II.i Information about the purposes and legal basis of processing and pursued legitimate interests
Pursuant to GDPR article 13.1 (c), the controller must provide data subjects with information about the purposes and legal basis of the processing. There are six legal bases for processing personal data, and WhatsApp was found lacking in transparency in relation to all of them.
Pursuant to the DPC's decision, a controller must identify and specify which categories of personal data and which processing operations rely on any given legal basis, as well as the purpose of that processing. The information must be provided in a way that tells data subjects which processing operations use which categories of data and on which legal basis each processing operation rests. Otherwise, the information provided would not be specific or concrete enough to enable data subjects to hold the controller responsible for the processing, which would undermine the principle of transparency. In other words, the purpose, legal basis, processing operations and categories of personal data must not be presented separately from each other (e.g., under separate sections of the policy). A data subject must be able to clearly understand the purpose of each processing operation, which categories of data are concerned and which legal basis the processing operation relies on.
Fulfilling these requirements means providing the reader with a great deal of information. In response to WhatsApp's objection that providing such an amount of information would cause the reader information fatigue and thereby itself be a cause of a lack of transparency, the DPC answered simply that this was not the case if the text was written in a clear and accessible way. Furthermore, the DPC implicitly recommended the use of tables, particularly where an information requirement comprises a number of linked elements, such as the information required under GDPR article 13.1 (c).
II.ii Information on data retention
WhatsApp was further deemed to be in breach of article 13.2 (a), which requires that controllers inform data subjects of the period for which personal data will be stored or, if that is not possible, the criteria used to determine that period.
The DPC notes that information provided pursuant to the transparency requirements of the GDPR should be meaningful to the data subject. When it comes to retention periods, this means that a data subject should be able to understand the basis for any retention of data by way of practical examples of how the retention criteria affect the retention period. As such, a controller must provide key information regarding whether certain information will be retained and explain if and how such retained records are disassociated from personal identifiers.
Most critically, this places a larger information duty on controllers that retain personal data after the provision of services to, or contact with, the data subject has ceased. It is not sufficient to state that personal data may be kept as required by law. Instead, retention periods should be given by way of specific examples that clarify how the period of retention is calculated.
II.iii Transparency when transferring personal data to third countries (a.13(1)(f))
Since the Schrems II decision and the revised standard contractual clauses, third country transfers have been on everyone's radar. However, the DPC decision now further develops the requirements for transfers of personal data outside the EU/EEA, this time from a transparency viewpoint.
WhatsApp, like many of its contemporaries, informs data subjects about third country transfers by saying something along the lines of "any transfers of personal data to countries outside the EU/EEA, including the US, are done in accordance with the EU-approved standard contractual clauses, an adequacy decision or other safeguards as applicable." According to the DPC decision, this is not sufficient.
When relying on an adequacy decision for the transfer of personal data, the DPC writes that a controller should identify the country of transfer, provided this information enables the data subject to receive transparent and meaningful information as to those transfers, even if there is not. The DPC does not further elaborate on the situations in which providing such information would not give the data subject transparent and meaningful information. However, the DPC further states that even if the receiving countries are not specified, the controller must find another way to enable data subjects to access information regarding the specific adequacy decision supporting the transfer in question.
As such, the DPC decision makes it clear that in most cases it is incumbent on the controller to clearly inform data subjects of the country of transfer or otherwise find a way to inform them of the specific adequacy decision supporting the transfer in question.
When transferring personal data pursuant to a safeguard other than an adequacy decision, the controller must be able to provide data subjects with detailed information about the safeguards used to protect the personal data. For example, this includes being able to provide the data subject with the applicable standard contractual clauses entered into for the transfer in question. Furthermore, the DPC quotes the Article 29 Working Party's transparency guidelines, which state that the third countries should be named so that the information provided is as meaningful as possible to data subjects.
Lastly, a controller must specify the categories of personal data that will be transferred, if need be on a transfer-by-transfer basis, so that the data subject can hold the controller responsible in relation to the transfer mechanism relied on.