The GDPR and the WhatsApp problem
We have been asked several times whether the use of WhatsApp is permissible under data protection law. Unfortunately, this question cannot currently be given a clear, legally reliable answer, and the data protection authority has not yet issued any guidance on it.
According to some specialist lawyers, using WhatsApp in a company is not compliant with data protection law without further measures, because it raises a number of fundamental data protection concerns.
If WhatsApp is used on business phones, all phone numbers in the phone's address book (including business contacts) are uploaded to WhatsApp's servers in the USA for contact discovery. The USA is regarded as a third country without an adequate level of data protection, since its data protection rules are interpreted considerably more weakly than in Austria and the EU. In addition, messages that cannot be delivered immediately are retained on WhatsApp's servers for up to 30 days. If information about the company and its business processes is exchanged via this channel, it is subject to this retention as well.
On the other hand, the message content is end-to-end encrypted (the metadata, i.e. who communicates with whom and when, is not), and WhatsApp has held Privacy Shield certification since March 2018 (https://www.privacyshield.gov/participant?id=a2zt0000000TSnwAAG&status=Active), which might serve as a legal basis for the use of WhatsApp (the EU-U.S. Privacy Shield agreement governs data transfers between the EU and the USA). Note, however, that the Privacy Shield framework was invalidated by the Court of Justice of the EU in July 2020 (Schrems II), so it can no longer be relied on as a transfer basis. WhatsApp's own privacy notices and policies are available at https://www.whatsapp.com/legal/#key-updates.
Under the General Data Protection Regulation (Art. 15 (3) GDPR), data subjects have the right to obtain a copy of the personal data undergoing processing. If the request is made electronically, the controller must provide the information in a commonly used electronic format. According to WhatsApp, the right of access will be implemented by May 2018 at the latest, when the GDPR becomes applicable.
In our assessment, it is therefore important to regulate what may be communicated via WhatsApp: internal company data, sensitive data, data subject to professional secrecy and the like should not be exchanged via WhatsApp. This requires an explicit instruction from management to employees (e.g. in the data protection and IT security guidelines) not to do so. Simple appointment scheduling or similar, however, we consider unproblematic.
A statement from the data protection authority would certainly be welcome in order to clearly define the rights and obligations that apply when dealing with messenger services.

