23.05.2023

Efficient and DSGVO-compliant management of business contacts on the company cell phone

The digitization of the working world holds a host of new opportunities for companies and their employees. Mobile devices have long since become an integral part of everyday working life. The boundaries between work and private life are also becoming increasingly blurred. More and more companies are therefore offering their employees scenarios that allow private use of business devices. Whether it’s Bring Your Own Device (BYOD) or Corporate Owned Private Enabled (COPE), the benefits for users pose considerable risks for companies in terms of data protection. As the number of devices increases, so does the number of mobile applications on smartphones and the like.

The undisputed number one among apps is the messenger service WhatsApp. No wonder, because WhatsApp enables quick and easy communication. Many sales employees therefore use WhatsApp not only to communicate with family and friends, but also to get in touch with customers and colleagues in an uncomplicated way. They are often unaware that they are violating GDPR guidelines in the process.

What should be considered when it comes to data protection on the company cell phone? We clarify!

The legal framework: Data processing according to DSGVO

With the entry into force of the General Data Protection Regulation (GDPR), the EU has standardized the regulations for processing personal data. Personal data is information that can be clearly assigned to a person and thus allows conclusions to be drawn about that person. Examples include name, address, date of birth, telephone number, email address, credit card number or IP addresses.

The processing of personal data includes the collection, use, modification, transmission and storage as well as the deletion of data by a company. These activities may only be carried out if the data subject consents to them or they are permitted by law. The latter is the case if contractual obligations such as supply relationships exist between the parties.

In the course of commissioned processing, the processing of personal data is not carried out by the company itself, but by third parties, such as external service providers. The consent of the persons concerned is also required for this.

Violations of these guidelines can cost companies dearly. If personal data is lost or falls into the hands of third parties without permission, they will be held liable. The penalties are severe: up to 20 million euros or four percent of global sales – whichever is higher – may be due.

The challenge: Compliance risks through data synchronization

In the case of business or customer data, therefore, the requirement is that it may only be stored with the prior consent of the contact. In addition, the automatic transfer of data to third parties must also be prevented. But caution is required here, because commissioned processing by no means covers only the obvious cases of external data processing. Everyday actions that have become standard often remain under the radar, because data processing happens here unnoticed.

Automatic synchronization with messengers

According to the Mobile Work Index 38 percent of employees use messenger services on their company cell phones. The problem with WhatsApp & Co. is that the apps automatically gain access to all stored contact data from the address book and store it on their own servers in the cloud for data synchronization. What is practical for users, since they do not have to manually transfer the individual contacts to the app, is highly problematic in terms of data protection. After all, according to DSGVO, this is commissioned processing, which requires the consent of each contact. And since apps like WhatsApp read out the entire smartphone phone book, regardless of whether the respective contact uses the messenger or not, and without checking whether consent has been given, this is a violation of data protection guidelines that can give rise to a warning.

Personal profiles in rental cars and car sharing

Rental cars and car sharing are also becoming increasingly popular. In addition to navigation and radio, smartphone pairing with the infotainment system is usually offered here. In the course of automatic synchronization with the address book of the smartphone, the contacts are stored in the system of the vehicle. Data loss after a synchronization can only be prevented by manually resetting the system to factory settings after the trip. However, according to a report by the ADAC, such a reset can vary fundamentally from car model to car model and can sometimes be a significant undertaking. This is an effort that many users do not make, if they are aware of the problem at all.

This is what data protection specialist Wilfried Reiners (PRW Legal Tech GmbH) says:

“Given the increasing relevance of data protection and data security, organizations must ensure that the use of company cell phones takes place within a legally compliant framework. The General Data Protection Regulation (GDPR) specifies the conditions under which personal data may be processed. If mobile devices are used both professionally and privately, the data stored on them and information transferred must also be protected in accordance with DSGVO. However, there are always use cases here that offer insufficient security. To avoid possible and presumably high fines, companies are therefore well advised to take special precautions. Because if sensitive data, such as the personal contact data of customers or business partners, is transferred to third parties when synchronizing the smartphone address book without the consent of the persons concerned, the DSGVO’s catalog of sanctions is opened up.”

The solution: Usability & data protection thanks to containers

So can companies ensure data protection without restricting employees in the use of their company cell phones? A ban on messenger services and car sharing would be accompanied by significantly reduced usability and would be difficult to implement on BYOD and COPE devices.

This is remedied by an additional app that separates private and business data. This is a mobile application that separates a separate area (container) on the mobile device. For users, this means that they can only access business data on their smartphones within a protected and encrypted environment. The app thus enables end-to-end data protection-compliant use of business contacts. These are protected against unwanted data leakage and synchronization with third-party apps such as WhatsApp, Google, etc. as well as rental cars and car sharing is prevented.

Users do not have to store a single business contact in the address book of their smartphones. All business data from the company address book, personal Outlook address book and customer data from any CRM systems or other sources can be merged and centrally managed in a container app. Once in the system, all company members have access to the contacts authorized for them. Thanks to automated data maintenance, there is no need to manually enter new contacts, duplicate contacts are consolidated, and data is consistently updated.

All contacts that are used purely privately can be stored in the smartphone’s address book. These are subject to the privilege of personal and family activities and are not GDPR relevant. This means that the installation and private use of WhatsApp on the company cell phone is possible without compliance risks.

Try it now

30 DAY FREE TRIAL LICENSE—FULL RANGE OF FEATURES WITH NO OBLIGATION

Request your free trial license with full functionality directly from us now and convince yourself of the many benefits for your everyday work.

Request test lens

Other content

Data protection
Privacy on the company cell phone despite WhatsApp
We have examined four possible solutions in detail for GDPR-compliant use of smartphones.
->
New feature
Secure Contacts app: Now also with vCard
A digital business card is flexible and effective—and always available as a QR code. Find out how it works on this page.
->
Data protection
The rental car and car sharing data privacy nightmare
Rental car and car sharing services are becoming increasingly popular. However, this comes with a significant data risk.
->
Interview
Secure Contacts app: More than a telephone book
We now have an app. The application grew out of a seemingly simple internal Provectus requirement.
->

Get the app here