Is the WhatsApp Business API GDPR-compliant?

Statement by Johannes Mansbart, armin technologies co-founder and managing director, 17.04.2024

This statement aims to give an overview of the interplay between the GDPR (the EU General Data Protection Regulation, version 1 of May 25, 2018) on the one hand and, on the other hand, the WhatsApp Commerce Policy, the WhatsApp Business Terms of Use (September 27, 2021), the WhatsApp Business Data Processing Terms (September 27, 2021), the WhatsApp Business Data Transfers Addendum (September 27, 2021), and the role of the List of Sub-Processors of WhatsApp Ireland Limited. For ease of reading, these WhatsApp Ireland Limited documents are referred to collectively below as the WhatsApp "house rules".

All articles or sections of the GDPR that do not appear to have any direct interdependence with the "WhatsApp House Rules" are omitted from this statement. Conversely, content of the house rules that does not appear to be relevant to the question "Is the WhatsApp Business API GDPR-compliant?" is also not covered. In the author's opinion, the parts of the source texts listed above that are not covered fall under "standard clauses" or "standard legalese".

The structure of this opinion follows the order of the eleven chapters of the GDPR, with the relevant excerpts from the "WhatsApp House Rules" compared in each case.

Does prohibited profiling take place through the WhatsApp Business API? Is there sufficient "pseudonymization" of personal data?

Article 4 of the GDPR refers to the "Definitions" as follows:

4. "...'profiling' means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements... ".

So-called "profiling", i.e. identifying the "end user" on the basis of their usage behavior and the user data stored and processed by the "processor", is offered by WhatsApp as a "feature", but WhatsApp only uses such data for the purposes set out below. Here is an excerpt from the "WhatsApp Data Practices":

Paragraph 3 a.

"WhatsApp will only process personal information in accordance with your instructions as set out in the Business Terms and these Data Processing Terms. ".

See the related paragraph from the WhatsApp Business Terms of Service, paragraph 7 "Our Data Practices", paragraph 4:

"Other Information. You understand and agree that WhatsApp may collect, store and use: (a) information about your Business Account and registration; (b) usage, log and functional information generated by your use of our Business Services; (c) performance, diagnostic and analytics information; (d) information related to your technical or other support requests; and (e) information about you from other sources such as other WhatsApp users, businesses, third party companies and the other Meta Companies. ".

This, in turn, is in line with the GDPR, which permits the use of user data for statistical, research and development purposes, as set out in Chapter 1, Art. 4(5):

"'pseudonymization' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person; "

and GDPR Art. 5(1)(b)

"collected for specified, explicit and legitimate purposes and shall not be further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes ('purpose limitation') pursuant to Article 89(1); "

and as paragraph 5 of the WhatsApp Business API Terms of Service reads:

Paragraph 5 Licenses and Intellectual Property

"You grant WhatsApp and its subsidiaries and affiliates a worldwide, non-exclusive, sublicensable and transferable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute and publicly perform or display the Business Content that you upload, submit, store, send or receive on or through our Business Services solely for the purposes of providing, operating, developing, highlighting, updating and improving our Business Services and researching and developing new services, features or uses."

Is the WhatsApp Business API processing of personal data lawful?

Article 6 of the GDPR refers to the lawfulness of the processing. The following paragraph is significantly relevant here:

"(1) Processing is lawful only if at least one of the following conditions is met:

(a) the data subject has given consent to the processing of personal data relating to him or her for one or more specific purposes; "

Paragraph 4 of the WhatsApp Business Terms of Use clearly states that the "Company" is responsible for ensuring that the end customer has given sufficient consent:

"Paragraph 4 The Company's legal responsibility and obligations regarding data protection and security

The Company must also obtain all necessary rights, consents and authorizations (e.g. opt-in) to share its customers' contact details and other personal data with WhatsApp and to communicate with its customers via the WhatsApp service using this information. WhatsApp is not liable for any acts or omissions by the Company that violate applicable laws. The Company shall also respect and honor any requests by WhatsApp users to terminate or opt out of receiving certain or all types of WhatsApp messages from the Company."

We know from practical experience that the WhatsApp Business API provides a sufficient basis for customized end solutions that not only enable a prior user opt-in but also guarantee it and make it documentable. In practice, this is done by recording the time of the opt-in in the respective "user profile" and by confirming consent through a "2-step welcome automation" that welcomes the user to the WhatsApp chat with the company.

Article 7 of the GDPR refers to the "conditions for consent" as follows:

"(1) Where the processing is based on consent, the controller must be able to demonstrate that the data subject has given consent to the processing of his or her personal data.

...

(3) The data subject shall have the right to withdraw consent at any time."

As described above, a so-called "double opt-in" can be ensured in the WhatsApp chat through a clear "welcome automation". In addition, the user can request that the mailings be stopped at any time and can set their own preferences regarding mailings from the company.
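The opt-in documentation and two-step welcome confirmation described above, together with the withdrawal, export and deletion duties discussed in the later sections, as an added illustration in Python; this is not WhatsApp's API and not code from armin technologies, and the ledger class, its method names and the sample user id are assumptions:

```python
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
import json

@dataclass
class ConsentRecord:
    user_id: str                   # constructed sample identifier, not a real number
    requested_at: str              # step 1: opt-in captured (e.g. web form checkbox)
    confirmed_at: str = ""         # step 2: explicit reply to the welcome message
    withdrawn_at: str = ""         # Art. 7(3): withdrawal at any time
    events: list = field(default_factory=list)  # audit trail for Art. 7(1)

class ConsentLedger:
    """Hypothetical in-memory ledger; a real deployment would persist it."""
    def __init__(self, clock=None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._records = {}

    def _stamp(self, rec, event):
        ts = self._clock().isoformat()
        rec.events.append(f"{ts} {event}")
        return ts

    def record_opt_in(self, user_id):
        rec = self._records[user_id] = ConsentRecord(user_id, self._clock().isoformat())
        self._stamp(rec, "opt-in requested")
        return rec

    def confirm(self, user_id, reply):
        """Second step of the welcome automation: only an explicit yes counts."""
        rec = self._records.get(user_id)
        if rec is None or rec.withdrawn_at or reply.strip().lower() not in {"yes", "ja"}:
            return False
        rec.confirmed_at = self._stamp(rec, "opt-in confirmed")
        return True

    def withdraw(self, user_id):
        rec = self._records.get(user_id)
        if rec is not None:
            rec.withdrawn_at = self._stamp(rec, "consent withdrawn")

    def may_message(self, user_id):
        rec = self._records.get(user_id)
        return bool(rec and rec.confirmed_at and not rec.withdrawn_at)

    def export(self, user_id):  # Art. 20: machine-readable copy of the record
        return json.dumps(asdict(self._records[user_id]), indent=2)

    def erase(self, user_id):  # Art. 17: drop the record including its audit trail
        return self._records.pop(user_id, None) is not None
```

Messages may only be sent while `may_message` is true, so a withdrawal takes effect immediately without any further processing step.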

How can I inform the end user about the use, the duration of use and the purpose of use for business WhatsApp purposes? What information rights does the end user have and how can I fulfil them as a company?

Article 13 of the GDPR, "Obligation to provide information when collecting personal data from the data subject", provides, among other things:

a) the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;

b) the existence of the right to request from the controller access to the personal data concerned and rectification or erasure or restriction of processing, or the right to object to processing, and the right to data portability;

Article 15 of the GDPR, "Right of access by the data subject", reads as follows:

"(1) The data subject shall have the right to obtain from the controller confirmation as to whether [and how] personal data concerning him or her are being processed; "

Taken together, these two articles state that the end user has the right to full information about the use of their data at any time. In practice, we recommend setting up a dedicated telephone or email service hotline to deal with such specific individual cases. Here is a link to a "Best Practice" of the REWE Group to fully implement Article 13 of the GDPR via WhatsApp Business API.

What does the "right to erasure" look like in practice?

Article 17 of the GDPR is called "Right to erasure ("right to be forgotten")" and states:

(1) "The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay... ".

Since WhatsApp Ireland Limited demonstrably uses end user data only as described above for "providing, operating, developing, highlighting, updating and improving our business services and researching and developing new services, features or uses", the deletion of individual data is entirely the responsibility of the company. The company must have a data management system in place that demonstrably and durably guarantees the deletion of individual customer data from both front-end screens and back-end databases, including the associated legacy documentation.

What does the "right to restriction of processing" mean?

Article 18 of the GDPR reads "Right to restriction of processing" as follows:

(1) "...The data subject shall have the right to obtain from the controller restriction of processing... "

This paragraph offers no room for dispute either in theory or in practice: on the one hand, the end user is free to set their own preferences regarding communication with the company; on the other hand, adapting the communication strategy for both user cohorts and individual end user accounts is straightforward in the standard WhatsApp Business API user interface.

How does the "right to data portability" work?

Article 20 of the GDPR reads "Right to data portability" as follows:

(1) "...The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format... "

This article also poses no practical hurdles for the company, as a personal usage profile including documentation of the interaction between the company and the end user can be exported in various formats and thus also sent.

How does the "right to object" work?

Article 21 of the GDPR reads "Right to object" as follows:

"...The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1)... "

This article is easy to implement in practice because, as described in "What does the right to erasure look like in practice", ideally a help hotline should be set up by the company to ensure that the end user can have their sensitive data sent, deleted, adapted or otherwise modified for future use at their own request.

WhatsApp's "data transfer on the basis of an adequacy decision"

Article 45 of the GDPR reads "Transfer of data on the basis of an adequacy decision" as follows:

(1) "A transfer of personal data to a third country or an international organization may take place if the Commission has decided that the third country, a territory or one or more specified sectors within that third country or the international organization in question offers an adequate level of protection. Such a transfer of data shall not require specific authorization. "

In our opinion, this article is also in line with the "WhatsApp House Rules", whose "List of Sub-Processors" names all of WhatsApp's contractual partners entrusted with guaranteeing the services that ensure the functionality of the WhatsApp Business API. These are located in the USA, Denmark and Sweden.

The last article of the GDPR - in our opinion relevant for the "WhatsApp House Rules" - is Article 89(1), as follows:

"...shall ensure that technical and organizational measures are in place to ensure, in particular, respect for the principle of data minimization. These measures may include pseudonymization where it is possible to achieve these purposes in this way. In all cases where these purposes can be fulfilled by further processing where the identification of data subjects is not or no longer possible, these purposes shall be fulfilled in this way."

Here, too, there is nothing left to do but refer to paragraphs 5 and 7 of the WhatsApp Business Terms of Use already quoted above, which read:

Paragraph 5 Licenses and Intellectual Property

"You grant WhatsApp and its subsidiaries and affiliates a worldwide, non-exclusive, sublicensable and transferable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute and publicly perform or display the Business Content that you upload, submit, store, send or receive on or through our Business Services solely for the purposes of providing, operating, developing, highlighting, updating and improving our Business Services and researching and developing new services, features or uses."

Paragraph 7 Our Data Practices

"Other Information. You understand and agree that WhatsApp may collect, store and use: (a) information about your Business Account and registration; (b) usage, log and functional information generated by your use of our Business Services; (c) performance, diagnostic and analytics information; (d) information related to your technical or other support requests; and (e) information about you from other sources such as other WhatsApp users, businesses, third party companies and the other Meta Companies."

Conclusion on the GDPR compliance of the WhatsApp Business API

It is important to understand the difference between "WhatsApp Private", "WhatsApp Business" and the "WhatsApp Business API". Only the latter is GDPR-compliant, and this statement refers only to the latter. The "WhatsApp Business API" is subject to a fee, but in return offers GDPR compliance, the possibility of scalable communication between companies and end users, and the implementation of complex automated and individualized use cases by individual IT service providers.

Johannes Mansbart, 17.04.2024