
Messenger & GDPR: You have to keep this in mind when it comes to data protection

Messenger GDPR and data protection

Does your company use a messenger for customer communication? Then it is essential that you comply with the GDPR requirements.

Messenger and their privacy problem

WhatsApp, Telegram, Skype and the like have been on the rise for a few years. The messengers replace communication via SMS, e-mail, and in many cases even exchanges over the phone. No wonder: messengers are easy to use, young and old understand how to use them immediately. And in addition to text messages, users can also exchange voice and picture messages.

That is why messengers are used not only in the private sphere, but also in corporate communication. Understandably so: after all, almost everyone owns a smartphone and has at least one chat tool installed on it.

This advantage can also be a disadvantage, because some messengers are not GDPR-compliant. This means that they violate the data protection regulations of the EU. Using the wrong one is therefore a risk, and one that companies would do well to avoid.

Why you have to pay attention to data protection

If your company exchanges data with business contacts or private end customers, you must observe data protection compliance, among other things. The GDPR (General Data Protection Regulation) stipulates how the protection of personal data can be properly fulfilled.

The GDPR is a European Union regulation that has been in effect in all EU member states since May 2018. If your company does not comply with its rules or commits violations, this can result in high fines. In the worst case, these can run into the millions.

Failure to comply with data protection in accordance with the GDPR is not a trivial offence, but a criminal offence. One that can become very expensive for your company.

The penalties are a response by the legislator to the various data protection violations in the past. They also want to prevent companies from acting like “data octopuses”. Instead, the self-employed and companies are encouraged to use customer data as sparingly as possible and to make processing transparent.

Why some messengers violate the GDPR

WhatsApp is the world’s most famous and popular messenger. At the same time, it is discredited: on the one hand, the app reads the users’ address book to show them contacts who also use WhatsApp. To do this, the messenger sends the address book data to WhatsApp Inc., a subsidiary of Facebook, in the USA. On the other hand, WhatsApp and Facebook process the personal data for user analysis and advertising purposes.

Reading out contact lists, transferring data to non-EU countries and processing it also occur with other messengers. If your company uses such applications, it violates the legal data protection requirements and thus the GDPR.

Is it forbidden for companies to use messengers?

No! However, your company must rely on GDPR-compliant solutions. These can be messenger apps and online applications where data protection is observed.

What distinguishes a GDPR-compliant messenger

There are a few criteria that a communication program must offer in order for it to meet European and German data protection requirements. These are for example:

  • The messenger should not read the address book of the users
  • The application uses end-to-end encryption
  • The provider’s servers are located within the EU
  • The personal data may not be used by the provider for advertising purposes
  • Ideally, the data is stored locally and not in the cloud

Does WhatsApp comply with data protection regulations?

Yes, but only with the WhatsApp Business API. This is a variant with which companies, in particular, can meet the high data protection requirements.

However, the “private” version of WhatsApp does not meet the requirements.

GDPR-Compliant Messengers for Businesses: Secure Alternatives to WhatsApp

WhatsApp is very important for messenger marketing and conversational commerce. For businesses, there are some safe alternatives that you can use without much hesitation. For example:

WhatsApp Business API

If you want to communicate with your customers and business contacts via WhatsApp despite some concerns, Facebook has a GDPR-compliant alternative up its sleeve: the WhatsApp Business API. This is a special variant of WhatsApp that meets all data protection requirements.

The WhatsApp Business API does not exist as a standalone app. But you can use it in all-in-one solutions like Chatwerk.

Threema

No data collection, focus on privacy: these are Threema’s promises. The provider is a Swiss company that uses local servers. Although Switzerland is not part of the European Union, data processing is GDPR-compliant. All communication is encrypted, and users can prevent the address book from being read out.

Signal

The smartphone app is recommended by data protection and security experts. This is partly due to its data minimisation and the very good encryption of the data. Signal is based in the US, but the non-profit organisation operates servers worldwide.

More privacy-compliant messengers for companies

Wire, Rocket Chat, ginlo and Teamwire are also very good and privacy-compliant messengers that are suitable for corporate use. However, they are not widely used. You would therefore have to persuade many of your customers to switch to a messenger that they do not know.

Messengers for companies: How to use them according to GDPR

As you can see, there are a number of GDPR-compliant alternatives to WhatsApp on the market. Even WhatsApp, by far the most popular messenger, has a variant, the WhatsApp Business API, that you can use without hesitation.

Nevertheless, you should consider a few things before using a messenger:

  • Talk to your data protection officer and/or an IT lawyer about the messenger solution you would like to introduce in your company. Your contact person will give you important tips on how to use the new communication application correctly, and they can inform you about current legal pitfalls.
  • Train your employees on data protection and GDPR. Educate them about the consequences of improper handling of personal data.
  • Never use a chat and communication application privately and for business on one device. For example, if you have installed Threema on your work cell phone, you may only use it to communicate professionally and not privately. Likewise, you should not save any private contact data on your business smartphone and no business addresses on your private mobile phone.
  • Adjust your messenger’s settings. Make sure that as little data as possible is transmitted to third parties (e.g. to the operator).
