WhatsApp Business Data Processing Agreement: all information for companies

18.12.2025

4 min. read

Christian Strauch
Co-Founder and CEO

WhatsApp is an integral part of customer communication for many companies. High opening rates and quick responses make the channel attractive. But as soon as you use WhatsApp Business, you process personal data, and clear GDPR requirements therefore apply. In this article, you will find out what role the order processing contract plays and why it is indispensable for companies.

Why is the AV contract with WhatsApp Business so important for companies?

Data protection has been mandatory since the GDPR. As soon as companies communicate with customers via WhatsApp, they automatically process personal data, and that requires legal protection through an order processing contract (AV contract).

WhatsApp is omnipresent in Germany. More than 60 million people use the messenger regularly. Many customers expect that companies can also be reached there. No other channel achieves comparable opening rates: around 98% of all WhatsApp messages are read.

But this is exactly where the risk lies: without an AV contract, companies are violating the GDPR, as WhatsApp (or Meta Platforms) processes customer data on their behalf. Among other things, the following information is collected:

  • smartphone model
  • device name
  • phone number
  • profile picture
  • profile name
  • profile description
  • address book
  • position
  • date & time

This data is considered personal and may only be processed if there are clear contractual agreements. The AV contract in accordance with Art. 28 GDPR stipulates that WhatsApp uses the data exclusively on the instructions of the company, and thus protects both sides: companies and customers.

If this contract is missing, there is a risk of severe fines of up to 10 million euros or 2% of annual turnover.

What exactly is an order processing contract (AV contract)?

An order processing contract is a central requirement of the GDPR, regulated in more detail in Art. 28 GDPR. It obliges companies to contractually bind external service providers who process personal data on their behalf.

Overview of everything a WhatsApp AV contract regulates
An order processing contract is concluded between companies and external service providers and regulates data processing.


What does “order processing” mean?

Whenever an external service provider processes data not for its own purposes but on behalf of a company, this constitutes order processing.
Examples:

  • Payroll by an external tax office
  • Cloud storage of customer data
  • Sending email or WhatsApp messages via third parties

The AV contract ensures that this service provider acts only on the company's instructions and applies suitable technical and organizational measures for data protection.

Responsible person vs. order processor

The distribution of roles is crucial:

  • Responsible person: The company that decides on the purposes and means of data processing.
  • Contract processor: The service provider that processes the data on behalf of the company (e.g. WhatsApp/Meta).

The responsible person therefore remains responsible, even when a service provider is involved.

When is an AV contract mandatory?

Whenever a company passes on personal data to an external provider. These include:

  • Communication tools (such as WhatsApp Business)
  • Cloud services and CRM systems
  • Newsletter and marketing platforms

Without an AV contract, the legal basis for data processing is missing. This also applies to the use of WhatsApp Business or the WhatsApp API: both are solutions in which Meta Platforms processes data on behalf of the company.

How does the AV contract work with WhatsApp Business in detail?

Not every WhatsApp version is suitable for business use. Depending on the variant, different data protection conditions apply, and only one of them even offers an AV contract in accordance with Art. 28 GDPR.

An overview of the three WhatsApp versions

  • WhatsApp Messenger: intended for private use, no business use allowed.
  • WhatsApp Business app: free app for small businesses, with basic functions and an integrated AV contract.
  • WhatsApp Business Platform (API): professional interface for larger companies, offers the highest data protection standards.

Only the Business app and the Business API make it possible to conclude an AV contract. With the normal Messenger app, business use is explicitly prohibited.

How is the AV contract created with WhatsApp Business?

The contract is concluded automatically as soon as a company installs the WhatsApp Business app and accepts the terms of use. There is no separate signature.
In terms of content, the contract stipulates that Meta Platforms Ireland Ltd. processes personal data on behalf of the company, i.e. as contract processor.


Problematic: Content gaps in the contract

Data protection experts criticize that the contract provided by Meta does not completely meet the requirements of Art. 28 GDPR. Important points are missing or unclear, such as:

  • No precise description of the purpose and type of data processing
  • No clear regulation on the obligation to follow instructions
  • Unclear cancellation and return policies
  • Data transfer to US servers remains possible
  • General permission for Meta to deploy sub-processors

As a result, the contract remains legally vulnerable — particularly in the case of strict data protection checks.

Meta's role as contract processor

For EU companies, Meta Platforms Ireland Ltd. acts as the contractual partner. The company is therefore formally regarded as contract processor and is responsible for technical data processing. Nevertheless, the company using the service continues to bear responsibility for data protection towards its customers.


How can companies conclude the WhatsApp Business AV contract?

The WhatsApp AV contract is not signed manually but concluded automatically as soon as a company has activated the WhatsApp Business app or the WhatsApp Business API and accepted the terms of use. There is no separate contract file; the contract is part of the general terms of Meta Platforms Ireland Ltd.

Step-by-Step Guide

  • Set up the WhatsApp Business app or API
  • Read and confirm the terms of use
  • This makes the AV contract take effect automatically
  • For internal purposes, document the conclusion of the contract (e.g. in the data protection directory)

How can WhatsApp Business be used in compliance with GDPR?

According to the terms and conditions, the standard version of WhatsApp may only be used privately. Commercial use is prohibited because no AV contract can be concluded.
For companies, there are therefore only two options that are justifiable under data protection law:

Option 1: WhatsApp Business App

In principle, the WhatsApp Business app allows the automatic conclusion of an AV contract with Meta Platforms Ireland Ltd. as soon as the app is installed and the terms of use are accepted.
However, this contract is considered insufficient, as essential information required by Art. 28 GDPR is missing:

  • No clear description of the processing purposes
  • Incomplete regulations on the obligation to follow instructions and on deletion
  • Data transfer to third countries (USA) still possible

With a few precautionary measures, the app can still be used in compliance with the GDPR, with restrictions:

  • Use it only on separate devices
  • Disable cloud backups
  • Only save contacts who use WhatsApp
  • Store the imprint in the profile
  • Obtain customers' consent to data processing, where applicable

Nevertheless, this variant does not offer complete legal certainty.

Option 2: Use WhatsApp Business API interface

The WhatsApp Business API is the professional solution for legally secure use. Here, the AV contract is concluded not with Meta directly but via an official Business Solution Provider (BSP), such as hellomateo.

The BSP itself concludes a comprehensive AV contract with Meta and then offers companies its own AV contract that fully meets GDPR requirements.
As a result, the processing of personal data is clearly regulated and documented.

Benefits of the API solution:

  • Legally compliant AV contract via the Business Solution Provider
  • No access to the address book of the end device
  • Server location Germany (with hellomateo)
  • No cloud backup
  • Technically secure communication via tested infrastructure

The API is therefore the only permanently GDPR-compliant and legally secure solution.

Use WhatsApp in compliance with GDPR with hellomateo's WhatsApp API interface — including detailed AV contract

The WhatsApp Business API is the only way to use WhatsApp in a truly GDPR-compliant manner in the company. Via certified third parties such as hellomateo, all communication runs via a secure server infrastructure, without access to the smartphone address book and without unencrypted cloud backups. All data is processed exclusively on servers in Germany.

With hellomateo, companies conclude a complete AV contract in accordance with Art. 28 GDPR that meets all legal requirements. This includes, among other things, the purposes of data processing, the obligation to follow instructions, technical and organizational measures, and the deletion or return of data. This makes the contract significantly more transparent and legally compliant than the standardized AV contract for the WhatsApp Business app.

In addition to legal protection, companies benefit from numerous features such as automated messages, WhatsApp newsletter marketing, AI chatbots and integrations with existing systems. In this way, hellomateo enables secure, scalable and at the same time efficient customer communication via WhatsApp — fully GDPR-compliant and legally protected.

Advantages of the WhatsApp API software

  • Central user interface: hellomateo combines WhatsApp Business Platform, email, Instagram, SMS and Facebook Messenger in one central inbox. The intuitive user interface includes various tools for efficient customer communication and saves you valuable working time.
  • Integrations: With hellomateo, you can integrate WhatsApp into over 6,000 software programs and create fully automated customer journeys with invitations, order confirmations, shipping information, invoices, and reminders.
  • Newsletter marketing: Send GDPR-compliant newsletters via WhatsApp or SMS and benefit from opening rates of over 95%.
  • Review management: hellomateo can automatically request online reviews from your customers, which boosts your Google ranking and trust in your company.
  • Data protection: hellomateo meets all German and European data protection requirements and offers end-to-end encryption for secure customer communication.
  • Scalability: Our software is suitable for businesses of all sizes and can be extended indefinitely depending on the package.
  • Diverse AI features: Our AI agent can automatically answer customer inquiries in chat, answer calls, help with the formulation of messages and much more.

About the author

Christian Strauch

Co-Founder and CEO

Christian Strauch is CEO and co-founder of hellomateo and is responsible for the strategic and operational management of the company. In his role, he is particularly responsible for sales, marketing and partners. Under his leadership, hellomateo has developed into a central tool for customer loyalty via WhatsApp, e-mail and letter for more than 2,000 companies.
