GDPR with WhatsApp Business
WhatsApp takes data protection seriously, and so does tyntec. Both parties ensure that the WhatsApp Business API is fully compliant with the GDPR.
We appreciate that GDPR requires our business partners when acting as data controllers, to make sure WhatsApp (when acting as the data processor) has the appropriate safeguards in place. We are committed to those safeguards and therefore meet those requirements.
WhatsApp acts as a Data Controller and/or Data Processor, depending on the circumstances:
- Data processor: Each Enterprise is a data controller of its consumer end-users. When the Enterprise provides its consumer end-users to WhatsApp via the WhatsApp Business API, WhatsApp is a data processor of those consumer end-users to deliver messages from the Enterprise Customer’s to those end-users.
When WhatsApp is the data processor, tyntec handles personal data as described in our data practices and our data processing terms.
Our Data Processing Terms align with GDPR requirements governing contracts between data controllers and data processors.
In addition, this is how tyntec and WhatsApp ensure all communications facilitated by WhatsApp Business is compliant with GDPR:
No access to user’s phone book
Differently from the consumer WhatsApp app, the Business API does NOT include access to the user’s phone book.
WhatsApp messages are encrypted from tyntec to the device and secured over HTTPS from your application to tyntec.
Media and messages are only stored for delivery and are deleted after 7/30 days, respectively. It’s at the discretion of the Enterprise to decide on customer data storage, chat message archiving, etc.
The content sent from enterprises to tyntec is secure and within the EU (datacenter in Dortmund, Germany). The transmission of data between the involved networks is done via HTTPS.
Active opt-ins are required and can be collected with existing communication channels used by the enterprise.
Users can report or block the enterprise on WhatsApp.
Multiple security transmission options like VPN or TLS, regular penetration tests, automated vulnerability scans, and more.