Whatsapp versus GDPR

Posted by Schott-DCT on Wednesday, March 27, 2019

Often it has been reported that WhatsApp does not comply with GDPR.
But how exactly to verify this fact? Check the legal terms of WhatsApp

According to GDPR, personal data can be used only with specific and explicit consent by the data subject, the person concerned. Personal contact data stored in a smartphone is such data - inclusive data of those contacts, that are not using WhatsApp.
Indeed, WhatsApp uses all contact data from a smartphone – not only those of WhatsApp contacts. WhatsApp declares and details that in their own legal terms here bzw. here

Section “Your Account Information”
“You provide us, all in accordance with applicable laws, the phone numbers in your mobile address book on a regular basis, including those of both the users of our Services and your other contacts.”

Such “other contacts” are those contacts not using WhatsApp – at least not with this user. Even if a WhatsApp user could presuppose consent by all his WhatsApp contacts, the data protection rights of all the non-WhatsApp-users in contacts list will be violated.
Side note: The wording “all in accordance with applicable laws” is at least dubious – on the contrary: the described procedure is most likely illegal.

Propagation of personal data to Facebook and others
WhatsApp propagates personal data from the smartphone to Facebook and other:
“WhatsApp Inc. shares information globally, both internally within the Facebook Companies, and externally with businesses, service providers, and partners…”

Every WhatsApp user shares all contacts data with WhatsApp and Facebook and their business partners – and most probably does not have the “informed consent” of the data subject, the concerned person. For sure not from his/her non-WhatsApp contacts.

WhatsApp is not GDPR compliant.

WhatsApp terms and policies as by 26. March 2019: