Data protection at WhatsApp as an entrepreneur:
With the new General Data Protection Regulation (GDPR), many entrepreneurs are asking themselves whether they should delete WhatsApp from their company smartphone, because it is not without reason that WhatsApp has long been considered questionable or problematic in terms of data protection.
Hamburg data protection officer Johannes Caspar banned Facebook from accessing the data of German WhatsApp users. At the end of June, the Bad Hersfeld District Court (ref. F 111/17 EASO ) ruled that the use of WhatsApp alone violates German data protection law.
The problem has not only existed since the start of the new GDPR. But what exactly is so “bad” about using WhatsApp as an entrepreneur?
Sloppy handling of data protection?
Facebook's subsidiary WhatsApp transmits data from the respective user, which ultimately ends up in the USA and is evaluated there. The specific purpose for which the data is processed is currently not sufficiently known.
WhatsApp takes the liberty of reading data from the WhatsApp contact directory as well as numbers and contacts that do not access WhatsApp. The app also allows access to location data, information about the smartphone model, operating system used or mobile network.
And not only that - WhatsApp ignores the German data protection rules because the user has to accept a lower level of data protection if he wants to use the service:
“You acknowledge that the laws, regulations and standards of the country in which your information is stored or processed may differ from those of your own country.”
Users are usually not really aware of the extent of WhatsApp's total data access.
WhatsApp is not only a popular communication tool for private individuals
According to data protection experts, WhatsApp does not adhere to the legally established principle of data economy.
If an entrepreneur uses WhatsApp, be it for communication between employees as well as between customers or suppliers, he has to ask himself whether he is committing a criminal offense.
the YouGouv study, consumers are largely open to WhatsApp communication with companies, especially in the areas of customer service and advice.
According to an online survey by Deutsche Handwerks Zeitung , 59 percent of the 391 participants stated that they already use messengers such as WhatsApp to communicate with and between employees or to contact customers.
Attorney Dr. Hauke Hansen, specialist lawyer for IT law, explains:
“WhatsApp allows use in a business context in its terms and conditions. However, the US company must first agree to non-private use. Anyone who has not obtained this consent has so far been spared any consequences. WhatsApp does not prosecute unauthorized commercial use. In the worst case, companies risk having their WhatsApp account blocked.”
In January, the company launched its new WhatsApp Business .
It is intended to make communication with customers even easier for entrepreneurs, including a comprehensive company profile and statistics on how often a message was successfully sent, transmitted and read.
Private users can recognize entrepreneurs by means of a seal next to the contact name.
Nevertheless, the same data protection requirements apply to WhatsApp Business as to the “normal” version, as no changes have been made by the Facebook subsidiary.
Possible solution for entrepreneurs?
Hansen, for example, cites so-called exchange containers as a possible solution.
These prevent apps within the container from synchronizing with apps outside of it. So if WhatsApp comes into this protected area, no comparison can be made with the contact details from the address book outside the container.
The disadvantage would be that you would have to enter all WhatsApp contacts manually, the big advantage:
No more unauthorized data processing!
However, it is questionable whether Exchange containers represent a solution for the general public.
“The container solution is certainly the safest, but also a little complex. Large companies tend to do this because it involves time and costs,”
says Hansen.
An alternative could be to deny WhatsApp access to the contact details. However, you have to keep in mind that WhatsApp has already synchronized existing contacts before access is deactivated...
As an iPhone user, you can prevent this via the settings. In the Data Protection menu item, this is done individually for each app using a slider.
On Android devices, this can only be done with the help of apps.
What are the penalties for a data breach?
Let's summarize again: If the company does not have the consent of each individual contact, nor a corresponding solution to the problem of unauthorized data processing by WhatsApp on the smartphone, you will have to face fines of up to 20 million euros or four percent of the amount from May 25, 2018 Calculate annual sales.
So what am I really allowed to do as an entrepreneur and what am I not allowed to do?
Are companies allowed to communicate with their employees via WhatsApp?
“To contact employees via WhatsApp, the boss must give his employees a work cell phone ,”
Hansen points out.
“However, companies should ask themselves whether they can accept that a lot of potentially sensitive data is passed on to third parties abroad in an uncontrolled manner,”
warns the lawyer.
Because users assign their rights to the content they post; according to the terms and conditions, these can theoretically be used for advertising purposes.
Are companies allowed to communicate via WhatsApp if the initial contact came from the customer?
“If the customer writes to the tradesman via WhatsApp, he consciously chooses this communication channel,”
explains Hansen.
“Theoretically, both of them also know that data is being transmitted to the USA. After all, you agreed to the terms and conditions beforehand.”
There is therefore mutual consent.
Can a company send advertising via WhatsApp?
Attorney Dr. Hauke Hansen sees no problem here either, as long as WhatsApp's permission and the customer's consent were lawfully obtained.
“So you need the data protection law and the advertising law according to Section 7 UWG. Both consents can also be summarized and combined in one text.”
It should also be noted that the advertiser may have to provide better information than WhatsApp itself and must point out that recipients can revoke their consent to advertising at any time.
If you send a WhatsApp newsletter via a service provider such as WhatsBroadcast, Hansen advises the following:
“If the data is held exclusively by the service provider and an order data processing contract has been concluded with them, sending the newsletter is harmless to the company. It is important that the contract data processor also guarantees that it will take “technical-organizational measures (TOM)” to ensure the security of the data.”
Does a company WhatsApp channel need an imprint?
“The person responsible must be named. The rule applies to homepages: a maximum of two clicks to the legal notice. Most apps fail due to this requirement because the imprint cannot be displayed on every page. It is currently assumed that it is sufficient for the user to access the imprint via the home view,”
said Hansen.
So it is not yet entirely clear whether an imprint in the status could be sufficient. But if you use WhatsApp Business, you can also put relevant information in the company profile.
Statement from the State Data Protection Officer of Thuringia on the use of WhatsApp (page 375)
Conclusion:
As a company (this also includes freelancers, for example) you can definitely use WhatsApp. Above all, but not only because of the new GDPR, you should pay close attention to what is actually in WhatsApp's terms and conditions.
The biggest problem is that WhatsApp has access to customer contacts and this data is processed in the USA.
It is therefore important that:
- you obtain the consent of all contacts and
- provides all employees with their own work cell phones.
If in doubt, you could definitely forego WhatsApp and look for alternatives.
Sources:
Handelsblatt
Lawyer for data protection
German craft newspaper
If you enjoyed this post and value the importance of well-founded information, become part of the exclusive Mimikama Club! Support our work and help us promote awareness and combat misinformation. As a club member you receive:
📬 Special Weekly Newsletter: Get exclusive content straight to your inbox.
🎥 Exclusive video* “Fact Checker Basic Course”: Learn from Andre Wolf how to recognize and combat misinformation.
📅 Early access to in-depth articles and fact checks: always be one step ahead.
📄 Bonus articles, just for you: Discover content you won't find anywhere else.
📝 Participation in webinars and workshops : Join us live or watch the recordings.
✔️ Quality exchange: Discuss safely in our comment function without trolls and bots.
Join us and become part of a community that stands for truth and clarity. Together we can make the world a little better!
* In this special course, Andre Wolf will teach you how to recognize and effectively combat misinformation. After completing the video, you have the opportunity to join our research team and actively participate in the education - an opportunity that is exclusively reserved for our club members!
Notes:
1) This content reflects the current state of affairs at the time of publication. The reproduction of individual images, screenshots, embeds or video sequences serves to discuss the topic. 2) Individual contributions were created through the use of machine assistance and were carefully checked by the Mimikama editorial team before publication. ( Reason )

