What is GDPR?

Helpdesk Updated by Helpdesk

What is GDPR?

GDPR (General Data Protection Regulation) governs the use and storage of personal data of EU citizens, regardless of the location where it was acquired. The way data is collected—either by text message, web form, or onscreen prompt—must also illustrate how it will be used. Companies must provide a way for users to opt-out of communications and process these requests quickly.

Until the introduction of the GDPR, real-time communication methods such as SMS and live chat allowed organizations (public, private companies, governments, etc.) to collect data through their interactions with website visitors or customers. Organizations could then continue communications with customers and store the information collected for as long as they wanted.

Now, companies must change how they interact with users and store the data gathered over time. Examining this historical data is ideal for determining the sort of information users tend to provide.

The WhatsApp Business API, provides you with the complete framework to implement this new channel— without compromising your GDPR compliance or security policies.

GDPR with Whatsapp Business API

WhatsApp takes data protection seriously.

WhatsApp acts as a Data Controller and/or Data Processor, depending on the circumstances. When the Enterprise provides its consumer end-users with WhatsApp via the WhatsApp Business API, WhatsApp is a data processor of those consumer end-users to deliver messages from the Enterprise Customers to those end-users. Whatsapp ensures all communications facilitated by WhatsApp Business are compliant with GDPR.

Regarding where an enterprise’s customer data (end-user contacts and messages) is stored, this is the sole responsibility of the Enterprise. 

WhatsApp does not store this data for any longer than necessary, with the sole purpose to route and deliver messages. If a message cannot be delivered immediately, WhatsApp may keep it on our servers for up to 30 days—as WhatsApp continues trying to deliver it. If a message is still not delivered after 30 days, WhatsApp then deletes it. To improve performance and deliver media messages more efficiently, WhatsApp may retain them on our servers for a more extended period. 

In a nutshell, the Enterprise can use its corporate phone numbers, maintaining control of customer data and conversations: It is at the Enterprise’s discretion to create and sustain chat archives for audit trails and analysis according to industry requirements and standards. 


The GDPR has introduced stronger rights and protections for individuals as well as creating new obligations for businesses in terms of how they process individuals’ personal data. We are excited about doing what is best for our customers.

WATI also employs applicable privacy principles and has introduced certain changes to support additional user rights and satisfy all of our obligations. Some example of those changes are set out below.

We will continue to increase transparency and communication with our users to provide you with as clear an understanding as possible about how your personal data is processed.

We will remain dedicated to the approach of “privacy by design and default” through the consistent application of the privacy principles in the GDPR, and the adoption of a privacy-friendly approach in how we operate.

How did we do?