On 12 January, the Irish privacy watchdog imposed a €5.5 million GDPR fine on WhatsApp. The fine decision was made after consultation with other European privacy authorities.
WhatsApp’s terms and conditions also mentioned this purpose, citing as the legal basis for the processing that it was “necessary” for the “performance of the contract”.
WhatsApp thereby failed to provide a transparent and honest description of how personal data is used, and the legal basis it cited was not valid either. Two lessons follow:
- It must be made clear how personal data will be used.
- There must be a better basis for using the data than “necessary for the performance of the contract”.
Information security and improving a product can be a good reason for using certain personal data.
The obvious thing to do is to ask users for explicit permission to use their data.
Note two things here:
- Describe sufficiently specifically what the data will be used for. Provide a clear description of both the process and the purpose, and ask yourself: would you find your own description transparent, clear and honest?
- Consent can be withdrawn at any time. Take this into account in the UX design: can consent be revoked as easily as it was given?
Basis “legitimate interest”
Apart from consent, you can also consider using the “legitimate interest” basis: Information security and improvement of a product generally constitute a legitimate interest for processing personal data.
Note that this does not always mean that all data may be used for this purpose.
The “legitimate interest” basis requires a balancing of interests: Does the interest of using the data outweigh the users’ privacy?
The risk to privacy can be mitigated by anonymisation, pseudonymisation and/or aggregation of data.
Users’ personal data must – in short – be handled sensibly and carefully.
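The mitigations named above (pseudonymisation and aggregation) can be put into practice in a data pipeline. The following Python script is an added example, not code from the original article or from WhatsApp: it pseudonymises user identifiers with a keyed hash whose key is stored apart from the data, then aggregates security events per country and suppresses any group that contains fewer than a minimum number of distinct users. The sample events, the placeholder key and the threshold of three are all constructed for the demonstration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample records: security-relevant events linked to a user's e-mail.
SAMPLE_EVENTS = [
    {"user_email": "alice@example.com", "country": "IE", "event": "login_failed"},
    {"user_email": "bob@example.com",   "country": "IE", "event": "login_failed"},
    {"user_email": "carol@example.com", "country": "IE", "event": "login_failed"},
    {"user_email": "Alice@Example.com", "country": "IE", "event": "login_failed"},
    {"user_email": "dave@example.com",  "country": "DE", "event": "login_failed"},
    {"user_email": "erin@example.com",  "country": "DE", "event": "password_reset"},
    {"user_email": "frank@example.com", "country": "FR", "event": "login_failed"},
]

# Constructed placeholder. In a real deployment the key lives in a secrets
# manager, separate from the pseudonymised data set, so that whoever holds the
# data alone cannot re-identify users (this separation is what makes it
# pseudonymisation rather than a plain hash that can be brute-forced).
PSEUDONYM_KEY = b"constructed-demo-key-replace-with-a-real-secret"


def pseudonymise(identifier: str, key: bytes) -> str:
    """Return a stable pseudonym for an identifier using HMAC-SHA256.

    The identifier is normalised (trimmed, lower-cased) so that case or
    whitespace variants of the same address map to the same pseudonym.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_events(events, key: bytes):
    """Replace the direct identifier in each record with its pseudonym."""
    return [
        {
            "user_id": pseudonymise(e["user_email"], key),
            "country": e["country"],
            "event": e["event"],
        }
        for e in events
    ]


def aggregate_counts(pseudonymised_events, min_group_size: int = 3):
    """Count distinct users per (country, event) and drop small groups.

    Groups with fewer than `min_group_size` distinct users are suppressed,
    since a count of one or two users in a small country/event cell can
    single out individuals even without a direct identifier.
    """
    users_per_group = defaultdict(set)
    for e in pseudonymised_events:
        users_per_group[(e["country"], e["event"])].add(e["user_id"])
    return {
        group: len(users)
        for group, users in users_per_group.items()
        if len(users) >= min_group_size
    }


def run_pipeline(events=SAMPLE_EVENTS, key=PSEUDONYM_KEY, min_group_size=3):
    """Full pipeline: pseudonymise, then aggregate with suppression."""
    return aggregate_counts(pseudonymise_events(events, key), min_group_size)


if __name__ == "__main__":
    for (country, event), n in sorted(run_pipeline().items()):
        print(f"{country} {event}: {n} distinct users")
```

Running the script reports only the Irish failed-login group (three distinct users); the single-user groups for DE and FR are suppressed. Rotating or destroying the key later severs the link between pseudonyms and the original addresses, which is one way to honour a withdrawn consent for data that has already been processed.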
Will you now face a €5.5 million GDPR fine if you fail to comply?
Probably not. But even an investigation, a warning, negative publicity and a low(er) fine can have a significant impact on your reputation and business.