Legal analysis of the use of instant messaging applications in the relation with the clients. Study case - WhatsApp.
In the context of the lockdown, online communications increased exponentially. One of the channels that has grown significantly was that of the mobile devices/smartphones which, though the installed applications, allow for the transmission of messages and complex documents (images, video, audio, etc.) among users.
This method of communication, known as instant messaging - IM, has grown significantly lately, most people making use of its functionalities. From children sending the homework to one another up to the insurance agents, inspectors or sales agents, there is no field or persons not to have rapidly embraced this form of communication.
Historically, the modern era of IM applications was marked after the 90s by several applications some of us might remember: PowWow, ICQ, and AOL Instant Messenger.
Nowadays, with the development of the smartphone applications, the following IM applications are the most commonly used: Messenger, WhatsApp, both owned by Facebook, WeChat, Viber, Discord, Telegram, Skype owned by Microsoft, Snapchat, etc.
With over 1.2 billion active users, WhatsApp, followed by Facebook Messenger - 1 billion and WeChat (China) – 0.9 billion, is the most commonly used application. This has led to it being extensively used in the trade environment, were economic operators have much higher demands, related to the processing of personal data of the clients and to the manner they communicate. When the economic operators process personal data either for marketing purposes or in order to comply with a legal or contractual requirement, they are defined from the point of view of the GDPR as controllers or processors, depending on the relation with the rights over the processed data.
The controllers have a series of obligations in the process of data processing, among which the most important one, with a significant impact in this analysis, is ensuring the safety of the processed data irrespective of their support – physical or IT, as for such data not to be sent to other receivers than those legally entitled. The internet, communications or applications providers are not entitled to access to such personal data, with a few exceptions strictly restricted through the GDPR Regulation.
A. Strictly legal issues
When you use the WhatsApp application you are the controller of all contacts in your agenda. As controller of your contacts, you must have a legal basis to process such data: contractual requirements, legitimate interest, consent or any other adequate legal basis stipulated under article 6 in the GDPR as to process these data, including for allowing the application used to store them on servers outside the EU or for distributing them in the communications network, as is the case of WhatsApp.
When you offer the WhatsApp application access to these contacts, WhatsApp is your processor as concerns processing these data. During the installation process, WhatsApp detects whether you allow access to your agenda and whether WhatsApp can share this data with other users of the messaging network.
B. Types of applications – WhatsApp, WhatsApp Business and WhatsApp Desktop/Web
Indeed, there are two basic types of WhatsApp applications: WhatsApp Messenger, which is used by most of us, which does not allow for the explicit delimitation of the data concerning the persons in the agenda and a WhatsApp version dedicated to business, WhatsApp Business, allowing for such delimitation and for the compliance with the GDPR regulation.
Besides the two basic versions, for a better management there is WhatsApp Desktop and WhatsApp Web. The last two versions are extensions for web or desktop of the version already installed on the smartphone of the user. You cannot install WhatsApp Desktop unless you have already installed WhatsApp on your telephone. It is worth mentioning that all versions are free of charge.
C. Management and control of the access to the contacts agenda in the telephone
There are several manners to control which contacts you provide to WhatsApp Business. For example, you can add to the telephone agenda, only those contacts for which you have a legal basis for personal data processing. A benefit of this approach is that this encourages you and your employees to have a proper data confidentiality conduct. Maintaining the business contacts and business devices separately helps preventing the improper use of the clients data or of the company devices for personal use (and the other way round).
If you wish to keep all the business and personal contacts on the same device, you can segment your agenda using a mobile devices management system (MDM), which allows to keep agenda separate agendas and addresses.
Therefore, in order to use the WhatsApp application in compliance with the GDPR, if a smartphone is used both for personal purposes and for business/work, you will need a mobile devices management system (MDM).
The account used for business/work must be separated by means of such a MDM solution in order to protect communication and business contacts. All mail and business contacts are then localised in the area managed on the smartphone and can be used strictly for the above-mentioned purposes.
At the same time, the IT department has to establish a data resources management policy to exclude the exchange of data between the monitored and unmonitored or unmanaged applications. This ensures that the technical protection of the corporate data, in line with the GDPR requirements, is implemented on the iOS or Android device and that the contact data used for business purposes are not sent to WhatsApp. It also provides the compliance with the GDPR regulations, even if the employees use WhatsApp Business on BYOD (Bring Your Own Device) or COPE (Corporate Owned Personally Enabled) devices.
D. Therefore, we recommend:
1. in communicating with the clients, partners or other entities maintaining trade relations with your company, you should only use mobile devices provided by the company.
2. these devices must be managed consistently through a mobile devices dedicated management system (MDM) – the Windows or Linux servers you are using know how to do this.
3. only WhatsApp Business versions must be installed on the mobile devices.
4. upon installation, the distribution of the contact agendas used have to be properly configured.
5. the telephone agendas of these devices must contain only data about clients, partners or other entities maintaining trade relations, not data of the persons with whom you do not have trade relations and/or have not consented or have not been informed in terms of GDPR.
6. possibly – this is not mandatory, the messages to the clients shall provide for the possibility to unsubscribe. However, in order to do this a messages management system has to be implemented.
7. it order to make the working and monitoring procedure more efficient to use WhatsApp within the company, you may install the WhatsApp Desktop application on the workstations, in compliance with the procedures related to the installation of software on the IT resources of the company.
8. a procedure concerning the above-mentioned issues has to be documented and implemented and has to be communicated to the employees/users.
9. a safety incidents permanent monitoring systems has to be implemented and documented in connection with the use of these communication methods.
Therefore, contrary to the rumours that appeared after the sanctioned applied by the National Authority for Personal Data Processing, the use of WhatsApp in the business relation with clients and/or partners complies with the GDPR Regulation, provided that the application used is correct - WhatsApp Business and is properly configured. Last, but not least, it is worth mentioning that the WhatsApp application is safe from the point of view of data safety.