26 09 2019
The well-known instant messaging application, WhatsApp, was primarily designed for personal use. Nevertheless, day by day there are more companies, professionals and businesses that make use of it to interact with their customers, communicate with staff, etc.
If your intention is to use WhatsApp in your company, institution or business, keep in mind that you must comply with the principles of data protection. These are the principles of quality, information, consent, confidentiality and data security, among others.
Before using Whatsapp to process persons’ personal data, you should inform them of the purposes of such treatment. The processing in this case can be commercial, informative, confirmation of appointments, a way of communicating or sending data. In any case, the data holder must know about the use of this tool and the purpose for which it is foreseen.
To process customers’ data by WhatsApp, it is necessary to inform them and ask for consent. The commercial purpose is emphasized here. To submit commercial information, it is necessary in accordance to Article 22 of the Spanish Law of Information Society Services (LSSI) to request the express consent of the affected party. The express consent is nothing other, but a clear affirmative, informed, free and unambiguous action that yes, they want to receive publicity.
The customer’s consent will be essential to initiate communications through Whatsapp.
Ask yourself these questions to know if you really apply the new GDPR when using Whatsapp with your customers:
Companies – also SMEs and freelancers – must ensure that the datat they have sent is truthful and they have to comply with the correct exercise of data protection rights: access, deletion, objection and rectification.
Confidentiality is one of the most special requirements that are required from a company, business or organization. You must ensure that the data that you have provided to us is kept safe and confidential. They may only be processed by authorized personnel and third persons may not access them.
If one of the answers to following questions is no, you should review the compliance with the GDPR.
Likewise, these measures must be associated with the procedure of custody of devices, which store the data, as well as the control of app use by means of management measures associated with policy of use of the application and personal data protection.
That said, in order to avoid sanctions with regard to European Regulation 2016/679 of the European Parliament and of the Council, of 27 April 2016, regarding the protection of natural persons and the recently approved Royal Decree-Law 5/2018, of 27 July, about urgent measures for the adaptation of Spanish law to European Union regulation in the field of data protection, the company must demonstrate that the client has granted consent for the use of his or her personal and business data to be contacted by means of the mentioned tool.
It is recommended to take special care with the data processing via WhatsApp and be aware of the information that is shared and for what purposes.
It is already known that on 15 March 2018 the Spanish Data Protection Agency (AEPD) sanctioned Facebook and WhatsApp with a fine of 300,000€ each because they mutually communicated data without the “free, specific and informed” consent of the users. The fine that the AEPD imposed on WhatsApp and Facebook has determined that the application is not secure, making it clear that it does not process the user data as it should.