Do Your Staff Use WhatsApp For Customer Communication? You Could Have A Serious GDPR Breach

October 12, 2020

Messaging is one of the most significant ways of communication in today’s world, and messaging apps like WhatsApp are among the most popular. These provide a simple way for businesses to communicate with their customers.

Many businesses believe that data privacy is a major barrier to using these communication channels because of the legal circumstances around data protection, including the GDPR and some negatively phrased requirements therein. It is therefore important to show plainly how businesses can use messaging in a privacy-compliant manner so that they can serve their customers through this crucial communication channel.

In this regard, a messenger like WhatsApp is similar to other digital tools that are commonplace in corporate life, such as the website, the company app, or email marketing.

What kind of information is processed?

Every business is in charge of the personal information it gathers and processes. This, of course, includes the usage of messaging apps like WhatsApp or Facebook Messenger.

One of the legal bases recognised by the GDPR must apply for this processing to be lawful, and users must be informed about the data collection in accordance with Art. 13 GDPR.

As a result, the first question is whether or not personal data is being processed at all.

User names and mobile phone numbers are used by WhatsApp, whereas user IDs are used by other messengers to “reach” users.

However, the content of the communication between the user and the company is equally important. It should be emphasised that users can contribute a wide range of personal information in a chat via free text.

Finally, metadata should not be overlooked, as it is still gathered by some messaging platforms, such as Facebook Messenger.

The data and the processing operations must then be documented so that their lawfulness can be demonstrated in the event of a dispute. The record of processing activities should therefore include an entry for messenger communication.

Lawful processing: in case of uncertainty, verify the legal basis and seek consent

One of three legal bases must be met before personal data can be processed:

  1. The performance of a contract requires the collection of the data (Art. 6(1)(b) GDPR). In other words, the information is necessary to fulfil a contract between the user and the company.
  2. Data processing is justified by legitimate interests (Art. 6(1)(f) GDPR).
  3. Users give their consent for their data to be processed (Art. 6(1)(a) GDPR). Objection options (opt-out) are insufficient here; active consent is required. Because the first two bases can be interpreted in different ways, it is best to rely on the user’s consent if in doubt. This puts messenger conversations on a sound legal footing.

Educating the user

For consent to be valid under data protection law, users must be fully and clearly informed about who processes which data and for what purpose. This can be done in a variety of ways, either electronically or through “clearly confirming behaviour.”

Users must be informed about subsequent data processing by the company as soon as the initial data is collected. Users should be given a data protection statement that includes all of the information mandated by Article 13 of the GDPR.

Keeping user information from being shared with other parties

One of the biggest roadblocks to the use of WhatsApp in businesses, and the source of widespread distrust, is found here.

WhatsApp is typically deployed as a smartphone app that accesses and transfers phone numbers from the device’s address book to WhatsApp.

No distinction is made between the phone numbers of contacts who use WhatsApp and those who do not, nor is any check made as to whether the respective contacts have given their consent. This process is fundamentally flawed, and the data protection authorities consider it incompatible with corporate data protection.

To use WhatsApp in line with enterprise data protection policies, it is therefore critical to prevent this unsolicited transfer of contact data to the messenger provider, in this case WhatsApp.

Apart from small-scale “security workarounds,” the most secure and dependable answer to this problem is to use the WhatsApp Business API through dedicated business messaging software, such as that provided by Stitch AI.

In this setup, all of the company’s messaging communication is handled through the Software as a Service (SaaS) platform, which eliminates the need for the organisation to install WhatsApp on the relevant mobile devices.

A data processing agreement with the platform provider regulates all aspects that matter from a data protection standpoint, making the use of WhatsApp compliant.

Transmission of data outside of the European Union

Another common concern levelled at the usage of messengers, particularly WhatsApp, is the data transmission to the United States.

Even under the GDPR, a transfer of personal data to the United States is not prohibited; rather, it is permitted under the special requirements for transfers of personal data to third countries set out in Art. 44 GDPR.

A data transfer to the United States is straightforward if the recipient company agrees to sign the EU standard contractual clauses.

In conclusion, data protection is a topic that can be managed effectively and does not preclude the use of WhatsApp in customer service, provided that a data protection-compliant implementation is made a clear component of the project and that the internal persons responsible for legal and data protection issues are involved early on.

The recent revisions to WhatsApp’s privacy terms are, incidentally, directly tied to the increased use of WhatsApp by businesses. They take into account the fact that, in addition to the most personal uses between private individuals, corporate communication has now become a significant factor. WhatsApp has summarised what the update means for the EU region.
