WhatsApp in Business - How to be GDPR-Compliant in 2023

WhatsApp is the world's most popular instant messenger and a daily companion for billions of people. Because of this, more and more companies also want to use this channel to reach their customers.

However, many companies fear that using WhatsApp is not compatible with the General Data Protection Regulation (GDPR). The concern rests on two things: the tarnished image of WhatsApp's parent company Facebook (now "Meta"), and the unclear legal situation following the repeal of the Privacy Shield agreement, which had served as the legal basis for data transfers to the USA until mid-2020.

Companies are also unsure how the WhatsApp Business App and WhatsApp Business API differ in terms of data protection. In fact, because these two business solutions are so different, the consequences for end users and companies vary in each case.

We’ll show you how to use WhatsApp Business - via the app or API - in your company in a data protection-compliant way.

  1. WhatsApp & data protection: what applies
  2. Using the WhatsApp Business App in a GDPR-compliant way
  3. Using the WhatsApp Business API in a GDPR-compliant way
  4. More about WhatsApp in business

WhatsApp & data protection: what applies

If you use WhatsApp as a contact channel, you become responsible for processing the personal data of the customers who write to you. This applies to the customer’s phone number stored on WhatsApp, and to any personal data shared in a conversation, such as a delivery or email address.

In itself, this is not a problem. Once a customer is in contact with you, you have, in the legal sense, a legitimate interest in processing their data securely. After all, such processing is necessary so that they can write to you and receive your replies, just as with your other service channels.


If you use WhatsApp for customer communication, your own data protection measures aren’t enough on their own. Under the GDPR, WhatsApp processes the data on your behalf, so you must be given a guarantee that the data is sufficiently protected.

This guarantee is given in a written data processing agreement or, since June 2021, in the new standard data protection clauses (also known as standard contractual clauses), which replace the abolished Privacy Shield. WhatsApp adapted its data transfer conditions so that they comply with the EU Commission’s new requirements.

In our modern world, it is essential that data can be securely exchanged within and outside the EU. With these strengthened clauses, we are enabling companies to have more security and legal certainty in data transfers. The new standard contractual clauses will greatly help companies comply with the GDPR.

EU Justice Commissioner Didier Reynders of the European Commission

New standard contractual clauses enable GDPR-compliant use of WhatsApp Business

WhatsApp guarantees that conversations are end-to-end encrypted in each of its applications. This gives users and businesses peace of mind that no one is reading their private conversations, neither WhatsApp nor unwanted third parties such as Facebook or the US authorities (more on this in a moment). So what you discuss with your customers never falls into "unwanted" hands.

The situation is different for the unencrypted metadata generated during cloud communication. This data includes the user's phone number, device, type and time of use, location and IP address.


WhatsApp currently transfers this data outside the EU, for example to share it with its parent company Meta in order to ensure the functionality and security of its service. Because of unclear wording in the terms and conditions published at the beginning of 2021, WhatsApp was accused of misusing the data for Facebook's advertising purposes. WhatsApp has rejected these accusations.

Since the Privacy Shield agreement was invalidated, the company now relies on the standard contractual clauses as the legal basis for data transfers. These certify to your users that the responsible party (you), the data processor (WhatsApp) and any third countries and third-party organizations involved (USA, Meta) all comply with the provisions of the GDPR.

Before we look at the specifics of the WhatsApp Business App and the WhatsApp Business API, here are the most important tips for using WhatsApp at your business in a privacy-compliant way.

  • Have the customer contact you and then respond to their request. If the initial contact comes from the customer, this is considered "clearly confirming" behavior, which satisfies the GDPR as a basis for subsequent data processing.
  • You may write to customers first if they have consented to receiving messages via a clear opt-in (such as an email newsletter sign-up). However, it is not sufficient to use the phone number of a WhatsApp contact who registered on your website, for example.
  • There are many privacy-compliant ways to make customers aware of your WhatsApp channel. For example, share your number on your website or set a click-to-chat link that your customers can use to reach you directly on WhatsApp.
  • No matter how you use WhatsApp as a contact channel - let your customers know about it in your privacy policy. Explicitly state the purpose and extent of your personal data processing and include a link to WhatsApp's privacy policy. Since customers who use WhatsApp privately have already agreed to WhatsApp's privacy policy anyway, this puts you on the safe side.


Using the WhatsApp Business App in a GDPR-compliant way

The WhatsApp Business app is a mobile app for small business owners. It allows you to offer products and services, talk to customers and use simple automation options.

Basically, it’s a commercial version of the standard WhatsApp application. It’s currently available for Android and iOS devices and is free, but limited to five devices, one phone number and a few business features. You have to answer customer messages manually on a mobile device or on a desktop via WhatsApp Web. This, of course, isn’t suitable for handling large support volumes.


WhatsApp and WhatsApp Business are also similar in terms of data protection. The app's automatic contact synchronization is an issue, however. As soon as you install WhatsApp Business, it wants to read your address book contacts to check for existing WhatsApp users.

The personal data of uninvolved contacts is then sent to WhatsApp servers in the USA unencrypted, and neither anonymized nor pseudonymized.

Here’s how you can use the WhatsApp Business app in a privacy-compliant way:

  • Use the WhatsApp Business app only on dedicated mobile devices.
  • Make sure that the address book only contains WhatsApp contacts, at the time of installation and from then on.
  • Alternatively, deny WhatsApp access to your contacts or do not store your WhatsApp customers in your address book (but then customers will be displayed without names).
  • Always install the latest updates.
  • Refrain from enabling cloud backups (Google Drive/Apple iCloud).
  • Do not save attachments to the device’s internal or external storage (e.g. disable automatic photo saving).

Using the WhatsApp Business API in a GDPR-compliant way

WhatsApp’s Business API allows an unlimited number of employees to talk to customers on multiple desktop devices. It’s aimed at companies seeking professional and scalable WhatsApp support. Prominent examples include BMW, Vodafone and Otto.

WhatsApp doesn’t provide an application for using the API. Instead, you use external customer messaging software and link WhatsApp's technical interface to it in order to talk to your customers. You can only obtain API access via so-called "Business Solution Providers" (BSPs), i.e. partner companies specially certified by WhatsApp. This is to ensure that the WhatsApp infrastructure is handled responsibly.

Some BSPs offer API access as well as a simple user interface for communicating with your WhatsApp customers. Others partner with advanced customer messaging software providers, like Userlike. That way you can have all of your digital contact channels in one place, such as live chat and other messaging apps, and talk to customers from a central hub.

Learn more about the API’s benefits, functionality and costs in our post, "WhatsApp Business API: All you need to know."

From a data protection perspective, not using WhatsApp's native app is a big advantage. You don’t have to worry about automatic contact synchronization, since non-WhatsApp users are not involved at all with the API. Just like with the business app, however, metadata is transmitted to WhatsApp, because the service cannot operate without the WhatsApp cloud. The standard contractual clauses in effect since 2021 apply here as well.

How to use the WhatsApp Business API in a privacy-compliant way

To meet the highest possible data protection standard, it is essential to choose a trusted WhatsApp BSP. When looking for a provider, here are the characteristics it should have:

  • Headquarters and certified server infrastructure in the EU or EEA
  • Ability to delete all data and communication relating to an individual customer, and to block further contact from the company, at the customer's request

The customer messaging software your chosen BSP works with should have the same attributes. After all, apart from WhatsApp, up to two other companies process your customers' data on your behalf. All parts of this chain need to be within the scope of the GDPR in order for it to be completely compliant.

Infographic: this is what GDPR-compliant WhatsApp communication looks like via the well-known business solution provider 360 Dialog and the customer messaging software Userlike.

WhatsApp Business API: simple and secure with Userlike

Connecting the API with Userlike has several advantages:

  • Easy integration and maintenance. We will be your personal contact and walk you through the setup step by step.
  • Certified server infrastructure in Germany. As a German company, we understand the importance of data protection and security in customer communication.
  • Made for professional service. Userlike was developed for customer communication and offers you effective features for successful WhatsApp support.
  • Omni messaging in one software. Keep your customer conversations from all relevant channels in one place - Userlike is your central hub for website chat, WhatsApp, Facebook Messenger, Telegram, Threema and SMS.

At Userlike, you can get access to the WhatsApp Business API for as little as 90 Euros per month. If you’re interested, reach out to us on our website. We look forward to hearing from you and helping you get started with the WhatsApp Business API!

More about WhatsApp in Business

Customer communication via WhatsApp is currently a hot topic. These posts will help keep you up to speed:

Talk to your data protection officer

Please note that despite careful research, this article merely reflects our personal knowledge and does not constitute legally binding information. We therefore recommend that you always discuss your individual WhatsApp integration with your data protection officer.