We are often asked whether WhatsApp may be used on a company phone. The answer is no. Below we explain in more detail why its use is not permitted under the GDPR (DSGVO).
WhatsApp terms and conditions
Use of WhatsApp is governed by its terms and conditions, which state, among other things:
In accordance with applicable laws, you periodically provide us with the phone numbers of WhatsApp users and other contacts in your mobile phone address book, including both the numbers of our service users and those of your other contacts.
Previous versions of the Terms even said that the user explicitly confirms that he has obtained the consent of his contacts. This passage has been removed in the current version (as of 08.11.2018).
Legal assessment
Regardless of the wording in the WhatsApp Terms and Conditions, this data sharing is problematic for companies. The GDPR prohibits such data transfer unless an exception according to Article 44 can be asserted. For example, it requires explicit consent from the data subjects.
However, even then there are legal difficulties, because WhatsApp writes:
The Privacy Policy sets out the legal basis for our processing of personal information about you, including the collection, use, processing and sharing of such information and the transfer and processing of such information to the United States and other countries worldwide where we have facilities, service providers, affiliates or partners, regardless of where you use our services.
Data transfer to a third country, such as the USA, is only permitted if the recipient country has a level of data protection similar to that of the European Union (unless the data subjects have given explicit consent). Processing in the USA is legally unproblematic, as the Privacy Shield agreement exists here (for further information, see our article EU-US Privacy Shield). However, WhatsApp states that it will also transfer data to other third countries without explicitly enumerating them. This makes it unclear whether the required level of data protection is met, and companies cannot obtain explicit consent, because at least the recipient country must be named.
Outlook
It is questionable whether WhatsApp or Facebook will make their terms and conditions more specific and thus enable the use of WhatsApp by companies. As long as this is not improved, we do not recommend its use. Otherwise, companies risk penalties from the regulatory authorities. The GDPR provides for a maximum penalty of up to 4% of the worldwide annual turnover or €20 million.