The Irish Data Protection Commission DPC has imposed a fine of 225 million Euros on Whatsapp for violations of the provisions of the European General Data Protection Regulation (GDPR).
The investigation against Whatsapp, which has its European headquarters in Ireland, was initiated by the DPC in 2018 when the GDPR came into force. The background to the investigation were complaints from both Whatsapp users and third parties as well as a request for assistance from Der Bundesbeauftragte für Datenschutz und Informationsfreiheit (the German Federal Data Protection Authority) to the DPC, which were in connection with requests for information to Whatsapp. This also involved the transfer of personal data to other Facebook companies.
In its final Decision of 20 August 2021, the DPC came to the conclusion that Whatsapp violated the provisions of the GDPR on transparency in data processing and on information obligations towards Whatsapp users and third parties. Specifically, Whatsapp violated the transparency and information obligations according to the provisions of Art. 5 (1)(a), Art. 12 (1), Art. 13 (1)(c) to (f), (2)(a), (c) and (e) as well as Art. 14 GDPR. The violations identified go to the heart of general principles of the GDPR and affected an extremely high number of people, which influenced the amount of the fine. In addition to the fine, a reprimand was issued and Whatsapp was ordered to bring its processing operations into compliance with the provisions of the GDPR through a series of remedial measures within 3 months. These measures concern in particular the obligation to inform about the recipients of personal data and about the intention to transfer personal data to a third country as well as the information obligations when processing personal data of third parties, i.e. of persons who do not use Whatsapp themselves. According to the media, Whatsapp has announced to take legal action against the decision.