How companies can use WhatsApp without worrying about data privacy

Author

Dr. Maximilian Panzner

Chief Technology Officer @Mercury.ai

Today, messaging is one of the most important forms of communication, and messenger apps such as WhatsApp are among the most frequently used apps on smartphones. For companies, they also offer an interesting communication channel to their customers. 

The legal situation regarding data protection, not least the GDPR and some unfavorable formulations within its regulations, gives many companies the impression that data protection is a major hurdle to using these messaging channels. It is therefore important to show plainly how companies can use messaging in compliance with data protection regulations, so that they can serve their customers on this important communication channel as well.

In this regard, a messenger like WhatsApp is not actually that different from other digital tools that are taken for granted in everyday business operations, such as the website, the corporate app, or email marketing. This is how you succeed in using WhatsApp in a data-protection-compliant manner.

Which data is being processed? 

Every company is responsible for the personal data it collects and processes. This naturally also applies to the use of messenger services such as WhatsApp or Facebook Messenger. 

For this processing to be lawful, one of the legal bases of the GDPR must exist, and users must be informed about the data collection in accordance with Art. 13 GDPR. 

The first question, therefore, is which personal data is processed at all.

Most obviously, this includes the WhatsApp username and mobile number and, for other messengers, the user IDs that are necessary to "reach" the users.

However, the contents of the communication between the user and the company are also an important point here. It should be noted that users can provide a wide range of information in the chat via free text.

Finally, we should not forget metadata, which is still collected by some messaging services, such as Facebook Messenger.  

The data and processing activities must now be documented in such a way that lawfulness can be proven in case of doubt. It should therefore be documented in the record of processing activities,    

Legal bases? Check the legal basis and, in case of doubt, obtain consent

In order for personal data to be processed, one of three legal bases must be met: 

  • Performance of a contract requires the data (Art. 6 para. 1 lit. b GDPR). The data is therefore required to fulfill an agreement made between the user and the company. 

  • There are legitimate interests that justify the data processing (Art. 6 para. 1 lit. f GDPR). 

  • The users consent to the processing of their data (Art. 6 para. 1 lit. a GDPR). Here, it is important to obtain active consent, as opt-out options are not sufficient. 

Since the first two points sometimes leave room for interpretation, it is advisable in case of doubt to obtain the user's consent and thus place messenger communication on a legally secure foundation.

Information for users

For the consent to be valid under data protection law, however, users must be informed sufficiently and understandably about who processes which data for what purpose. This can be done electronically and even through "clear affirmative action."

The company must inform users about the further data processing at the time of the initial data collection. Here, users should be provided with the privacy policy containing all the information required under Art. 13 GDPR. 

Protecting user data from transfer to third parties

This is one of the most significant hurdles when using WhatsApp in companies and also the reason for widespread skepticism. 

As a rule, WhatsApp is installed as an app on the smartphone and accesses the phone numbers in the device's address book, transmitting them to WhatsApp. 

No distinction is made between phone numbers of users who use WhatsApp themselves and those who do not. There is also no consent from the respective contacts for this. This practice is inherently problematic and is clearly rated as non-compliant with data protection regulations by data protection authorities for corporate use. 

In order to use WhatsApp in accordance with data protection in the company, this unsolicited transfer of contact data to the messenger provider, such as WhatsApp, must absolutely be avoided. 

Apart from small-scale "security workarounds," the safest and most reliable solution to this problem is using the WhatsApp Business API via specialized corporate messaging software, such as Mercury.ai. 

In this case, all of the company's messaging communication takes place via the Software as a Service (SaaS) platform, meaning the company does not need to install WhatsApp on the respective mobile devices. 

All aspects relevant from a data protection perspective are regulated here in the data processing agreement, making the use of WhatsApp completely sound under data protection law.  

Data transfer outside the European Union

  • Another point of criticism often raised against the use of messengers – especially with WhatsApp – is the transfer of data to the USA. 

  • Even under the GDPR, a transfer of personal data to the USA is not excluded, but is readily permissible under the specific requirements for the transfer of personal data to third countries in Art. 44 et seq. GDPR. 

  • A data transfer to the USA is unproblematic if the receiving company offers the conclusion of EU Standard Contractual Clauses.

So...

In summary, it must be said that data protection is a highly manageable issue and does not stand in the way of using WhatsApp in customer service – provided that data-protection-compliant implementation is made a clear component of an implementation project and the internal stakeholders for legal and data protection matters are involved early on. 

By the way, the current changes to WhatsApp privacy policies are directly related to the increasing use of WhatsApp by companies. They therefore take into account the development that corporate communication has now also become an important aspect alongside the mostly private uses between individuals. What the update means for the EU region has been summarized by WhatsApp here: https://www.whatsapp.com/legal/updates/key-updates-eea

By the way, WhatsApp answers general questions about privacy here.
