
Messenger & GDPR: You have to keep this in mind when it comes to data protection


Does your company use a messenger for customer communication? Then you have to adhere to the GDPR requirements.

Messenger and your data protection problem

WhatsApp, Telegram, Skype and the like have been on the rise for a few years. Messengers are replacing communication via SMS and email, and in many cases even telephone calls. No wonder: messengers are easy to use, and young and old understand how to use them immediately. In addition to text messages, users can also use them to exchange voice and picture messages.

That is why messengers are used not only in private environments, but also in corporate communications. This is understandable: after all, almost everyone owns a smartphone and has at least one chat tool installed on it.

This advantage can also be a disadvantage, because some messengers are not GDPR-compliant. That means they violate the data protection regulations of the EU. Using the wrong messenger is therefore a risk, and one that companies shouldn’t take.

Why you have to pay attention to data protection

If your company exchanges data with business contacts or private end customers, you have to pay attention to compliance with data protection, among other things. The GDPR (General Data Protection Regulation) stipulates how personal data must be protected.

The GDPR is a regulation of the European Union that has been in force in all EU member states since May 2018. If your company does not adhere to the guidelines or violations occur, this can be punished with high fines. In the worst case, these can run into the millions.

Failure to comply with data protection in accordance with the GDPR is not a trivial offense, but a criminal offense. One that can become very expensive for your business.

The penalties are the legislature’s response to the various data protection violations of the past. The legislature also wants to prevent companies from acting like “data octopuses”. Instead, the self-employed and companies are encouraged to use customer data as sparingly as possible and to make processing transparent.

Why some messengers violate the GDPR

WhatsApp is the world’s best-known and most popular messenger. At the same time, it has fallen into disrepute. On the one hand, the app reads the user’s address book in order to show them contacts who also use WhatsApp. To do this, the messenger transmits the address book data to WhatsApp Inc., a subsidiary of Facebook, in the USA. On the other hand, WhatsApp and Facebook process the personal data for user analysis and for advertising purposes.

Reading out contact lists, sending the data to non-EU countries and processing it also occur with other messengers. If your company uses such applications, it violates the legal data protection requirements and thus the GDPR.

Is the use of messengers in companies prohibited?


However, your company has to rely on GDPR-compliant solutions. These can be messenger apps and online applications that comply with data protection.

What distinguishes a GDPR-compliant messenger

There are a few criteria that a communication program has to offer in order for it to meet European and German data protection requirements. These are for example:

  • The messenger should not read the address book of the user
  • The application uses end-to-end encryption
  • The provider’s servers are located within the EU
  • The provider may not use the personal data for advertising purposes
  • Ideally, the data is stored locally and not in the cloud

Does WhatsApp comply with data protection regulations?

Yes, but only with the WhatsApp Business API. This is a variant with which companies in particular can meet the high data protection requirements.

However, the “private” version of WhatsApp does not meet the requirements.

GDPR-compliant messengers for companies: Secure alternatives to WhatsApp

WhatsApp is very important for messenger marketing and conversational commerce. There are some safe alternatives for businesses that you can use without much concern. For example:

WhatsApp Business API

If you want to communicate with your customers and business contacts via WhatsApp despite some concerns, Facebook has a GDPR-compliant alternative up its sleeve: the WhatsApp Business API. This is a special variant of WhatsApp that meets all data protection requirements.

The WhatsApp Business API is not available as a standalone app. But you can use it in all-in-one solutions like Chatwerk.


Threema

No data collection, focus on privacy: these are Threema’s promises. The provider is a Swiss company that relies on local servers. Switzerland does not belong to the European Union, but data processing is GDPR-compliant. All communication is encrypted, and users can prevent the address book from being read out.


Signal

The smartphone app is recommended by data protectionists and security experts. This is due, among other things, to the data economy and the very good encryption of the data. The operator of Signal is based in the United States, but the non-profit company operates servers worldwide.

Further data protection-compliant messengers for companies

Wire, Rocket Chat, ginlo and Teamwire are also very good and privacy-compliant messengers that are suitable for corporate use. However, they are not widely used. You would have to persuade many of your customers to switch to a messenger that they do not know.

Messenger for business: how to use it according to GDPR

As you can see, there are some GDPR-compliant alternatives to WhatsApp on the market. Even WhatsApp, by far the most popular messenger, has a WhatsApp Business API variant that you can use without hesitation.

Nevertheless, there are a few things you should consider before using a messenger:

  • Talk to your data protection officer and/or an IT lawyer about the messenger solution that you want to introduce in your company. Your contact person will give you important tips on how to use the new communication application correctly and can inform you about current legal pitfalls.
  • Train your employees on data protection and GDPR. Educate them about the consequences of improper handling of personal data.
  • Never use a chat and communication application for both private and business purposes on one device. For example, if you have Threema installed on your company cell phone, you may use it only for professional communication, not private communication. Likewise, you should not save any private contact data on your business smartphone or business addresses on your private mobile phone.
  • Adjust the settings of your messenger. Make sure that as little data as possible is transmitted to third parties (for example to the operator).
