CURIA - Documents

JUDGMENT OF THE COURT (Grand Chamber)

10 February 2026 (*)

( Appeal – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 63 – Consistency mechanism – Article 65 – Dispute resolution by the European Data Protection Board – Binding decision – Action for annulment – First paragraph of Article 263 TFEU – Act open to challenge – Fourth paragraph of Article 263 TFEU – Condition that the measure against which the action has been brought must be of direct concern to the applicant )

In Case C‑97/23 P,

APPEAL under Article 56 of the Statute of the Court of Justice of the European Union, brought on 17 February 2023,

WhatsApp Ireland Ltd, established in Dublin (Ireland), represented by E. Egan McGrath, Senior Counsel, C. Geoghegan, Senior Counsel, D. McGrath, Senior Counsel, P. Sreenan, Senior Counsel, B. Johnston, C. Monaghan and P. Nolan, Solicitors, H.-G. Kamann, Rechtsanwalt, F. Louis and A. Vallery, avocats,

appellant,

the other party to the proceedings being:

European Data Protection Board, represented by C. Foglia, M. Gufflet, G. Le Grand and I. Vereecken, acting as Agents, and G. Haumont, E. de Lophem, P. Vernet, avocats, and G. Ryelandt, advocaat,

defendant at first instance,

supported by:

Federal Republic of Germany, represented initially by J. Möller and P.‑L. Krüger, and subsequently by J. Möller, acting as Agents,

intervener in the appeal,

THE COURT (Grand Chamber),

composed of K. Lenaerts, President, T. von Danwitz (Rapporteur), Vice‑President, K. Jürimäe, C. Lycourgos, I. Jarukaitis, I. Ziemele, O. Spineanu‑Matei and M. Condinanzi, Presidents of Chambers, S. Rodin, E. Regan, N. Piçarra, A. Kumin, N. Jääskinen, B. Smulders, and N. Fenger, Judges,

Advocate General: T. Ćapeta,

Registrar: A. Lamote, Administrator,

having regard to the written procedure and further to the hearing on 26 November 2024,

after hearing the Opinion of the Advocate General at the sitting on 27 March 2025,

gives the following

Judgment

1 By its appeal, WhatsApp Ireland Ltd (‘WhatsApp’) seeks to have set aside the order of the General Court of the European Union of 7 December 2022, WhatsApp Ireland v European Data Protection Board (T‑709/21, EU:T:2022:783; ‘the order under appeal’), by which that court dismissed as inadmissible its action seeking the annulment of Binding Decision 1/2021 of the European Data Protection Board (‘the EDPB’) of 28 July 2021 on the dispute between the supervisory authorities concerned arising from the draft decision regarding WhatsApp drawn up by the Data Protection Commission (DPC) (Ireland) (‘the Irish supervisory authority’) (‘the decision at issue’).

Legal context

2 Recitals 10 and 143 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1, and corrigendum OJ 2018 L 127, p. 2; ‘the GDPR’) state:

‘(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the [European] Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. …

…

(143) Any natural or legal person has the right to bring an action for annulment of decisions of the [EDPB] before the Court of Justice under the conditions provided for in Article 263 TFEU. As addressees of such decisions, the supervisory authorities concerned which wish to challenge them have to bring action within two months of being notified of them, in accordance with Article 263 TFEU. Where decisions of the [EDPB] are of direct and individual concern to a controller, processor or complainant, the latter may bring an action for annulment against those decisions within two months of their publication on the website of the [EDPB], in accordance with Article 263 TFEU. Without prejudice to this right under Article 263 TFEU, each natural or legal person should have an effective judicial remedy before the competent national court against a decision of a supervisory authority which produces legal effects concerning that person. Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the supervisory authority or the dismissal or rejection of complaints. However, the right to an effective judicial remedy does not encompass measures taken by supervisory authorities which are not legally binding, such as opinions issued by or advice provided by the supervisory authority. Proceedings against a supervisory authority should be brought before the courts of the Member State where the supervisory authority is established and should be conducted in accordance with that Member State’s procedural law. Those courts should exercise full jurisdiction, which should include jurisdiction to examine all questions of fact and law relevant to the dispute before them.

Where a complaint has been rejected or dismissed by a supervisory authority, the complainant may bring proceedings before the courts in the same Member State. In the context of judicial remedies relating to the application of this Regulation, national courts which consider a decision on the question necessary to enable them to give judgment, may, or in the case provided for in Article 267 TFEU, must, request the Court of Justice to give a preliminary ruling on the interpretation of Union law, including this Regulation. Furthermore, where a decision of a supervisory authority implementing a decision of the [EDPB] is challenged before a national court and the validity of the decision of the [EDPB] is at issue, that national court does not have the power to declare the [EDPB’s] decision invalid but must refer the question of validity to the Court of Justice in accordance with Article 267 TFEU as interpreted by the Court of Justice, where it considers the decision invalid. However, a national court may not refer a question on the validity of the decision of the [EDPB] at the request of a natural or legal person which had the opportunity to bring an action for annulment of that decision, in particular if it was directly and individually concerned by that decision, but had not done so within the period laid down in Article 263 TFEU.’

3 Article 5 of the GDPR, entitled ‘Principles relating to processing of personal data’, provides, in paragraph 1(a) thereof, that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. Article 5(1)(c) of that regulation provides that those data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

4 Article 6 of the GDPR, entitled ‘Lawfulness of processing’, lays down the conditions for lawfulness of the processing of personal data. Article 6(1) provides:

‘Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.’

5 Article 12 of the GDPR contains provisions on transparent information, communication and modalities for the exercise of the rights of the data subject. Article 12(1) provides:

‘The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.’

6 Article 13 of the GDPR, entitled ‘Information to be provided where personal data are collected from the data subject’, provides:

‘1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

(b) the contact details of the data protection officer, where applicable;

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

(e) the recipients or categories of recipients of the personal data, if any;

(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the [European] Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(d) the right to lodge a complaint with a supervisory authority;

(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

…’

7 Article 14 of the GDPR concerns information to be provided where personal data have not been obtained from the data subject.

8 Pursuant to Article 55(1) of the GDPR, each supervisory authority is competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with the GDPR on the territory of its own Member State.

9 Article 56 of that regulation, entitled ‘Competence of the lead supervisory authority’, provides:

‘1. Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.

2. By derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.

3. In the cases referred to in paragraph 2 of this Article, the supervisory authority shall inform the lead supervisory authority without delay on that matter. Within a period of three weeks after being informed the lead supervisory authority shall decide whether or not it will handle the case in accordance with the procedure provided in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of which the supervisory authority informed it.

4. Where the lead supervisory authority decides to handle the case, the procedure provided in Article 60 shall apply. The supervisory authority which informed the lead supervisory authority may submit to the lead supervisory authority a draft for a decision. The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in Article 60(3).

5. Where the lead supervisory authority decides not to handle the case, the supervisory authority which informed the lead supervisory authority shall handle it according to Articles 61 and 62.

6. The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.’

10 Article 57 of the GDPR, entitled ‘Tasks’, provides, in point (h) of paragraph 1 thereof, that each supervisory authority has, on the territory of its Member State, the task of conducting investigations on the application of the GDPR.

11 The investigative powers of that authority are listed in paragraph 1 of Article 58 of the GDPR, entitled ‘Powers’. Paragraph 2 of that article lists the corrective powers of that authority, including those, to which points (b), (d) and (i) of that paragraph refer, which consist, respectively, in reprimanding a controller or processor where processing operations have infringed provisions of the GDPR, ordering the controller or processor to bring processing operations into compliance with the provisions of the GDPR, where appropriate, in a specified manner and within a specified period, and imposing an administrative fine pursuant to Article 83 of the GDPR.

12 Article 60 of the GDPR, entitled ‘Cooperation between the lead supervisory authority and the other supervisory authorities concerned’, provides:

‘1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.

2. The lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.

3. The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.

4. Where any of the other supervisory authorities concerned within a period of four weeks after having been consulted in accordance with paragraph 3 of this Article, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Article 63.

5. Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period of two weeks.

6. Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by it.

7. The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be and inform the other supervisory authorities concerned and the [EDPB] of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant on the decision.

8. By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.

9. Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof.

10. After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.

11. Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.

12. The lead supervisory authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.’

13 Under Article 63 of the GDPR, entitled ‘Consistency mechanism’:

‘In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism …’

14 Article 65 of the GDPR, entitled ‘Dispute resolution by the [EDPB]’, provides:

‘1. In order to ensure the correct and consistent application of this Regulation in individual cases, the [EDPB] shall adopt a binding decision in the following cases:

(a) where, in a case referred to in Article 60(4), a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead supervisory authority and the lead supervisory authority has not followed the objection or has rejected such an objection as being not relevant or reasoned. The binding decision shall concern all the matters which are the subject of the relevant and reasoned objection, in particular whether there is an infringement of this Regulation;

(b) where there are conflicting views on which of the supervisory authorities concerned is competent for the main establishment;

(c) where a competent supervisory authority does not request the opinion of the [EDPB] in the cases referred to in Article 64(1), or does not follow the opinion of the [EDPB] issued under Article 64. In that case, any supervisory authority concerned or the Commission may communicate the matter to the [EDPB].

2. The decision referred to in paragraph 1 shall be adopted within one month from the referral of the subject matter by a two-thirds majority of the members of the [EDPB]. That period may be extended by a further month on account of the complexity of the subject matter. The decision referred to in paragraph 1 shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned and binding on them.

3. Where the [EDPB] has been unable to adopt a decision within the periods referred to in paragraph 2, it shall adopt its decision within two weeks following the expiration of the second month referred to in paragraph 2 by a simple majority of the members of the [EDPB]. Where the members of the [EDPB] are split, the decision shall by adopted by the vote of its Chair.

4. The supervisory authorities concerned shall not adopt a decision on the subject matter submitted to the [EDPB] under paragraph 1 during the periods referred to in paragraphs 2 and 3.

5. The Chair of the [EDPB] shall notify, without undue delay, the decision referred to in paragraph 1 to the supervisory authorities concerned. It shall inform the Commission thereof. The decision shall be published on the website of the [EDPB] without delay after the supervisory authority has notified the final decision referred to in paragraph 6.

6. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged shall adopt its final decision on the basis of the decision referred to in paragraph 1 of this Article, without undue delay and at the latest by one month after the [EDPB] has notified its decision. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged, shall inform the [EDPB] of the date when its final decision is notified respectively to the controller or the processor and to the data subject. The final decision of the supervisory authorities concerned shall be adopted under the terms of Article 60(7), (8) and (9). The final decision shall refer to the decision referred to in paragraph 1 of this Article and shall specify that the decision referred to in that paragraph will be published on the website of the [EDPB] in accordance with paragraph 5 of this Article. The final decision shall attach the decision referred to in paragraph 1 of this Article.’

15 Article 68 of the GDPR, entitled ‘[EDPB]’, provides, in paragraph 1 thereof, that the EDPB is established as a body of the European Union and has legal personality.

16 Article 70 of the GDPR, entitled ‘Tasks of the [EDPB]’ provides, in point (a) of paragraph 1 thereof, that the EDPB is to ensure the consistent application of the GDPR. To that effect, the EDPB is, on its own initiative or, where relevant, at the request of the Commission, in particular, to monitor and ensure the correct application of the GDPR in the cases provided for in Articles 64 and 65 thereof, without prejudice to the tasks of national supervisory authorities.

17 Article 78 of the GDPR, entitled ‘Right to an effective judicial remedy against a supervisory authority’, provides:

‘1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to [an] effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.

3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

4. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the [EDPB] in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.’

18 Article 83 of the GDPR sets out the general conditions for imposing administrative fines.

The background to the dispute and the decision at issue

19 The background to the dispute is set out in paragraphs 2 to 12 of the order under appeal and, for the purposes of the present proceedings, may be summarised as follows.

20 Following the entry into force of the GDPR, the Irish supervisory authority received complaints from users and non-users of the ‘WhatsApp’ messaging service concerning the processing of personal data by WhatsApp. The Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) (Federal Data Protection and Freedom of Information Officer, Germany) also requested the assistance of the Irish supervisory authority in relation to WhatsApp’s compliance with the obligations of transparency incumbent on controllers of personal data as regards any sharing of such data with other entities in the Facebook group, renamed ‘Meta’ as of September 2021.

21 In December 2018, the Irish supervisory authority initiated ex officio a general investigation into WhatsApp’s compliance with the obligation of transparency and the obligation to provide information with regard to individuals laid down in Articles 12 to 14 of the GDPR, without prejudice to the action it might take on the individual complaints or requests made to it. The Irish supervisory authority acted in that regard as ‘lead supervisory authority’, under Article 56(1) of the GDPR, since WhatsApp had its main establishment in Ireland as the controller for the operations of the ‘WhatsApp’ messaging service in Europe, and the processing carried out by it was of a cross-border nature.

22 After the investigation phase was completed in September 2019 with the submission of a final report by the investigator, the Irish supervisory authority, following intermediate procedural phases during which WhatsApp provided its observations, submitted a draft decision in December 2020 to all the other supervisory authorities involved in the case, for their opinion, in accordance with Article 60(3) of the GDPR.

23 In January 2021, eight of those other supervisory authorities expressed objections to certain aspects of that draft decision. The Irish supervisory authority issued a composite response to those objections, proposing compromise positions. Although, following that response, one of those eight supervisory authorities withdrew one of its objections, the Irish supervisory authority found that a consensus had not been reached concerning other aspects objected to. It decided to reject all the objections received and to refer the matter to the EDPB for it to resolve the dispute between the supervisory authorities concerned on the aspects covered by those objections, in accordance with Article 60(4) and Article 65(1)(a) of the GDPR.

24 In May 2021, after sending it all the documents exchanged in that regard, the Irish supervisory authority received WhatsApp’s written observations on the matters discussed between the supervisory authorities concerned and in turn forwarded those observations to the EDPB so that it could take them into consideration in the dispute resolution procedure, which the Irish supervisory authority launched in June 2021.

25 On 28 July 2021, the EDPB adopted the decision at issue on the basis of Article 65(2) of the GDPR.

26 After the Irish supervisory authority had received the decision at issue and was provided with WhatsApp’s observations regarding the fines which that authority ultimately intended to impose on it in the light of that decision, that authority adopted, on 20 August 2021, in accordance with Article 65(6) of the GDPR, a final decision addressed to WhatsApp (‘the final decision’).

27 In the final decision, the Irish supervisory authority found that WhatsApp had infringed the principle and the obligations of transparency laid down in Article 5(1)(a), Article 12(1), Article 13(1)(c) to (f), Article 13(2)(a), (c) and (e) and Article 14 of the GDPR. On the other hand, that authority stated that WhatsApp had complied with the obligations laid down in Article 13(1)(a) and (b) and Article 13(2)(b) and (d) of the GDPR. By way of corrective measures adopted on the basis of Article 58(2)(b), (d) and (i) of the GDPR, that authority imposed on WhatsApp a reprimand as well as an order to implement a number of actions, listed in an annex, intended to bring it into compliance, within a period of three months, with the provisions of the GDPR that had been infringed, and four administrative fines in relation to infringements of Article 5(1)(a) and Articles 12 to 14 of the GDPR, for a total amount of EUR 225 million.

28 In addition, in the final decision, the Irish supervisory authority identified the aspects in respect of which the decision at issue required it to review the assessment set out in its draft decision. In relation to those aspects, it decided to reproduce, in shaded boxes, the reasons given by the EDPB in the decision at issue as they stood and simply to draw the appropriate conclusions in each case in a concluding paragraph.

29 In accordance with Article 65(6) of the GDPR, the decision at issue was attached to the final decision.

30 In the decision at issue, the EDPB adopted a position on the issues regarding which relevant and reasoned objections had been made, within the meaning of Article 65(1)(a) of the GDPR, namely:

– whether WhatsApp had failed to comply with the obligations to provide information laid down in Article 13(1)(d) of the GDPR, relating to certain information to be provided to data subjects where personal data have been collected from them. Such a failure to comply had not been established by the Irish supervisory authority in its draft decision. The EDPB took the view, on the contrary, that WhatsApp had failed to comply with that provision;

– the classification as personal data of the material resulting from the ‘lossy hashing procedure’, applied to the data concerning the ‘contacts’ who are non-users of WhatsApp contained in the address books on the devices of WhatsApp users. The Irish supervisory authority had not classified that material as such in its draft decision. The EDPB considered, on the contrary, that it still constituted personal data. According to the EDPB, that aspect had a potential impact on the possible finding of an infringement by WhatsApp of Article 5(1)(c) and Article 6(1) of the GDPR and an impact on the extent of WhatsApp’s infringement of Article 14 of the GDPR, as well as on the level of the fine incurred on those grounds;

– whether WhatsApp infringed the principle of transparency laid down in Article 5(1)(a) of the GDPR, which the Irish supervisory authority had not established in its draft decision. The EDPB took the view, on the contrary, that that principle had been infringed by WhatsApp;

– the finding of an infringement by WhatsApp of Article 13(2)(e) of the GDPR, relating to certain information to be provided to data subjects where personal data have been collected from them, which the Irish supervisory authority had not considered itself able to make, since the investigator had not taken a position on the issue during the investigation, and in respect of which it had considered itself able only to issue a recommendation. The EDPB considered, on the contrary, that the investigation covered all the provisions of Article 13 of the GDPR and that an infringement of that provision had to be established;

– whether WhatsApp had infringed Article 6(1) of the GDPR, concerning the conditions for lawful processing of personal data, on which the Irish supervisory authority had not ruled. The EDPB took the view that, for procedural reasons, it was not possible to rule on the matter or to find that there had been such an infringement;

– the extension of the grounds for WhatsApp’s failure to comply with the obligations to provide information laid down in Article 14 of the GDPR, on the information to be provided where personal data have not been obtained from the data subject, as a result of the analysis relating to the second indent of the present paragraph. The EDPB confirmed the impact that such extension would have on the behavioural corrective measures and the fine imposed on WhatsApp;

– whether WhatsApp infringed the principle, laid down in Article 5(1)(c) of the GDPR, of collecting only data that are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, on which the Irish supervisory authority did not rule. The EDPB took the view that such an infringement had not been demonstrated on the basis of the file, in particular in view of the scope of the investigation with regard to WhatsApp;

– the period, set at six months by the Irish supervisory authority, within which, by way of corrective measures, WhatsApp was required to bring its processing into compliance with those requirements of the GDPR with which it had failed to comply. The EDPB reduced that period to three months;

– as regards corrective measures, the methods of providing information to non-users of WhatsApp regarding the processing of their personal data by WhatsApp, the EDPB having confirmed the assessment made by the Irish supervisory authority in that regard in its draft decision;

– as regards corrective measures, the statement of the additional grounds for WhatsApp’s failure to comply with the obligations laid down in Article 14 of the GDPR, the EDPB having indicated that that statement was necessary to ensure that WhatsApp adopts appropriate corrective actions in that regard;

– the criteria for the quantum of the fines to be imposed on WhatsApp, in the light of Article 83 of the GDPR, relating to the ‘general conditions for imposing administrative fines’. The EDPB took the view that the Irish supervisory authority had misinterpreted the criterion relating to the worldwide annual turnover of the undertaking concerned; that it had correctly interpreted the concept of ‘preceding financial year’; that it had misinterpreted the rule that, if several provisions of the GDPR are infringed in the context of the same or linked processing operations, the total amount of the administrative fine cannot exceed the amount specified for the gravest infringement; and that it had correctly interpreted certain criteria set out in Article 83(1) and (2) of the GDPR for determining the fine, namely the intentional or negligent character of the infringements and the gravity of the infringements, but had misinterpreted other of those criteria, such as the taking into account of turnover in order to quantify the penalty independently of the calculation of its upper limit and, more generally, the need for the penalty to be effective, proportionate and dissuasive; and

– the level of the fines, the EDPB having considered that, in the light of the Irish supervisory authority’s misinterpretation of certain criteria relating to the quantum of the fine and the necessary finding of additional failures by WhatsApp to comply with its obligations, the amounts of the fines envisaged by that authority at a total level of between EUR 30 and EUR 50 million had to be increased.

31 WhatsApp challenged the final decision before an Irish court.

Proceedings before the General Court and the order under appeal

32 By application lodged at the Registry of the General Court on 1 November 2021, WhatsApp brought an action based on Article 263 TFEU seeking annulment of the decision at issue.

33 By the order under appeal, made under Article 129 of its Rules of Procedure, the General Court dismissed that action as inadmissible.

34 While observing, in paragraphs 36, 37 and 40 of the order under appeal, that the decision at issue constituted an act of a body of the Union, intended to produce legal effects vis-à-vis third parties, and that WhatsApp was individually concerned by that decision, the General Court nevertheless held, in paragraph 42 of the order under appeal, that that decision was a preparatory, or intermediate, act in a procedure which was to be closed by the adoption of a final decision of the national supervisory authority. The General Court held, in paragraphs 43 and 44 of the order under appeal, that such an act did not constitute an ‘act open to challenge’ unless it produced independent legal effects in respect of which sufficient judicial protection could not be ensured in the context of an action against the decision terminating the procedure.

35 In that regard, the General Court took the view, in paragraph 45 of the order under appeal, that, in the present case, WhatsApp was afforded effective judicial protection in respect of the decision at issue by means of the remedy available to it before the national court against the final decision, it being possible for that national court, under Article 267 TFEU, to refer a question to the Court of Justice for a preliminary ruling seeking an assessment of the validity of the decision at issue. The General Court also stated, in paragraph 46 of the order under appeal, that the decision at issue had no legal effect vis-à-vis WhatsApp that was independent of the final decision of the Irish supervisory authority.

36 In addition, the General Court held, in paragraph 49 of the order under appeal, that the fact that such an intermediate act expresses the definitive position of an authority, that will have to be taken up in the final decision closing the procedure at issue, did not necessarily mean that that act itself brought about a distinct change in the applicant’s legal position.

37 Moreover, the General Court noted, in paragraph 50 of the order under appeal, that WhatsApp was not directly concerned by the decision at issue. The General Court observed, in paragraph 52 of that order, that that decision was not enforceable in a way that would allow it, without further procedural steps, to be a source of obligations for WhatsApp or, as the case may be, rights for other individuals, accordingly it did not directly produce legal effects on WhatsApp’s position. The General Court also stated, in paragraph 53 of that order, that, even though the decision at issue was binding on the Irish supervisory authority as regards the aspects to which it related, it nevertheless left a measure of discretion to that authority as to the content of the final decision.

38 Thus, in paragraphs 61 and 62 of that order, the General Court held that none of the conditions required in order for WhatsApp to be considered to be directly concerned by the measure against which its action had been brought were satisfied and that that action was, consequently, inadmissible.

39 Lastly, the General Court held, in paragraphs 66 to 70 of the order under appeal, that the result of its analysis was consistent with the logic of the system of judicial remedies established by the Treaties. The General Court found, in particular, that accepting that WhatsApp’s action against the decision at issue was admissible would result in a risk of parallel judicial proceedings before the EU judicature and the national court, that latter also being empowered to refer a question to the Court of Justice for a preliminary ruling on the validity of that decision.

Forms of order sought by the parties

40 By its appeal, WhatsApp claims that the Court should:

– set aside the order under appeal;

– declare the action at first instance admissible;

– refer the case back to the General Court for it to give judgment; and

– order the EDPB to pay the costs of the appeal proceedings.

41 The EDPB, supported in the form of order it is seeking by the Federal Republic of Germany, contends that the Court should:

– dismiss the appeal;

– order WhatsApp to pay the costs of the proceedings; and

– in the alternative, refer the case back to the General Court for it to give judgment.

The appeal

The claim that the action at first instance was brought out of time

Arguments of the parties

42 The EDPB submits that the action at first instance was brought out of time. In that regard, it argues that WhatsApp acquired knowledge of the relevant parts of the decision at issue at a date prior to the publication of that decision on the EDPB’s website and, specifically, on 13 August 2021. Consequently, irrespective of the date of publication of the decision at issue on the EDPB’s website, which moreover cannot be equiparated with publication in the Official Journal of the European Union, the time limit for bringing the action started to run as of 13 August 2021 and expired on 25 October 2021. Since WhatsApp brought its action for annulment on 1 November 2021, that action is out of time.

43 WhatsApp contends that the EDPB’s allegation as to its action being out of time is erroneous. Where the applicant is not the addressee of a measure, it is the date of publication of that measure which determines the point from which the time limit for bringing an action starts to run. The date on which the applicant acquired knowledge of that measure is a subsidiary criterion in that regard. Where that measure is published is also irrelevant. In the present case, the publication of the decision at issue was on any view carried out on the EDPB’s website on 2 September 2021 and the action was brought on 1 November 2021, in compliance with the time limit provided for in the sixth paragraph of Article 263 TFEU.

Findings of the Court

44 Under the sixth paragraph of Article 263 TFEU, the proceedings provided for in that article are to be instituted within two months of the publication of the measure, or of its notification to the plaintiff, or, in the absence thereof, of the day on which it came to the knowledge of the latter, as the case may be.

45 It is clear from the wording of that provision, in particular from the terms ‘as the case may be’ and ‘in the absence thereof’, that the starting point of the time limit for bringing proceedings is determined by reference to the situation in question and that the first two criteria capable of triggering that time limit are hierarchically superior to the third criterion. Thus, the time limit for bringing an action for annulment starts to run, primarily, from the publication of the measure or from its notification to the applicant. Those two primary criteria are placed, in the scheme of that provision, on an equal footing in that neither of those two criteria is subsidiary to the other. By contrast, the criterion of the date on which the measure being challenged came to the knowledge of the applicant as the starting point of the time limit for bringing an action is subsidiary to the criteria of publication or notification of that measure (see, to that effect, judgment of 26 September 2024, WEPA Hygieneprodukte and Others v Commission, C‑795/21 P and C‑796/21 P, EU:C:2024:807, paragraphs 61 to 63 and the case-law cited).

46 In the present case, it is common ground that the decision at issue was not notified to WhatsApp, the EDPB being solely required to notify such a decision to the supervisory authorities concerned, under the first sentence of Article 65(5) of the GDPR. It must accordingly be determined whether there was any ‘publication’ of that decision, within the meaning of the sixth paragraph of Article 263 TFEU.

47 In that regard, it must be specified that the concept of ‘publication’ does not cover publication in the Official Journal of the European Union exclusively and must, on the contrary, be interpreted broadly. It also covers, inter alia, publication on the website of an EU institution, body, office or agency where such publication is provided for under secondary legislation (see, to that effect, judgment of 26 September 2024, WEPA Hygieneprodukte and Others v Commission, C‑795/21 P and C‑796/21 P, EU:C:2024:807, paragraph 70 and the case-law cited).

48 In the present case, since the publication of the decision at issue is provided for in the third sentence of Article 65(5) of the GDPR, it is necessary to take into consideration the date on which that decision was published on the EDPB’s website, namely 2 September 2021. That interpretation is supported by the third sentence of recital 143 of the GDPR, from which it is apparent that the time limit for bringing proceedings must be calculated from the publication of the decision at issue of the EDPB on the latter’s website.

49 Since the action was brought on 1 November 2021, the time limit provided for in the sixth paragraph of Article 263 TFEU was not infringed. It is therefore necessary to examine whether the grounds of the present appeal are such as to call into question the General Court’s assessment in the order under appeal.

The first ground of appeal, alleging errors of law in the interpretation and application of the concept of an act open to challenge and of the condition that measure against which the action has been brought must be of direct concern to the applicant

First part of the first ground of appeal

– Arguments of the parties

50 WhatsApp claims that the General Court erred in law in holding that the decision at issue was not an act open to challenge.

51 WhatsApp disputes, in particular, the relevance of the criterion accepted by the General Court in paragraph 41 of the order under appeal in order to determine whether an act is open to challenge or not. It argues that the General Court wrongly held that it was necessary to demonstrate that the decision at issue produces legal effects bringing about a distinct change in WhatsApp’s legal position and that it is of direct concern to WhatsApp. It would have been sufficient to conclude that that decision was intended to produce legal effects vis-à-vis one or more third parties to find that it constituted an act open to challenge, by reason of its definitive character. In any event, that decision does not merely constitute an intermediate measure, but expressed the definitive position of the EDPB.

52 According to WhatsApp, the General Court misapplied the case-law on the legal effect of intermediate acts by conducting a procedural test, under which such an act can only be open to challenge if an action brought against the final act does not enable sufficient judicial protection to be ensured, and by concluding that the decision at issue has no legal effect.

53 In that context, WhatsApp refers to the judgment of 11 November 1981, IBM v Commission (60/81, EU:C:1981:264, paragraphs 10 and 11), from which it is apparent, in particular, that an intermediate act is open to challenge if it is definitive in nature and independent of the final decision subsequently adopted. It is therefore necessary to examine the substance of that act and to assess its effects in the light of objective criteria, such as the content of that act, taking into account, as appropriate, the context in which it was adopted and the powers of the institution which adopted the act. WhatsApp cites, inter alia, in that regard, the judgment of 12 July 2022, Nord Stream 2 v Parliament and Council (C‑348/20 P, EU:C:2022:548, paragraph 63).

54 In particular, it is only where, first, as a matter of substance, such an act is of a provisional character, so that its author could change its position at the stage of the final decision subsequently adopted and, second, that final decision is adopted by the same EU institution or body, that the act is not open to challenge. Therefore, the concept of intermediate measure should not be applied to a decision adopted by an EU institution or body and addressed to a national authority responsible for implementing that decision vis-à-vis third parties.

55 In the present case, according to WhatsApp, the General Court restricted itself to examining whether, in procedural terms, WhatsApp was ensured effective judicial protection by means of the remedy before the national court. It thus incorrectly held, in paragraphs 48 and 49 of the order under appeal, that WhatsApp’s argument that the decision at issue expressed the definitive position of its author was of no relevance. By proceeding in that way, the General Court thus wrongly found that the decision at issue had no legal effects and that it was not independent of the final decision, without assessing the content and context of the decision at issue or the scope of its independent legal effects.

56 As regards the content of the decision at issue, it is not disputed that that decision was intended, as a binding decision adopted on the basis of Article 65 of the GDPR, to produce legal effects vis-à-vis third parties and that it represents the final position of the EDPB on the matters submitted to it. That position was such as to bring about a distinct change in WhatsApp’s legal position, inter alia on account of the finding that lossy hashed data constituted personal data, a finding which was binding on the Irish supervisory authority.

57 As regards the context of the decision at issue, it stems from the wording of Article 65 of the GDPR that that decision constitutes a binding decision. Recital 143 of the GDPR states that the decisions adopted by the EDPB may be of direct and individual concern to, inter alia, a controller, which implies that those decisions are such as to have external legal effects, going beyond the national supervisory authorities to which they are addressed. That is borne out both by the ratio of the binding effect of decisions of the EDPB, which is to ensure the correct and consistent application of the GDPR, and by the system of the procedure referred to in Article 65(1) of the GDPR.

58 As regards the independent legal effects of the decision at issue, going beyond those produced vis-à-vis its addressees, WhatsApp observes that that decision produces such effects in its regard, affecting inter alia the manner in which it approaches its GDPR compliance as regards lossy hashed data, such data being classified as personal data by the EDPB. The decision at issue also produces legal effects with regard to the national courts, which are not authorised to alter it or declare it invalid.

59 The EDPB disputes that line of argument. It submits that an action for annulment may only, in principle, be brought against a measure by which an institution, body, office or agency definitively determines its position upon the conclusion of an administrative procedure. On the other hand, intermediate acts whose purpose is to prepare for a definitive decision, cannot be treated as ‘acts open to challenge’, in that such acts are not intended to produce autonomous binding legal effects compared with those of the act of the EU institution which is thereby prepared, confirmed or enforced. In addition, according to the EDPB, an intermediate act is not capable of forming the subject matter of an action if the illegality attaching to that act can be relied on in support of an action against the final decision for which it represents a preparatory step.

60 In the present case, according to that party, the decision at issue is an intermediate act that is part of an indivisible decision-making procedure, which is conducted by the Irish supervisory authority and concludes in a final decision, adopted by that authority. In that context, although the EDPB’s assessments are binding, they are however not directly enforceable against WhatsApp and do not have any legal effect vis-à-vis WhatsApp that is independent of the final decision. Thus, the fact that the decision at issue contains a definitive position adopted by the EDPB as regards certain aspects which were chosen to be included in the final decision does not mean that the decision at issue itself brings about a distinct change in WhatsApp’s legal position. The decision at issue and the final decision were taken in the context of a unitary composite administrative procedure, composed of different interrelated steps at national and European levels turning on one subject matter, and not as a result of two independent procedures concerning distinct matters.

61 In that regard, the EDPB states that the dispute resolution procedure is intended to ensure consistency of the enforcement of the GDPR by the national authorities. In the present case, the decision at issue does not create any new legal obligations for WhatsApp. WhatsApp’s obligations are defined by the GDPR itself, and not by the decision at issue, and enforced by the Irish supervisory authority and not by the EDPB. Moreover, those obligations were applicable to WhatsApp before the infringements at issue were found.

62 As regards the purported external legal effects of the decision at issue, the EDPB asserts that its interpretations have binding effect only inter partes, that is to say, between the supervisory authorities concerned. Besides the fact that it does not have any direct legal effect on WhatsApp, the decision at issue concerns limited points of application of the GDPR, which are to be included and developed in the final decision. Although the interpretations of the GDPR adopted by the EDPB may thus have a certain degree of authority in subsequent cases, which concern similar legal issues, they do not, however, bind the national courts, which should, in the event of doubt, make a reference to the Court of Justice for a preliminary ruling.

63 The Federal Republic of Germany, intervening in support of the form of order sought by the EDPB, submits that the consistency mechanism provided for by the GDPR, including the dispute resolution procedure, is purely internal and is aimed solely at arbitrating disputes in the event of divergent opinions between supervisory authorities. In particular, it is apparent from the third sentence of Article 65(2) of the GDPR that a measure taken by the EDPB in that context has a legally binding effect only vis-à-vis the national supervisory authorities. Only the final decision is binding vis-à-vis the controller or processor concerned.

– Findings of the Court

64 The first part of the first ground of appeal concerns the question of whether the General Court erred in law in holding, in paragraphs 41 to 49 of the order under appeal, that the decision at issue did not constitute an act open to challenge for the purposes of the first paragraph of Article 263 TFEU.

65 Under that provision, the Court is to review, inter alia, ‘the legality of acts of bodies, offices or agencies of the Union intended to produce legal effects vis-à-vis third parties’.

66 In accordance with settled case-law, the action for annulment established in Article 263 TFEU is available in the case of all measures adopted by the institutions, bodies, offices and agencies of the Union, whatever their nature or form, which are intended to have binding legal effects (see, to that effect, judgment of 12 July 2022, Nord Stream 2 v Parliament and Council, C‑348/20 P, EU:C:2022:548, paragraph 62 and the case-law cited).

67 In order to determine whether an act produces such effects and may, accordingly, form the subject matter of an action for annulment under Article 263 TFEU, it is necessary to examine the substance of that act and to assess those effects in the light of objective criteria, such as the content of that act, taking into account, as appropriate, the context in which it was adopted and the powers of the institution, body, office or agency which adopted the act (see, to that effect, judgment of 12 July 2022, Nord Stream 2 v Parliament and Council, C‑348/20 P, EU:C:2022:548, paragraph 63 and the case-law cited).

68 In that regard, as the Advocate General observed in points 79 and 121 of her Opinion, in the light of the first paragraph of Article 263 TFEU, the third party for which the act concerned has legal effects does not necessarily have to be the applicant. Any natural or legal person distinct from the author of that act is a third party. Therefore, in order to establish whether that act produces such effects, it is not necessary to ascertain whether those effects are capable of affecting the applicant’s legal situation, that verification being relevant only in the context of the examination of compliance with the conditions laid down in the fourth paragraph of Article 263 TFEU, according to which an action for annulment of an act is available to any person directly and individually concerned by it, where that latter provision applies (see, to that effect, judgment of 13 February 2025, Swissgrid v Commission, C‑121/23 P, EU:C:2025:83, paragraph 46). Whether an act is open to challenge must therefore be assessed objectively, on the basis of its substance, and not by reference to the applicant.

69 That said, it should be borne in mind that, in the case of acts drawn up in several procedural stages, an act is, in principle, open to challenge only if it definitively determines the position of the competent EU institution, body, office or agency, to the exclusion of intermediate measures whose aim is to prepare that final measure and which produce no independent legal effects vis-à-vis third parties. Acts expressing a provisional opinion of that EU institution, body, office or agency in particular constitute such intermediate measures (see, to that effect, judgments of 11 November 1981, IBM v Commission, 60/81, EU:C:1981:264, paragraph 10; of 22 September 2022, IMG v Commission, C‑619/20 P and C‑620/20 P, EU:C:2022:722, paragraph 103; and of 18 June 2024, Commission v SRB, C‑551/22 P, EU:C:2024:520, paragraph 92).

70 According to the case-law, an intermediate measure is not capable of forming, in particular, the subject matter of an action for annulment if it is established that the illegality attaching to that measure can be relied on in support of an action against the final decision for which it represents a preparatory step. In such circumstances, the action brought against the decision terminating the procedure will provide sufficient judicial protection (see, to that effect, judgments of 11 November 1981, IBM v Commission, 60/81, EU:C:1981:264, paragraph 12, and of 15 March 2017, Stichting Woonlinie and Others v Commission, C‑414/15 P, EU:C:2017:215, paragraph 46 and the case-law cited).

71 In the present case, as regards the content of the act concerned and the powers of the body in question, it is apparent from the very wording of Article 65(1)(a) and (2) of the GDPR and Article 68(1) of the GDPR that the decision at issue is an act which emanates from an EU body and is binding vis-à-vis third parties. That act is binding on the lead supervisory authority and all the supervisory authorities concerned, to which it is addressed and which are third parties in relation to the EDPB. Pursuant to Article 65(6) of the GDPR, the lead supervisory authority must adopt its final decision on the basis of the decision of the EDPB. That final decision must also refer to the EDPB’s decision, which must be attached to it.

72 Furthermore, as regards the context in which the decision at issue was adopted, it is common ground that that decision was drawn up in the context of a process involving several procedural stages, within the meaning of the case-law referred to in paragraph 69 above, in so far as it precedes the adoption of another act by the Irish supervisory authority. However, that decision definitively determines, within the meaning of that case-law, the position of the competent EU body, namely the EDPB, and deals exhaustively with all the issues which that body is required to resolve. It should be noted that such a decision, taken on the basis of Article 65(1)(a) of the GDPR, covers all the issues which are the subject of a relevant and reasoned objection by the supervisory authorities concerned, within the meaning of Article 60(4) of the GDPR, in particular whether there has been an infringement of the GDPR.

73 It follows from the foregoing that, although it is not the final stage of the consistency review procedure provided for in Articles 58, 60 and 65 of the GDPR, the decision at issue cannot be classified as an intermediate measure not open to challenge, within the meaning of the case-law cited in paragraph 69 above, contrary to what the General Court held in paragraph 42 of the order under appeal. Consequently, the case-law referred to in paragraph 70 above is irrelevant in the present case.

74 In that context, since the EDPB’s decision produces binding legal effects vis-à-vis third parties, it is of no bearing that the scope of the national supervisory authority’s final decision encompasses aspects which do not fall within the scope of the matters referred to the EDPB or the remit of the latter.

75 For the same reasons, the fact, noted by the General Court in paragraph 42 of the order under appeal, that, unlike the final decision of the Irish supervisory authority, the decision at issue is not enforceable against entities other than its addressees is also irrelevant for the purposes of the classification of that decision as an act open to challenge under the first paragraph of Article 263 TFEU. Such a fact, which concerns the appellant’s legal position with regard to the decision at issue, does not relate either to the substance of the decision at issue or to its binding legal effects in the light of objective criteria.

76 It follows from all those considerations that the decision at issue constitutes an act of an EU body intended to produce legal effects vis-à-vis third parties and expressing the definitive position of that body on the points to be decided by it, as the General Court, moreover, itself found in paragraphs 36, 37 and 49 of the order under appeal. Thus, that decision constitutes, in the light of the wording of the first paragraph of Article 263 TFEU and the case-law cited in paragraphs 66 to 69 above, an act open to challenge, without it being necessary to assess, at the present stage, whether that decision had the effect of bringing about a distinct change in WhatsApp’s legal position.

77 In that regard, it must be held that the General Court erred in law, first, in paragraph 38 of the order under appeal, by confusing the requirements resulting from the first and fourth paragraphs of Article 263 TFEU respectively and, second, in paragraph 42 of the order under appeal, by formulating an incorrect test, relating to the lack of direct enforceability of the act at issue against WhatsApp, and by classifying the decision at issue as an intermediate measure producing no independent legal effects.

78 Therefore, the first part of the first ground of appeal must be upheld.

Second part of the first ground of appeal

– Arguments of the parties

79 WhatsApp submits that the General Court erred in law in holding that the decision at issue was not of direct concern to WhatsApp and that the latter’s action was therefore inadmissible.

80 First, as regards the condition that the act must directly affect the applicant’s legal situation, WhatsApp argues that the General Court incorrectly found, in paragraph 52 of the order under appeal, that the decision at issue was not of direct concern to WhatsApp on the ground that that decision was not enforceable against it and was not the final step of the procedure provided for in Articles 58, 60 and 65 of the GDPR.

81 Second, as regards the condition that an act must leave no discretion to the addresses entrusted with its implementation, WhatsApp takes the view that the General Court erred in law in holding, in paragraphs 53 to 60 of the order under appeal, that the decision at issue left the Irish supervisory authority a measure of discretion as to the content of its final decision, while accepting that the decision at issue bound that supervisory authority as regards the aspects to which it related.

82 As regards paragraphs 54 to 56 of the order under appeal, in which the General Court held that the content of the decision at issue was partial in comparison with the final decision, WhatsApp claims that the absence of a discretion should have been examined by reference to the substance of the decision at issue, without referring to the additional content of the final decision. The EDPB is claimed to have analysed only certain aspects of an individual case, namely the matters which were the subject of relevant and reasoned objections from the supervisory authorities concerned. The decision at issue therefore cannot cover the whole case and cannot encompass aspects which do not fall within the scope of the matters referred to the EDPB or the remit of the latter.

83 In addition, the General Court erred in law in holding, in paragraphs 57 to 59 of the order under appeal that the Irish supervisory authority exercised discretion to draw conclusions from the decision at issue. In the first place, as regards the classification of lossy hashed data as personal data, WhatsApp submits that that classification by the EDPB gives rise to additional obligations for WhatsApp under the GDPR, irrespective of the fact that the lead supervisory authority exercised a substantive discretion, going beyond such a classification, by verifying whether WhatsApp had acted as a controller or processor. In the second place, as regards the increase in the fines to be imposed on WhatsApp, that decision did not leave any discretion to the Irish supervisory authority, the latter being required to impose a fine higher than that initially envisaged. The fact that that authority retains a discretion as to the determination of the precise amount of the fine is irrelevant, since that task falls within the competence of that authority.

84 The EDPB disputes that line of argument and submits that two cumulative criteria must be satisfied for a natural or legal person who or which is not the addressee of an individual act to be directly concerned by an EU act. First, that act must have a direct effect on the legal situation of that person and, second, it must leave no discretion to the addressee entrusted with implementing it, such implementation being purely automatic, without the application of other intermediate rules.

85 As regards the first criterion, that party observes that the binding effect of an act must be considered in relation to its effect on the applicant’s own situation. In the present case, the decision at issue is not enforceable against WhatsApp in a way that would allow it, without further procedural steps, to be a source of obligations. That decision is not the final step of the procedure provided for in Articles 58, 60 and 65 of the GDPR and, inter alia, did not determine the final amount of the fine or define a new set of rules for WhatsApp’s activities. Thus, only the final decision is of direct concern to WhatsApp, the Irish supervisory authority being, under Article 56(6) of the GDPR, the sole interlocutor of that undertaking in the latter’s capacity as controller.

86 As regards the second criterion, the EDPB claims that the Irish supervisory authority retained genuine discretion as to the conclusions to be drawn in its final decision, which was broader in scope than the decision at issue and which contains findings on which the EDPB was not requested to express views, the matters referred to the latter being restricted to those which were the subject of relevant and reasoned objections. In any event, there is an interrelation between the decision at issue and the final decision. It is not possible to dissociate the parts of the latter decision which correspond to the EDPB’s instructions, which bears out the fact that the EDPB left a measure of discretion to the Irish supervisory authority on several aspects.

87 In such circumstances, a national court will be better equipped to review that final decision, and, if relevant, to refer questions to the Court of Justice for a preliminary ruling on provisions of the GDPR applied by the Irish supervisory authority both on its own motion and on the basis of the instructions of the EDPB.

88 According to the EDPB, the Irish supervisory authority also retained a margin of discretion as regards the issues addressed in the decision at issue, in particular those relating, first, to the legal consequences to be drawn from the classification of lossy hashed data as personal data and, second, the determination of the amount of the fines to be imposed on WhatsApp. As regards that first aspect, that authority retained discretion and made an independent assessment, inter alia as to compliance with Article 14 of the GDPR. It is incorrect, in that regard, to claim that the EDPB conducted a ‘complete’ assessment, the remit of the latter being restricted to the content of the relevant and reasoned objections, and not extending to the whole infringement procedure. As regards the second aspect, namely the determination of the fines, while the decision at issue contains general instructions pertaining to the fines, it does not deal with the operationalisation of those instructions, or with the computation of those fines.

89 The Federal Republic of Germany takes the view that, since the lead supervisory authority was WhatsApp’s sole interlocutor, the decision at issue cannot be considered to be of direct concern to WhatsApp. Such a decision is not intended to be implemented independently, but should always be followed by a final decision of that authority. The EU legislature deliberately opted for decentralised enforcement of the GDPR, and not for the creation of a central EU data protection authority.

– Findings of the Court

90 The second part of the first ground of appeal concerns whether the General Court erred in law in finding, in paragraphs 50 to 60 of the order under appeal, that the decision at issue was not of direct concern to WhatsApp, within the meaning of the fourth paragraph of Article 263 TFEU, and that the action brought by WhatsApp was therefore inadmissible.

91 Under that provision, any natural or legal person may, under the conditions laid down in the first and second paragraphs of Article 263 TFEU, institute proceedings against an act addressed to that person or which is of direct and individual concern to them, and against a regulatory act which is of direct concern to them and does not entail implementing measures.

92 Thus, the admissibility of an action brought by a natural or legal person against an act which is not addressed to that person, in accordance with the fourth paragraph of Article 263 TFEU, is subject, inter alia, to the condition that that act is of direct and individual concern to that person (judgment of 3 December 2019, Iccrea Banca, C‑414/18, EU:C:2019:1036, paragraph 64 and the case-law cited).

93 In the present case, as the General Court found in paragraph 40 of the order under appeal, it is established that WhatsApp is individually concerned by the decision at issue, since that decision concerns certain aspects of the draft final decision which relate specifically to the situation of that undertaking. However, in paragraphs 52 and 53 of that order, the General Court held that the decision at issue was not of direct concern to WhatsApp, on the ground, first, that that decision was not enforceable against WhatsApp in a way that would allow it, without further procedural steps, to be a source of obligations for WhatsApp or, as the case may be, rights for other individuals, and, second, that even though the decision at issue was binding on the Irish supervisory authority as regards the aspects to which it related, it left that authority a measure of discretion as to the content of the final decision.

94 It must be borne in mind in that regard that, according to settled case-law, the condition that a natural or legal person must be directly concerned by the decision which that person is contesting requires that two cumulative conditions be satisfied, namely that the measure being contested, first, directly affects the legal situation of that person and, second, leaves no discretion to the addressees who are entrusted with the task of implementing it, such implementation being purely automatic and resulting solely from EU provisions without the application of other intermediate rules (judgment of 4 October 2024, Commission and Council v Front Polisario, C‑779/21 P and C‑799/21 P, EU:C:2024:835, paragraph 87 and the case-law cited).

95 Before examining whether those two conditions are satisfied in the present case, it must be stated that the fact that the challenged act is not directly enforceable against the applicant and the fact that that act is not the final stage of a composite procedure do not preclude that act from being of direct concern to the applicant where the addressee of that act has no discretion (see, to that effect, judgments of 4 June 1992, Infortec v Commission, C‑157/90, EU:C:1992:243, paragraphs 13 and 17; of 3 December 2019, Iccrea Banca, C‑414/18, EU:C:2019:1036, paragraphs 65 and 67; and of 12 July 2022, Nord Stream 2 v Parliament and Council, C‑348/20 P, EU:C:2022:548, paragraph 74).

96 Consequently, as the Advocate General observed in points 139 and 144 of her Opinion, the General Court erred in law in finding, in paragraph 52 of the order under appeal, that the decision at issue cannot be of direct concern to WhatsApp on the ground that that decision is not enforceable against WhatsApp and does not constitute the final stage of the procedure laid down in Articles 58, 60 and 65 of the GDPR.

97 As regards compliance with the first of the conditions referred to in paragraph 94 above, it is necessary to assess whether the challenged act is the source of a distinct change in the legal position of the natural or legal person in question, by examining the substance of that act and by assessing its effects in the light of objective criteria, such as the content of that act, taking into account, as appropriate, the context in which it was adopted and the powers of the institution, body, office or agency which adopted it (see, to that effect, judgments of 11 November 1981, IBM v Commission, 60/81, EU:C:1981:264, paragraph 9, and of 18 June 2024, Commission v SRB, C‑551/22 P, EU:C:2024:520, paragraph 65 and the case-law cited).

98 In the present case, as stated in paragraph 30 above, the EDPB, in the decision at issue, inter alia, decided that WhatsApp had failed to comply with the obligations to provide information laid down in Article 13(1)(d) of the GDPR and infringed Article 13(2)(e) thereof. Consequently, that decision changes WhatsApp’s legal position, since WhatsApp was required, in particular, as a result of the EDPB’s intervention, to change its contractual relationship with the users of the messaging service provided by WhatsApp. It follows that there is a direct link between that decision and its effects on WhatsApp’s situation, for the purposes of the case-law cited in paragraphs 94 and 95 above.

99 Contrary to what the EDPB maintains, the fact that, under Article 56(6) of the GDPR, the Irish supervisory authority is the sole interlocutor of WhatsApp, in the latter’s capacity as controller, has no bearing on that finding. That provision is intended only to organise relations between a controller or processor, a lead supervisory authority and the supervisory authorities concerned, with the result that it does not concern the remedies available in respect of decisions of the EDPB.

100 As regards compliance with the second of the conditions referred to in paragraph 94 above, in order to assess whether an act leaves its addressees discretion with a view to its implementation, it is necessary to examine the legal effects produced by that act’s provisions, as referred to in the action, on the situation of the person pleading the right to bring proceedings, pursuant to the second limb of the fourth paragraph of Article 263 TFEU (judgment of 12 July 2022, Nord Stream 2 v Parliament and Council, C‑348/20 P, EU:C:2022:548, paragraph 98 and the case-law cited).

101 The existence of such discretion will have to be discounted in particular if it is established that the provisions of the act which are the subject of the action had the direct consequence of subjecting that person to obligations the result of which could not be changed by the entity responsible for subsequently implementing that measure (see, to that effect, judgment of 12 July 2022, Nord Stream 2 v Parliament and Council, C‑348/20 P, EU:C:2022:548, paragraph 114).

102 In the present case, as is apparent from paragraphs 71 and 72 above, it must be borne in mind that the decision at issue is binding on the lead supervisory authority and the supervisory authorities concerned. They cannot depart from the position adopted by the EDPB in that decision and reiterated in paragraph 30 above. That decision determines the issues of law which are the subject of the matters referred to the EDPB and unconditionally binds those authorities, as regards, in particular, the finding of infringement of certain provisions of the GDPR, the classification of lossy hashed data as personal data and the obligation to increase the amount of the envisaged fines. Those authorities are not able to change the result of the assessments made, as regards those issues, by the EDPB, within the meaning of the case-law cited in the preceding paragraph.

103 In that regard, under Article 70(1)(a) of the GDPR, the task of the EDPB is to ensure the consistent application of the GDPR, by monitoring and ensuring, as is apparent from recital 10 thereof, a consistent and homogeneous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of their personal data throughout the European Union, in the cases provided for, inter alia, in Article 65 of the GDPR, without prejudice to the tasks of the national supervisory authorities.

104 In that context, it is of little significance that the scope of the final decision extends to matters not falling within the scope of those referred to the EDPB, namely aspects which were not the subject of relevant and reasoned objections, within the meaning of Article 65(1)(a) of the GDPR, or matters not falling within the remit of that body, such as, inter alia, the determination of the precise amount of the fine to be imposed on the controller or a processor, responsibility for which lies with the supervisory authority to which the matter is referred pursuant to Article 58(2)(i) and Article 83 of the GDPR.

105 Furthermore, while it is true that there is an interrelation between the decision at issue and the final decision, the fact remains that they are separate acts and that the scope of the decision at issue is well defined, as is apparent from the list set out in paragraph 30 of the present judgment. In those circumstances, that interrelation is not such as to preclude a finding that the decision at issue is of direct concern to WhatsApp.

106 In particular, although the simultaneous bringing of an action for annulment before the EU judicature, on the basis of Article 263 TFEU, in respect of the binding decision of the EDPB, and before the national court, under Article 78 of the GDPR, with regard to the final decision adopted on the basis of that binding decision by the national supervisory authority, does indeed give rise to two parallel sets of proceedings, that situation does not mean that the effects of the EDPB’s decision should be regarded as indirect, in the present case, in relation to WhatsApp.

107 First, according to the Court’s case-law, when the outcome of the dispute before the national court depends on the validity of the decision of an EU body, it follows from the obligation of sincere cooperation that the national court should, in order to avoid reaching a decision that runs counter to that of that body, stay its proceedings pending final judgment in the action for annulment by the EU judicature, unless it considers that, in the circumstances of the case, a reference to the Court of Justice for a preliminary ruling on the validity of the decision of that body is warranted (see, to that effect, judgments of 14 December 2000, Masterfoods and HB, C‑344/98, EU:C:2000:689, paragraph 57, and of 25 July 2018, Georgsmarienhütte and Others, C‑135/16, EU:C:2018:582, paragraph 24).

108 Second, it must also be stated that, in the event of proceedings being brought concurrently before the General Court in the context of an action for annulment and the Court of Justice in the context of a request for a preliminary ruling, the principle of the sound administration of justice may warrant the Court of Justice having recourse, if it considers it appropriate to do so, to the third paragraph of Article 54 of the Statute of the Court of Justice of the European Union in order to stay the proceedings before it, in order to give preference to the proceedings before the General Court (judgment of 25 July 2018, Georgsmarienhütte and Others, C‑135/16, EU:C:2018:582, paragraph 25).

109 Consequently, since the two conditions referred to in paragraph 94 above are satisfied, the decision at issue is of direct concern to WhatsApp.

110 In the light of the foregoing considerations, the second part of the first ground of appeal must therefore be upheld and, therefore, the order under appeal must be set aside.

Third part of the first ground of appeal

111 By the third part of its first ground of appeal, WhatsApp submits that the General Court’s finding, in paragraphs 66 to 70 of the order under appeal, that the inadmissibility of its action is consistent with the logic of the system of judicial remedies established by the TEU and TFEU is vitiated by an error of law.

112 In the light of the finding accepted in paragraph 110 above, there is no need to rule on the third part of the first ground of appeal.

The second ground of appeal, alleging an error of law in the interpretation and application of Article 65 of the GDPR and the principle of consistent application of EU law

113 Referring to the line of argument developed in the context of the first ground of appeal, WhatsApp claims that the General Court infringed Article 65(1) of the GDPR and the principle of consistent application of EU law by holding, in paragraphs 41 to 60 of the order under appeal, that the decision at issue did not produce legal effects other than its binding effects vis-à-vis the supervisory authorities concerned.

114 Since WhatsApp merely refers to the arguments put forward in support of its first ground of appeal and in the light of the conclusion reached in paragraph 110 above, there is no need to adjudicate on that second ground of appeal, since it is not capable of leading to a more extensive setting aside of the order under appeal.

Referral of the case back to the General Court

115 In accordance with the first paragraph of Article 61 of the Statute of the Court of Justice of the European Union, if the decision of the General Court is set aside, the Court of Justice may itself give final judgment in the matter, where the state of the proceedings so permits.

116 That condition is satisfied here in so far as the case concerns only the admissibility of the action brought before the General Court.

117 In that regard, first, as is apparent from paragraph 76 above, the decision at issue constitutes an act open to challenge for the purposes of the first paragraph of Article 263 TFEU. Second, as has been held in paragraph 109 above, the decision at issue is of direct concern to WhatsApp, within the meaning of the fourth paragraph of Article 263 TFEU. Third, that decision is of individual concern to WhatsApp, as the General Court itself found in paragraph 40 of the order under appeal.

118 Consequently, since the conditions laid down in the first and fourth paragraphs of Article 263 TFEU are thus satisfied, and in the absence of any other ground of inadmissibility, the action for annulment is declared admissible.

119 However, given that the General Court did not consider the merits of the action before it, the determination of which requires a detailed assessment in fact and in law, the state of proceedings does not permit a ruling on the merits of the appellant’s action.

120 Accordingly, the case must be referred back to the General Court.

Costs

121 Since the case is being referred back to the General Court, the costs relating to the present appeal proceedings must be reserved.

On those grounds, the Court (Grand Chamber) hereby:

1. Sets aside the order of the General Court of the European Union of 7 December 2022, WhatsApp Ireland v European Data Protection Board (T‑709/21, EU:T:2022:783);

2. Refers the case back to the General Court of the European Union;

3. Reserves the costs.

Lenaerts

von Danwitz

Jürimäe

Lycourgos

Jarukaitis

Ziemele

Spineanu-Matei

Condinanzi

Rodin

Regan

Piçarra

Kumin

Jääskinen

Smulders

Fenger

Delivered in open court in Luxembourg on 10 February 2026.

A. Calot Escobar

K. Lenaerts

Registrar

President

* Language of the case: English.