Sanctions by the AEPD for the use of WhatsApp in breach of data protection legislation
The AEPD has recently sanctioned several data controllers for conduct with a common element: using WhatsApp in a way that violated the personal data protection rights of the data subjects involved.
The Spanish Data Protection Agency (AEPD) has recently been in the news for two sanctions imposed on different data controllers whose cases share one feature: a use of the WhatsApp messaging application contrary to the applicable personal data protection regulations.
The use of WhatsApp has become widespread not only in personal, everyday settings but also in the professional and commercial sphere. This tends to make data controllers deal with consumers and data subjects more informally and directly, but at the same time it increases the risk of failing to comply with certain formal requirements of the GDPR, such as the obligation to inform the data subject about the processing of his or her personal data.
Below are two recent cases that the AEPD resolved with fines of €2,000 and €4,000 for the offending data controllers, both of which turn on a defective use of WhatsApp.

In the first case, a job candidate complained to the AEPD that the company had not informed him about the processing it was going to carry out on his personal data or about his rights, as required by Article 13 of the GDPR.
The candidate sent his CV to the company via WhatsApp, to the telephone number given in the job advertisement the company had published on the internet.
However, neither the advertisement itself nor the subsequent WhatsApp conversations with the candidate contained any information about the processing of his personal data or about his rights, in breach of Article 13 of the GDPR.
Once the data subject had lodged the complaint with the AEPD, the Agency sent the company a request for information about the incident. The company did not respond, so the AEPD notified the data controller that it was initiating a sanctioning procedure.
The company submitted neither representations nor evidence. In view of the breach of the obligation to inform (Article 13 GDPR) and the controller's total inactivity in the face of the Agency's requests, the AEPD imposed a fine of €2,000.
In the second case, a former member of a tennis club reported to the AEPD that club officials had added her to a WhatsApp group without her consent, even though she had not been a member for 10 years. As a result, her telephone number, name and profile photo were exposed to all the other participants in the group (WhatsApp shows these to every member of a group). The AEPD found that the tennis club had breached several provisions of the GDPR.
Firstly, it infringed the storage limitation principle of Article 5(1)(e): by adding the data subject to the WhatsApp group, the club showed that it was still retaining her personal data even though none of the purposes for which the data were originally processed still applied, since she had ceased to be a member 10 years earlier.
Secondly, it processed the former member's data without a lawful basis (Article 6 GDPR): at no time had she consented to being added to the WhatsApp group, and no other ground could serve as a legal basis for that processing.
Finally, the club infringed Article 32(1)(b) and (d) of the GDPR, which require data controllers to implement security measures that ensure the ongoing confidentiality, integrity and availability of personal data, and to regularly test, assess and evaluate the effectiveness of those measures. Adding the former member to the group breached the confidentiality of her phone number, profile picture and name, which showed that the security measures in place were deficient.
Following the complaint and the evidence provided by the complainant, the AEPD asked the tennis club for information about the incident and invited it to submit representations. As in the previous case, however, the club ignored the AEPD's notifications and provided no information.
In this situation, the AEPD fined the data controller €4,000: €1,000 for the lack of a lawful basis, €1,000 for non-compliance with the storage limitation principle and €2,000 for deficient security measures.

In conclusion, these cases show that WhatsApp must be used with great care in professional environments, and that the formalities required by the applicable personal data protection regulations in dealings with data subjects must never be skipped. In practice that means, at a minimum, providing the Article 13 information wherever personal data are collected (including a job advertisement that invites applications via WhatsApp), checking that a lawful basis exists before adding anyone to a group, and deleting contact data once the purpose for holding them has ended.
It is equally important to respond to the AEPD's requests and to cooperate by providing the information it asks for: a data controller that shows a willingness to remedy the incidents or breaches it may have committed in processing personal data is far less likely to end up with a sanction.