WhatsApp in companies – how can it be used in a legally compliant way?
But is this even legally permitted?
To answer this question, we first need to be familiar with the basic technical background of such applications. WhatsApp[2], for instance, clarifies this in its privacy policy. Here, you can find the telling statement:
“You provide your mobile phone number and basic information (including a profile name) to create a WhatsApp account. You provide us, all in accordance with applicable laws, the phone numbers in your mobile address book on a regular basis, including those of both the users of our Services and your other contacts”.
So, to be able to use WhatsApp at all, you not only need to give your own mobile phone number to WhatsApp – which has belonged to the Facebook Group since 2014 – but also all the phone numbers of every user who is stored in your contacts list. However, since phone numbers are also personal data, it is clear that data protection law comes into play here, particularly the General Data Protection Regulation, Article 4, Paragraph 1 GDPR.
According to Article 2, Paragraph 2 (c), the only time the GDPR does not apply is for use by natural persons to conduct exclusively (!) personal or family activities. Conversely, this means that, for business use, the provisions of the GDPR must be considered in full. By the way, this also applies to mixed use, i.e. if a personal mobile phone is used – even occasionally – for business purposes as well.
This, in turn, means that every single phone number in the WhatsApp user’s contact list can only be passed on with the prior consent of the stored contact (Article 6, Paragraph 2 (a) GDPR), whereby this consent also has to specifically cover the respective purpose; in short, every single contact in the contact list of the mobile phone that is (also) used for business purposes must expressly agree in advance to their phone number being passed on to WhatsApp. The conditions under which consent is not necessary or is to be expected are not met in the case of this passing on of personal data to WhatsApp.
And even if we were to assume that those contacts who are already WhatsApp customers themselves have given this consent by agreeing to the WhatsApp privacy policy, this still leaves the remaining contacts who do not use WhatsApp. Since WhatsApp does not distinguish whether a contact in the user’s contact list already uses WhatsApp, or can only perform this check after the phone number has been transmitted to WhatsApp, there is no getting around obtaining the consent of all the contacts in the contact list in the event that you (also) use WhatsApp for business purposes.
If customer data is also to be accessed and sent to third parties via WhatsApp, for instance to process a service request, this is an example of order data processing. This, in turn, is only legally permitted if a separate contract in this regard is concluded with the third party (Article 28 GDPR). This aims to ensure that the high level of data privacy is still maintained if third parties receive such personal data or if there is even just a possibility that they could access this data.
In summary, therefore, it can be asserted that the use of messenger services in a professional environment is only permitted if prior consent has been obtained from every single contact in the relevant user’s contact list specifically for this purpose and if a potential contract for order data processing has additionally been concluded.
As long as these requirements have not been met, we would advise against using such messenger services for legal reasons.
- [1] Source (in German): https://www.heise.de/newsticker/meldung/WhatsApp-hat-eine-Milliarde-Nutzer-taeglich-3784578.html
- [2] Can be found at: https://www.whatsapp.com/legal/#privacy-policy
Author:
Stephan Wiedorfer-Rode
was born in 1967 in Munich. He studied law in Munich and, during his traineeship, worked in New York for six months for Germany’s largest record label. He has been a member of the bar since 1996 and founded his first law firm in 1999. He specialises in consulting in the field of computer and Internet law, including procedural enforcement of the relevant claims. His other areas of activity include trademark, copyright and competition law. Stephan Wiedorfer has been a certified specialist for industrial property rights since 4 February 2008. He is a member of the Deutsche Vereinigung für gewerblichen Rechtsschutz und Urheberrecht e. V. (GRUR; German Association for Industrial Property and Copyright), the Deutsche Gesellschaft für Recht und Informatik e. V. (DGRI; German Association for Law and Informatics) and the Arbeitsgemeinschaft Informationstechnologie im Deutschen Anwaltverein (DAV-IT; Information Technology Working Group of the German Association of Lawyers).