1

By its appeal, WhatsApp Ireland Ltd (‘WhatsApp’) seeks to have set aside the order of the General Court of the European Union of 7 December 2022, WhatsApp Ireland v European Data Protection Board (T‑709/21, EU:T:2022:783; ‘the order under appeal’), by which that court dismissed as inadmissible its action seeking the annulment of Binding Decision 1/2021 of the European Data Protection Board (‘the EDPB’) of 28 July 2021 on the dispute between the supervisory authorities concerned arising from the draft decision regarding WhatsApp drawn up by the Data Protection Commission (DPC) (Ireland) (‘the Irish supervisory authority’) (‘the decision at issue’).

2

Recitals 10 and 143 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1, and corrigendum OJ 2018 L 127, p. 2; ‘the GDPR’) state:

…

3

Article 5 of the GDPR, entitled ‘Principles relating to processing of personal data’, provides, in paragraph 1(a) thereof, that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. Article 5(1)(c) of that regulation provides that those data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

4

Article 6 of the GDPR, entitled ‘Lawfulness of processing’, lays down the conditions for lawfulness of the processing of personal data. Article 6(1) provides:

‘Processing shall be lawful only if and to the extent that at least one of the following applies:

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.’

5

Article 12 of the GDPR contains provisions on transparent information, communication and modalities for the exercise of the rights of the data subject. Article 12(1) provides:

‘The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.’

6

Article 13 of the GDPR, entitled ‘Information to be provided where personal data are collected from the data subject’, provides:

‘1.   Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

2.   In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

…’

7

Article 14 of the GDPR concerns information to be provided where personal data have not been obtained from the data subject.

8

Pursuant to Article 55(1) of the GDPR, each supervisory authority is competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with the GDPR on the territory of its own Member State.

9

Article 56 of that regulation, entitled ‘Competence of the lead supervisory authority’, provides:

‘1.   Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.

2.   By derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.

3.   In the cases referred to in paragraph 2 of this Article, the supervisory authority shall inform the lead supervisory authority without delay on that matter. Within a period of three weeks after being informed the lead supervisory authority shall decide whether or not it will handle the case in accordance with the procedure provided in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of which the supervisory authority informed it.

4.   Where the lead supervisory authority decides to handle the case, the procedure provided in Article 60 shall apply. The supervisory authority which informed the lead supervisory authority may submit to the lead supervisory authority a draft for a decision. The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in Article 60(3).

5.   Where the lead supervisory authority decides not to handle the case, the supervisory authority which informed the lead supervisory authority shall handle it according to Articles 61 and 62.

6.   The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.’

10

Article 57 of the GDPR, entitled ‘Tasks’, provides, in point (h) of paragraph 1 thereof, that each supervisory authority has, on the territory of its Member State, the task of conducting investigations on the application of the GDPR.

11

The investigative powers of that authority are listed in paragraph 1 of Article 58 of the GDPR, entitled ‘Powers’. Paragraph 2 of that article lists the corrective powers of that authority, including those, to which points (b), (d) and (i) of that paragraph refer, which consist, respectively, in reprimanding a controller or processor where processing operations have infringed provisions of the GDPR, ordering the controller or processor to bring processing operations into compliance with the provisions of the GDPR, where appropriate, in a specified manner and within a specified period, and imposing an administrative fine pursuant to Article 83 of the GDPR.

12

Article 60 of the GDPR, entitled ‘Cooperation between the lead supervisory authority and the other supervisory authorities concerned’, provides:

‘1.   The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.

2.   The lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.

3.   The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.

4.   Where any of the other supervisory authorities concerned within a period of four weeks after having been consulted in accordance with paragraph 3 of this Article, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Article 63.

5.   Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period of two weeks.

6.   Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by it.

7.   The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be and inform the other supervisory authorities concerned and the [EDPB] of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant on the decision.

8.   By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.

9.   Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof.

10.   After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.

11.   Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.

12.   The lead supervisory authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.’

13

Under Article 63 of the GDPR, entitled ‘Consistency mechanism’:

‘In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism …’

14

Article 65 of the GDPR, entitled ‘Dispute resolution by the [EDPB]’, provides:

‘1.   In order to ensure the correct and consistent application of this Regulation in individual cases, the [EDPB] shall adopt a binding decision in the following cases:

2.   The decision referred to in paragraph 1 shall be adopted within one month from the referral of the subject matter by a two-thirds majority of the members of the [EDPB]. That period may be extended by a further month on account of the complexity of the subject matter. The decision referred to in paragraph 1 shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned and binding on them.

3.   Where the [EDPB] has been unable to adopt a decision within the periods referred to in paragraph 2, it shall adopt its decision within two weeks following the expiration of the second month referred to in paragraph 2 by a simple majority of the members of the [EDPB]. Where the members of the [EDPB] are split, the decision shall by adopted by the vote of its Chair.

4.   The supervisory authorities concerned shall not adopt a decision on the subject matter submitted to the [EDPB] under paragraph 1 during the periods referred to in paragraphs 2 and 3.

5.   The Chair of the [EDPB] shall notify, without undue delay, the decision referred to in paragraph 1 to the supervisory authorities concerned. It shall inform the Commission thereof. The decision shall be published on the website of the [EDPB] without delay after the supervisory authority has notified the final decision referred to in paragraph 6.

6.   The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged shall adopt its final decision on the basis of the decision referred to in paragraph 1 of this Article, without undue delay and at the latest by one month after the [EDPB] has notified its decision. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged, shall inform the [EDPB] of the date when its final decision is notified respectively to the controller or the processor and to the data subject. The final decision of the supervisory authorities concerned shall be adopted under the terms of Article 60(7), (8) and (9). The final decision shall refer to the decision referred to in paragraph 1 of this Article and shall specify that the decision referred to in that paragraph will be published on the website of the [EDPB] in accordance with paragraph 5 of this Article. The final decision shall attach the decision referred to in paragraph 1 of this Article.’

15

Article 68 of the GDPR, entitled ‘[EDPB]’, provides, in paragraph 1 thereof, that the EDPB is established as a body of the European Union and has legal personality.

16

Article 70 of the GDPR, entitled ‘Tasks of the [EDPB]’ provides, in point (a) of paragraph 1 thereof, that the EDPB is to ensure the consistent application of the GDPR. To that effect, the EDPB is, on its own initiative or, where relevant, at the request of the Commission, in particular, to monitor and ensure the correct application of the GDPR in the cases provided for in Articles 64 and 65 thereof, without prejudice to the tasks of national supervisory authorities.

17

Article 78 of the GDPR, entitled ‘Right to an effective judicial remedy against a supervisory authority’, provides:

‘1.   Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

2.   Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to [an] effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.

3.   Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

4.   Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the [EDPB] in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.’

18

Article 83 of the GDPR sets out the general conditions for imposing administrative fines.

19

The background to the dispute is set out in paragraphs 2 to 12 of the order under appeal and, for the purposes of the present proceedings, may be summarised as follows.

20

Following the entry into force of the GDPR, the Irish supervisory authority received complaints from users and non-users of the ‘WhatsApp’ messaging service concerning the processing of personal data by WhatsApp. The Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) (Federal Data Protection and Freedom of Information Officer, Germany) also requested the assistance of the Irish supervisory authority in relation to WhatsApp’s compliance with the obligations of transparency incumbent on controllers of personal data as regards any sharing of such data with other entities in the Facebook group, renamed ‘Meta’ as of September 2021.

21

In December 2018, the Irish supervisory authority initiated ex officio a general investigation into WhatsApp’s compliance with the obligation of transparency and the obligation to provide information with regard to individuals laid down in Articles 12 to 14 of the GDPR, without prejudice to the action it might take on the individual complaints or requests made to it. The Irish supervisory authority acted in that regard as ‘lead supervisory authority’, under Article 56(1) of the GDPR, since WhatsApp had its main establishment in Ireland as the controller for the operations of the ‘WhatsApp’ messaging service in Europe, and the processing carried out by it was of a cross-border nature.

22

After the investigation phase was completed in September 2019 with the submission of a final report by the investigator, the Irish supervisory authority, following intermediate procedural phases during which WhatsApp provided its observations, submitted a draft decision in December 2020 to all the other supervisory authorities involved in the case, for their opinion, in accordance with Article 60(3) of the GDPR.

23

In January 2021, eight of those other supervisory authorities expressed objections to certain aspects of that draft decision. The Irish supervisory authority issued a composite response to those objections, proposing compromise positions. Although, following that response, one of those eight supervisory authorities withdrew one of its objections, the Irish supervisory authority found that a consensus had not been reached concerning other aspects objected to. It decided to reject all the objections received and to refer the matter to the EDPB for it to resolve the dispute between the supervisory authorities concerned on the aspects covered by those objections, in accordance with Article 60(4) and Article 65(1)(a) of the GDPR.

24

In May 2021, after sending it all the documents exchanged in that regard, the Irish supervisory authority received WhatsApp’s written observations on the matters discussed between the supervisory authorities concerned and in turn forwarded those observations to the EDPB so that it could take them into consideration in the dispute resolution procedure, which the Irish supervisory authority launched in June 2021.

25

On 28 July 2021, the EDPB adopted the decision at issue on the basis of Article 65(2) of the GDPR.

26

After the Irish supervisory authority had received the decision at issue and was provided with WhatsApp’s observations regarding the fines which that authority ultimately intended to impose on it in the light of that decision, that authority adopted, on 20 August 2021, in accordance with Article 65(6) of the GDPR, a final decision addressed to WhatsApp (‘the final decision’).

27

In the final decision, the Irish supervisory authority found that WhatsApp had infringed the principle and the obligations of transparency laid down in Article 5(1)(a), Article 12(1), Article 13(1)(c) to (f), Article 13(2)(a), (c) and (e) and Article 14 of the GDPR. On the other hand, that authority stated that WhatsApp had complied with the obligations laid down in Article 13(1)(a) and (b) and Article 13(2)(b) and (d) of the GDPR. By way of corrective measures adopted on the basis of Article 58(2)(b), (d) and (i) of the GDPR, that authority imposed on WhatsApp a reprimand as well as an order to implement a number of actions, listed in an annex, intended to bring it into compliance, within a period of three months, with the provisions of the GDPR that had been infringed, and four administrative fines in relation to infringements of Article 5(1)(a) and Articles 12 to 14 of the GDPR, for a total amount of EUR 225 million.

28

In addition, in the final decision, the Irish supervisory authority identified the aspects in respect of which the decision at issue required it to review the assessment set out in its draft decision. In relation to those aspects, it decided to reproduce, in shaded boxes, the reasons given by the EDPB in the decision at issue as they stood and simply to draw the appropriate conclusions in each case in a concluding paragraph.

29

In accordance with Article 65(6) of the GDPR, the decision at issue was attached to the final decision.

30

In the decision at issue, the EDPB adopted a position on the issues regarding which relevant and reasoned objections had been made, within the meaning of Article 65(1)(a) of the GDPR, namely:

31

WhatsApp challenged the final decision before an Irish court.

32

By application lodged at the Registry of the General Court on 1 November 2021, WhatsApp brought an action based on Article 263 TFEU seeking annulment of the decision at issue.

33

By the order under appeal, made under Article 129 of its Rules of Procedure, the General Court dismissed that action as inadmissible.

34

While observing, in paragraphs 36, 37 and 40 of the order under appeal, that the decision at issue constituted an act of a body of the Union, intended to produce legal effects vis-à-vis third parties, and that WhatsApp was individually concerned by that decision, the General Court nevertheless held, in paragraph 42 of the order under appeal, that that decision was a preparatory, or intermediate, act in a procedure which was to be closed by the adoption of a final decision of the national supervisory authority. The General Court held, in paragraphs 43 and 44 of the order under appeal, that such an act did not constitute an ‘act open to challenge’ unless it produced independent legal effects in respect of which sufficient judicial protection could not be ensured in the context of an action against the decision terminating the procedure.

35

In that regard, the General Court took the view, in paragraph 45 of the order under appeal, that, in the present case, WhatsApp was afforded effective judicial protection in respect of the decision at issue by means of the remedy available to it before the national court against the final decision, it being possible for that national court, under Article 267 TFEU, to refer a question to the Court of Justice for a preliminary ruling seeking an assessment of the validity of the decision at issue. The General Court also stated, in paragraph 46 of the order under appeal, that the decision at issue had no legal effect vis-à-vis WhatsApp that was independent of the final decision of the Irish supervisory authority.

36

In addition, the General Court held, in paragraph 49 of the order under appeal, that the fact that such an intermediate act expresses the definitive position of an authority, that will have to be taken up in the final decision closing the procedure at issue, did not necessarily mean that that act itself brought about a distinct change in the applicant’s legal position.

37

Moreover, the General Court noted, in paragraph 50 of the order under appeal, that WhatsApp was not directly concerned by the decision at issue. The General Court observed, in paragraph 52 of that order, that that decision was not enforceable in a way that would allow it, without further procedural steps, to be a source of obligations for WhatsApp or, as the case may be, rights for other individuals, accordingly it did not directly produce legal effects on WhatsApp’s position. The General Court also stated, in paragraph 53 of that order, that, even though the decision at issue was binding on the Irish supervisory authority as regards the aspects to which it related, it nevertheless left a measure of discretion to that authority as to the content of the final decision.

38

Thus, in paragraphs 61 and 62 of that order, the General Court held that none of the conditions required in order for WhatsApp to be considered to be directly concerned by the measure against which its action had been brought were satisfied and that that action was, consequently, inadmissible.

39

Lastly, the General Court held, in paragraphs 66 to 70 of the order under appeal, that the result of its analysis was consistent with the logic of the system of judicial remedies established by the Treaties. The General Court found, in particular, that accepting that WhatsApp’s action against the decision at issue was admissible would result in a risk of parallel judicial proceedings before the EU judicature and the national court, that latter also being empowered to refer a question to the Court of Justice for a preliminary ruling on the validity of that decision.

40

By its appeal, WhatsApp claims that the Court should:

41

The EDPB, supported in the form of order it is seeking by the Federal Republic of Germany, contends that the Court should:

42

The EDPB submits that the action at first instance was brought out of time. In that regard, it argues that WhatsApp acquired knowledge of the relevant parts of the decision at issue at a date prior to the publication of that decision on the EDPB’s website and, specifically, on 13 August 2021. Consequently, irrespective of the date of publication of the decision at issue on the EDPB’s website, which moreover cannot be equiparated with publication in the Official Journal of the European Union, the time limit for bringing the action started to run as of 13 August 2021 and expired on 25 October 2021. Since WhatsApp brought its action for annulment on 1 November 2021, that action is out of time.

43

WhatsApp contends that the EDPB’s allegation as to its action being out of time is erroneous. Where the applicant is not the addressee of a measure, it is the date of publication of that measure which determines the point from which the time limit for bringing an action starts to run. The date on which the applicant acquired knowledge of that measure is a subsidiary criterion in that regard. Where that measure is published is also irrelevant. In the present case, the publication of the decision at issue was on any view carried out on the EDPB’s website on 2 September 2021 and the action was brought on 1 November 2021, in compliance with the time limit provided for in the sixth paragraph of Article 263 TFEU.

44

Under the sixth paragraph of Article 263 TFEU, the proceedings provided for in that article are to be instituted within two months of the publication of the measure, or of its notification to the plaintiff, or, in the absence thereof, of the day on which it came to the knowledge of the latter, as the case may be.

45

It is clear from the wording of that provision, in particular from the terms ‘as the case may be’ and ‘in the absence thereof’, that the starting point of the time limit for bringing proceedings is determined by reference to the situation in question and that the first two criteria capable of triggering that time limit are hierarchically superior to the third criterion. Thus, the time limit for bringing an action for annulment starts to run, primarily, from the publication of the measure or from its notification to the applicant. Those two primary criteria are placed, in the scheme of that provision, on an equal footing in that neither of those two criteria is subsidiary to the other. By contrast, the criterion of the date on which the measure being challenged came to the knowledge of the applicant as the starting point of the time limit for bringing an action is subsidiary to the criteria of publication or notification of that measure (see, to that effect, judgment of 26 September 2024, WEPA Hygieneprodukte and Others v Commission, C‑795/21 P and C‑796/21 P, EU:C:2024:807, paragraphs 61 to 63 and the case-law cited).

46

In the present case, it is common ground that the decision at issue was not notified to WhatsApp, the EDPB being solely required to notify such a decision to the supervisory authorities concerned, under the first sentence of Article 65(5) of the GDPR. It must accordingly be determined whether there was any ‘publication’ of that decision, within the meaning of the sixth paragraph of Article 263 TFEU.

47

In that regard, it must be specified that the concept of ‘publication’ does not cover publication in the Official Journal of the European Union exclusively and must, on the contrary, be interpreted broadly. It also covers, inter alia, publication on the website of an EU institution, body, office or agency where such publication is provided for under secondary legislation (see, to that effect, judgment of 26 September 2024, WEPA Hygieneprodukte and Others v Commission, C‑795/21 P and C‑796/21 P, EU:C:2024:807, paragraph 70 and the case-law cited).

48

In the present case, since the publication of the decision at issue is provided for in the third sentence of Article 65(5) of the GDPR, it is necessary to take into consideration the date on which that decision was published on the EDPB’s website, namely 2 September 2021. That interpretation is supported by the third sentence of recital 143 of the GDPR, from which it is apparent that the time limit for bringing proceedings must be calculated from the publication of the decision at issue of the EDPB on the latter’s website.

49

Since the action was brought on 1 November 2021, the time limit provided for in the sixth paragraph of Article 263 TFEU was not infringed. It is therefore necessary to examine whether the grounds of the present appeal are such as to call into question the General Court’s assessment in the order under appeal.

50

WhatsApp claims that the General Court erred in law in holding that the decision at issue was not an act open to challenge.

51

WhatsApp disputes, in particular, the relevance of the criterion accepted by the General Court in paragraph 41 of the order under appeal in order to determine whether an act is open to challenge or not. It argues that the General Court wrongly held that it was necessary to demonstrate that the decision at issue produces legal effects bringing about a distinct change in WhatsApp’s legal position and that it is of direct concern to WhatsApp. It would have been sufficient to conclude that that decision was intended to produce legal effects vis-à-vis one or more third parties to find that it constituted an act open to challenge, by reason of its definitive character. In any event, that decision does not merely constitute an intermediate measure, but expressed the definitive position of the EDPB.

52

According to WhatsApp, the General Court misapplied the case-law on the legal effect of intermediate acts by conducting a procedural test, under which such an act can only be open to challenge if an action brought against the final act does not enable sufficient judicial protection to be ensured, and by concluding that the decision at issue has no legal effect.

53

In that context, WhatsApp refers to the judgment of 11 November 1981, IBM v Commission (60/81, EU:C:1981:264, paragraphs 10 and 11), from which it is apparent, in particular, that an intermediate act is open to challenge if it is definitive in nature and independent of the final decision subsequently adopted. It is therefore necessary to examine the substance of that act and to assess its effects in the light of objective criteria, such as the content of that act, taking into account, as appropriate, the context in which it was adopted and the powers of the institution which adopted the act. WhatsApp cites, inter alia, in that regard, the judgment of 12 July 2022, Nord Stream 2 v Parliament and Council (C‑348/20 P, EU:C:2022:548, paragraph 63).

54

In particular, it is only where, first, as a matter of substance, such an act is of a provisional character, so that its author could change its position at the stage of the final decision subsequently adopted and, second, that final decision is adopted by the same EU institution or body, that the act is not open to challenge. Therefore, the concept of intermediate measure should not be applied to a decision adopted by an EU institution or body and addressed to a national authority responsible for implementing that decision vis-à-vis third parties.

55

In the present case, according to WhatsApp, the General Court restricted itself to examining whether, in procedural terms, WhatsApp was ensured effective judicial protection by means of the remedy before the national court. It thus incorrectly held, in paragraphs 48 and 49 of the order under appeal, that WhatsApp’s argument that the decision at issue expressed the definitive position of its author was of no relevance. By proceeding in that way, the General Court thus wrongly found that the decision at issue had no legal effects and that it was not independent of the final decision, without assessing the content and context of the decision at issue or the scope of its independent legal effects.

56

As regards the content of the decision at issue, it is not disputed that that decision was intended, as a binding decision adopted on the basis of Article 65 of the GDPR, to produce legal effects vis-à-vis third parties and that it represents the final position of the EDPB on the matters submitted to it. That position was such as to bring about a distinct change in WhatsApp’s legal position, inter alia on account of the finding that lossy hashed data constituted personal data, a finding which was binding on the Irish supervisory authority.

57

As regards the context of the decision at issue, it stems from the wording of Article 65 of the GDPR that that decision constitutes a binding decision. Recital 143 of the GDPR states that the decisions adopted by the EDPB may be of direct and individual concern to, inter alia, a controller, which implies that those decisions are such as to have external legal effects, going beyond the national supervisory authorities to which they are addressed. That is borne out both by the ratio of the binding effect of decisions of the EDPB, which is to ensure the correct and consistent application of the GDPR, and by the system of the procedure referred to in Article 65(1) of the GDPR.

58

As regards the independent legal effects of the decision at issue, going beyond those produced vis-à-vis its addressees, WhatsApp observes that that decision produces such effects in its regard, affecting inter alia the manner in which it approaches its GDPR compliance as regards lossy hashed data, such data being classified as personal data by the EDPB. The decision at issue also produces legal effects with regard to the national courts, which are not authorised to alter it or declare it invalid.

59

The EDPB disputes that line of argument. It submits that an action for annulment may only, in principle, be brought against a measure by which an institution, body, office or agency definitively determines its position upon the conclusion of an administrative procedure. On the other hand, intermediate acts whose purpose is to prepare for a definitive decision, cannot be treated as ‘acts open to challenge’, in that such acts are not intended to produce autonomous binding legal effects compared with those of the act of the EU institution which is thereby prepared, confirmed or enforced. In addition, according to the EDPB, an intermediate act is not capable of forming the subject matter of an action if the illegality attaching to that act can be relied on in support of an action against the final decision for which it represents a preparatory step.

60

In the present case, according to that party, the decision at issue is an intermediate act that is part of an indivisible decision-making procedure, which is conducted by the Irish supervisory authority and concludes in a final decision, adopted by that authority. In that context, although the EDPB’s assessments are binding, they are however not directly enforceable against WhatsApp and do not have any legal effect vis-à-vis WhatsApp that is independent of the final decision. Thus, the fact that the decision at issue contains a definitive position adopted by the EDPB as regards certain aspects which were chosen to be included in the final decision does not mean that the decision at issue itself brings about a distinct change in WhatsApp’s legal position. The decision at issue and the final decision were taken in the context of a unitary composite administrative procedure, composed of different interrelated steps at national and European levels turning on one subject matter, and not as a result of two independent procedures concerning distinct matters.

61

In that regard, the EDPB states that the dispute resolution procedure is intended to ensure consistency of the enforcement of the GDPR by the national authorities. In the present case, the decision at issue does not create any new legal obligations for WhatsApp. WhatsApp’s obligations are defined by the GDPR itself, and not by the decision at issue, and enforced by the Irish supervisory authority and not by the EDPB. Moreover, those obligations were applicable to WhatsApp before the infringements at issue were found.

62

As regards the purported external legal effects of the decision at issue, the EDPB asserts that its interpretations have binding effect only inter partes, that is to say, between the supervisory authorities concerned. Besides the fact that it does not have any direct legal effect on WhatsApp, the decision at issue concerns limited points of application of the GDPR, which are to be included and developed in the final decision. Although the interpretations of the GDPR adopted by the EDPB may thus have a certain degree of authority in subsequent cases, which concern similar legal issues, they do not, however, bind the national courts, which should, in the event of doubt, make a reference to the Court of Justice for a preliminary ruling.

63

The Federal Republic of Germany, intervening in support of the form of order sought by the EDPB, submits that the consistency mechanism provided for by the GDPR, including the dispute resolution procedure, is purely internal and is aimed solely at arbitrating disputes in the event of divergent opinions between supervisory authorities. In particular, it is apparent from the third sentence of Article 65(2) of the GDPR that a measure taken by the EDPB in that context has a legally binding effect only vis-à-vis the national supervisory authorities. Only the final decision is binding vis-à-vis the controller or processor concerned.

64

The first part of the first ground of appeal concerns the question of whether the General Court erred in law in holding, in paragraphs 41 to 49 of the order under appeal, that the decision at issue did not constitute an act open to challenge for the purposes of the first paragraph of Article 263 TFEU.

65

Under that provision, the Court is to review, inter alia, ‘the legality of acts of bodies, offices or agencies of the Union intended to produce legal effects vis-à-vis third parties’.

66

In accordance with settled case-law, the action for annulment established in Article 263 TFEU is available in the case of all measures adopted by the institutions, bodies, offices and agencies of the Union, whatever their nature or form, which are intended to have binding legal effects (see, to that effect, judgment of 12 July 2022, Nord Stream 2 v Parliament and Council, C‑348/20 P, EU:C:2022:548, paragraph 62 and the case-law cited).

67

In order to determine whether an act produces such effects and may, accordingly, form the subject matter of an action for annulment under Article 263 TFEU, it is necessary to examine the substance of that act and to assess those effects in the light of objective criteria, such as the content of that act, taking into account, as appropriate, the context in which it was adopted and the powers of the institution, body, office or agency which adopted the act (see, to that effect, judgment of 12 July 2022, Nord Stream 2 v Parliament and Council, C‑348/20 P, EU:C:2022:548, paragraph 63 and the case-law cited).

68

In that regard, as the Advocate General observed in points 79 and 121 of her Opinion, in the light of the first paragraph of Article 263 TFEU, the third party for which the act concerned has legal effects does not necessarily have to be the applicant. Any natural or legal person distinct from the author of that act is a third party. Therefore, in order to establish whether that act produces such effects, it is not necessary to ascertain whether those effects are capable of affecting the applicant’s legal situation, that verification being relevant only in the context of the examination of compliance with the conditions laid down in the fourth paragraph of Article 263 TFEU, according to which an action for annulment of an act is available to any person directly and individually concerned by it, where that latter provision applies (see, to that effect, judgment of 13 February 2025, Swissgrid v Commission, C‑121/23 P, EU:C:2025:83, paragraph 46). Whether an act is open to challenge must therefore be assessed objectively, on the basis of its substance, and not by reference to the applicant.

69

That said, it should be borne in mind that, in the case of acts drawn up in several procedural stages, an act is, in principle, open to challenge only if it definitively determines the position of the competent EU institution, body, office or agency, to the exclusion of intermediate measures whose aim is to prepare that final measure and which produce no independent legal effects vis-à-vis third parties. Acts expressing a provisional opinion of that EU institution, body, office or agency in particular constitute such intermediate measures (see, to that effect, judgments of 11 November 1981, IBM v Commission, 60/81, EU:C:1981:264, paragraph 10; of 22 September 2022, IMG v Commission, C‑619/20 P and C‑620/20 P, EU:C:2022:722, paragraph 103; and of 18 June 2024, Commission v SRB, C‑551/22 P, EU:C:2024:520, paragraph 92).

70

According to the case-law, an intermediate measure is not capable of forming, in particular, the subject matter of an action for annulment if it is established that the illegality attaching to that measure can be relied on in support of an action against the final decision for which it represents a preparatory step. In such circumstances, the action brought against the decision terminating the procedure will provide sufficient judicial protection (see, to that effect, judgments of 11 November 1981, IBM v Commission, 60/81, EU:C:1981:264, paragraph 12, and of 15 March 2017, Stichting Woonlinie and Others v Commission, C‑414/15 P, EU:C:2017:215, paragraph 46 and the case-law cited).

71

In the present case, as regards the content of the act concerned and the powers of the body in question, it is apparent from the very wording of Article 65(1)(a) and (2) of the GDPR and Article 68(1) of the GDPR that the decision at issue is an act which emanates from an EU body and is binding vis-à-vis third parties. That act is binding on the lead supervisory authority and all the supervisory authorities concerned, to which it is addressed and which are third parties in relation to the EDPB. Pursuant to Article 65(6) of the GDPR, the lead supervisory authority must adopt its final decision on the basis of the decision of the EDPB. That final decision must also refer to the EDPB’s decision, which must be attached to it.

72

Furthermore, as regards the context in which the decision at issue was adopted, it is common ground that that decision was drawn up in the context of a process involving several procedural stages, within the meaning of the case-law referred to in paragraph 69 above, in so far as it precedes the adoption of another act by the Irish supervisory authority. However, that decision definitively determines, within the meaning of that case-law, the position of the competent EU body, namely the EDPB, and deals exhaustively with all the issues which that body is required to resolve. It should be noted that such a decision, taken on the basis of Article 65(1)(a) of the GDPR, covers all the issues which are the subject of a relevant and reasoned objection by the supervisory authorities concerned, within the meaning of Article 60(4) of the GDPR, in particular whether there has been an infringement of the GDPR.

73

It follows from the foregoing that, although it is not the final stage of the consistency review procedure provided for in Articles 58, 60 and 65 of the GDPR, the decision at issue cannot be classified as an intermediate measure not open to challenge, within the meaning of the case-law cited in paragraph 69 above, contrary to what the General Court held in paragraph 42 of the order under appeal. Consequently, the case-law referred to in paragraph 70 above is irrelevant in the present case.

74

In that context, since the EDPB’s decision produces binding legal effects vis-à-vis third parties, it is of no bearing that the scope of the national supervisory authority’s final decision encompasses aspects which do not fall within the scope of the matters referred to the EDPB or the remit of the latter.

75

For the same reasons, the fact, noted by the General Court in paragraph 42 of the order under appeal, that, unlike the final decision of the Irish supervisory authority, the decision at issue is not enforceable against entities other than its addressees is also irrelevant for the purposes of the classification of that decision as an act open to challenge under the first paragraph of Article 263 TFEU. Such a fact, which concerns the appellant’s legal position with regard to the decision at issue, does not relate either to the substance of the decision at issue or to its binding legal effects in the light of objective criteria.

76

It follows from all those considerations that the decision at issue constitutes an act of an EU body intended to produce legal effects vis-à-vis third parties and expressing the definitive position of that body on the points to be decided by it, as the General Court, moreover, itself found in paragraphs 36, 37 and 49 of the order under appeal. Thus, that decision constitutes, in the light of the wording of the first paragraph of Article 263 TFEU and the case-law cited in paragraphs 66 to 69 above, an act open to challenge, without it being necessary to assess, at the present stage, whether that decision had the effect of bringing about a distinct change in WhatsApp’s legal position.

77

In that regard, it must be held that the General Court erred in law, first, in paragraph 38 of the order under appeal, by confusing the requirements resulting from the first and fourth paragraphs of Article 263 TFEU respectively and, second, in paragraph 42 of the order under appeal, by formulating an incorrect test, relating to the lack of direct enforceability of the act at issue against WhatsApp, and by classifying the decision at issue as an intermediate measure producing no independent legal effects.

78

Therefore, the first part of the first ground of appeal must be upheld.

79

WhatsApp submits that the General Court erred in law in holding that the decision at issue was not of direct concern to WhatsApp and that the latter’s action was therefore inadmissible.

80

First, as regards the condition that the act must directly affect the applicant’s legal situation, WhatsApp argues that the General Court incorrectly found, in paragraph 52 of the order under appeal, that the decision at issue was not of direct concern to WhatsApp on the ground that that decision was not enforceable against it and was not the final step of the procedure provided for in Articles 58, 60 and 65 of the GDPR.

81

Second, as regards the condition that an act must leave no discretion to the addresses entrusted with its implementation, WhatsApp takes the view that the General Court erred in law in holding, in paragraphs 53 to 60 of the order under appeal, that the decision at issue left the Irish supervisory authority a measure of discretion as to the content of its final decision, while accepting that the decision at issue bound that supervisory authority as regards the aspects to which it related.

82

As regards paragraphs 54 to 56 of the order under appeal, in which the General Court held that the content of the decision at issue was partial in comparison with the final decision, WhatsApp claims that the absence of a discretion should have been examined by reference to the substance of the decision at issue, without referring to the additional content of the final decision. The EDPB is claimed to have analysed only certain aspects of an individual case, namely the matters which were the subject of relevant and reasoned objections from the supervisory authorities concerned. The decision at issue therefore cannot cover the whole case and cannot encompass aspects which do not fall within the scope of the matters referred to the EDPB or the remit of the latter.

83

In addition, the General Court erred in law in holding, in paragraphs 57 to 59 of the order under appeal that the Irish supervisory authority exercised discretion to draw conclusions from the decision at issue. In the first place, as regards the classification of lossy hashed data as personal data, WhatsApp submits that that classification by the EDPB gives rise to additional obligations for WhatsApp under the GDPR, irrespective of the fact that the lead supervisory authority exercised a substantive discretion, going beyond such a classification, by verifying whether WhatsApp had acted as a controller or processor. In the second place, as regards the increase in the fines to be imposed on WhatsApp, that decision did not leave any discretion to the Irish supervisory authority, the latter being required to impose a fine higher than that initially envisaged. The fact that that authority retains a discretion as to the determination of the precise amount of the fine is irrelevant, since that task falls within the competence of that authority.

84

The EDPB disputes that line of argument and submits that two cumulative criteria must be satisfied for a natural or legal person who or which is not the addressee of an individual act to be directly concerned by an EU act. First, that act must have a direct effect on the legal situation of that person and, second, it must leave no discretion to the addressee entrusted with implementing it, such implementation being purely automatic, without the application of other intermediate rules.

85

As regards the first criterion, that party observes that the binding effect of an act must be considered in relation to its effect on the applicant’s own situation. In the present case, the decision at issue is not enforceable against WhatsApp in a way that would allow it, without further procedural steps, to be a source of obligations. That decision is not the final step of the procedure provided for in Articles 58, 60 and 65 of the GDPR and, inter alia, did not determine the final amount of the fine or define a new set of rules for WhatsApp’s activities. Thus, only the final decision is of direct concern to WhatsApp, the Irish supervisory authority being, under Article 56(6) of the GDPR, the sole interlocutor of that undertaking in the latter’s capacity as controller.

86

As regards the second criterion, the EDPB claims that the Irish supervisory authority retained genuine discretion as to the conclusions to be drawn in its final decision, which was broader in scope than the decision at issue and which contains findings on which the EDPB was not requested to express views, the matters referred to the latter being restricted to those which were the subject of relevant and reasoned objections. In any event, there is an interrelation between the decision at issue and the final decision. It is not possible to dissociate the parts of the latter decision which correspond to the EDPB’s instructions, which bears out the fact that the EDPB left a measure of discretion to the Irish supervisory authority on several aspects.

87

In such circumstances, a national court will be better equipped to review that final decision, and, if relevant, to refer questions to the Court of Justice for a preliminary ruling on provisions of the GDPR applied by the Irish supervisory authority both on its own motion and on the basis of the instructions of the EDPB.

88

According to the EDPB, the Irish supervisory authority also retained a margin of discretion as regards the issues addressed in the decision at issue, in particular those relating, first, to the legal consequences to be drawn from the classification of lossy hashed data as personal data and, second, the determination of the amount of the fines to be imposed on WhatsApp. As regards that first aspect, that authority retained discretion and made an independent assessment, inter alia as to compliance with Article 14 of the GDPR. It is incorrect, in that regard, to claim that the EDPB conducted a ‘complete’ assessment, the remit of the latter being restricted to the content of the relevant and reasoned objections, and not extending to the whole infringement procedure. As regards the second aspect, namely the determination of the fines, while the decision at issue contains general instructions pertaining to the fines, it does not deal with the operationalisation of those instructions, or with the computation of those fines.

89

The Federal Republic of Germany takes the view that, since the lead supervisory authority was WhatsApp’s sole interlocutor, the decision at issue cannot be considered to be of direct concern to WhatsApp. Such a decision is not intended to be implemented independently, but should always be followed by a final decision of that authority. The EU legislature deliberately opted for decentralised enforcement of the GDPR, and not for the creation of a central EU data protection authority.

90

The second part of the first ground of appeal concerns whether the General Court erred in law in finding, in paragraphs 50 to 60 of the order under appeal, that the decision at issue was not of direct concern to WhatsApp, within the meaning of the fourth paragraph of Article 263 TFEU, and that the action brought by WhatsApp was therefore inadmissible.

91

Under that provision, any natural or legal person may, under the conditions laid down in the first and second paragraphs of Article 263 TFEU, institute proceedings against an act addressed to that person or which is of direct and individual concern to them, and against a regulatory act which is of direct concern to them and does not entail implementing measures.

92

Thus, the admissibility of an action brought by a natural or legal person against an act which is not addressed to that person, in accordance with the fourth paragraph of Article 263 TFEU, is subject, inter alia, to the condition that that act is of direct and individual concern to that person (judgment of 3 December 2019, Iccrea Banca, C‑414/18, EU:C:2019:1036, paragraph 64 and the case-law cited).

93

In the present case, as the General Court found in paragraph 40 of the order under appeal, it is established that WhatsApp is individually concerned by the decision at issue, since that decision concerns certain aspects of the draft final decision which relate specifically to the situation of that undertaking. However, in paragraphs 52 and 53 of that order, the General Court held that the decision at issue was not of direct concern to WhatsApp, on the ground, first, that that decision was not enforceable against WhatsApp in a way that would allow it, without further procedural steps, to be a source of obligations for WhatsApp or, as the case may be, rights for other individuals, and, second, that even though the decision at issue was binding on the Irish supervisory authority as regards the aspects to which it related, it left that authority a measure of discretion as to the content of the final decision.

94

It must be borne in mind in that regard that, according to settled case-law, the condition that a natural or legal person must be directly concerned by the decision which that person is contesting requires that two cumulative conditions be satisfied, namely that the measure being contested, first, directly affects the legal situation of that person and, second, leaves no discretion to the addressees who are entrusted with the task of implementing it, such implementation being purely automatic and resulting solely from EU provisions without the application of other intermediate rules (judgment of 4 October 2024, Commission and Council v Front Polisario, C‑779/21 P and C‑799/21 P, EU:C:2024:835, paragraph 87 and the case-law cited).

95

Before examining whether those two conditions are satisfied in the present case, it must be stated that the fact that the challenged act is not directly enforceable against the applicant and the fact that that act is not the final stage of a composite procedure do not preclude that act from being of direct concern to the applicant where the addressee of that act has no discretion (see, to that effect, judgments of 4 June 1992, Infortec v Commission, C‑157/90, EU:C:1992:243, paragraphs 13 and 17; of 3 December 2019, Iccrea Banca, C‑414/18, EU:C:2019:1036, paragraphs 65 and 67; and of 12 July 2022, Nord Stream 2 v Parliament and Council, C‑348/20 P, EU:C:2022:548, paragraph 74).

96

Consequently, as the Advocate General observed in points 139 and 144 of her Opinion, the General Court erred in law in finding, in paragraph 52 of the order under appeal, that the decision at issue cannot be of direct concern to WhatsApp on the ground that that decision is not enforceable against WhatsApp and does not constitute the final stage of the procedure laid down in Articles 58, 60 and 65 of the GDPR.

97

As regards compliance with the first of the conditions referred to in paragraph 94 above, it is necessary to assess whether the challenged act is the source of a distinct change in the legal position of the natural or legal person in question, by examining the substance of that act and by assessing its effects in the light of objective criteria, such as the content of that act, taking into account, as appropriate, the context in which it was adopted and the powers of the institution, body, office or agency which adopted it (see, to that effect, judgments of 11 November 1981, IBM v Commission, 60/81, EU:C:1981:264, paragraph 9, and of 18 June 2024, Commission v SRB, C‑551/22 P, EU:C:2024:520, paragraph 65 and the case-law cited).

98

In the present case, as stated in paragraph 30 above, the EDPB, in the decision at issue, inter alia, decided that WhatsApp had failed to comply with the obligations to provide information laid down in Article 13(1)(d) of the GDPR and infringed Article 13(2)(e) thereof. Consequently, that decision changes WhatsApp’s legal position, since WhatsApp was required, in particular, as a result of the EDPB’s intervention, to change its contractual relationship with the users of the messaging service provided by WhatsApp. It follows that there is a direct link between that decision and its effects on WhatsApp’s situation, for the purposes of the case-law cited in paragraphs 94 and 95 above.

99

Contrary to what the EDPB maintains, the fact that, under Article 56(6) of the GDPR, the Irish supervisory authority is the sole interlocutor of WhatsApp, in the latter’s capacity as controller, has no bearing on that finding. That provision is intended only to organise relations between a controller or processor, a lead supervisory authority and the supervisory authorities concerned, with the result that it does not concern the remedies available in respect of decisions of the EDPB.

100

As regards compliance with the second of the conditions referred to in paragraph 94 above, in order to assess whether an act leaves its addressees discretion with a view to its implementation, it is necessary to examine the legal effects produced by that act’s provisions, as referred to in the action, on the situation of the person pleading the right to bring proceedings, pursuant to the second limb of the fourth paragraph of Article 263 TFEU (judgment of 12 July 2022, Nord Stream 2 v Parliament and Council, C‑348/20 P, EU:C:2022:548, paragraph 98 and the case-law cited).

101

The existence of such discretion will have to be discounted in particular if it is established that the provisions of the act which are the subject of the action had the direct consequence of subjecting that person to obligations the result of which could not be changed by the entity responsible for subsequently implementing that measure (see, to that effect, judgment of 12 July 2022, Nord Stream 2 v Parliament and Council, C‑348/20 P, EU:C:2022:548, paragraph 114).

102

In the present case, as is apparent from paragraphs 71 and 72 above, it must be borne in mind that the decision at issue is binding on the lead supervisory authority and the supervisory authorities concerned. They cannot depart from the position adopted by the EDPB in that decision and reiterated in paragraph 30 above. That decision determines the issues of law which are the subject of the matters referred to the EDPB and unconditionally binds those authorities, as regards, in particular, the finding of infringement of certain provisions of the GDPR, the classification of lossy hashed data as personal data and the obligation to increase the amount of the envisaged fines. Those authorities are not able to change the result of the assessments made, as regards those issues, by the EDPB, within the meaning of the case-law cited in the preceding paragraph.

103

In that regard, under Article 70(1)(a) of the GDPR, the task of the EDPB is to ensure the consistent application of the GDPR, by monitoring and ensuring, as is apparent from recital 10 thereof, a consistent and homogeneous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of their personal data throughout the European Union, in the cases provided for, inter alia, in Article 65 of the GDPR, without prejudice to the tasks of the national supervisory authorities.

104

In that context, it is of little significance that the scope of the final decision extends to matters not falling within the scope of those referred to the EDPB, namely aspects which were not the subject of relevant and reasoned objections, within the meaning of Article 65(1)(a) of the GDPR, or matters not falling within the remit of that body, such as, inter alia, the determination of the precise amount of the fine to be imposed on the controller or a processor, responsibility for which lies with the supervisory authority to which the matter is referred pursuant to Article 58(2)(i) and Article 83 of the GDPR.

105

Furthermore, while it is true that there is an interrelation between the decision at issue and the final decision, the fact remains that they are separate acts and that the scope of the decision at issue is well defined, as is apparent from the list set out in paragraph 30 of the present judgment. In those circumstances, that interrelation is not such as to preclude a finding that the decision at issue is of direct concern to WhatsApp.

106

In particular, although the simultaneous bringing of an action for annulment before the EU judicature, on the basis of Article 263 TFEU, in respect of the binding decision of the EDPB, and before the national court, under Article 78 of the GDPR, with regard to the final decision adopted on the basis of that binding decision by the national supervisory authority, does indeed give rise to two parallel sets of proceedings, that situation does not mean that the effects of the EDPB’s decision should be regarded as indirect, in the present case, in relation to WhatsApp.

107

First, according to the Court’s case-law, when the outcome of the dispute before the national court depends on the validity of the decision of an EU body, it follows from the obligation of sincere cooperation that the national court should, in order to avoid reaching a decision that runs counter to that of that body, stay its proceedings pending final judgment in the action for annulment by the EU judicature, unless it considers that, in the circumstances of the case, a reference to the Court of Justice for a preliminary ruling on the validity of the decision of that body is warranted (see, to that effect, judgments of 14 December 2000, Masterfoods and HB, C‑344/98, EU:C:2000:689, paragraph 57, and of 25 July 2018, Georgsmarienhütte and Others, C‑135/16, EU:C:2018:582, paragraph 24).

108

Second, it must also be stated that, in the event of proceedings being brought concurrently before the General Court in the context of an action for annulment and the Court of Justice in the context of a request for a preliminary ruling, the principle of the sound administration of justice may warrant the Court of Justice having recourse, if it considers it appropriate to do so, to the third paragraph of Article 54 of the Statute of the Court of Justice of the European Union in order to stay the proceedings before it, in order to give preference to the proceedings before the General Court (judgment of 25 July 2018, Georgsmarienhütte and Others, C‑135/16, EU:C:2018:582, paragraph 25).

109

Consequently, since the two conditions referred to in paragraph 94 above are satisfied, the decision at issue is of direct concern to WhatsApp.

110

In the light of the foregoing considerations, the second part of the first ground of appeal must therefore be upheld and, therefore, the order under appeal must be set aside.

111

By the third part of its first ground of appeal, WhatsApp submits that the General Court’s finding, in paragraphs 66 to 70 of the order under appeal, that the inadmissibility of its action is consistent with the logic of the system of judicial remedies established by the TEU and TFEU is vitiated by an error of law.

112

In the light of the finding accepted in paragraph 110 above, there is no need to rule on the third part of the first ground of appeal.

113

Referring to the line of argument developed in the context of the first ground of appeal, WhatsApp claims that the General Court infringed Article 65(1) of the GDPR and the principle of consistent application of EU law by holding, in paragraphs 41 to 60 of the order under appeal, that the decision at issue did not produce legal effects other than its binding effects vis-à-vis the supervisory authorities concerned.

114

Since WhatsApp merely refers to the arguments put forward in support of its first ground of appeal and in the light of the conclusion reached in paragraph 110 above, there is no need to adjudicate on that second ground of appeal, since it is not capable of leading to a more extensive setting aside of the order under appeal.

115

In accordance with the first paragraph of Article 61 of the Statute of the Court of Justice of the European Union, if the decision of the General Court is set aside, the Court of Justice may itself give final judgment in the matter, where the state of the proceedings so permits.

116

That condition is satisfied here in so far as the case concerns only the admissibility of the action brought before the General Court.

117

In that regard, first, as is apparent from paragraph 76 above, the decision at issue constitutes an act open to challenge for the purposes of the first paragraph of Article 263 TFEU. Second, as has been held in paragraph 109 above, the decision at issue is of direct concern to WhatsApp, within the meaning of the fourth paragraph of Article 263 TFEU. Third, that decision is of individual concern to WhatsApp, as the General Court itself found in paragraph 40 of the order under appeal.

118

Consequently, since the conditions laid down in the first and fourth paragraphs of Article 263 TFEU are thus satisfied, and in the absence of any other ground of inadmissibility, the action for annulment is declared admissible.

119

However, given that the General Court did not consider the merits of the action before it, the determination of which requires a detailed assessment in fact and in law, the state of proceedings does not permit a ruling on the merits of the appellant’s action.

120

Accordingly, the case must be referred back to the General Court.

121

Since the case is being referred back to the General Court, the costs relating to the present appeal proceedings must be reserved.

On those grounds, the Court (Grand Chamber) hereby: