Go back to the Europarl portal

Choisissez la langue de votre document :

  • bg - български
  • es - español
  • cs - čeština
  • da - dansk
  • de - Deutsch
  • et - eesti keel
  • el - ελληνικά
  • en - English (Selected)
  • fr - français
  • ga - Gaeilge
  • hr - hrvatski
  • it - italiano
  • lv - latviešu valoda
  • lt - lietuvių kalba
  • hu - magyar
  • mt - Malti
  • nl - Nederlands
  • pl - polski
  • pt - português
  • ro - română
  • sk - slovenčina
  • sl - slovenščina
  • fi - suomi
  • sv - svenska
Parliamentary questions
PDF 26kWORD 21k
20 March 2019
Answer given by Ms Jourová on behalf of the European Commission
Question reference: E-000054/2019

When reviewing the merger of Facebook and WhatsApp, the Commission assessed the importance of the addition of the WhatsApp dataset to the data that Facebook already controlled, and the impact of such addition on competition in the relevant markets.

Data brokers may act as controllers or processors depending on the degree of control they have over the processing. Under the General Data Protection Regulation (GDPR)(1), organisations acting as controllers must ensure that their processing of personal data is lawful, fair and transparent.

Consent is only one of the legal basis for processing under the GDPR. Processing by data brokers in the electoral context will often involve special categories of data such as data revealing political opinions or religious beliefs; however, such processing is prohibited, except where one of the justifications in Article 9(2) GDPR, such as explicit consent, can be relied upon(2).

Article 5(3) of Directive 2002/58/EC provides that the storing of information or the gaining of access to information stored in the terminal equipment (e.g. geographical location) is only allowed when the user has given consent(3), or where this is necessary to transmit the communication or to provide an information society service explicitly requested by a user.

The monitoring and enforcement of the application of data protection and privacy legislation falls within the competence of national authorities and courts, without prejudice to the competences of the Commission as guardian of the Treaties.

It is for the competent national authorities to verify compliance of data brokers with the privacy and data protection rules.

(1)Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1‐88.
(2)Commission guidance on the application of Union data protection law in the electoral context, adopted on 12.9.2018, COM(2018) 638 final.
(3)Directive 2002/58/EC refers to GDPR as far as the validity of consent is concerned. Pursuant to Article 4 (11) GDPR, consent is defined as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The data subject has the right to withdraw his or her consent at any time (Article 7 GDPR).

Last updated: 3 April 2019Legal notice