Fine for adding someone to a WhatsApp group without consent
The Spanish Data Protection Agency fined a sports club 4,000 euros for adding a former user to several WhatsApp groups without asking for her consent.
The case shows that a phone number is personal data and that adding someone to a WhatsApp group may disclose that data to third parties, because the number becomes visible to other participants.
What did the AEPD consider unlawful?
The AEPD found that the club had processed personal data without a valid legal basis. In particular, adding the person to the groups was not covered by consent or by another lawful ground.
The authority also considered that the affected person had not been a user of the club for years. Keeping her data and using it for a later purpose breached the storage limitation principle.
GDPR provisions involved
- Article 6 GDPR: lawfulness of processing. A valid legal basis is required to use a person’s phone number and add them to a group.
- Article 5.1.e GDPR: storage limitation. Personal data should not be kept longer than necessary.
- Confidentiality and security: exposing the phone number to other participants may amount to an unauthorised disclosure of data.
Commercial messages through WhatsApp
When WhatsApp is used for commercial or promotional purposes, organisations should be particularly careful. Having a phone number is not enough: there must be an appropriate legal basis, and the rules on commercial communications must also be respected.
The organisation should also offer recipients a simple and free way to object to the processing of their data for commercial purposes.
Recommendations to avoid fines
- Do not add clients, former users or third parties to groups without a legal basis.
- Regularly review members of groups and broadcast lists.
- Delete data when it is no longer necessary.
- Use broadcast lists or alternative channels when they are less intrusive.
- Clearly inform people about the purpose and about how their data is processed.
- Do not use WhatsApp for unsolicited commercial communications.
WhatsApp can make communication with clients or users easier, but it must be used with clear rules. Convenience does not remove the obligation to comply with the GDPR.