EDPB publishes Binding Decision concerning WhatsApp

24 January 2023

Following the EDPB’s binding dispute resolution decision of December 5th, WhatsApp IE was issued a 5.5 million euro fine by the Irish Data Protection Authority (DPA).

In its Binding Decision, the EDPB instructed the IE DPA to amend its draft decision with respect to the findings concerning lawfulness of the processing and the principle of fairness, and to the corrective measures envisaged.

Regarding the lawfulness of processing for Service improvement purposes, the EDPB decided that WhatsApp IE inappropriately relied on contract as a legal basis to process personal data. As a consequence, the EDPB instructed the IE DPA to add an infringement of Art. 6(1) GDPR. Additionally, the EDPB instructed the IE DPA to include an infringement of the principle of fairness under Art. 5(1)(a) GDPR.

The EDPB further decided that the IE DPA must carry out an investigation into WhatsApp IE’s processing operations in order to determine whether it processes special categories of personal data (Art. 9 GDPR), and whether it processes data for the purposes of behavioural advertising, for marketing purposes, as well as for the provision of metrics to third parties and the exchange of data with affiliated companies for the purposes of service improvements.

With respect to corrective measures, the EDPB requested the IE SA to include in its final decision an order for WhatsApp IE to bring its processing of personal data for the purposes of service improvement in the context of its Terms of Service into compliance with Art. 6(1) GDPR within a specified period of time, and to cover the infringements of Art. 6(1) GDPR with an administrative fine.  

The final decision taken by the IE DPA is available in the Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.