GDPR with WhatsApp Business

WhatsApp takes data protection seriously, and so does tyntec. Both parties ensure that the WhatsApp Business API is fully compliant with the GDPR.

We appreciate that GDPR requires our business partners when acting as data controllers, to make sure WhatsApp (when acting as the data processor) has the appropriate safeguards in place. We are committed to those safeguards and therefore meet those requirements.

WhatsApp acts as a Data Controller and/or Data Processor, depending on the circumstances:

  • Data controller: Concerning consumer end-users of WhatsApp Messenger, WhatsApp acts as a data controller, as outlined in the privacy policy applicable to WhatsApp Messenger consumer end-users. 
  • Data processor: Each Enterprise is a data controller of its consumer end-users. When the Enterprise provides its consumer end-users to WhatsApp via the WhatsApp Business API, WhatsApp is a data processor of those consumer end-users to deliver messages from the Enterprise Customer’s to those end-users.

When WhatsApp is the data processor, tyntec handles personal data as described in our data practices and our data processing terms

Our Data Processing Terms align with GDPR requirements governing contracts between data controllers and data processors.

In addition, this is how tyntec and WhatsApp ensure all communications facilitated by WhatsApp Business is compliant with GDPR:


Measure Description
No access to user’s phone book Differently from the consumer WhatsApp app, the Business API does NOT include access to the user’s phone book.
End-to-end encryption WhatsApp messages are encrypted from tyntec to the device and secured over HTTPS from your application to tyntec.
Data protection Media and messages are only stored for delivery and are deleted after 7/30 days, respectively. It’s at the discretion of the Enterprise to decide on customer data storage, chat message archiving, etc.
Data processing The content sent from enterprises to tyntec is secure and within the EU (datacenter in Dortmund, Germany). The transmission of data between the involved networks is done via HTTPS.
Opt-ins Active opt-ins are required and can be collected with existing communication channels used by the enterprise.
Opt-outs Users can report or block the enterprise on WhatsApp.
Additional security measures by tyntec Multiple security transmission options like VPN or TLS, regular penetration tests, automated vulnerability scans, and more.