WhatsApp and GDPR: the basics for businesses

By Maxine Hess

Writer | WhatsApp marketer | Creative

GDPR. We all know it's important for email and web. But it also applies to businesses talking with customers on WhatsApp. Here's what it is and what it means for your WhatsApp channel.


"Is WhatsApp GDPR compliant?"


...a common Google search term in 2024, and for good reason.


We can tell you that your WhatsApp channel can be GDPR compliant if approached in the right way. To help with that, we'll publish some more info soon. But essentially, brands need to get the right opt-ins, ensure easy opt-outs, and handle and store people's information in the right way.


For now, we start with the basics of GDPR and WhatsApp. This article will explain:


What is GDPR?

The General Data Protection Regulation (GDPR, or "DSGVO" in Germany) is a law that ensures businesses in the EU protect consumer data. Introduced in 2018, it aims to ensure that "EU citizens have the right to protection of their personal data" as promised in the EU Charter of Fundamental Rights.


Official wording by the European Commission: "Regulation (EU) 2016/679 of the European Parliament and of the Council, the European Union's ('EU') new General Data Protection Regulation ('GDPR'), regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU."


Who needs to comply with GDPR?

The European Commission states that "the GDPR applies if:

  • Your company processes personal data and is based in the EU, regardless of where the actual data processing takes place
  • Your company is established outside the EU but processes personal data in relation to the offering of goods or services to individuals in the EU, or monitors the behaviour of individuals within the EU


Non-EU based businesses processing EU citizens' data have to appoint a representative in the EU."


What businesses need to do to comply with GDPR

GDPR states that companies should use these principles when creating their data privacy policy:

  • Be lawful, fair and transparent – use data lawfully and be transparent with people and the businesses you work alongside
  • State a clear purpose – be clear about how and why your business collects personal data
  • Minimize data – only collect data if you intend to use it for a specific purpose
  • Be accurate – ensure the data your business processes is accurate and stored appropriately
  • Limit storage – don’t keep data forever, set a period when it’ll be deleted
  • Have integrity and confidentiality – store data securely to prevent “accidental loss, destruction or damage”
  • Be accountable – establish, record and communicate data protection policies


There are also some concrete requirements (for example, you may need to appoint a "data protection officer"), while others are more about correctly wording and designing your communications, data handling and message flows.


For your full responsibilities as a business, see this article on europa.eu.


What GDPR looks like in practice

🍪 GDPR – together with the EU ePrivacy Directive and its respective member state laws – is the reason that you have to click on cookie popups before entering a website for the first time.

🟩 It's the reason you need to tick the "yes I want to receive marketing communications" box when giving your email address to a business (and this box shouldn't be pre-ticked).

✋ And it's the reason there's an "Unsubscribe" button at the bottom of emails.


It's also the reason when you ask a company to view, delete or correct your data, they're legally obliged to do so.


It may be annoying at times, but GDPR is there to keep our data safe, businesses in check and our inboxes safe from spam.


GDPR is an EU law, but it's often followed by conscientious businesses communicating with customers outside the EU, and enterprises generally follow it as good practice. This is because it's widely regarded as the global gold standard in data protection law.


Increasingly, customers across the world expect to be treated with the same respect GDPR ensures by law in the EU.


GDPR is not the same as preventing spam

GDPR is part of preventing spam, but it doesn't stop spam entirely.


It's there to protect your personal data and control how businesses contact you. It states that businesses need to ask for permission clearly first, let people unsubscribe easily and manage customer information safely, responsibly and transparently.


It's unlikely you would do this 😅 But that part of preventing spam is up to you as a business.


For more on WhatsApp and spam, see this article.


GDPR and WhatsApp: why is it relevant to businesses doing WhatsApp marketing?

When businesses open a WhatsApp marketing channel, they start collecting information about customers: phone numbers, names, perhaps information like address, location, purchasing history, names of pets, clothing size and more.


So naturally, GDPR data protection rules are going to apply here too, just as they do in other communication channels like email and SMS.


Same rules, new channel.


WhatsApp Business app vs platform (API): different approach to GDPR?

Quick definition first: The WhatsApp Business app is a free app for small businesses or individuals messaging small numbers of people. The WhatsApp Business API (now WhatsApp Business Platform) is a feature-rich tech platform for larger businesses sending messages to hundreds of thousands of people. See more details about both here. The charles software solution sits on top of the API, as an easy-to-use, browser-based user interface (UI) enabling you to use the functionality of the API, plus analytics and extra features.


Do you approach GDPR compliance differently when using the app or the API?

  • The principles remain the same for both: you need to handle consent in the right way and treat people's data safely and responsibly.
  • You can automate more easily in the API: with the WhatsApp Business app you will have to do a lot of manual work. With the API (WhatsApp Business Platform), you can set up automatic flows that help keep your WhatsApp communications GDPR compliant, store consent information automatically and make data easily available (using a feature like charles' Journeys).
  • Data storage is safer in the API: customer data should ideally be stored on EU servers to ensure data is held in a country considered "safe" under the GDPR. With the API/WhatsApp Business Platform delivered through a solution provider that stores data in the EU, that is the case (unless you use the "on-premises" API and store your data yourself, outside the EU). At charles, we store all customer data in the EU, in Frankfurt, Germany, so our clients have peace of mind that it's being held in a "safe country" under GDPR.


At charles, our WhatsApp marketing platform is built on the WhatsApp Business Platform (API) and we partner with medium to large businesses. For more on GDPR compliance in the WhatsApp Business app, see this article from WhatsApp.


Can enterprises stay GDPR compliant in WhatsApp Business?

Yes, enterprises can be GDPR compliant in WhatsApp. Global enterprises will often have the same GDPR obligations as small to medium businesses (SMBs) when it comes to dealing with EU citizens.


But there may be extra levels of complexity, for example with teams in different countries, different people managing different aspects of a channel (marketing, customer service, sales, brand...) and non-EU headquarters.


Enterprises have different and unique needs. We can share and discuss enterprise best practices in a call; please speak with our Enterprise Sales team.


WhatsApp and GDPR: a summary

EU businesses need to comply with GDPR data privacy rules by law. If not, they risk big penalties. As best practice and to build customer trust, businesses outside the EU should also comply with GDPR as the global gold standard data privacy law.


WhatsApp is GDPR compliant for businesses, whether small, medium or enterprise, if they approach it in the right way (e.g. in the way they seek permissions and handle and store data).


charles is an EU-based WhatsApp marketing platform provider that pays great attention to GDPR. It has built GDPR compliance into its software.


It's easier to stay GDPR compliant if you base your WhatsApp channel on the WhatsApp Business Platform (API), managed by a WhatsApp Business Solution Provider (BSP)/Meta Business Partner in the EU.


One last thing

Disclaimer: the information in this article is based on our experience and expertise and is not offered as legal or data privacy advice. For full information on your legal obligations under GDPR, please go to the European Commission's official GDPR site.



We hope this was useful for helping you understand how WhatsApp and GDPR are connected. If you have specific questions, just book a call with us.


FAQs about GDPR and WhatsApp

Is WhatsApp for business GDPR compliant?

Yes, it can be used in line with GDPR. For instance, this requires a business to ensure proper opt-ins and opt-outs and handle personal data in the right way. There are other aspects too; please speak with your charles Success manager to get a better understanding of requirements and best practices.

Is it legal to use WhatsApp for business?

Yes, it can be if you do it the right way (see above). However, we don't recommend using the WhatsApp consumer app for inter-team communications for work purposes.

What is the legal risk of using WhatsApp for business?

As with any other channel, there are risks of fines, administrative orders or other legal proceedings for not complying with GDPR (e.g. fines of up to €20 million or 4% of your group's turnover from the previous year). Perhaps the risk of fines in WhatsApp is higher because conversations are so easy to screenshot and send. Even if you aren't fined, it may have a reputational effect and you risk being blocked by customers, which is also very easy for people to do in WhatsApp, and will cause your WhatsApp Business quality rating to fall.

What is the difference between the WhatsApp Business app and API in terms of GDPR?

Please see a detailed answer to this above. In essence though: your responsibilities are the same whatever form of WhatsApp Business you use. But the API is easier to automate at scale and data can be stored in the EU, whereas with the app, it may be held in the US or other third countries outside the EU.

Is WhatsApp GDPR compliant?

This is a big and nuanced question. We will try and answer it in a blog post soon. Essentially though, the ultimate responsibility is yours as a business. WhatsApp is a platform in which you can be GDPR compliant if you behave in the right way.


We hope this helps.