For private individuals, communication via WhatsApp is free of charge, but it can be very costly in a business context. This was the recent experience of employees at a number of major banks who used messenger services such as WhatsApp to exchange information about business affairs. The supervisory authorities of the financial institutions regarded this as a serious breach of the rules and at the end of last year imposed fines amounting to two billion dollars. This involved a total of 16 Wall Street banks, including Deutsche Bank.
The case of Deutsche Bank: Why is the business use of WhatsApp in violation of the law?
One of the reasons cited by the supervisory authorities is the statutory obligation to retain records. The German Commercial Code (Handelsgesetzbuch) and the German Fiscal Code (Abgabenordnung) set out retention obligations in business dealings to the extent that communication includes information relevant to a contract, such as orders, order confirmations, the conclusion of contracts, and payment transactions. If such communication takes place via a messenger service, encrypted messages are often stored on the servers for only a short period of time and thereafter are no longer easily retrievable on the mobile device. This means that adequate documentation and proper fulfillment of retention obligations are not assured.
But that’s not all. Data protection authorities see clear violations of compliance guidelines in using WhatsApp for business purposes. Under the GDPR, each contact must consent to the storage of his or her data, a requirement that applies to business and customer data, and the automatic transfer of that data to third parties must also be prevented. This can be tricky, because commissioned processing also involves the automatic synchronization of stored contact data with messenger services. While this is convenient for users because they don’t have to manually enter the data into the app again, it sets off alarm bells with data protection officers. For one thing, there is no possibility of concluding a commissioned data processing agreement; for another, it is virtually impossible in daily business to obtain written consent from every business contact. It becomes even more complicated if not all of the contacts give their consent. In this case, a smartphone without WhatsApp would have to be used for those contacts who have not given their consent.
Privacy vs. usability: Can messenger services remain on the company cell phone?
The use of WhatsApp for business purposes is therefore virtually unfeasible from a privacy perspective. Does this portend the end of WhatsApp on company cell phones?