Millions of businesses use WhatsApp to communicate with clients, suppliers, and colleagues. It is fast, familiar, and available on every smartphone. But every WhatsApp conversation containing personal data is subject to GDPR, and archiving those conversations - whether for legal hold, regulatory compliance, or dispute resolution - creates data protection obligations that many businesses have not properly considered.
GDPR and Business Communications
WhatsApp messages exchanged in a business context almost always constitute personal data. The sender's name or phone number, the recipient's contact details, and any personal information discussed in the conversation all fall within the GDPR definition of personal data. This is true regardless of whether the conversation takes place on a business WhatsApp account or a personal one used for work purposes.
Processing personal data requires a lawful basis under GDPR Article 6. When a business creates an archive of WhatsApp conversations, that archiving is itself a processing activity and must be justified. The most commonly applicable bases for archiving business communications are legitimate interests, legal obligation, and the performance of a contract.
The Lawful Basis for Archiving
Legitimate interests under Article 6(1)(f) is the most flexible basis and can justify archiving where the business has a genuine need to retain records - for example, to defend against future legal claims or to demonstrate regulatory compliance. A legitimate interests assessment should be documented, weighing the business's interest against any potential impact on the individuals whose data is being retained.
Legal obligation under Article 6(1)(c) applies where a law or regulation requires the retention of business communications. Financial services firms regulated by the FCA, for example, have specific record-keeping obligations that may require them to archive client communications including those conducted via WhatsApp. Where a legal obligation exists, it must be identified and documented as the basis for retention.
Data Minimisation - Article 5(1)(c)
GDPR Article 5(1)(c) requires that personal data be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. When archiving WhatsApp business records, this principle requires you to consider whether you need to retain the entire conversation or only the substantive content. Personal data in a conversation that is not relevant to the business purpose of the archive should be redacted before storage.
In practice, data minimisation means reviewing archived chats for personal data that is peripheral to the business purpose and removing it. A contract negotiation chat may contain personal health information shared incidentally - that data is not relevant to the contract record and should be redacted. Automatic PII redaction applied at the point of archiving is an efficient way to meet this requirement at scale.
Retention Periods
GDPR Article 5(1)(e) requires that personal data be kept no longer than is necessary for the purposes for which it is processed. For business WhatsApp archives, the appropriate retention period depends on the purpose of the archive. Records kept for contract performance can generally be deleted once the contract has ended and any limitation period for claims has expired. In the UK, the standard contractual limitation period is six years.
Industry-specific requirements may impose longer or shorter retention periods. Solicitors and legal professionals may be required to retain client communication records for six years or more after a matter closes. Financial services firms may face different requirements depending on the type of transaction or advice. Healthcare providers may be subject to medical records retention requirements even for informal communication channels. Whichever period applies, it should be documented in a retention schedule and enforced systematically.
Third-Party Data in Business Chats
Business WhatsApp conversations frequently contain personal data belonging to individuals who are not party to the conversation. A client might share a colleague's contact details, a supplier might disclose information about an employee, or a contractor might forward details about a third party. When that conversation is archived, the third party's data is being processed without their knowledge.
Handling this third-party data compliantly requires considering whether it is necessary to retain it. Where a third party's contact details or personal information appear in a business conversation but are not relevant to the business record being kept, redacting that data before archiving is the correct approach. This reduces the organisation's processing footprint and mitigates the risk of a third-party data subject making a complaint about data they did not consent to share.
Data Subject Access Requests
When a client or other data subject makes a Subject Access Request under GDPR Article 15, they are entitled to receive a copy of all personal data you hold about them. WhatsApp business records may fall within scope. Before disclosing a chat record in response to a SAR, you must redact the personal data of any other individuals in the conversation - unless those individuals have consented to disclosure or another specific condition applies.
For organisations that hold large volumes of WhatsApp records, responding to SARs can be resource-intensive. Having a consistent archiving process - with PII redaction applied at the point of archiving - makes SAR responses significantly faster. If each archived record has already had third-party data removed, you can produce the document with minimal additional effort rather than having to review and redact each message manually in response to a request.
Practical Compliance Steps
A defensible GDPR-compliant archiving process for WhatsApp business records follows a clear sequence. First, export the relevant chat from WhatsApp. Second, apply PII redaction to remove third-party personal data that is not necessary to the business record. Third, convert the chat to a structured, tamper-evident format such as a PDF. Fourth, store the PDF in a secure, access-controlled location. Fifth, record the retention period in your organisation's retention schedule and implement a deletion process for records that have reached the end of their retention period.
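One way to carry out steps 2 and 5 of this sequence in code, as an added example that is not part of the original article or of any product it mentions: it parses constructed lines in the layout of a WhatsApp chat export, redacts phone numbers and e-mail addresses from message bodies while keeping timestamps and participant names, computes the retention expiry from a contract end date, and (one step beyond the text) records a SHA-256 digest of the redacted record so that later alteration can be detected. The export layout, the regexes and all sample data are assumptions.

```python
import re
import hashlib
from datetime import date

# Constructed sample in the layout of a WhatsApp "Export chat" text file.
# All names, numbers and addresses are invented.
SAMPLE_EXPORT = """\
12/03/2024, 09:14 - Alice Example: Hi, can you send the signed contract?
12/03/2024, 09:16 - Bob Example: Sure. If I am out, my colleague Carol is on +44 7700 900123.
12/03/2024, 09:17 - Bob Example: Her email is carol@example.com
12/03/2024, 09:20 - Alice Example: Thanks, contract attached."""

# "dd/mm/yyyy, hh:mm - Sender: message"; continuation lines of a message carry no prefix.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}, \d{2}:\d{2}) - ([^:]+): (.*)$")
PHONE_RE = re.compile(r"\+?\d[\d ]{8,}\d")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")

def redact_pii(text: str) -> str:
    """Replace phone numbers and e-mail addresses in message text with tokens."""
    text = PHONE_RE.sub("[PHONE REDACTED]", text)
    return EMAIL_RE.sub("[EMAIL REDACTED]", text)

def redact_export(export_text: str) -> str:
    """Step 2: keep timestamps and participant names, redact PII in message bodies."""
    out = []
    for raw in export_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts, sender, body = m.groups()
            out.append(f"{ts} - {sender}: {redact_pii(body)}")
        else:
            out.append(redact_pii(raw))  # continuation of a multi-line message
    return "\n".join(out)

def archive_digest(redacted_text: str) -> str:
    """SHA-256 of the redacted record; store it with the archive so edits are detectable."""
    return hashlib.sha256(redacted_text.encode("utf-8")).hexdigest()

def retention_expiry(contract_end: str, years: int = 6) -> str:
    """Step 5: ISO contract-end date plus the limitation period (six years in the UK)."""
    end = date.fromisoformat(contract_end)
    try:
        expiry = end.replace(year=end.year + years)
    except ValueError:  # 29 February with no leap day in the target year
        expiry = end.replace(year=end.year + years, day=28)
    return expiry.isoformat()

def due_for_deletion(contract_end: str, today: str, years: int = 6) -> bool:
    return today >= retention_expiry(contract_end, years)  # ISO dates compare as strings
```

Pattern matching catches structured identifiers such as numbers and addresses; free-text personal data like the incidental health information mentioned earlier still needs human review before the record is stored.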
Using a PDF with PII redaction applied creates a record that demonstrates GDPR Article 5 data minimisation compliance.
Archive your WhatsApp business records compliantly with WaChat to PDF.