AI-based solution designed to automate personal data discovery and classification
Discover personal data across multiple systems in the cloud or on-premise
Turn data subjects request into an automated workflow with a clear insight into data every step of the way
Collaborate with stakeholders and manage DPIA and LIA in real-time with Assessment Automation
Privacy portal allows customers to communicate their requests and preferences at any time
Introducing end-to end automation of personal data removal

Latest Blog posts

Learn the terms

General Data Protection Regulation

Here you can find the official content of the Regulation (EU) 2016/679 (General Data Protection Regulation) in the current version. All Articles of the GDPR are linked with suitable recitals.

Latest papers

GDPR fine: WhatsApp faces €225 million for transparency violation

GDPR fine WhatsApp faces €225 million for transparency violation

On 2 September 2021, Ireland’s data protection authority Data Privacy Commission (DPC), announced that it has issued a decision to fine Facebook-owned instant messaging service WhatsApp Ireland €225 million (or $267 million) after a three-year investigation.

The binding decision was issued after the European Data Protection Board (EDPB) intervened and required the DPC (lead supervisory authority for WhatsApp Ireland), to reassess the initially proposed fine regarding infringements of transparency, the calculation of the fine, as well as the timeframe for WhatsApp to comply.

It is the second-largest GDPR fine issued so far, surpassed only by the €746 million ($888 million) fine issued to Amazon.com.

[RELATED TOPIC: 20 biggest GDPR fines so far]

1. Infringements of transparency

In addition to the DPC’s findings, the EDPB stated that WhatApp had committed a severe breach of the General Data Protection Regulation (Article 12, Article 13, and Article 14) related to the information to be provided to individuals.

EDPB identified additional shortcomings with the information provided, impacting individuals’ ability to understand the legitimate interests being pursued.

2. Calculation of the fine

The EDPB decided that the turnover of an undertaking, although not exclusively relevant for the determination of the fine amount, has to be taken into consideration to ensure the fine is proportionate and effective.

In this case, the EDPB decided to include the consolidated turnover of the parent company (Facebook Inc.) into the calculation.

3. Compliance timeframe

The initial DPC decision provided a six-month compliance period for Whataspp to bring its processing operations into compliance.

However, under the influence of the EDPB, DPC shortened the compliance period to three months in order to highlight the importance of GDPR’s transparency obligations.

WhatsApp’s response

WhatsApp has objected to the penalty as disproportionate and said that it would file an appeal stating: “We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.

On November 10, WhatsApp was granted permission to challenge the fine in Ireland’s High Court.

Update December 14, 2021

WhatsApp has updated its User Privacy Notice adding more detail and showcasing transparency about how it is processing users’ personal data, despite appealing the decision.

Request a Data Privacy Manager demo

Let us navigate you through the Data Privacy Manager solution and showcase functionalities that will help you overcome your compliance challenges.

Scroll to Top