The question of whether WhatsApp may be used on the company phone is frequently asked. The answer is no. However, we would like to explain in more detail why the use is not permitted under the GDPR.
The basis of the use of WhatsApp are their T&Cs. Among other things, it states there:
In accordance with applicable law, you regularly provide us with the phone numbers of WhatsApp users and other contacts in your cell phone address book, including both the numbers of users of our Services and those of your other contacts.
Earlier versions of the T&Cs even stated that the user explicitly declares that he has obtained the consent of his contacts. This passage has been removed in the current brief (as of 08/11/2018).
Regardless of the wording in WhatsApp’s terms and conditions, this data transfer is problematic for companies. The GDPR prohibits such data transfer, unless an exception according to Article 44ff can be invoked. For example, explicit consent is required from those affected.
However, even then there are legal difficulties, Whatsapp writes namely further:
A data transfer to a third country, such as the USA, is only permitted if the recipient country has a similar level of data protection as the European Union (excl. explicit consent of the data subject). Processing in the USA is legally uncritical, since here the PrivacyShield agreement exists (for more information, see our article EU-US Privacy Shield). However, WhatsApp states that it also transfers data to other third countries without explicitly listing them. This makes it unclear whether the required level of data protection has been achieved, and companies cannot obtain explicit consent, since at least the recipient country must be cited for this.
It is questionable whether WhatsApp or Facebook specify their T&Cs and thus enable the use of WhatsApp for companies. As long as this is not improved, we do not recommend using it. Otherwise, companies risk penalties from the regulatory authority. The GDPR provides for up to 4% of the annual turnover achieved worldwide or € 20 million as a maximum penalty.