How to use WhatsApp in compliance with the GDPR


In this blog post, you will find out what you need to bear in mind in order to use WhatsApp in a GDPR-compliant manner in a business environment and what risks there are when using it.


Use WhatsApp in compliance with GDPR with SecurePIM

Around 1.67 billion people used the messaging service “WhatsApp” to send and receive text messages in Germany every day in 2021, and not just for private communication. WhatsApp is also increasingly being used for business purposes. With the introduction of WhatsApp for Business in 2018, business use has experienced a significant upswing – whether companies want it or not.


Legal challenges: Using WhatsApp in compliance with GDPR

Ever since the General Data Protection Regulation (GDPR) came into force on May 25, 2018, companies have had to think about how to deal with the issue. There are a number of legal challenges:


1. Data protection

WhatsApp and other social media apps access users’ personal data, such as address book entries. Because this is personal data, the practice falls under the GDPR, which stipulates that such data may not simply be processed and forwarded without consent. In the case of WhatsApp, every user would in fact have to obtain the consent of every person in their address book before sharing the data, and document that consent. The “right to information” required by the GDPR is also neglected by WhatsApp, and the complete deletion of data, i.e. the “right to be forgotten”, is likely to be difficult to enforce.

In addition, the GDPR stipulates a strict separation of business and private data, which becomes difficult if the employee uses WhatsApp on their smartphone for both business and private purposes as part of a bring-your-own-device (BYOD) policy.


2. Copyright protection

According to Section 99 of the German Copyright Act (UrhG), the owner of the company is responsible if an employee infringes a copyright. For example, a copyright could be infringed if an employee uses software professionally that they have purchased privately and that is only licensed for private use, which is usually the case with WhatsApp accounts.


3. Storage obligations

The statutory retention obligations, for example in accordance with Section 257 HGB and Section 147 AO as well as the “Principles for the proper keeping and storage of books, records and documents in electronic form and for data access” (GoBD) must be complied with. All business communication must be conducted via the business email account; business-related communication must be prevented from “bypassing” the employer.


GDPR-compliant WhatsApp use – possible solutions

Nowadays, communication via messengers such as WhatsApp is as much a part of everyday life as making phone calls or writing letters used to be. So what can companies and authorities do to steer this communication in the right direction?


General ban on WhatsApp on business devices

In the wake of the GDPR, some companies have simply banned the use of WhatsApp and similar services on business smartphones or tablets. This is certainly the most efficient method, but not always the most sensible. If the use of WhatsApp on work smartphones is banned, employees will increasingly have to use private smartphones for private communication and therefore carry two devices with them. In addition, employees will then have to forego the advantages of instant messaging in the business/office environment.


SecurePIM Messenger makes WhatsApp private and GDPR-compliant again

A container app such as SecurePIM allows WhatsApp to be used for private purposes on the mobile device, as the business data is stored in the container app and cannot be accessed by any other app. Contacts, calendar entries, photos, emails, documents and chat messages are encrypted in SecurePIM both on the device and during transmission and are safe from data breaches. The integrated messenger module also enables business instant messaging in compliance with the GDPR.

With this approach, companies and authorities no longer have to worry about business/service data or the leakage of personal data. Outside of containerized apps such as SecurePIM, employees can continue to use WhatsApp or other private apps to their full extent at their own risk.


Would you like to introduce BYOD in your company/authority? Our newly updated white paper “Securing BYOD models legally” provides you with valuable information on data protection, IT security and employment law. Download now free of charge.


This blog article was originally published on February 12, 2020 and last updated on February 22, 2022.