How to comply with the GDPR if you use WhatsApp in your company?

We all use WhatsApp: you would be hard pushed to find a company without at least one workplace WhatsApp group, or one that does not use it in correspondence with customers and clients. But did you know this can be fraught with privacy issues which, if neglected, can lead to fines, damage to your hard-won reputation, and the loss of customers who can no longer trust you? To prevent this happening to you, this article goes over the data protection do's and don'ts of using WhatsApp under the GDPR.

So let’s dive in!

If your intention is to use WhatsApp as a communication tool for business, keep in mind that you must comply with the principles of data protection:

  • Quality
  • Information
  • Consent
  • Confidentiality
  • Data security.

This leads us to the important question…

Is WhatsApp GDPR compliant?

Answer? It’s complicated.

WhatsApp has (rather shrewdly) taken steps to pass liability to users, rather than the app itself, and the ‘WhatsApp GDPR policy’ for want of a better phrase, states that non-personal use is against the terms of service.

Liability passes to you, the user. Meaning you must then assess how your company is using the app with regards to customers.

Is your customer data at risk of being unlawfully processed by the app? If so, then you’re going to receive a ton of messages from your data protection officer about GDPR and WhatsApp compliance.

Ireland's Data Protection Commission (DPC) has recently submitted a draft to the EU supervisory authority regarding compliance issues with Articles 12, 13 and 14. So there are concerns about WhatsApp's own compliance, regardless of its attempts to pass the buck to users.


What obligations must all companies comply with when using WhatsApp?

The WhatsApp GDPR policy pushes responsibility of compliance onto the user, and not WhatsApp themselves, so you have to be aware of the obligations.

1. Inform users that you intend to use this application with them.

Before using WhatsApp to process personal data, you should inform users of the purposes of such processing. The processing in this case can be:

  • Commercial
  • Informative
  • Confirmation of appointments
  • A way of communicating or sending data.

The important points to remember are that the user must be informed that WhatsApp might be used and also why you’re using it.

2. Establish consent to process the data on WhatsApp.

To process customers’ data using WhatsApp, it is necessary to inform them and ask for consent. The commercial purpose is emphasized here. To submit commercial information, it is necessary in accordance with Article 22 of the LSSI to request the express consent of the affected party. The express consent is nothing other than a clear, informed, free and unambiguous answer in the affirmative.

Customer consent is essential to initiate communications via Whatsapp.

Ask yourself these questions to know if you really comply with the new GDPR when using Whatsapp with your customers:

  1. If you send advertisements, do you have the express consent of users/clients?
  2. Do you ask for the consent of the parties concerned before including them in a group?
  3. Do you ask for the consent to send personal information in this way?

3. Data Protection Rights

Companies – multi-nationals, SMEs and even freelancers – must ensure that the data they have sent is accurate and complies with data protection rights: access, deletion, objection and rectification.


4. Confidentiality is key.

Confidentiality is a fundamental factor when processing data via WhatsApp. You must ensure that the data provided is kept safe and confidential. It must only be processed by authorized personnel and third persons must not, under any circumstances, have access.

If the answer to any of the following questions is no, you should review your compliance with the GDPR.

  1. Do you control the professional use of this app by personnel?
  2. Have you verified that the WhatsApp account through which your personnel communicates with the customer is a business number and not their personal one?
  3. Have you informed personnel that in groups with customers they should not be sharing personal data?
  4. Do you have a data processing policy online? The rules of use of these and other applications should be described in this policy.

5. Security measures for protection of data sent or stored.

You must safeguard yourself. You can do this by implementing security measures, or contractual clauses, that comply with the requirements of the GDPR, but it should also be stipulated that the customer must read the legal notice and privacy policy of WhatsApp, so that they are aware that their data is transferred internationally through the app when they use it.

Likewise, these measures must be tied to a procedure for the custody of the devices that store the data, as well as to control of app usage through management measures linked to your policy on use of the application and on personal data protection.

That said, in order to avoid sanctions under European Regulation 2016/679 of the European Parliament of 27 April 2016 on the protection of natural persons, and under the recently approved Royal Decree-Law 5/2018 of 27 July on urgent measures for the adaptation of Spanish law to European Union regulation in the field of data protection, the company must be able to demonstrate that the client has granted consent for their personal and business data to be used to contact them by means of the mentioned tool.

It is recommended to take special care with the data processing via WhatsApp and be aware of the information that is shared and for what purposes.

It is well known that on 15 March 2018 the Spanish Data Protection Agency (AEPD) sanctioned Facebook and WhatsApp with a fine of €300,000 each because they mutually communicated data without the “free, specific and informed” consent of the users. The fine that the AEPD imposed on WhatsApp and Facebook has determined that the application is not secure, making it clear that it does not process user data as it should.

GDPR and WhatsApp Groups

It is not only customer data you need to consider in terms of data protection, most companies have WhatsApp work groups. Are there data protection considerations to make here?

Yes. The combination of WhatsApp and GDPR can be fraught with data protection complications, whether it be relating to consumers or employees.

A WhatsApp group potentially contains the names, numbers, photos and other contact information of up to 100 people, people who did not necessarily give their consent to be in this group and to have their information shared.

The vast majority of organisations will have at least one, and often several, WhatsApp groups for their various teams and friendship groups. A seemingly harmless, well-meaning activity can create privacy issues.

So how can we avoid data protection issues with WhatsApp groups and GDPR?

GDPR and WhatsApp privacy solution

Invitation links.

Instead of taking an individual's number and adding them to the group, use an invite link so your team members can choose whether to join and have their information shared.

Consent is the main issue here, and an invitation link provides this.

The complications that arise when using messaging services or applications in relation to GDPR, WhatsApp, Facebook Messenger, or another, for workplace communication are, well, complicated.

The important part for you, where you can protect yourself, is to ensure your customers and employees give informed consent with regards to their data and communications.

If you are interested in finding out how to comply with the new GDPR, feel free to continue browsing our academy, where you have access to more articles and webinars, as well as our recently launched podcast, the Pridatect Privacy Insider, where we interview industry experts so that you can learn everything you need to know about data protection and GDPR compliance across industries such as health tech, government, telecommunications and more.

You can also contact us here if you have any questions about WhatsApp GDPR compliance, or would like to set up a quick demo to see how the software can take much of the work off your back.

Article written by

A. P.
