Current: Are WhatsApp's new terms of use compliant with data protection?

WhatsApp plans to revise its rules on May 15, 2021. In it, the powers for data processing will be renewed and expanded. What WhatsApp presents as a small formality is quite questionable in view of the GDPR.

Should WhatsApp want to pass on its users' data (personal data as defined by the GDPR) to its parent company Facebook, which may be facilitated by the new regulations (at least according to the Hamburg Data Protection Commissioner, Prof. Dr. Johannes Caspar), there would have to be a legal basis for this.


The Group could invoke the users' consent (Art. 6 I lit. a DSGVO), which it is currently trying to obtain.

According to Caspar, however, there is a lack of transparency in this regard. The user's consent is not given in an informed manner. The voluntary nature of the consent is also very limited, since the scope of use is to be restricted step by step if consent is refused, even though consent is not required for the usage options offered to date.

Legitimate interest

However, the Group may have a legitimate interest within the meaning of Art. 6 I lit. f DSGVO.

Caspar emphasizes at this point that this is not the case. Rather, the interests of the users are more important.


Caspar initiated an emergency procedure pursuant to Art. 66 I GDPR. This lasted for three months. As part of this, he issued an order against the Group prohibiting the processing of personal data from WhatsApp insofar as this is done for its own purposes. Immediate enforcement was ordered. It remains to be seen how this will be reacted to (also by the actually responsible Irish authority).

For further information, the press release of the Hamburg Commissioner for Data Protection and Freedom of Information of 11.05.2021 is recommended.

DSB buchen