WhatsApp is installed on almost every smartphone, has long since overtaken SMS and has become an integral part of internal and external communication in many companies. There is often even awareness of the legally problematic data processing by the American meta group (including Facebook and Instagram).
We shed light on data protection issues in particular and explain solutions – so that you can benefit from the wide reach of WhatsApp with the lowest possible risk of damages and fines.
Initial situation
WhatsApp is often used on business and private smartphones within the company. Most managing directors tolerate its use because of the great advantages or even specify communication processes via this medium. Sales staff contact customers via WhatsApp, employees exchange rosters or support services are provided. The range of applications is diverse, as (product) photos, videos or other files such as presentations or price lists can be exchanged very easily.
However, data protection authorities have fundamental concerns about the use of WhatsApp in companies. For example, the security of WhatsApp’s processing of traffic and inventory data is inadequate. This widespread service should therefore be integrated into the company’s data security in a more conscious and data protection-compliant manner.
Data protection law
First of all, it is problematic in terms of data protection law to use services that “read” or at least evaluate background data in the context of communication traffic. WhatsApp’s privacy policy states that “end-to-end encryption” ensures confidentiality.
However, this approach falls short in terms of data protection law, as upstream and downstream processes are also relevant in addition to the processing of messages. WhatsApp evaluates metadata such as phone number, location or IP address – in other words, it processes users’ personal data. This triggers justification and information obligations in business correspondence.
Automatic contact matching in the phone book in particular is sometimes problematic without the prior consent of the contact person concerned. Consent would be required at least for people who have not yet agreed to WhatsApp’s terms of use.
In addition, the backup of chats – unlike the transmission of messages – is unencrypted. A data processing agreement would have to be concluded with third parties such as Apple, Samsung or Google, which store these backups, and this would have to be guaranteed by the company.
In any case, the data subjects affected by the processing must always be informed about the processes by means of a data protection declaration. In addition, an order processing contract must also be concluded with WhatsApp as a service provider, which is not possible in the standard version.
Possible solutions in customer contact
Regardless of data protection issues, companies should be aware that business use of WhatsApp is only permitted via the “WhatsApp Business” version, as stipulated in WhatsApp’s terms of use. Otherwise there is a theoretical threat of claims for damages. If there are more than 5 employee profiles, the service is subject to a charge.
However, the legal requirements can be better taken care of with this version: The required privacy policy can be stored as well as an imprint. The order processing contract is also available in the business version. However, the analysis of the address book remains problematic for people without their own WhatsApp account. You either have to work with a tool for separate address books or accept the collection of some data without a WhatsApp membership.
Competition law requirements for commercial communication must also always be observed. Cold calling via WhatsApp is also not permitted. This may be different for existing customers. We will deal with this in one of our next newsletters.
