
Blog · June 11, 2026 · Tobias Wissen

WhatsApp for your business: what is legally allowed and how to stay GDPR-compliant

Customers already message you on WhatsApp; it is the businesses that hesitate. What is actually allowed for professional use, and how to bundle it in a legally sound way.

Your customers already message you on WhatsApp anyway. The only question is whether you do it officially and cleanly or keep running it through an employee’s private phone that no one keeps track of. That is exactly where most businesses get stuck: they sense that something might be tricky under data-protection law, and decide to leave it. A shame, because the channel works, and it can be made legally sound too.

Why the private phone is the real problem

The most common state in small businesses is not “we do not use WhatsApp” but “an employee uses it privately for the company.” That is the worst variant. Customer data sits on a private device, the address book gets uploaded to Meta without anyone being asked, and when the employee leaves, half the customer contacts leave with them. Control: none.

A blanket ban does not solve this; it only drives the practice further underground. An official, controlled path is better.

What actually applies legally

Three points decide whether the use is clean:

  • The right solution. The normal WhatsApp app is not built for business use. What you need is access through the official WhatsApp Business Platform (the API), connected via a reputable provider. Then no private address book is read out, and communication runs through a controlled system.
  • A data processing agreement (DPA). With the provider you use to connect WhatsApp, you sign a DPA. That is mandatory, but in practice a checkbox or a PDF, not a major project.
  • Transparency and consent. Your privacy policy must name the channel, and the customer must know what they are getting into when they message you. Anyone who wants to actively reach out (advertising) needs prior consent. Replying to a message a customer sent you, on the other hand, is unproblematic.

That is the short version. The exact setup depends on your industry and your data types, but the framework is always the same.

One inbox instead of five channels

Once the channel is set up cleanly, the real gain follows: bundling. Customers today write via WhatsApp, email, the contact form, Instagram, sometimes by SMS. If every channel lands somewhere else, something inevitably falls through the cracks.

For this we work with Superchat, a solution from Germany that brings exactly these channels together in a shared inbox. The team sees all messages in one place, can assign them, and nothing gets lost in one person’s private chat any more. In terms of data protection that is a clear step forward, because communication is back inside the company rather than on private devices.

What you can achieve with it

  • Faster replies, because all enquiries arrive in one place
  • Cover during holidays or sick leave, without passing a phone around
  • Templates for recurring questions, without sounding impersonal
  • A clean separation of private and business that also eases the employment-law side

Where caution is warranted

Here too: no magic bullet. Sensitive data (health, finances, contract details) belongs in a messenger only if the customer explicitly wants it that way and the matter allows it. And a channel no one tends is worse than no channel, because it makes a promise of availability that then goes unmet. Whoever offers WhatsApp must also reply promptly.

How we set it up

We set up the channel in a legally sound way, take care of the DPA and privacy policy, bundle the channels into one inbox and, on request, connect the whole thing to the rest of your processes, for example so an enquiry lands in the CRM automatically. That turns a tricky grey area into a clean, controlled customer channel.

If you are unsure whether your current handling of WhatsApp is sound: I am happy to take a look and tell you honestly where you stand.

Tobias Wissen

Owner, WISSEN BERATUNG
