Use of WhatsApp in the work environment
The use of WhatsApp in the work environment is a growing phenomenon that is difficult for companies to control, which undoubtedly raises a multitude of legal doubts about companies' degree of compliance with the GDPR and data protection regulations.
Can my employees use WhatsApp to communicate with customers? And can the company communicate with its employees via this medium? Can employees share customer information on WhatsApp? Are there any differences between personal WhatsApp and WhatsApp Business? Let’s break it down bit by bit.
To perform this analysis, I believe it is important to differentiate between the possible types of communication:
- One-way company-client or lead communications.
- Multidirectional company-employee-company communication.
- Communication between employees sharing data or information on customers, patients, leads, etc.
Use of WhatsApp in the work environment: Use of personal WhatsApp for professional purposes
Of the three situations presented, the only one that, in my opinion, would justify the use of personal WhatsApp for professional purposes is the second, i.e. the one in which the company communicates with its employees or they with the company itself.
In these cases, INCIBE explains it very well: the company must obtain the prior consent of its employees to use WhatsApp for this purpose (as if the medium were personal email).
Even once consent is obtained, the company must bear in mind that, because it is a personal WhatsApp, it will lose control of any content it shares, so this must be considered before doing so.
Personal WhatsApp is hosted on the employee's personal phone, so everything that is sent to him or her will certainly be under his or her control. It is wise, in this case, for the company to consider drafting and approving a BYOD policy, i.e. a policy on the use of personal devices for professional purposes.
Communications with customers or leads
There is no doubt that the main purpose of WhatsApp Business involves communications with customers or leads and, therefore, this can be a good tool for this purpose. In any case, remember that data protection regulations continue to apply, so:
- Inform customers that you will use this medium to communicate with them.
- If they are not customers and you want to send them commercial communications, obtain specific consent for this purpose.
Sharing third-party data between company employees
WhatsApp enables you to share any type of information, so it is really easy for two or more employees to use this application for this purpose. This ranges from a screenshot of a customer's (or patient's) file to photos, videos or audio recordings in which images or the voice of third parties (other employees, clients, etc.) appear.
This is, in my opinion, where the risk of using WhatsApp is highest, and it is not solved by WhatsApp Business:
Company control: the GDPR clearly states that the company must control those devices and applications that are used to process (share, transmit) third-party data. In addition, the company must be able to audit and manage the permissions of users with access to this data.
WhatsApp (personal) has the significant difficulty that the company loses control of what is shared and who has access to this information. WhatsApp Business does not efficiently solve any of these problems.
It is important to remember, as a general rule, that the company must authorise employees to use WhatsApp (personal or Business) and that, if they have not done so, this use is prohibited.
Where is the data? From the moment data is shared via WhatsApp (personal or Business), the service provider (WhatsApp or Facebook) becomes a processor subject to the GDPR.
This means: (1) that a contract with the conditions of Art. 28 GDPR must be signed, or at least accepted, and (2) that if the data is hosted outside the EU, the rules and regulations of international data transfers must apply. The conditions and privacy policies of WhatsApp, without a doubt, do not foresee any of these points.
Use of WhatsApp in the work environment: As a conclusion for your company:
- Control which applications are used to communicate with your customers, leads or employees.
- Control how your employees share information on your customers, patients, etc.
- Assess whether the use of WhatsApp or similar applications is necessary and, if so, draw up a usage policy for it that establishes the authorised cases of use and indicates what to do if something goes wrong.
If you have doubts about this or any other issue, please contact us!