, clearly explaining the reasons for the objection 176 : the additional infringement stems from the scope and findings of the Draft Decision, which also mentions Article 5(1)(a) GDPR 177, and the overarching nature Article 5(1)(a) GDPR. Additionally, the EDPB finds that the objection of the IT SA clearly demonstrates the significance of the risks posed by the Draft Decision to the fundamental rights and freedoms of data subjects, since it would create a dangerous precedent that would jeopardize the effective protection of the data subjects and thus entail flawed corrective actions. WhatsApp IE argues that the objection is “unsupported by clear reasoning”, as it is based on “the assumption that an infringement of Articles 12 to 14 GDPR must automatically qualify as an infringement of Article 5(1)(a) GDPR’’ 178, and considers that the objection does not adequately demonstrate the risk, since Article 5(1)(a) GDPR was outside the scope of the Inquiry and the findings of infringements in the Draft Decision address the concerns of the IT SA 179. Nonetheless, the EDPB considers the objection, instead, to be adequately reasoned and recalls that the assessment of merits Guidelines on RRO, paragraph 37. In this respect, the objection of the IT SA makes reference to specific passages of the Draft Decision that refer to Article 5(1)(a) GDPR. 173 Guidelines on RRO, paragraph 13. 174 Guidelines on RRO, paragraph 26. 175 WhatsApp Article 65 Submissions, paragraphs 11.2 and 11.3. 176 Guidelines on RRO, paragraphs 17 and 19. 177 The objection refers, in particular, to paragraphs 691, 699 and 769 of the Draft Decision. 178 WhatsApp Article 65 Submissions, paragraph 11.6. 179 WhatsApp Article 65 Submissions, paragraphs 11.11 and 11.12. 171 172
Adopted
38
