Facebook – Whatsapp: The EDPB requires the Irish SA  to carry out statutory investigation on Facebook

Facebook – Whatsapp: The EDPB requires the Irish SA  to carry out statutory investigation on Facebook

On July 15, 2021, the European Data Protection Baord (EDPB) adopted its first urgent binding decision in application of Art. 66(2) GDPR following a request from the Hamburg supervisory authority. 

In this case, the Hambourg Authority ordered a ban on processing WhatsApp users’ data by Facebook Ireland for their own purposes following a change in the Terms of Service and Privacy Policy applicable to European users of WhatsApp Ireland Ltd.

However, under article 66 GDPR, as the Irish supervisory authority is the the lead supervisory authority in this matter, the Hamburg Authority needed the validation of the EDPB for these  provisional measures to become final.

The EDPB rejected the Hamburg Auhtority’s request but requires further investigations to be carried out on Facebook and Whatsapp Ireland.

One-Stop-Shop under the GDPR: how does that work?

One-Stop-Shop under the GDPR: how does that work?

Under the General Data Protection Regulation (GDPR), organisations which carry out a « cross border data processing » must appoint a Lead Data Protection Authority.  This appointed Supervisory Authority  will act as their main point of contact.

Although initially introduced to lower the administrative burden of organisations, which previously had to deal with each Member State’s authority, the one-stop-shop provisions were the main point of disagreement during the negotiation of the GDPR and as a result, have become complex.  

Indeed, these provisions only apply to cross border processing activities and not to the organisation’s whole processing activities. Besides, if the organisation’s main establishment for this processing activities is outside of the EU, the organisation will not benefit from these provisions. It also entails the formal appointment of the Lead Auhtority where necessary.