WhatsApp and GDPR
A Finish cleaning company was relying on WhatsApp instant messaging services to communicate to its employees information about its clients, including their name, address, telephone number, and in some instances, even the door code or key box code of its clients’ home.
The company had used WhatsApp to transmit customer data without informing its customers thereof. Moreover, the company had no means of controlling the use of personal data via WhatsApp, or otherwise imposing restrictions on such use. In addition, the Finnish DPA considered that the Company should have taken all potential risks into account, such as the possibility that employees would lose their phones, and that customers’ personal data could then become accessible to third parties.
Finally, after considering WhatsApp terms of use, the Finnish DPA noted that the use of the app was normally not compatible with business purposes, as it would create a contractual relationship between the employee and Facebook (now, “Meta”, the owner of WhatsApp).
Conclusion: WhatsApp and GDPR
Based on the above considerations, the Finnish DPA found that the use of WhatsApp to transmit customer data was in breach of the principle of integrity and confidentiality (Article 5(1)(f) GDPR), of the principle of privacy by design and by default (Article 25 GDPR) and of the obligation of the Company to implement appropriate organisational and technical measures to ensure the security of personal data (Article 32 GDPR).
In short, Whatsapp running on phones owned by your staff is not an appropriate means to transfer personal information of your customers. WhatsApp is owned by the Facebook company (Meta) and is really a social media tool. There are privacy focused messaging apps out there like Signal.org that are also free and do not track or harvest any of your data. You can set messages to expire by default, so data is not retained indefinitely.
Here is the link to original source on the Finnish DPA website
https://finlex.fi/fi/viranomaiset/tsv/2021/20211163
