Auratech Legal Solutions

Company WhatsApp groups and GDPR

Company WhatsApp groups and data protection

The use of company WhatsApp groups raises common data protection questions: can an employer add an employee without consent, can other colleagues see their phone number, and what happens if the group is used for non-work purposes?

The Spanish Data Protection Agency has analysed several cases involving phone numbers added to WhatsApp groups. The key issue is not only the tool used, but also the purpose, necessity of the processing and safeguards applied.

When it may be justified

In an employment context, adding an employee to a WhatsApp group may be justified when the group is necessary to organise work: delivery routes, shifts, operational incidents or strictly work-related communications.

In those cases, the legal basis may be linked to the performance of the employment contract or compliance with employment obligations, provided that the processing is proportionate and limited to what is necessary.

When it may lead to a fine

The situation changes when a person is added to a group without a work-related reason or without a legitimate purpose. The AEPD fined a sports club for adding a former user to WhatsApp groups without consent, breaching Article 6 GDPR and the storage limitation principle.

There may also be risk when groups are used for purposes unrelated to work, when former employees remain in the group, when excessive data is shared or when phone numbers are exposed to people who should not have access to them.

GDPR principles to comply with

Recommendations for companies

Before creating work-related WhatsApp groups, companies should:

WhatsApp can be useful for operational communications, but it should not become an informal channel without rules. The company should document necessity, provide proper information and apply security and confidentiality measures.

Auratech can help you review internal communication channels from a GDPR perspective.

Exit mobile version