Go back to the Europarl portal

Choisissez la langue de votre document :

  • bg - български
  • es - español
  • cs - čeština
  • da - dansk
  • de - Deutsch
  • et - eesti keel
  • el - ελληνικά
  • en - English (Selected)
  • fr - français
  • ga - Gaeilge
  • hr - hrvatski
  • it - italiano
  • lv - latviešu valoda
  • lt - lietuvių kalba
  • hu - magyar
  • mt - Malti
  • nl - Nederlands
  • pl - polski
  • pt - português
  • ro - română
  • sk - slovenčina
  • sl - slovenščina
  • fi - suomi
  • sv - svenska
Parliamentary questions
PDF 33kWORD 16k
3 March 2021
Answer given by Mr Reynders
on behalf of the European Commission
Question reference: P-000434/2021

Under the General Data Protection Regulation (GDPR)(1), the national supervisory authorities are responsible for monitoring compliance with the GDPR (Article 51(1) GDPR). In cases of cross-border data processing, the supervisory authority of the Member State where the controller has its main establishment acts as the lead supervisory authority, cooperating with the other supervisory authorities concerned in the consistency mechanism(2).

Neither the European Data Protection Board (EDPB) nor the Commission have enforcement powers under the GDPR vis-à-vis controllers — these are reserved to the national supervisory authorities.

As the main establishment of WhatsApp in the EU is located in Ireland, the Irish Data Protection Commission is the lead supervisory authority under the GDPR. The Irish Data Protection Commission is investigating the matter and keeps the EDPB, including the Commission, informed.

Due to this institutional setup and in full respect of the independence of the supervisory authorities, the Commission is not in a position to comment on the compliance of WhatsApp privacy terms with the GDPR. Similarly, should a breach of GDPR be established, enforcement action would be for the Irish Data Protection Commission to take.

As a general remark, the Commission refers to the proposals complementing the regulatory framework for digital services that were presented on 15 December 2020. Both the Digital Services Act, as well as the Digital Markets Act should provide additional transparency and safeguards around practices of cross-service data sharing and consumer profiling.

(1) OJ L 119 4.5.2016, p. 1
(2) Articles 56, 60 GDPR.
Last updated: 4 March 2021Legal notice - Privacy policy