GDPR - Sanctions

How to comply with the GDPR if you use WhatsApp in your company?

How to comply with the GDPR if you use WhatsApp in your company?

The well-known instant messaging application, WhatsApp, was primarily designed for personal use. Nevertheless, day by day there are more companies, professionals and businesses that make use of it to interact with their customers, communicate with staff, etc.

If your intention is to use WhatsApp in your company, institution or business, keep in mind that you must comply with the principles of data protection. These are the principles of quality, information, consent, confidentiality and data security, among others.

What obligations must all companies comply with when using WhatsApp?

1. Inform the users that you will use this application with them.

Before using Whatsapp to process persons’ personal data, you should inform them of the purposes of such treatment. The processing in this case can be commercial, informative, confirmation of appointments, a way of communicating or sending data. In any case, the data holder must know about the use of this tool and the purpose for which it is foreseen.

2. Ask for consent to process the data in this way.

To process customers’ data by WhatsApp, it is necessary to inform them and ask for consent. The commercial purpose is emphasized here. To submit commercial information, it is necessary in accordance to Article 22 of the Spanish Law of Information Society Services (LSSI) to request the express consent of the affected party. The express consent is nothing other, but a clear affirmative, informed, free and unambiguous action that yes, they want to receive publicity.

The customer’s consent will be essential to initiate communications through Whatsapp.

Ask yourself these questions to know if you really apply the new GDPR when using Whatsapp with your customers:

  1. If you send publicity, do you have the express consent of persons?
  2. Do you ask for the consent of the parties concerned before including them in a group?
  3. Do you ask for the consent to send personal information in this way?

3. Data Protection Rights

Companies – also SMEs and freelancers – must ensure that the datat they have sent is truthful and they have to comply with the correct exercise of data protection rights: access, deletion, objection and rectification.

4. Take care of confidentiality of the data you process on Whatsapp.

Confidentiality is one of the most special requirements that are required from a company, business or organization. You must ensure that the data that you have provided to us is kept safe and confidential. They may only be processed by authorized personnel and third persons may not access them.

If one of the answers to following questions is no, you should review the compliance with the GDPR.

  1. Do you control the professional use of this app by personnel?
  2. Have you verified that the WhatsApp through which your personnel communicates with the customer is from company and not personal phone number?
  3. Have you informed your personnel that in groups with customers they should avoid sharing personal data?
  4. Do you have a data processing policy online? The rules of use of these and other applications in the field of the company should be described in this policy.

5. Security measures for protection of data sent or stored.

As a business we can put security measures – or clauses – that comply not only with the requirements included in the GDPR, but also that the customer has read the legal notice and privacy policy of Whatsapp to subsequently use that their data is internationally given and transferred through the mentioned app.

Likewise, these measures must be associated with the procedure of custody of devices, which store the data, as well as the control of app use by means of management measures associated with policy of use of the application and personal data protection.

That said, in order to avoid sanctions with regard to European Regulation 2016/679 of the European Parliament and of the Council, of 27 April 2016, regarding the protection of natural persons and the recently approved Royal Decree-Law 5/2018, of 27 July, about urgent measures for the adaptation of Spanish law to European Union regulation in the field of data protection, the company must demonstrate that the client has granted consent for the use of his or her personal and business data to be contacted by means of the mentioned tool.

It is recommended to take special care with the data processing via WhatsApp and be aware of the information that is shared and for what purposes.

It is already known that on 15 March 2018 the Spanish Data Protection Agency (AEPD) sanctioned Facebook and WhatsApp with a fine of 300,000€ each because they mutually communicated data without the “free, specific and informed” consent of the users. The fine that the AEPD imposed on WhatsApp and Facebook has determined that the application is not secure, making it clear that it does not process the user data as it should.  

If you want to expand your knowledge about how to comply with the new GDPR, make sure to check our website and find out more by clicking here. You can also contact us here.