By Giorgos Skampoulos, LL.M. Associate
In addition, the Board, while recognizing fundamental principles underlying Community legislation on personal data, noted that, while the possibility of improving services may usually be included in the contractual terms, such processing cannot usually be considered objectively necessary for the performance of the contract with the user, nor was that demonstrated in the present case. Therefore, WhatsApp could not legitimately rely on the contract as a legitimate basis for processing the personal data.
In light of the above, the European Data Protection Board instructed the Irish Supervisory Authority to take appropriate remedial action, considering, but not limited to, the issue of imposing an administrative fine for the infringement in question, to conduct further investigations to determine whether special categories of personal data or data for advertising and marketing purposes are being processed, and to include in its final decision an instruction to WhatsApp to comply with the GDPR.