GDPR applies even if your business is outside Europe
If you message customers based in the European Economic Area, GDPR applies regardless of where your business is headquartered. WhatsApp does not exempt you from this. The platform is just the channel; the law follows the data subject.
Lawful basis for processing
Every WhatsApp interaction with an EEA customer needs a lawful basis under Article 6. For marketing messages, that is almost always consent. For utility and service messages tied to a contract or legal obligation, contract performance or legitimate interest may apply. Document the basis you rely on for each type of message.
Consent done right
Consent under GDPR must be specific, informed, freely given and unambiguous. A pre-ticked box does not work. Bundling WhatsApp consent with general terms of service does not work. The customer must take a clear affirmative action that names WhatsApp as the channel and your business as the sender.
Right of access
European customers can ask for a copy of all their personal data you hold, which includes WhatsApp message history. Build a process to export this data on request, typically within one month. Storing chats in a searchable CRM rather than only inside agent inboxes makes this far easier.
Right to erasure
Customers can ask you to delete their personal data. WhatsApp message history must be included unless you have an overriding legal reason to retain it. Make sure your message storage system supports per-customer deletion and not just bulk wipes.
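The two requirements above, per-customer export for access requests and per-customer erasure that respects an overriding retention reason, are easier to see in code. The following is an added example written for this page, not code from the page or from Meta. It uses a constructed in-memory store with made-up customer ids and messages; the class and method names are assumptions, and a real system would back this with the CRM or database that actually holds the chats.

```python
"""Added example (not from the page): per-customer access export and erasure
over a constructed WhatsApp message store, with legal-hold handling and an
audit trail of what was done in response to each request."""
from dataclasses import dataclass, asdict


@dataclass
class Message:
    customer_id: str
    direction: str   # "inbound" (from customer) or "outbound" (from business)
    sent_at: str     # ISO 8601 timestamp, UTC
    body: str


@dataclass
class ErasureRecord:
    """Audit entry: what happened to an erasure request and why."""
    customer_id: str
    requested_at: str
    outcome: str     # "erased" or "retained"
    reason: str


class MessageStore:
    """Hypothetical store keyed by customer, so requests act on one data subject only."""

    def __init__(self):
        self._messages = {}      # customer_id -> list[Message]
        self._consents = {}      # customer_id -> consent record (dict)
        self._legal_holds = {}   # customer_id -> stated retention reason
        self.audit = []          # list[ErasureRecord]

    def record_consent(self, customer_id, channel, sender, source, given_at):
        # Consent is stored with the channel and sender it names, and where it came from.
        self._consents[customer_id] = {
            "channel": channel, "sender": sender, "source": source, "given_at": given_at,
        }

    def add_message(self, msg):
        self._messages.setdefault(msg.customer_id, []).append(msg)

    def place_legal_hold(self, customer_id, reason):
        # An overriding legal reason to retain data must be explicit and recorded.
        self._legal_holds[customer_id] = reason

    def export_customer(self, customer_id):
        """Right of access: everything held about exactly this customer, JSON-ready."""
        return {
            "customer_id": customer_id,
            "consent": self._consents.get(customer_id),
            "messages": [asdict(m) for m in self._messages.get(customer_id, [])],
            "legal_hold": self._legal_holds.get(customer_id),
        }

    def erase_customer(self, customer_id, requested_at):
        """Right to erasure for one customer; other customers' data is untouched."""
        if customer_id in self._legal_holds:
            record = ErasureRecord(customer_id, requested_at, "retained",
                                   self._legal_holds[customer_id])
        else:
            self._messages.pop(customer_id, None)
            self._consents.pop(customer_id, None)
            record = ErasureRecord(customer_id, requested_at, "erased",
                                   "data subject request")
        self.audit.append(record)   # keep a record of the decision, not the data
        return record


def build_sample_store():
    """Constructed sample data: two customers, one of them under a legal hold."""
    store = MessageStore()
    store.record_consent("cust-A", "whatsapp", "Example Shop Ltd",
                         "checkout opt-in checkbox", "2024-05-01T09:00:00Z")
    store.add_message(Message("cust-A", "inbound", "2024-05-02T10:00:00Z", "Where is my order?"))
    store.add_message(Message("cust-A", "outbound", "2024-05-02T10:05:00Z", "It ships today."))
    store.record_consent("cust-B", "whatsapp", "Example Shop Ltd",
                         "web form", "2024-05-03T11:00:00Z")
    store.add_message(Message("cust-B", "inbound", "2024-05-04T12:00:00Z", "I want a refund."))
    store.place_legal_hold("cust-B", "open chargeback dispute")  # constructed reason
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print(store.export_customer("cust-A"))
    print(store.erase_customer("cust-A", "2024-06-01T10:00:00Z"))
    print(store.erase_customer("cust-B", "2024-06-01T10:30:00Z"))
```

The design point is that both operations take a single customer id: erasing one customer leaves the others intact, a held customer's data is retained with the stated reason rather than silently skipped, and the audit list records the outcome of every request without keeping the erased content.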
Data processing agreements
Your BSP (Business Solution Provider), AI vendor, CRM provider and any other third party that touches the messages is a data processor. You need a written data processing agreement with each of them. Without it, you breach Article 28, and regulators treat that seriously.
Cross-border transfers
If your messaging stack stores data outside the EEA, transfer mechanisms like Standard Contractual Clauses are required. WhatsApp itself uses approved mechanisms for its global infrastructure, but your downstream tools may not. Audit every link in the chain.
Privacy notices
Publish a privacy notice that specifically covers your WhatsApp practices. Cover what you collect, why, how long you retain it, with whom you share it, and how customers exercise their rights. Link to the notice in your opt-in flow.
Data breach response
If WhatsApp messages are exposed in a security incident, GDPR requires you to notify the relevant data protection authority within 72 hours and, if the risk to individuals is high, the affected customers as well. Have an incident response plan ready before you need it.
Working with the platform
Meta provides documentation and contractual terms aligned with GDPR for WhatsApp Business Platform customers. Use them as a starting point, then add your own controls and policies on top.