WhatsApp groups and their consequences

In light of the AEPD

For more than 10 years, the WhatsApp instant messaging group has settled into every nook and cranny of our lives as a sine qua non for relating to others. And not only with our family and friends, but also as a catalyst for public administrations and companies that include it in their services as a competitive advantage in order to serve the client/citizen immediately.

Millions of people expose their personal data (photos, name and surname, ID number, geolocation, videos, WhatsApp statuses...) without really knowing the consequences that this entails, who can access their data and how the limits should be established. Let us then analyze several important aspects through the prism of data protection:

Is consent alone enough to allow me to be included in a WhatsApp group?

To analyze the issues that now arise, it is first important to clarify that our telephone number is personal data that uniquely and unequivocally identifies us and is therefore also worthy of legal protection.

The Spanish Data Protection Agency[1] has stated on several occasions that consent alone is not enough to include us in a WhatsApp group if we have not explicitly given it for that purpose.

Let's look at an example in which the AEPD imposes a sanction[2] of €4,000 on a Córdoba sports club for violating up to four articles of the General Data Protection Regulation[3], "having processed the claimant's personal data without her consent." Specifically, it considered that Club Deportivo Sansueña violated articles 6 (relating to the lawfulness of processing), 5.1.e (violation of the principle of limitation of the conservation period), 32.1 b) and 32.1 d) (relating to security of processing) of the GDPR: firstly, for not having requested the express consent of the former partner; also, for having kept the former client's personal data during that time without it being necessary to do so; and finally, for not having guaranteed that this information was kept securely during the more than ten years in which the parties had not had any type of relationship.

City councils and the use of WhatsApp as a channel for citizen participation

In the case explained above, we are talking about a private company. But what happens if a public administration, such as a city council, creates a WhatsApp group as a channel for citizen participation?

As we have already mentioned, WhatsApp groups managed without the relevant authorizations from each member (administrators and users) can become a real danger to our privacy. This is clear from resolution 03041/2017 of the AEPD, in which it reprimands the Boecillo City Council[4] (from the south of Valladolid and with barely 4,100 inhabitants) for creating a WhatsApp group in which a town councilor included 255 people to inform them of possible topics of interest to the municipality[5] without “consent or authorization for such treatment.”

But in the case explained below, the Tiana City Council, despite having the explicit consent of each of the members of the WhatsApp group and informing them how their personal data would be treated, is sanctioned by the Catalan Authority of Data Protection[6] for not taking into account art. 25 of the GDPR. Specifically, it is sanctioned for disregarding and violating the principle of data protection by design. The resolution also alludes to another important aspect: the distinction between "group" and "distribution list", two WhatsApp functions that are similar to each other without being the same.

Let's give some background: in July 2021, those responsible at the Tiana town hall created the WhatsApp group called 'Tiana News' with the aim of communicating institutional information and information of general interest to its citizens (this "official communication" channel came to have up to 257 people). Regarding data protection, the city council partially complied with the provisions of article 13.1.c of the GDPR (layered information) and only informed users through a message containing the link to join the group, indicating the identity of the data controller, the legal basis, the purpose of the processing, the data retention period, the possibility of exercising ARCO-LIPO rights[7] through a link that redirected to the electronic headquarters[8] of the City Council, and the means of contact with the data protection delegate. However, it did not explicitly include the right to file a claim with the APDCAT.

The main mistake that the municipal entity made was “not implementing adequate technical and organizational measures to effectively apply the principle of confidentiality. Specifically, it was not guaranteed that the people who joined the WhatsApp group created by the City Council could not access the mobile number, profile photo and username of the rest of the members”, as stated in the resolution of the sanctioning procedure[9].

Despite this, the municipal entity assured the APDCAT that, although it was aware that it had created a WhatsApp group without the due security measure to prevent the data of the participants from being accessible to the rest of the participants, it understood that those who joined it directly assumed such consequences as users. That is, the city council would not have breached data protection regulations if it had opted for the distribution list instead of the WhatsApp group, since in the distribution list communication is unidirectional, with administrators being the only ones who can send messages and who have true control over the security of the information that is published. Thanks to that, “the people included in the distribution list do not know who the other members of the list are and, therefore, cannot access the data of the rest”; the group functionality is not suitable for such purposes.

Finally, the city council is sanctioned for an infringement provided for in article 83.5.b) in relation to article 13, and another infringement provided for in article 83.4.a) in relation to article 25.1 of the GDPR.

What happens with WhatsApp groups of family and friends? And those at school and those at companies?

The above does not apply to WhatsApp groups of family or friends since, as the GDPR itself states, domestic or private activities are outside its scope of application.

As far as school parents' WhatsApp groups are concerned, data protection regulations do not apply either. This does not mean that the consent of each user is always necessary to be included in the group. It is recommended that from the first moment you set limits on its content and establish its purpose.

A different question arises if it is the school itself, as a teaching institution, that decides to create the WhatsApp group motu proprio. In that case, as already noted in the previous paragraph, express, specific and informed consent (in advance) is mandatory to include the parents and/or legal representatives in the group. If it is not done that way, you can report it to the AEPD.

Regarding the use of WhatsApp in the business environment, it is advisable to use WhatsApp Business, since it allows different functions to be integrated, most notably the function that obtains the user's consent before starting to communicate with them. This would serve as proof that the company has expressly requested their consent beforehand, thus complying with the principle of accountability or the principle of transparency.

Therefore, in accordance with everything stated above, it is essential to take into account the multifaceted nature of data protection, analyzing all its facets and its cross-cutting character in their practical application. Staying on the “surface” with the duty to inform in layers is not enough; we must know how to look beyond and anticipate possible future events that pose a risk, and therefore a danger, to our fundamental rights and freedoms.


Bibliography


[1] From now on AEPD

[2] Procedure No.: PS/00260/2021 https://www.aepd.es/es/documento/ps-00260-2021.pdf (Last visited May 28, 2022)

[3] From now on GDPR

[4] Boecillo City Council, Province of Valladolid, Autonomous Community of Castilla y León.

[5] Condemning resolution: R/03041/2017 https://www.aepd.es/es/documento/aapp-00023-2017.pdf (Last visited May 28, 2022)

[6] Hereinafter APDCAT 

[7] Arts. 15-22 of the GDPR, where the rights of Access, Rectification, Deletion (Forgetting), Limitation of Treatment, Portability and Opposition are made explicit.

[8] http://tiana.eadministracio.cat

[9] PS 28/2021 https://apdcat.gencat.cat/web/.content/Resolucio/Resolucions_Cercador/Resolucions/Documents/ca_ps_2021_028.pdf (Last visited May 28, 2022) 
