Inquiry into WhatsApp Ireland Ltd. - January 2023

SectionDecisions made under data protection act 2018
In the matter of the General Data Protection Regulation
DPC Inquiry Reference: IN-18-5-6
In the matter of JG, a complainant, concerning a complaint directed ag ainst WhatsApp Ireland Limited
in respect of the WhatsApp Service
Decision of the Data Protection Commission made pursuant to Sec tion 113 of the Data Protection Act,
2018 and Articles 60 and 65 of the General Data Protection Regulation
Further to a complaint-based inquiry commenced pursuant to Secti on 110 of the Data Protection Act
Decision-Maker for the Commission:
Helen Dixon
Commissioner for Data Protection
Dated the 12th day of January 2023
Data Protection C ommission
21 Fitzwilliam Square South
Dublin 2, Ireland
1.1 This document is a decisio n (“the Decision”) of the Data Protection Commission (“the
Commission), made in accordance with Section 113 of the Data Protection Act 2018 (“the 2018
Act), arising from an inquiry conducted by the Commission, pursuant to Section 110 of t he 2018
Act (“the Inquiry).
1.2 The Inquiry, which commenced on 20 August 2018, examined whether WhatsApp Ireland Limited
(“WhatsApp”) complied with its obligations under the EU General Data Protection Regulation
(Regulation (EU) 2016/679 of the European Parliament and of the Council) (“the GDPR) in respect
of the subject matter of a complaint made by Mrs. J.G. (“the Complainant”). The complaint was
referred to the Commission by the Hamburg Data Protection Authority: Der Hamburgische
Beauftragte für Datenschutz und Informationsfreiheit (“the Hamburg DPA“) on 25 May 2018 (“the
Complaint“). The Hamburg DPA subsequently passed the Complaint to the German Federal Data
Protection Authority, the relevant national authority: Bundesbeauftragter für den Datenschutz
und die Informationsfreiheit (“the Germ an Federal DPA“). The Complainant is at all times
represented by noyb European center for digital rights.
1.3 This Decision further reflects the binding decision that was made by the European Data Protection
Board (the “EDPBor, otherwise, the “Board”), pursuant to Article 65(2) of the GDPR1 (the
Article 65 Decision”), which directed changes to certain of the positions reflected in the draft
decision that was presented by the Commission fo r the purposes of Article 60 GDPR (“the Dr aft
Decision”) as detailed further below. The Article 65 Decision will be publ ished on the website of
the EDPB, in accordance with Article 65(5) of the GDPR, and a copy of same is attached at Schedule
2 to this Decision.
1.4 Further details of procedural matters are set out in Schedule 1 to this Decision.
2.1 WhatsApp is an online instant messaging platform. In o rder to access the WhatsApp service, a
prospective user must create a WhatsApp account. To create a WhatsApp account, a prospective
user is required to accept a series of terms and conditions, referred to by WhatsApp as its Terms
of Service (the “Terms of Service”). When a prospective user accepts the Terms of Service, the
terms contained therein constitute a contract between the (new) user and WhatsApp. It is only
on acceptance of the Terms of Service that the individual becomes a registered WhatsApp user.
1 Binding Decision 5/2022 on the dispute submitted by the Irish SA on WhatsApp Ireland Limited, adopted 5
December 2022
2.2 In April 2018, WhatsApp updated the Terms of Service to give effect to changes it sought to
implement to comply with the obligations which would arise when the GDPR became applicable
from 25 May 2018. Obligations introduc ed by the GDPR include, inter alia, a requirement that
organisations processing personal data have a lawful basis for any such processing. Legal base s
provided for in the GDPR include consent of t he data subject, necessity based on the requirement
to fulfil a contract with the data subject or processing based on the legitimate interests of the
data controller. In addition, such organisations are required to provide detailed information to
users at the time personal data is obtained in relation to the purposes of any data processing and
the legal basis for any such processing. In essence, there must be a legal basis for each processing
operation or sets of operations (of personal data) and there are transparency requirements in
respect of the communication of such information to individual us ers.
2.3 To continue to access the WhatsApp service, all users were required to accept the updated Terms
of Service prior to 25 May 2018. The updated Terms of Service were brought to the attention of
existing users by way of a series of information notices and options, referred to as an
“engagement flow” or “user flow”. The engagement flow was designed to guide users through
the processing of accepting the updated Terms of Service; the option to accept the updated
termswas presented to users at the final stage of the engagement flow. As referenced in the
full text of the Terms of Service, a separate Privacy Policy provides information to users on
WhatsApp’s processing of personal data in respect of the service.
2.4 Existing users were not provided with an opportunity to disagree and continue to use the service,
to copy their account, or to delete their account. The only available choice was to accept the
Terms of Service, stop using the app or uninstall the app. 2
2.5 Figures 2.1 below is a screenshot of the final stage of the “engagement flow” which brought an
existing user, the Complainant, through the process of accepting the updated Terms of Service.
The screenshot is in German; an English translation can be found below.
2 Complaint, paragraph 1.4.

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT