10 points to comply with GDPR while using WhatsApp by a school or university

If you are interested in using WhatsApp and wonder about the why or the how more generally, you can find more about it in this post (WhatsApp Business App tailored to universities). The post and some other research were also the basis for a workshop held last week at #SPacademy, where I got many questions on GDPR. This article is therefore meant to help schools and universities stay in line with GDPR while using WhatsApp, ordered according to a typical customer journey:

  1. If prospective students contact you at a fair, via email, through the contact form on your website, by phone, through an agent, Skype etc. – basically anything but WhatsApp – then you are not allowed to reach out to them through WhatsApp unless you have an explicit opt-in (e.g. via a check box or a non-required field in the form, as in the screenshot above – from a test though). This is based on Articles 6.1 and 7.2 GDPR.
  2. If the students contact you directly through WhatsApp (e.g. with a form or a direct link), their action is “a clear affirmative action” (Article 4.11) to have their data processed by you.
  3. If you want to reach out to students whose details you got from another party, simply do not reach out to them on WhatsApp unless they have given consent for this to the other party, which I doubt at this point. If they have given you their mobile number without an explicit WhatsApp consent, you can write them one message on WhatsApp telling them that they can now also reach you on WhatsApp with questions about studying at your institution and that you will delete their contact details on WhatsApp after this message (based on Article 6.1 f). A response from them automatically starts a new conversation and can again be interpreted as a clear affirmative action.
  4. Where WhatsApp stores the (encrypted) data is an issue for WhatsApp, not for the educational institution, and WhatsApp is working on adhering to the law.
  5. Still, you are storing the personal information at least on your phone (and maybe also the contact details on Google), and you are obliged to inform the students about the data stored, especially about the following points (and to make sure these data storage points are considered in your data handling and security procedures):
    1. Person responsible for the data protection at your institution,
    2. The purpose of storing the information,
    3. Its legal basis,
    4. How long you store it,
    5. The rights to have it deleted and to complain to the authorities
  6. We have put together an example declaration text for the greeting message available in the WhatsApp Business App. If you set it up accordingly, the student will automatically receive the following text at the beginning of your WhatsApp conversation. Feel free to use it or modify it to your needs or your interpretation of the law (but beware of the character limit):
    • “Thank you for your interest. To comply with the EU law on data protection, we happily tell you that we store your information/ this conversation together with your phone number to answer questions you have about our university. We can only do this, because you have given us consent in a form or by reaching out first. We will keep this information until we haven’t heard from you for 1 year or until you want us to delete it. For any further questions on storing this information you can reach John Doe at john.doe@princes-education.com. In case of a complaint, there is an authority for this.”
  7. The text consciously omits some points. Here are the omitted points and the reasons behind them:
    1. Whether any of the data collected is necessary for the collaboration – this is left out because the nature of WhatsApp indicates a storage of data for non-legal information. If you use it for students to send and receive application documents or similar important information, you should mention this point though.
    2. WhatsApp allows you to see when a person was last online or is typing something at this moment – left out, as it is not really stored, but can be overwritten at any time by the student. The same logic is applied to the profile picture. As the student voluntarily uses WhatsApp in the conversation with you and your institution, all WhatsApp features become visible to the institution and all can be changed by the student at any time.
    3. A conscious trade-off is made between providing clear or concise information to the student and how unaware the student is of information being shared with the institution, especially as some functions in WhatsApp that ensure this initial declaration is received in a timely manner and by all your WhatsApp contacts (i.e. the “Greeting message” function) have character limits.
  8. After you have informed the students about their rights, you can start contacting them.
  9. If you want them to join a group, you are not allowed to simply add them to a group. You can invite them with a group invitation link, and at some point there might be a feature where other group members do not see each other’s details, but for now this feature is not live.
  10. If you write that you will delete their data at a certain point, you also need to put a process in place to delete the data. Luckily, WhatsApp sorts the conversations by recency, so you can easily find the students with whom you haven’t spoken for a year and then delete their contact details as well as the chats. But someone needs to have this in their job description.

These are recommendations based on the interpretation of the law. It remains to be seen how the law is going to be interpreted by courts and how it might be modified in the next years. But for now, I would be delighted to hear in the comments where this interpretation of the law differs from yours, how much you like it and anything else that comes to your mind on this topic.
