Data, Privacy & GDPR
Security and GDPR with tyntec's WhatsApp Business API

What is WhatsApp's position on GDPR?

WhatsApp takes data protection seriously and we comply with data protection laws that apply to us. To that end, we have ensured that our services align with the GDPR. We appreciate that the GDPR requires our business partners, when acting as data controllers, to make sure WhatsApp (when acting as the data processor) has the appropriate safeguards in place. We are committed to those safeguards and meet those requirements.

Find out more in tyntec's GDPR and Security Guide.

Does WhatsApp see itself as a Data Controller, Data Processor or both?

Both - depending on the circumstances. Below, we've outlined details about WhatsApp's role in each of these designations.

  • Data controller: With respect to consumer end users of WA Messenger, WhatsApp acts as a data controller, as set forth in the privacy policy applicable to WA Messenger consumer end users.
  • Data processor: Each client is a data controller of its customer contacts. When the client provides its customer contacts to WhatsApp via the WhatsApp Business Solution, WhatsApp is a data processor of those customer contacts, and processes those customer contacts for the purpose of delivering the client's WhatsApp messages to those customers.

Our Data Processing Terms align with GDPR requirements governing contracts between data controllers and data processors.

Is personal data being stored on European servers?

Facebook operates a global infrastructure and processes data on both EU and US-based servers. WhatsApp stores data in the United States and stores encrypted media worldwide to increase efficiency. This processing is supported by strict legal compliance for safeguarding any transfers of personal data outside of the EU. WhatsApp has certified under Privacy Shield for cases in which it acts as a data processor, as explained further in its Privacy Shield Addendum and certification.

Where is a client's customer data being stored?

Clients are responsible for storing their own customer contacts and messages. WhatsApp does not store this data for any longer than necessary to route and deliver messages. If a message cannot be delivered immediately, we may keep it on our servers for up to 30 days as we try to deliver it. If a message is still undelivered after 30 days, we delete it. To improve performance and deliver media messages more efficiently, we may retain them on our servers for a longer period of time.

What is tyntec’s role in data privacy, security, and GDPR compliance?

Security is a priority for both WhatsApp and tyntec. Our data privacy, data storage, and secure transmission practices are meant to identify security flaws and adhere to GDPR and other regulations.

WhatsApp has provided full encryption for personal communications and will also extend this feature to businesses. In addition, media and messages are stored only for delivery and are deleted after 7 and 30 days, respectively. Find out more information about GDPR and security here.