Ireland’s Data Protection Commission has imposed a fine of €225 million (more than $267 million) on WhatsApp, a popular messaging app owned by Facebook.

Here are some key takeaways for companies subject to GDPR:

Drafting privacy notice disclosures

  • When providing disclosures in your privacy notice, make them easy to understand. It is important to keep the relevant disclosures in one place. Don’t make users click through many documents to collate information that is sometimes repetitive. Don’t make them scroll through a long ongoing scroll.
  • The fact that other peers in the industry are doing it doesn’t affect a determination of compliance with GDPR. Using such an argument is tantamount to saying that the standards of compliance required by the GDPR may be determined by the members of a particular sectors of industry instead of by the legislator.
  • When processing the information of non-users, you must provide sufficient disclosure about the use of the information, including purpose and manner of processing. You must provide it in a location where the non-users are likely to find it – not in the user privacy notice.
  • There needs to be a clear link between the category of personal data, the purpose of specific processing operation and the legal basis relied upon for this processing operation. Unrelated long lists of bullets for each of these items is not enough.
  • Describe the processing in a detailed granular way. For example: “(t)o promote safety and security” does not provide any indication as to what processing operations will be applied to the user’s personal data (i.e. specifically how it will be used and in what context) to meet this objective. Further, it does not enable a sufficient understanding as to what objectives are being pursued when personal data is processed for the general purpose of “[the promotion of] safety and security”.
  • Another example regarding location information: It must be clear whether the company will carry out any further processing operations on the user’s location data and, if so, what particular processing operations.

Regarding Data Retention:

  • “Until it is no longer necessary to provide our Services or until your account is deleted, whichever comes first” is somewhat misleading in that it gives the impression that, if the user deletes his/her account, the company will no longer process his/her data.
  • You need to to provide practical examples of how each of the criteria impact on the period of retention so as to demonstrate accountability for compliance with the storage limitation principle.

Regarding third country transfers:

  • State either (i) that the transfer is subject to an adequacy decision; or (ii) that the transfer is not subject to an adequacy decision and enable the data subject to access more information, in a meaningful way, about the adequacy decision(s) being relied on or the alternative method (i.e copy of SCCs.) It is not enough to say “may” rely on adequacy decisions, “if applicable”.
  • It is not sufficient to provide a link to a generic European Commission webpage.