Back to Blog

WhatsApp – is it GDPR & business compliant?

April 10, 2020

By: mirabiliscorp

1. WhatsApp and GDPR compliance

The main reasons that WhatsApp is not compliant with GDPR privacy regulation are:

  • Lack of explicit consent 1 – you can be added to a WhatsApp group without your explicit consent. Only very recently WhatsApp added the ability for you to prevent specific users from doing this but this option is not enabled by default.
  • Lack of explicit consent 2 – your contacts can upload your data to WhatsApp/Facebook if they give access to their contacts/address book and you are in it, even though you have not given consent.
  • Lack of ability to delete information – after a certain time you cannot delete content you have posted to WhatsApp.
  • Lack of ability to get your own data back (SAR – Subject Acccess Request) – WhatsApp cannot provide you with messages you have posted only your profile info.
  • Your data transferred outside the EU zone – it is not very clear where exactly WhatsApp/Facebook move your data.

Articles/resources covering this:

2. WhatsApp and proper record keeping of business conversations

Depending on the jurisdiction, and industry sector, businesses have varying degrees of legal obligation to keep a record of conversations that their employees, suppliers or other stakeholder have with them in case there are legal challenges or other problems whereby they need to provide a record of these conversations.

Clearly with WhatsApp there is no such record of conversations so businesses risk failing in their legal obligations.

Articles/resources covering this:

3. WhatsApp and corporate governance

Businesses also have legal obligations around protecting their employees and ensuring adequate levels of oversight, governance and control e.g. to protect against bullying in the workplace, harassment or inappropriate behaviours. Businesses also need to protect and adequately control access to sensitive commercial information.

With WhatsApp businesses do not even know what groups exist, let alone who is in them, or whether former employees or contractors still have access to corporate information that they should not.

Furthermore businesses cannot delete messages which might be inappropriate or damaging. And even if a business admin removes a member from a WhatsApp group they cannot revoke access to the content, which might be commercially sensitive, unless the user deletes that content manually him/herself.

Source: Guild

Contact us

Safety is essential to your decision making. We are sure that our team can clarify any doubts. After all, we understand security.

Follow us


Contact Us
First Name*
Last Name*
Mobile Number*
Tell us what do you need* ?
Products: Hold CTRL+Click to add more than 1.* ?
I agree to the Privacy Policy and Terms of Service.