What is GDPR?

The General Data Protection Regulation (GDPR) is a framework that seeks to create consistent data protection rules across the European Union (EU). The regulations apply to companies globally — both those based in the EU and those who interact with individuals in the EU. It also adds significant enforcement authority, giving a company's lead supervisory authority the ability to seek fines of up to 4% of global annual revenues for certain violations.

What does it mean to be a “controller” or “processor” under the GDPR?

  • A “data controller” is a “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
  • A “data processor” processes personal data on behalf of the controller
  • The distinction is important for compliance: the GDPR generally treats the data controller as the principal party for key responsibilities (e.g., collecting consent, enabling the right of access, etc.). A data subject who wishes to revoke consent for his or her personal data will contact the data controller to initiate the request, even if such data resides on the data processor’s servers. The data controller would then proceed to request that the data processor remove the revoked data from its servers.
  • The WhatsApp Business Data Processing Terms align with GDPR requirements governing contracts between data controllers and data processors.

What role does WhatsApp play under GDPR with regards to a WhatsApp Business Account (WABA) Client?

Does WhatsApp’s role under GDPR change when a Client works with a Business Solution Provider (BSP)?

  • No, using a BSP does not change WhatsApp’s role under GDPR. WhatsApp remains a data controller with respect to consumer end users of WA Messenger, as set forth in the privacy policy applicable to WA Messenger consumer end users.
  • In addition, WhatsApp continues to be a data processor of a Client’s customer contacts that the Client provides to WhatsApp, either directly or through the BSP, via the WhatsApp Business Solution for WhatsApp to process for purposes of delivering the Client’s WhatsApp messages to those customers.

How can a Client ensure it is in compliance with GDPR when working with a BSP?

  • The Client is a data controller of its customer contacts and as the data controller, the Client may delegate data processing activities to multiple data processors (e.g., WhatsApp and the BSP).
  • It is incumbent upon the Client to ensure appropriate agreements are in place with each data processor that clearly outline the scope of data processing activities to be carried out by that data processor.
  • Additionally, the WhatsApp Business Solution Terms set forth the Client’s responsibilities when utilizing a BSP to manage the Client’s WABA.

Is personal data being stored on European servers?

  • Facebook operates a global infrastructure and processes data in both EU and US-based servers for and on behalf of WhatsApp. WhatsApp stores data in the United States and stores encrypted media worldwide to increase efficiency. This processing is supported by strict legal compliance for safeguarding any transfers of personal data outside of the EU.
  • WhatsApp has certified for cases in which it acts as a data Processor under Privacy Shield, as explained further in its Privacy Shield Addendum and certification.

Contact Us

Is your business already running on WhatsApp, or planning to do so? If GDPR applies to you, we can help assess or manage the engagement with you, making sure all GDPR norms are adhered to, and provide a detailed audit report when required.