
WhatsApp Business and GDPR - current opportunities for companies: Use in line with data protection


WhatsApp is by far the most popular messenger among private individuals in Germany (source: Statista 2022). For some years now, WhatsApp owner Meta Platforms, Inc. (formerly Facebook) has also been offering companies a way to use the messenger for customer communication with its WhatsApp Business and WhatsApp Business API products. More and more companies can be reached via it and, for the most part, are very satisfied with WhatsApp as a communication channel. At 98%, the open rate of WhatsApp messages is significantly higher than that of emails (approx. 20%) (source: AiSensy.com). And in an increasingly competitive market environment, companies must increasingly position themselves on the platforms where consumers are already spending time anyway. However, the use of WhatsApp is not entirely trivial for companies due to the applicable data protection laws in Germany and the EU.

The General Data Protection Regulation (GDPR) has been in effect since May 25, 2018 and contains harmonized rules for handling personal data throughout Europe. This strengthens consumers' control over their data. Companies that process personal data of EU citizens must comply with the GDPR and risk a heavy fine if they do not. This article explains how companies can avoid legal difficulties under the GDPR and, at the same time, gain greater customer trust by complying with data protection law.

Critical with regard to the GDPR: WhatsApp collects various metadata

WhatsApp chats are usually end-to-end encrypted. This means that WhatsApp and its parent company Meta Platforms do not have direct access to the contents of conversations, such as texts, media and other data. Under certain conditions, however, chats can be cached on WhatsApp's servers, for example if messages temporarily cannot be delivered to the recipient because of a missing Internet connection. Backups of chat histories uploaded to the cloud are also stored on WhatsApp servers. From a data protection perspective, the so-called metadata, which is collected and stored regardless of encryption, is particularly relevant. This includes the following information:

  • Smartphone model
  • Device name
  • Phone number
  • Profile picture
  • Profile name
  • Profile description
  • Address book
  • Position
  • Date & Time

Even if this data does not at first glance reveal anything about the content of a conversation, it can be combined to build fairly detailed user profiles.

Privacy issues when using WhatsApp

Processing of personal metadata

A major problem is the aforementioned use and processing of metadata by WhatsApp. Any processing of personal data requires a legal basis. Since services such as WhatsApp are not subject to telecommunications secrecy, the law does not explicitly exclude the use of this information, at least for the time being. This problem is usually solved by concluding a data processing agreement (DPA; in German usage an "AV contract", Auftragsverarbeitungsvertrag) within the meaning of Art. 28 GDPR. Put simply, the agreement prohibits the contractor from using customer data for its own purposes. Through a data processing agreement, the transfer of such metadata to the service provider (WhatsApp) is justified under data protection law. With a DPA in place, the processing of personal data is data protection compliant and does not require the customer's separate consent. The standard version of WhatsApp does not offer the option of concluding a data processing agreement. With WhatsApp Business, a DPA is concluded automatically when the app is downloaded and the terms of use are accepted.

Access to contact data

Perhaps the best-known privacy issue is the upload of the user's address book data to WhatsApp. Contact data is stored on WhatsApp servers in the USA and compared with the data of other users. Unlike some other messengers, WhatsApp stores contact data without encryption. Companies must be able to prove the legal basis for the data transfer of each individual contact. A transfer of contact data to WhatsApp is permissible on the basis of a balancing of interests within the meaning of Art. 6 (1) lit. f) GDPR, provided that the transferred contact uses WhatsApp. If the contact does not have his or her own WhatsApp account, this legal basis does not apply, because the interests of the data subject outweigh those of the company once the data is transferred to a third country. In summary, access to contact data is therefore only unobjectionable under data protection law in the exceptional case that all transferred contacts already have a WhatsApp account. This is why the uploading of address data is also the main point of criticism from authorities in Germany and Europe.

Unencrypted backups

Another problem concerns backups of message histories that are stored in the cloud. Even though all WhatsApp messages, voice memos, photos, videos, documents and other data are in principle protected by end-to-end encryption, backups are usually not covered by this protection. Using backups may seem sensible for recovery in the event of data loss, but it is not compatible with the GDPR. Companies should permanently deactivate this function in order to protect customers' personal data and to act in a data protection compliant manner in this respect.

Ways to use WhatsApp in a GDPR-compliant way


The use of the standard version of WhatsApp is not permitted for companies under the applicable terms of service. Because there is no option to sign a data processing agreement, this version of WhatsApp is also highly problematic from a data protection perspective. Despite the strict regulations, there are two options for companies to use WhatsApp for customer communication.

Use WhatsApp Business GDPR compliant

WhatsApp Business is a free app available for Android and Apple smartphones, designed specifically for the self-employed and small businesses. WhatsApp Business simplifies interaction with customers by providing tools to automate, sort, and quickly reply to messages. The user interface and many features are similar to those of the WhatsApp Messenger app for individuals, so using the WhatsApp Business app is very easy for most businesses.

With some restrictions, WhatsApp Business can be used in a GDPR-compliant manner. The main problems described above, processing of personal metadata, access to contact data and unencrypted backups, can be avoided with the following measures:

  • The WhatsApp Business app should only be used on dedicated mobile devices
  • The address book may only contain contacts whose phone numbers are already linked to a WhatsApp account
  • The latest version of the app should always be installed
  • Cloud backups (via Google Drive/Apple iCloud) must be disabled
  • Automatic saving of photos and attachments to internal or external storage must be disabled
  • A link to the legal notice (imprint, § 5 TMG) must be present in the company profile in the WhatsApp Business app
  • If in doubt, obtain consent from your customers for the processing of their personal data

It should be noted that with the recommended settings, some WhatsApp Business functions cannot be used and the processing of customer inquiries may be less efficient. Some customers may even shy away from contacting you if you cannot guarantee end-to-end encryption of customer data. And despite all precautions, GDPR conflicts can never be ruled out when communicating via WhatsApp Business. That is why Mateo recommends a WhatsApp Business account that works via the API. Using the WhatsApp API is 100% data protection compliant and also the only way to use WhatsApp Messenger in a data protection compliant manner. This saves you the costs of external data protection consultants and lawyers, as well as litigation costs in the event of a warning letter. Nor do you have to obtain any consent from your customers to process their data. But that is just the beginning: the WhatsApp API has a number of other advantages to offer companies, as you will learn in the following section.

Using the WhatsApp Business API in a GDPR-compliant way

To provide professional businesses with a secure, scalable and GDPR-compliant solution tailored to their needs, Facebook launched the WhatsApp Business API in August 2018. This application programming interface (API) allows businesses to receive and reply to unlimited WhatsApp messages from their customers.

Unlike the WhatsApp Business app, the API itself comes without a user interface. The API connects WhatsApp with a professional messaging tool, such as the one Mateo offers. Companies integrate the WhatsApp API endpoint into the software of an official WhatsApp Business Solution Provider. Mateo is such a provider and offers business customers the corresponding integration in a clear user interface with its in-house software.

Because the user interface, including all its technical particulars, is provided not by WhatsApp but by the business solution provider, GDPR compliance can differ from one provider to another.

The use of Mateo's messaging software is 100% GDPR compliant. Neither WhatsApp nor third-party companies can access the address book stored on the end device. Cloud backup, which is problematic from a data protection perspective, is also disabled. For technical reasons, the transmission of metadata to WhatsApp cannot be avoided by any business solution provider, Mateo included. Through the data processing agreement with WhatsApp, Mateo's messaging tool is data protection compliant in this respect as well. The location of Mateo's servers in Germany and the option to delete individual or all communication and customer data offer additional security in terms of data protection.

More advantages of WhatsApp Business API with Mateo

Mateo's messaging software offers much more than a simple WhatsApp API user interface. Various features and tools result in Mateo's centralized messaging software making customer communication much more efficient.

Central user interface

Mateo bundles various communication channels such as WhatsApp Business, email, Instagram, SMS and Facebook Messenger in a central inbox. On the intuitive and clear user interface, you will find various helpful tools for particularly efficient customer communication. For the efficient use of our software, the management of your customer contacts is of course also integrated.

Custom Message Templates

Thanks to message templates that can be created individually, the amount of writing is minimized and the efficiency of customer communication is increased. This means that personnel resources in the service area can be deployed elsewhere.

Newsletter

With Mateo's WhatsApp API solution, newsletters can be sent in a GDPR-compliant manner. Thanks to the first-class open rate of 98% for WhatsApp messages, marketing can be done much more effectively than via email or other channels. For this purpose, WhatsApp newsletter marketing is integrated into Mateo. With Mateo, you can even segment your contacts into different groups and run your WhatsApp marketing in a targeted and highly effective way.


Scalability for all company sizes

The scalability of the messaging tool has been confirmed by the large number of companies already using Mateo with high satisfaction. Whether customers have just a few employees or many hundreds, the software works smoothly and, depending on the package, with an unlimited number of end devices and users. The fact that Mateo significantly reduces the workload in the customer service area opens up new growth opportunities for many companies.

Low cost provider for WhatsApp Business API

With an entry-level price of just 79 euros per month, Mateo is a cost-effective provider for WhatsApp Business API solutions on the German market. Combined with the integration of additional communication channels and various helpful tools, Mateo's application offers excellent value for money. Mateo's personal customer support assists companies with every step of the integration, ensuring very low barriers to entry.

Note: All information in this article is without guarantee and does not constitute legal advice. If in doubt, please contact a data protection expert or your lawyer.

Henri Hoepfner
Messenger expert at Mateo
