1. Infringements of transparency
In addition to the DPC’s findings, the EDPB stated that WhatsApp had committed a severe breach of General Data Protection Regulation Articles 12, 13 and 14, which concern the information to be provided to individuals, and identified additional shortcomings with the information provided, impacting individuals’ ability to understand the legitimate interests being pursued.
2. Calculation of the fine
The EDPB decided that the turnover of an undertaking, although not exclusively relevant for the determination of the fine amount, has to be taken into consideration to ensure the fine is proportionate and effective. In this case, the EDPB decided to include the consolidated turnover of the parent company (Facebook Inc.) in the calculation.
3. Compliance timeframe
The DPC’s initial decision provided a six-month compliance period for WhatsApp to bring its processing operations into compliance. However, under the influence of the EDPB, the DPC shortened the compliance period to three months in order to highlight the importance of GDPR’s transparency obligations.