How to comply with the GDPR if you use WhatsApp in your company?


The well-known instant messaging application WhatsApp was designed primarily for personal use. Now that more companies use it to interact with customers and staff, they need to understand how data protection rules apply to WhatsApp under the GDPR.

If you intend to use WhatsApp in your company, institution or business, keep in mind that you must comply with the data protection principles: among others, data quality (accuracy), information, consent, confidentiality and data security.

This leads us to the important question…

Is WhatsApp GDPR compliant?

Answer? It’s complicated.

WhatsApp has taken steps to shift liability onto its users rather than onto the app itself: its terms of service state that non-personal use of the application is not permitted.

Liability therefore passes to you, the user. This means you must assess how your company uses the app with regard to customer data.

Is your customer data at risk of being unlawfully processed by the app? If so, then you’re going to receive a ton of messages from your data protection officer about GDPR and WhatsApp compliance.

Ireland's Data Protection Commission (DPC) has recently submitted a draft decision to the other EU supervisory authorities regarding WhatsApp's compliance with Articles 12, 13 and 14 (the transparency and information obligations towards data subjects). So there are concerns about WhatsApp's own compliance, regardless of its attempt to pass the buck to users.


What obligations must all companies comply with when using WhatsApp?

Because WhatsApp's terms push responsibility for compliance onto the user rather than onto WhatsApp itself, you have to be aware of the following obligations.

1. Inform the users that you will use this application with them.

Before using WhatsApp to process the personal data of the people concerned, you must inform them of the purposes of that processing. The processing in this case may be commercial, informational, appointment confirmation, general communication or the sending of data. In any case, the data subject must know that this tool is being used and for what purpose.

2. Ask for consent to process the data in this way.

To process customers' data using WhatsApp, you must inform them and ask for their consent. This matters most for commercial purposes: to send commercial communications by electronic means, Article 21 of the Spanish Law on Information Society Services (LSSI) requires the express consent of the person concerned. Express consent is nothing other than a freely given, specific, informed and unambiguous indication, by a statement or a clear affirmative action, that yes, they want to receive advertising.

The customer’s consent will be essential to initiate communications through Whatsapp.

Ask yourself these questions to know whether you really comply with the GDPR when using WhatsApp with your customers:

  1. If you send advertisements, do you have the express consent of the recipients?
  2. Do you ask for the consent of the people concerned before adding them to a group?
  3. Do you ask for consent before sending personal information through this channel?

3. Data Protection Rights

Companies, including SMEs and freelancers, must ensure that the personal data they process is accurate and must honour the data protection rights of the people concerned, in particular access, rectification, erasure and objection.

4. Take care of confidentiality of the data you process on Whatsapp.

Confidentiality is one of the pivotal requirements for any company, business or organisation. You must ensure that the data provided is kept safe and confidential: it may only be processed by authorised personnel, and third parties may not access it.

If the answer to any of the following questions is no, you should review your GDPR compliance.

  1. Do you control the professional use of this app by your personnel?
  2. Have you verified that the WhatsApp account your personnel use to communicate with customers is tied to a company phone number and not to a personal one?
  3. Have you informed your personnel that they should avoid sharing personal data in groups with customers?
  4. Do you have a written data processing policy? The rules for using this and other applications within the company should be described in that policy.

5. Security measures for protection of data sent or stored.

As a business you can adopt security measures, and contractual clauses, that not only meet the requirements of the GDPR but also record that the customer has read WhatsApp's legal notice and privacy policy and accepts that their data will be transferred internationally through the app.

These measures should be tied to a procedure for the custody of the devices on which the data is stored, and to control of the app's use through management measures linked to an acceptable-use policy for the application and a personal data protection policy.

To avoid sanctions under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons, and under the recently approved Royal Decree-Law 5/2018 of 27 July on urgent measures for the adaptation of Spanish law to European Union data protection regulation, the company must be able to demonstrate that the customer has consented to the use of his or her personal and business data in order to be contacted through this tool.

It is recommended to take special care with the data processing via WhatsApp and be aware of the information that is shared and for what purposes.

It is well known that on 15 March 2018 the Spanish Data Protection Agency (AEPD) fined Facebook and WhatsApp €300,000 each because they shared user data with each other without the "free, specific and informed" consent of the users. Note what this sanction does and does not establish: it does not say the application is technically insecure, but it does make clear that user data was not processed as the law requires.

GDPR and WhatsApp Groups

It is not only customer data you need to consider in terms of data protection, most companies have WhatsApp work groups. Are there data protection considerations to make here?

Yes. The combination of WhatsApp and GDPR can be fraught with data protection complications.

A WhatsApp group exposes to every member the phone number, name, profile photo and other contact details of every other member, which in a large group can mean hundreds of people. These are people who did not necessarily consent to being in the group or to having their information shared with the others.

So how can we avoid data protection issues with WhatsApp groups and GDPR?

GDPR and WhatsApp privacy solution

Invitation links.

Instead of taking an individual's number and adding them to the group yourself, share an invite link so that each team member can choose whether to join and have their information visible to the other members.

Consent is the main issue here, and an invitation link provides it. One caveat: anyone who obtains the link can join the group, so distribute it only to the intended members and have an administrator reset the link once the group is populated.

The complications that arise when using messaging services such as WhatsApp, Facebook Messenger or others for workplace communication under the GDPR are real and not easily resolved.

The important part, and the one where you can protect yourself, is to ensure that your customers and employees give informed consent regarding their data and the channels used to communicate with them.

If you are interested in finding out more about complying with the GDPR, feel free to browse the site, where you have free access to more articles and webinars given by industry experts on data protection and GDPR compliance.

You can also contact us if you have any questions about WhatsApp and GDPR compliance, or would like a free demo of our software.


Article written by

Lisa Hofmann

Chief of Legal Operations at Pridatect and certified data protection officer
