Nowadays, “WhatsApp” is the leading instant messaging application. According to Statista (State of Digital, 2021), the application reached 2 billion users worldwide in 2021, and more than 175 million messages are sent to companies every day, according to the Head of WhatsApp at Facebook.

Its global dominance is questionable to say the least.

WhatsApp for businesses 

Also, according to estimates by Sensor Tower, in January 2021 “WhatsApp Business”, the free-to-download mobile application for small businesses, was downloaded 18 million times on Google Play and Apple Store. This is a clear indication that more and more entities are choosing to use “WhatsApp Business” to communicate with their customers.

Businesses can automate, organize and respond more quickly to messages, offering customers options and functions tailored to the company, such as labels to organize contacts, automated responses, etc.

It should be noted that the free “WhatsApp Business” application is designed for small businesses and freelancers, and offers a number of features such as:

  • Product Catalog
  • Automatic responses
  • Automatic messages
  • Customer labels

The WhatsApp Business API platform is designed for medium and large scale business communication. To use this tool, the entity and its business activity must pass several stages of verification by Meta, in accordance with the platform’s own policies.

Data protection

In addition to the numerous advantages for communication with customers and other users, the use of this instant messaging tool entails the need to comply with current data protection regulations, especially when there is a continuous exchange of information (files, images, etc.) involving personal data.

In this regard, we will follow the criteria of the Spanish supervisory authorities (specifically, the Spanish and Catalan Data Protection Authorities), as well as national and European regulations. These highlight that the use of the free application “WhatsApp Business” entails, in addition to accepting the tool’s own conditions of use, compliance with a series of obligations by the entity in its capacity as data controller, among which the following should be highlighted:

Risk analysis

Conduct an assessment of the risks of personal data being processed through the “WhatsApp” tool.

Among other issues, the technical and organizational measures adopted by the tool to preserve the security of the information, such as end-to-end encryption, as well as the possible vulnerabilities of the tool and its possible impact on the privacy of personal data, should be analyzed.

Data protection by design

Without prejudice to the technical and organizational measures that the tool has to preserve the security of personal data, the data controller itself must use the tool diligently, so that its use does not compromise the confidentiality of the information.

In this sense, the Catalan Data Protection Agency recently admonished and issued a requirement to a City Council (PS 28/2021) precisely for creating a “WhatsApp” group to send institutional information in which the data of the people who joined the group (mobile number, profile picture, user name) were fully accessible to the other members, so that the principle of confidentiality could not be guaranteed.

The Agency takes the view that, when using a tool such as “WhatsApp”, the options the tool makes available that best guarantee the principle of confidentiality should be used, such as broadcast lists, in which the data of the members of the group cannot be accessed. In this regard, it should be noted that the WhatsApp Business platform does not allow groups to be created, only messages to be sent via WhatsApp to mailing lists, and it is the entity’s obligation to obtain the recipients’ prior consent to be subscribed to these lists.

Information and transparency

Comply with these principles by making basic information available to users in the tool itself, allowing access to other information in a simple and immediate way, for example, through a link to the data protection policy.

Lawful processing

According to the terms of use of the tool, contact with individuals through the tool may only be carried out if authorized by the users or if they have provided their telephone number to the data controller.

Taking the above into consideration, data controllers must bear in mind the importance of complying with and guaranteeing data protection obligations, assess the functionalities provided to businesses by the “WhatsApp Business” application and the “WhatsApp Business platform” (WhatsApp Business API), and choose the most suitable one according to their activity and size.