Fine for adding someone to a WhatsApp group without consent

WhatsApp group and GDPR fine for adding someone without consent.

Fine for adding someone to a WhatsApp group without consent

The Spanish Data Protection Agency fined a sports club 4,000 euros for adding a former user to several WhatsApp groups without asking for her consent.

The case shows that a phone number is personal data and that adding someone to a WhatsApp group may disclose that data to third parties, because the number becomes visible to other participants.

What did the AEPD consider unlawful?

The AEPD found that the club had processed personal data without a valid legal basis. In particular, adding the person to the groups was not covered by consent or by another lawful ground.

The authority also considered that the affected person had not been a user of the club for years. Keeping her data and using it for a later purpose breached the storage limitation principle.

WhatsApp group and GDPR fine for adding someone without consent.

GDPR provisions involved

  • Article 6 GDPR: lawfulness of processing. A valid legal basis is required to use a person’s phone number and add them to a group.
  • Article 5.1.e GDPR: storage limitation. Personal data should not be kept longer than necessary.
  • Confidentiality and security: exposing the phone number to other participants may amount to an unauthorised disclosure of data.

Commercial messages through WhatsApp

When WhatsApp is used for commercial or promotional purposes, organisations should be particularly careful. Having a phone number is not enough: there must be an appropriate legal basis and rules on commercial communications must also be respected.

The organisation should also offer recipients a simple and free way to object to the processing of their data for commercial purposes.

Recommendations to avoid fines

  • Do not add clients, former users or third parties to groups without a legal basis.
  • Regularly review members of groups and broadcast lists.
  • Delete data when it is no longer necessary.
  • Use broadcast lists or alternative channels when they are less intrusive.
  • Clearly inform people about the purpose and data processing.
  • Do not use WhatsApp for unsolicited commercial communications.

WhatsApp can make communication with clients or users easier, but it must be used with clear rules. Convenience does not remove the obligation to comply with the GDPR.

AEPD decision on the case.

/0 Comments/by
You might also like
Anonymisation and GDPR concept illustrating identification through web browsing patterns. Identifying people through anonymous web browsing patterns
Healthcare professional illustrating the right to be forgotten for cancer survivors in Spain. Right to be forgotten for cancer survivors in Spain
Twitter metadata and anonymisation concept illustrating privacy risks for users. Twitter metadata is a privacy nightmare
0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *