MercuryonJan 19, 2021

How businesses can use WhatsApp in compliance with GDPR

Messaging is one of the most important forms of communication today and messenger apps such as WhatsApp are among the most used apps on smartphones. For companies, too, these offer an interesting communication channel to their customers. 

The legal situation regarding data protection, not least the GDPR and some unfavorably worded regulations therein, give many companies the impression that data protection is a major hurdle to the use of these messaging channels. It is therefore important to simply show how companies can use messaging in a privacy-compliant manner to be able to offer service to their customers in this important communication channel as well.

In this respect, a messenger such as WhatsApp is not so different from other digital tools that are taken for granted in everyday corporate life, such as the website, the company app, or email marketing.

What data is processed? 

Every company is responsible for the personal data it collects and processes. Of course, this also applies to the use of messenger services such as WhatsApp or Facebook Messenger. 

For this processing to be legal, one of the permissible circumstances of the GDPR must be present and the users must be informed about the data collection per Art. 13 GDPR. 

In the beginning, therefore, is the question of what personal data is being processed at all. 

WhatsApp uses user names and cell phone numbers, while other messengers also use user IDs, which are necessary to "reach" users. 

But the content of the communication between user and company is also an important point here. It should be noted here that users can provide a wide range of information in chat via free text.

Finally, metadata, which is still collected by some messaging services, such as Facebook Messenger, should not be forgotten.  

The data and processing operations must now be documented in such a way that the lawfulness can be proven in case of doubt. So it should be documented in the processing directory.    

Lawfulness of processing. Check the legitimacy and obtain consent in case of doubt

For personal data to be processed, one of three bases for legitimacy must be fulfilled: 

Performance of a contract requires the data (Art. 6, section 1b GDPR). Thus, the data is required to fulfill an agreement made between the user and the company. 

There are legitimate interests that legitimize data processing (Art. 6, section 1f DSGVO). 

Users consent to the processing of their data. (Art. 6 section 1a DS-GVO). Here it is important to obtain active consent, as objection options (opt-out) are not sufficient.  Since there is sometimes some room for interpretation in the first two points, it is recommended in case of doubt to take the route via the user's consent and thus place Messenger communication on a legally secure basis.   

Informing the user

However, for consent to be truly valid under data protection law, users must be adequately and comprehensibly informed about who processes which data and for what purpose. This can be done electronically or and even by "clearly confirming behavior". 

Users must be informed by the company about further data processing as early as the first data collection. Here, users should be provided with the data protection statement containing all the information required under Article 13 of the GDPR. 

Protecting user data from being passed on to third parties

Here lies one of the most significant hurdles in the use of WhatsApp in companies and also the reason for widespread skepticism. 

WhatsApp is usually installed as an app on the smartphone and accesses the phone numbers in the device's address book and transfers them to WhatsApp. 

No distinction is made between phone numbers of users who use WhatsApp themselves and those who do not. There is also no consent from the respective contacts. This procedure is fundamentally problematic and is considered by the data protection authorities to be contrary to data protection in corporate use.

To use WhatsApp in accordance with data protection in the company, it is therefore essential to avoid this unsolicited forwarding of contact data to the messenger provider, such as WhatsApp. 

Apart from small-scale "security workarounds", the most secure and reliable solution to this problem is to use the WhatsApp Business API via specialized messaging software for companies, such as 

In this case, the company's entire messaging communication takes place via the Software as a Service (SaaS) platform, so that the company does not have to install WhatsApp on the respective mobile devices. 

All aspects relevant from a data protection perspective are regulated here in the data processing agreement and make the use of WhatsApp safe from a data protection perspective.  

Data transmission outside the European Union

Another point of criticism that is often held against the use of messengers - especially Whatsapp - is the transfer of data to the USA. 

Even under the application of the GDPR, a transfer of personal data to the USA is not ruled out but rather is permissible under the specific requirements for the transfer of personal data to third countries from Art. 44 GDPR is permissible without further ado. 

A data transfer to the USA is unproblematic if the receiving company offers the conclusion of the EU standard contractual clauses


In summary, it must be said that data protection is a topic that can be managed well and does not prevent the use of WhatsApp in customer service - provided that the data protection-compliant implementation is made a clear component of an implementation project and the internal persons responsible for legal and data protection issues are involved at an early stage.

Incidentally, the current changes to the WhatsApp privacy regulations are directly related to the increasing use of WhatsApp by companies. They, therefore, take into account the development that, in addition to the most private purposes of use between private individuals, corporate communication has now also become an important aspect. WhatsApp has summarized what the update means for the EU region here.

WhatsApp answers general questions about privacy here.