{"id":1301,"date":"2021-10-06T10:14:03","date_gmt":"2021-10-06T08:14:03","guid":{"rendered":"https:\/\/evertruststg.digidog.org\/?p=1301"},"modified":"2021-10-06T10:49:14","modified_gmt":"2021-10-06T08:49:14","slug":"gdpr-nytt-lardomar-fran-edpbs-beslut-avseende-whatsapp","status":"publish","type":"post","link":"https:\/\/evertrust.se\/en\/gdpr-nytt-lardomar-fran-edpbs-beslut-avseende-whatsapp\/","title":{"rendered":"GDPR NEWS: Lessons from the EDPB's decision regarding WhatsApp"},"content":{"rendered":"<figure class=\"wp-block-image size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"535\" src=\"https:\/\/evertruststg.digidog.org\/wp-content\/uploads\/2021\/10\/Namnlo\u0308s-design-1024x535.png\" alt=\"\" class=\"wp-image-1303\" srcset=\"https:\/\/evertrust.se\/wp-content\/uploads\/2021\/10\/Namnlo\u0308s-design-1024x535.png 1024w, https:\/\/evertrust.se\/wp-content\/uploads\/2021\/10\/Namnlo\u0308s-design-800x418.png 800w, https:\/\/evertrust.se\/wp-content\/uploads\/2021\/10\/Namnlo\u0308s-design-768x401.png 768w, https:\/\/evertrust.se\/wp-content\/uploads\/2021\/10\/Namnlo\u0308s-design.png 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The Irish Data Protection Commission (DPC) recently imposed an administrative fine equivalent to 2.3 billion kronor on WhatsApp Ireland because the company handled the right to information and the transparency principle in breach of the GDPR. The DPC shared its draft decision with the other data protection authorities as early as December 2020, but was met with a number of objections that it could not address. The matter was then referred to the European Data Protection Board (EDPB), which adopted a dispute resolution decision under Article 65 in July 2021. 
Below we go through some lessons from the EDPB's binding decision.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>The relationship between the duty to inform and the transparency principle (Articles 12-14 and 5.1.a)<\/strong><\/li><\/ul>\n\n\n\n<p>The EDPB clarified that an infringement of Articles 12\u201314 may (but does not necessarily), depending on the circumstances, also constitute an infringement of the transparency principle in Article 5.1.a. In this case the EDPB considered, in light of the gravity, overarching nature and consequences of the infringements, that there had also been an infringement of Article 5.1.a.<\/p>\n\n\n\n<ul class=\"wp-block-list\" start=\"2\"><li><strong>Unclear link between the legal basis and other information<\/strong><\/li><\/ul>\n\n\n\n<p>The EDPB considered that WhatsApp's privacy policy did not contain sufficiently specific information about the link between legitimate interest as a legal basis and the remaining information, such as which processing is concerned, which categories of personal data are involved, and in whose interest (WhatsApp's or a third party's) the processing is carried out. In other words, the information given to data subjects must make it clear how each item of personal data and each processing operation is linked to a purpose and a legal basis. The transparency principle requires accurate and clear presentation!<\/p>\n\n\n\n<ul class=\"wp-block-list\" start=\"3\"><li><strong>No anonymisation if personal data can be re-identified<\/strong><\/li><\/ul>\n\n\n\n<p>The EDPB clarified that it was irrelevant to the assessment that WhatsApp had no intention of re-identifying non-users' data. 
The mere fact that it was able to re-identify the data was sufficient to establish that the personal data had not been properly anonymised.<\/p>\n\n\n\n<ul class=\"wp-block-list\" start=\"4\"><li><strong>Calculation of the administrative fine<\/strong><\/li><\/ul>\n\n\n\n<p>The EDPB decided that a company's turnover is relevant not only for determining the maximum fine but may also be taken into account when calculating the fine itself, where appropriate, to ensure that the fine is effective, proportionate and dissuasive. In this case the EDPB found that the consolidated turnover of the parent company (Facebook Inc.) was to be included in the calculation of the fine.<\/p>\n\n\n\n<p>The EDPB also clarified, for the first time, the interpretation of Article 83.3. The EDPB considered that, where there are several infringements for the same or linked processing, all infringements should be taken into account when calculating the fine. This applies irrespective of the supervisory authorities' duty to take the proportionality of the fine into account and to respect the maximum fine laid down in the GDPR. This means that the sanction is calculated separately for each infringement, the amounts are added together, and it is then ensured that the total does not exceed the amount set for the most serious infringement. As regards looking at a company's global turnover in the preceding financial year under Article 83.5, the EDPB held that the starting point is the date of the supervisory authority's final decision, i.e. 2020 in this case.<\/p>\n\n\n\n<p>In summary, the Irish data protection authority had to change large parts of its decision because the other data protection authorities were not satisfied with the draft decision. Although the inquiry was own-initiative (i.e. did not originate in a complaint), the EDPB's decision shows that the lead supervisory authority must nevertheless seek consensus with the other concerned data protection authorities on both the investigation and the conclusions of the inquiry.<\/p>\n\n\n\n<p>Link to the EDPB's decision: <a href=\"https:\/\/edpb.europa.eu\/system\/files\/2021-09\/edpb_bindingdecision_202101_ie_sa_whatsapp_redacted_en.pdf\">https:\/\/edpb.europa.eu\/system\/files\/2021-09\/edpb_bindingdecision_202101_ie_sa_whatsapp_redacted_en.pdf<\/a><\/p>\n\n\n\n<p>Link to the DPC's decision: <a href=\"https:\/\/edpb.europa.eu\/system\/files\/2021-09\/dpc_final_decision_redacted_for_issue_to_edpb_01-09-21_en.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/edpb.europa.eu\/system\/files\/2021-09\/dpc_final_decision_redacted_for_issue_to_edpb_01-09-21_en.pdf<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>The Irish Data Protection Commission (DPC) recently imposed an administrative fine equivalent to 2.3 billion kronor on WhatsApp Ireland because the company handled the right to information and the transparency principle in breach of the GDPR. The DPC shared its draft decision with the other data protection authorities as early as December 2020, but was met with a number of objections that it could not address. 
The matter was then referred to [&hellip;]<\/p>","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","site-sidebar-layout":"default","site-content-layout":"default","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"default","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[2],"tags":[],"class_list":["post-1301","post","type-post","status-publish","format-standard","hentry","category-blogg"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/evertrust.se\/en\/wp-json\/wp\/v2\/posts\/1301","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/evertrust.se\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/evertrust.se\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/evertrust.se\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/evertrust.se\/en\/wp-json\/wp\/v2\/comments?post=1301"}],"version-history":[{"count":0,"href":"https:\/\/evertrust.se\/en\/wp-json\/wp\/v2\/posts\/1301\/revisions"}],"wp:attachment":[{"href":"https:\/\/evertrust.se\/en\/wp-json\/wp\/v2\/media?parent=1301"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/evertrust.se\/en\/wp-json\/wp\/v2\/categories?post=1301"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/evertrust.se\/en\/wp-json\/wp\/v2\/tags?post=1301"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}