Data protection
Since April 2016, WhatsApp messages and calls are end-to-end encrypted, provided both users have installed the most recent version of this app. This means, messages sent by a user can only be read by the recipient. The complete transfer from one user's device to the recipient's device is encrypted so that third parties and, in particular, WhatsApp cannot read the messages. Undelivered messages are stored on WhatsApp servers for up to 30 days.
If the user is in Europe, it has to be assumed that data protection laws based on the European Data Protection Directive of 1995, such as BDSG in Germany, also apply for receiving and sending data through WhatsApp. For data sent through WhatsApp, this mainly refers to personal data, i.e. also the phone number used to register a user with WhatsApp. Please note that the owners of phone numbers have to consent to the use of their data for each form of communication, both internally and with customers.
WhatsApp also for concluding contracts
In general, it is possible to conclude contracts through WhatsApp or send offers that will result in a valid contract if not any particular form for signing a contract is required. Make sure to observe rights of cancellation and revocation instructions as well as other requirements for distance selling deals. In addition, exchanging sensitive data between the contracting parties might be required, such as payment data (credit card data) or precise location data. This does not only affect data privacy but also payment security. Consequently, parties providing services or selling products through WhatsApp will have additional (due diligence) duties.
Data transfer to WhatsApp servers in the United States
When you register, your phone number will be transmitted to the servers of WhatsApp in the United States. However, the US server does not only collect the number entered by the user to register for WhatsApp, but simultaneously synchronises all other phone numbers stored in the phone address book or contacts of the user's end device with the WhatsApp database to decide whether these phone numbers are WhatsApp contacts, i.e. whether these other numbers have already been registered for the service, so that these contacts can be added to the user's WhatsApp contacts. When you use WhatsApp for company purposes, use a phone on which only numbers that are already registered for WhatsApp are saved. This avoids that numbers of uninvolved parties are transmitted to WhatsApp servers because they have not agreed to the standardised synchronisation with the WhatsApp database and transmission of their phone numbers to the United States.