WhatsApp has so far been used by many companies in their business operations, but the question of whether WhatsApp can be used in companies in accordance with GDPR must be answered with a clear NO. Under certain circumstances, its use can lead to considerable fines. In this blog article and our video, we explain the reasons for this and how WhatsApp can still be used to a limited extent in companies.
GDPR-compliant use of WhatsApp not possible
Even if some companies allow the use of WhatsApp on company cell phones or for exchanging information on business topics – WhatsApp cannot be used in companies in a GDPR-compliant manner.
The reasons for this are diverse. One of the most obvious reasons is that the instant messaging service automatically sends the contacts in address books to its server and stores them. However, there is no legal basis for making this contact information available to WhatsApp. As a rule, there is no documented consent.
Even if consent were given, a company using WhatsApp would still violate fundamental provisions of the GDPR. The instant messaging service also collects location data. There is no legal basis for this either. The risk here is particularly high, since a movement profile can easily be created using the location data.
Data transfer to the USA
It is also very problematic that all data that WhatsApp collects is transmitted to the USA. 45 GDPR are to be considered. WhatsApp is also not certified according to the EU-US Privacy Shield in the HR area, which would, however, be necessary for use in a corporate context. WhatsApp does not offer adequate guarantees for the protection of personal data in any other way. It is also unclear how the instant messaging service ensures the right to be forgotten. WhatsApp also does not adequately comply with the information obligations provided for in Art. 13 GDPR. For example, there is a lack of transparency about the use of the data transmitted to Facebook by WhatsApp.
GDPR fines when using WhatsApp in a corporate context
For the reasons mentioned above, companies face fines from the supervisory authorities when using WhatsApp. The problem is not only that the data of the customers of companies that use WhatsApp is affected. Employee data is also recorded by WhatsApp, and labor law problems follow from the use of the instant messaging service. Both points prevent WhatsApp from being used in companies in compliance with GDPR and pose a high risk of fines by the supervisory authorities.
It is therefore very advisable for companies to take a look at competing products from other providers of instant messaging services, which are tailored to business use.
If, despite this multitude of serious concerns, companies still believe that they absolutely need WhatsApp, for example to be easily accessible to customers, there are ways of reducing the risk to data through WhatsApp to a minimum, if not entirely eliminating it. In our video, you can find out more about the problems and about solutions, e.g. containers, that make it possible to use WhatsApp at least partially in accordance with GDPR.
Do you have any questions on this topic? Call us on 08505 919 27-0 or fill out our contact form. We are happy to help!
Désirée Eder, who holds a law degree (Diplomjuristin), studied law at the University of Passau and worked for several years in Berlin at a state-owned company for real estate projects as Project Manager for Legal Affairs and data protection officer. Désirée Eder enriches the team not only with her legal know-how but is also the first point of contact in the area of organization and documentation, as well as for the increasingly important DIN ISO standards and for certification processes. "For the well-being of our customers, open communication and a structured, efficient and thorough way of working are important to me."