WhatsApp is the most popular Messenger. But is WhatsApp also good for employee communication in the company? And can you use alternatives like Signal or Telegram without any problems? The Football Association (DFB) recently announced that employees could no longer use WhatsApp for internal communication. The reason?
“It is important to the DFB to comply with the data protection regulations and guarantee a high level of data protection overall,” said the DFB to BASIC thinking. That is not necessarily the case with WhatsApp. Now the association is looking for alternatives. But is it even possible for any service to combine data protection, Messenger and simple employee communication?
Which aspects of data protection companies must consider in internal messenger communication, why no messenger can be used without hesitation and why completely legally secure data protection with messengers is never possible.
WhatsApp In The Company: These Legal Bases Apply
The companies that we advise with our HK2 law firm are very sensitive to the topic and do not deal with it carelessly. But that does not mean that they have a solution to the problem of corporate messenger use and data protection. If we only limit ourselves to internal employee communication, what do companies generally have to pay attention to if they want to introduce a messenger service?
First of all, you should be aware that in addition to the General Data Protection Regulation (GDPR), other legal aspects of messengers in the company must also be observed – namely civil law such as labor law or contract law. However, concerning the GDPR and data protection, a company must first see what the legal basis is to use messenger services in this regard in a data protection-compliant manner. This also applies if messengers are only used for internal employee communication.
The most important legal bases for this can be found in Article six of the GDPR and in Section 26 of Section 26 in the Federal Data Protection Act, which says:
Personal data of employees may be processed for the employment relationship if this is necessary for the decision on the establishment of an employment relationship or, after the establishment of the employment relationship, for its implementation or termination of the exercise or fulfilment of a law or a collective agreement, an operating or Service agreement (collective agreement) resulting in rights and obligations of the interests of the employees is required.
The word “required” is very important here. Because required means – in short – there is no better option in terms of data protection law to implement the planned processing. And that is usually not the case with Whats App, for example. The fact that a messenger service is needed in the company can generally be well justified.
WhatsApp In The Company: A Legal Risk?
Where Exactly Are The Risks Or Hurdles Concerning The GDPR?
WhatsApp is often the choice for Messenger. And WhatsApp processes personal data when uploading the address book stored on the smartphone. Technically, you can prevent this upload. However, in practice, this is not done because WhatsApp can then no longer be used effectively. As soon as personal data is processed, there are strict requirements for processing and use due to data protection laws.
In a business context, one should not only have to demonstrate that the Service is necessary for performing the employment. The Messenger should also only be used for business purposes. For example, employees cannot have private conversations or speak to their WhatsApp contacts. This applies if the use is to be implemented without the employee’s consent. If you want to work with permission, you have more leeway. Still, the problem is that the approval of employees is difficult to obtain effectively under data protection law – and this could be revoked at any time.
VPN Server And Dual SIM
Couldn’t employees create a separate WhatsApp account on a company cell phone and only use it for internal communication? Theoretically yes. In practice, I don’t know of any company where this works. It starts with the fact that many employees find the use of two cell phones too cumbersome and, in the end, are only willing to use their smartphones.
Wherever company cell phones are used, there is still the challenge that many employees log in with their private WhatsApp account and then, in turn, incorporate personal contact details that are not purely business-related into business communication. Further mixing of private and business use of business devices is complex in terms of data protection law and can hardly be resolved properly.
Even if all employees only communicate with company cell phones exclusively via company accounts and only with their colleagues, the employer, as the person responsible for data protection, has to ensure that the user only takes place within the framework of the GDPR. That is possible, but with various requirements. It is legally easier if the data processing is technically separated. Companies implement this, for example, with dual SIM-capable smartphones and VPN access, which relocates all company-related processing to the employer’s server.
The encrypted channel can be switched off remotely when employees leave the company. If the cell phone is lost, company data is not at risk because it is not stored on the device. However, this solution is technically a little more complex and may not be an option for every company.
Signal, Telegram And Co .: Good Alternatives To WhatsApp In The Company?
Suppose the main problem with WhatsApp in the company is processing personal data. Would companies be on the safe side with other messengers such as Signal or Telegram, which anonymize data?
In any case, you have a few fewer problems with data protection. Because the more clearly a messenger service says which data it transmits or stores in encrypted form, the easier it is for companies to assess whether the services are GDPR-compliant and what legal risk they are taking when using them.
So here, you have to look at the individual messenger services and check carefully whether and to what extent data protection compliance appears feasible. Hardly any company will infer from the product description alone whether encryption is implemented following state of the art and whether, for example, the service provider has no access to the key. On the other hand, the provider’s data protection agreements are easier to find. However, it isn’t easy to validly check this without the help of an IT lawyer.
Problem: Server Location The USA
The DFB has stated that the server location of the services in the USA is legally problematic for the use of messengers in the company. This is because the USA is an “unsafe third country” from an EU data protection point of view. Can this problem be solved at all? Often not. Because even if a company could implement the business use of a messenger service internally according to the requirements of the GDPR, exporting data to a company based in the USA is problematic.
The reason for this is that the requirements set by the European Court of Justice for data export to the USA cannot be met. In the USA, there is a lack of state structures and measures to protect the fundamental right of EU citizens to data protection. This misalignment cannot be compensated for by standard contractual clauses of the EU Commission, which are otherwise quite applicable.
Some US companies, for example, offer cloud services at least to guarantee technical processing within the EU. This contributes to the risk assessment under data protection law. It is not a solution to the problems of data protection law. And messenger services could hardly guarantee that either.
But there are also some messengers such as Threema or Wire that use European servers. That’s correct. This does not mean that all use is legally compliant. However, the company’s data protection risk assessment is shorter here. But: In everyday life, these messenger services are not relevant, especially in comparison to WhatsApp. Unfortunately.
Messenger Use In The Company: Better Not?
If there are all these problems with messengers and especially WhatsApp, why don’t companies say: We don’t use messengers? Companies certainly say that. In practice, however, many hardly have a choice. If the operational business depends on it – and the communication channels already arise in the pitch – you can either talk a lot about data protection or get the contract.
Since many clients have significantly higher demands elsewhere simultaneously, it is a challenge to find the right way here. In addition, there are often expectations of the employees. Many, mainly younger employees, expect to use Messenger and, above all, WhatsApp.
However, companies can now handle that certain services are not unproblematic in terms of data protection law. It is important not to remain inactive – for example, because everyone uses the Service and there is nothing you can do here. It is important to describe and check the specifically planned use. A risk assessment in text form helps. Because you can track them occasionally or show them to the inspecting supervisory authority. Over time, many services are better “discontinued” by the provider regarding data protection law.
If a messenger service is used, it is also important to inform employees how their data will be processed. Often there are also training courses in companies to make employees aware of the legally compliant use of WhatsApp and Co. An IT policy is a useful tool for defining clear and legible guard rails. Yes, and you have to be aware of this when you use Messenger in a company: there is no such thing as zero risk in data protection law. Just shades of grey.