Privacy on the company cell phone despite WhatsApp

Manage business contacts in compliance with the GDPR and avoid fines

For private individuals, communication via WhatsApp is free of charge, but it can be very costly in a business context. This was the recent experience of employees at a number of major banks who used messenger services such as WhatsApp to exchange information about business affairs. The supervisory authorities of the financial institutions regarded this as a serious breach of the rules and at the end of last year imposed fines amounting to two billion dollars. This involved a total of 16 Wall Street banks, including Deutsche Bank.


The case of Deutsche Bank: Why is the business use of WhatsApp in violation of the law?

One of the reasons cited by the supervisory authorities is the statutory retention obligations. The German Commercial Code (Handelsgesetzbuch) and the German Fiscal Code (Abgabenordnung) set out retention obligations in business dealings to the extent that communication includes information relevant to a contract, such as orders, order confirmations, the conclusion of contracts, and payment transactions. If such communication takes place via a messenger service, encrypted messages are often only stored on the servers for a short period of time and thereafter are no longer easily retrievable on the mobile device. This means that adequate documentation and proper fulfillment of retention obligations are not assured.

But that’s not all. Data protection authorities see clear violations of compliance guidelines in using WhatsApp for business purposes. Under the GDPR, not only must each contact consent to the storage of his or her data, a requirement that applies to business and customer data, but automatic transfer of the data to third parties must also be prevented. This can be tricky, because commissioned processing also involves the automatic synchronization of stored contact data with messenger services. While this is convenient for users because they don’t have to manually enter the data into the app again, it sets off alarm bells with data protection officers. For one thing, there is no possibility of concluding a commissioned data processing agreement, and for another, it is virtually impossible in daily business to obtain written consent from every business contact. It becomes even more complicated if not all of the contacts give their consent. In this case, a smartphone without WhatsApp would have to be used for those contacts who have not given their consent.


Privacy vs. usability: Can messenger services remain on the company cell phone?

The use of WhatsApp for business purposes is therefore virtually unfeasible from a privacy perspective. Does this portend the end of WhatsApp on company cell phones?

We have examined four possible solutions in detail for GDPR-compliant use of smartphones:

1. Prohibit the use of WhatsApp on company cell phones

In order to avoid heavy fines, many German companies have reacted and summarily prohibited the use of messenger services on company cell phones. If WhatsApp and the like are nevertheless installed, employees are threatened with formal warnings. While a ban on COBO devices used exclusively for business purposes may be easily enforced, it imposes significant restrictions on users of BYOD or COPE devices used for both private and business purposes. This means that companies are effectively prohibiting their employees from using WhatsApp for private purposes as well.


2. Regulate the use of messenger services with compliance policies

In the case of Deutsche Bank, the installation of messenger services was not prohibited, but an attempt was made to address the issue by regulating their use. Employees were regularly reminded not to use messenger services for professional purposes. Those who didn’t want to go without them despite all the policies should at least ensure adequate documentation of the relevant exchange of messages. Completely unaffected by this, however, are violations of privacy policies that are already committed when the applications are installed, through the automatic forwarding of contact data to companies such as Meta. These can also be subject to official warnings.

3. Refrain from storing contact data on the company cell phone

It is not presently possible to implement a ban of WhatsApp for all smartphones used for business purposes, nor can internal usage policies rule out every violation of the law. What’s left would be a regulation that only allows business contacts to be stored in the address book of the company cell phone with a previously concluded commissioned data processing agreement, or a complete ban on storing business data. However, this is accompanied by a tremendous reduction in usability for employees, because callers can no longer be identified by name for incoming calls from business partners or customers. Even for outgoing calls, a search must first be made for the number in the CRM or the Outlook address book. This not only takes time, but is also a nuisance.


4. Prevent unintentional data loss with an additional secure app

The solution to the problem lies in an additional application where all corporate contacts from Outlook, the company address book, MS Teams, and CRM are pooled and centrally managed, while preventing them from being synced with third-party apps, thereby eliminating the risk of unintentional data loss.

The Secure Contacts app makes this possible. By consolidating data from different storage locations, all contacts are kept up to date and there is no need to spend any effort in manually storing new contacts. All contacts that are used for private purposes only can be stored in the smartphone address book. They are subject to the privilege of personal and family activities with no relevance to the GDPR. This makes it possible to install WhatsApp on the company cell phone and use it privately with no compliance risks.

Try it now


Request your free trial license with the full range of features and convince yourself of the many benefits for your daily work.

Request trial license

Interested in the details?

Your primary contact
Alexandros Garoufis | Sales Manager

Want to protect your business contacts without compromising the work of your employees? We can help!