WhatsApp in companies – how can it be used in a legally compliant way?

Messenger services are incredibly popular. As early as July 2017, 1.3 billion users worldwide used WhatsApp daily. Each day, they sent 55 billion messages, 4.5 billion photos and one billion videos[1]. Given the ease of use that these messaging services provide combined with the option to send media content of almost any size and type to contacts quickly, and potentially even to track whether the message was actually read, it is, of course, tempting to want to make use of such easy communication methods in a business environment, too.

But is this even legally permitted?

To answer this question, we first need to be familiar with the basic technical background of such applications. WhatsApp[2], for instance, clarifies this in its privacy policy. Here, you can find the telling statement:

“You provide your mobile phone number and basic information (including a profile name) to create a WhatsApp account. You provide us, all in accordance with applicable laws, the phone numbers in your mobile address book on a regular basis, including those of both the users of our Services and your other contacts”.

So, to be able to use WhatsApp at all, you not only need to give your own mobile phone number to WhatsApp – which has belonged to the Facebook Group since 2014 – but also all the phone numbers of every user who is stored in your contacts list. However, since phone numbers are also personal data, it is clear that data protection law comes into play here, particularly the General Data Protection Regulation, Article 4, Paragraph 1 GDPR.

According to Article 2, Paragraph 2 (c), the only time the GDPR does not apply is for use by natural persons to conduct exclusively (!) personal or family activities. Conversely, this means that, for business use, the provisions of the GDPR must be considered in full. By the way, this also applies to mixed use, i.e. if a personal mobile phone is used – even occasionally – for business purposes as well.

This, in turn, means that every single phone number in the WhatsApp user’s contact list can only be passed on with the prior consent of the stored contact (Article 6, Paragraph 2 (a) GDPR), whereby this consent also has to specifically cover the respective purpose; in short, every single contact in the contact list of the mobile phone that is (also) used for business purposes must expressly agree in advance for their phone number to be passed on to WhatsApp. The conditions under which consent is not necessary or can be expected are not met in the case of this passing on of personal data to WhatsApp.


And even if we were to assume that those contacts who are already WhatsApp customers themselves have issued this consent by agreeing to the WhatsApp privacy policy, this still leaves the remaining contacts who do not use WhatsApp. Since WhatsApp either does not distinguish whether a contact in the user’s contact list already uses WhatsApp themselves, or can only perform this check after the phone number has been transmitted to WhatsApp, there is no getting around obtaining the consent of all the contacts in the contact list in the event that you (also) use WhatsApp for business purposes.

If customer data is also to be accessed and sent to third parties via WhatsApp – for instance to process a service request – this is an example of order data processing. This, in turn, is only legally permitted if a separate contract in this regard is concluded with the third party (Article 28 GDPR). This aims to ensure that the high level of data privacy is still maintained if third parties receive such personal data or if there is even just a possibility that they could access this data.

In summary, therefore, it can be asserted that the use of messenger services in a professional environment is only permitted if prior consent has been obtained from every single contact in the relevant user’s contact list specifically for this purpose and if a potential contract for order data processing has additionally been concluded.

As long as these requirements have not been met, we would advise against using such messenger services for legal reasons.

  1. Source (in German): https://www.heise.de/newsticker/meldung/WhatsApp-hat-eine-Milliarde-Nutzer-taeglich-3784578.html
  2. Can be found at: https://www.whatsapp.com/legal/#privacy-policy


Stephan Wiedorfer-Rode

was born in 1967 in Munich. He studied law in Munich and, during his traineeship, worked in New York for six months for Germany’s largest record label. He has been a member of the bar since 1996 and founded his first law firm in 1999. He specialises in consulting in the field of computer and Internet law, including procedural enforcement of the relevant claims. His other areas of activity include trademark, copyright and competition law. Stephan Wiedorfer has been a certified specialist for industrial property rights since 4 February 2008. He is a member of the Deutsche Vereinigung für gewerblichen Rechtsschutz und Urheberrecht e. V. (GRUR; German Association for Industrial Property and Copyright), the Deutsche Gesellschaft für Recht und Informatik e. V. (DGRI; German Association for Law and Informatics) and the Arbeitsgemeinschaft Informationstechnologie im Deutschen Anwaltverein (DAV-IT; Information Technology Working Group of the German Association of Lawyers).
