WhatsApp in companies – how can it be used in a legally compliant way?
But is this even legally permitted?
“You provide your mobile phone number and basic information (including a profile name) to create a WhatsApp account. You provide us, all in accordance with applicable laws, the phone numbers in your mobile address book on a regular basis, including those of both the users of our Services and your other contacts”.
So, to be able to use WhatsApp at all, you not only need to give your own mobile phone number to WhatsApp – which has belonged to the Facebook Group since 2014 – but also all the phone numbers of every user who is stored in your contacts list. However, since phone numbers are also personal data, it is clear that data protection law comes into play here, particularly the General Data Protection Regulation, Article 4, Paragraph 1 GDPR.
According to Article 2, Paragraph 2 (c), the only time the GDPR does not apply is for use by natural persons to conduct exclusively (!) personal or family activities. Conversely, this means that, for business use, the provisions of the GDPR must be considered in full. By the way, this also applies to mixed use, i.e. if a personal mobile phone is used – even occasionally – for business purposes as well.
This, in turn, means that every single phone number in the WhatsApp user’s contact list can only be passed on with the prior consent of the stored contact (Article 6, Paragraph 2 (a) GDPR), whereby this consent also has to specifically cover the respective purpose; in short, every single contact in the contact list of the mobile phone that is (also) used for business purposes must expressly agree in advance for their phone number to be passed on to WhatsApp. The conditions under which consent is not necessary or is to be expected are not met in the case of this passing on of personal data to WhatsApp.
If customer data is also to be accessed and sent to third parties via WhatsApp, for instance to process a service request, this is an example of order data processing. This, in turn, is only legally permitted if a separate contract in this regard is concluded with the third party (Article 28 GDPR). This aims to ensure that the high level of data privacy is still maintained if third parties receive such personal data or if there is even just a possibility that they could access this data.
In summary, therefore, it can be asserted that the use of messenger services in a professional environment is only permitted if prior consent has been obtained from every single contact in the relevant user’s contact list specifically for this purpose and if a potential contract for order data processing has additionally been concluded.
As long as these requirements have not been met, we would advise against using such messenger services for legal reasons.
- Source (in German): https://www.heise.de/newsticker/meldung/WhatsApp-hat-eine-Milliarde-Nutzer-taeglich-3784578.html
- Can be found at: https://www.whatsapp.com/legal/#privacy-policy
Stephan Wiedorfer was born in 1967 in Munich. He studied law in Munich and, during his traineeship, worked in New York for six months for Germany’s largest record label. He has been a member of the bar since 1996 and founded his first law firm in 1999. He specialises in consulting in the field of computer and Internet law, including procedural enforcement of the relevant claims. His other areas of activity include trademark, copyright and competition law. Stephan Wiedorfer has been a certified specialist for industrial property rights since 4 February 2008. He is a member of the Deutsche Vereinigung für gewerblichen Rechtsschutz und Urheberrecht e. V. (GRUR; German Association for Industrial Property and Copyright), the Deutsche Gesellschaft für Recht und Informatik e. V. (DGRI; German Association for Law and Informatics) and the Arbeitsgemeinschaft Informationstechnologie im Deutschen Anwaltverein (DAV-IT; Information Technology Working Group of the German Association of Lawyers).