WhatsApp is convenient, but not safe for personal data
It’s a familiar scenario: you run a cleaning company, home care organisation, or installation business. Employees need to know which customer they’re visiting today. So you quickly send the name, address, phone number, and perhaps an access code via the WhatsApp group. Easy, fast, everyone has it.
But under the GDPR, this is a serious problem. You’re sharing customers’ personal data via a platform over which your organisation has no control.
Finnish cleaning company: fined for WhatsApp use
This is not a theoretical risk. The Finnish supervisory authority handled a case against a cleaning company that used WhatsApp to share work assignments with staff. Via WhatsApp groups, customer names, addresses, phone numbers, and even home security codes were shared.
The Finnish DPA ruled that the company had breached three GDPR obligations:
- Integrity and confidentiality (Article 5(1)(f)) - personal data was shared via a channel without adequate security measures
- Privacy by design (Article 25) - the company had not set up a privacy-friendly system for sharing assignments
- Security measures (Article 32) - no appropriate technical and organisational measures were taken to protect the data
The company received a reprimand and an order to implement a suitable system; repeat offences could result in a fine.
Why WhatsApp is unsuitable for business data
The problems with WhatsApp for business use of personal data are fundamental:
No control over data. Once you send a message in a group, every participant can forward, save, or screenshot it. You cannot remotely wipe messages from someone else’s phone.
Lost or stolen phones. If an employee loses their phone, all customer data from the WhatsApp group is exposed. You cannot remotely revoke access.
WhatsApp terms prohibit business use. WhatsApp’s terms of service do not allow sending third-party data for business purposes without additional arrangements. You cannot enter into a processing agreement with WhatsApp for this use.
Metadata goes to Meta. WhatsApp shares metadata (who communicates with whom, when, how often) with parent company Meta. Messages within the EU have end-to-end encryption, but the metadata is not protected.
No audit trail. You cannot demonstrate which data was shared with whom and when, or whether it was deleted. During an inspection, you cannot show you are “in control”.
What are the alternatives?
You don’t need to go back to pen and paper. There are plenty of suitable alternatives:
- Business communication platforms like Microsoft Teams or Slack, where you can manage users, revoke access, and enter into processing agreements
- Signal if you want a simple, encrypted messenger without data sharing with tech companies (though Signal offers only limited management capabilities)
- Planning software specifically designed for field workers, with role-based access and automatic deletion
- Secure portals where employees can view their assignments without data being stored on their personal phone
The key criterion: can you as an organisation manage access, wipe data, and demonstrate you have control?
What should you do now?
- Stop sharing personal data via WhatsApp. This applies to customer names, addresses, phone numbers, security codes, and all other data traceable to a person.
- Choose a suitable alternative and document why you chose this platform.
- Set up an internal policy on which communication tools employees may use for which data.
- Train your staff. Explain why WhatsApp is not suitable and how to use the alternative.
- Document this in your processing register. Which tools do you use to share personal data? With whom? On what legal basis?
GDPRWise helps you map which communication tools and systems you use for personal data. Including recommendations for secure alternatives.