How to use WhatsApp in my company in compliance with data protection regulations?
WhatsApp is the instant messaging application par excellence, with more than 35 million users in Spain and more than 2 million active users worldwide at the beginning of this year. Therefore, it should come as no surprise that it has become the most widely used means of communication in our day-to-day lives, not only in the domestic or personal sphere, but also in the professional or business sphere.
The application comes in two versions, WhatsApp Messenger and WhatsApp Business, the latter being designed to meet the needs of business or corporate environments.
It is possible to use the WhatsApp Business and WhatsApp Messenger applications simultaneously, as long as the accounts are associated with different phone numbers.
If you decide to use this tool as a means of communication with your employees and/or clients, you must do so in compliance with the GDPR, the LOPDGDD, the LSSICE and the Meta terms of service.
Below, we set out some recommendations, as well as issues that you should take into account to avoid non-compliance and/or risks from the use of this application in a business environment:
- Read and comply with Meta’s terms and conditions of service. We know they are extensive and can be a bit boring, but in case of non-compliance, the company may suspend or terminate your account.
- Always use the official application. Using an unofficial version is grounds for sanction by the company. It also poses a risk to the privacy and security of the data you process, as unauthorised third parties may have access to it.
- Ensure data confidentiality. It is advisable to use secure devices, as well as to establish a series of parameters with the aim of reinforcing the idea that this medium is used to share strictly professional information.
- Implement security measures. The company as data controller must implement technical and organisational security measures to mitigate risks that may cause possible security breaches.
In addition to the above, it is advisable to carry out, prior to its use, an impact analysis that allows the company to determine the risks derived from the processing of data through said application, as well as the specific security measures to mitigate them.
Points to take into account for the use of WhatsApp with customers and employees
- Use of the application with customers
Ensure that there is a legitimate basis for using the application. Firstly, you must ensure that the processing is lawful and complies with the conditions of Art. 6 GDPR, i.e. that the customer has given prior consent to such processing or, where applicable, if it is necessary for the performance of a contract to which the data subject is a party or for the implementation, at the request of the data subject, of pre-contractual measures.
Secondly, the provisions of art. 13 of the GDPR must be complied with, i.e. data subjects must be informed about the identity of the data controller, the purpose and the basis of legitimacy, among other aspects.
WhatsApp Business API has mechanisms that facilitate the management of user consent before starting to interact with them by this means.
In the event that you wish to use WhatsApp to send commercial communications to your customers, you must take into account the provisions of Art. 21 of the LSSICE:
– You must refrain from sending advertising or promotional communications if they have not been previously requested or expressly authorised by the customer;
– The above will not be necessary when there is a prior contractual relationship that allows you to do so;
– In any case, you must offer customers the possibility to unsubscribe or oppose the sending of the same, by means of a visible, easy and free process.
- Use of the application with employees.
In order to establish whether or not it is legitimate to include an employee in a WhatsApp group, first of all, it must be taken into account who owns the device and the telephone line.
In the event that it is the company that provides the employee with the corporate telephone, the company can include the employee in an instant messaging group, as in other tools for corporate use.
However, in the case of the employee’s personal telephone, this question changes.
The recent resolution of procedure AI-00050-2022 of the AEPD seemed to open the door to the possibility of including workers in WhatsApp groups at the free choice of the company, as long as it is convenient for them. Although the Agency did not expressly state in its decision what the applicable basis of legitimation was for such a case, it pointed out that in the labour sphere the processing of personal data is legally based, principally, on the execution of the employment contract.
The decision does not seem to take into account the criteria established in the case law of the Social Chamber of the Supreme Court and of the lower courts. However, in order for such use to be based on the performance of the employment relationship, the following must be taken into account:
⇒ that it is actually necessary for the performance of the contract;
⇒ that there is an agreement between the employer and the employee; and
⇒ that the employer bears the costs of the device and its use.
That said, in order to establish the appropriate basis of legitimacy for such processing, it will have to be studied on a case-by-case basis and always taking into account the intended purpose and the data processed.
In the event that you decide to use WhatsApp as a communication tool in your company, do not forget to take into account the above recommendations.
Article written by:
Intellectual property and data protection lawyer
Metricson is a legal services firm specialising in technological and innovative businesses. We are specialists in data protection, privacy and technology law and we help companies all over the world to develop and protect their activity with the maximum legal guarantees.