Sending messages via the WhatsApp Business API is attractive for many B2C use cases: reservation confirmations, shipping notifications, appointment reminders, customer service. At the same time, the channel raises data protection questions that you, as the controller, need to address before going live.
At a glance
- Messages are routed through Meta servers in the US. Legal basis: EU-US Data Privacy Framework, supplemented by Standard Contractual Clauses.
- You need a Data Processing Agreement (DPA) with seven.io and should be familiar with Meta's WhatsApp Business Terms and DPA.
- Sending to end users requires documented consent, ideally via double opt-in.
- Your Privacy Policy must be extended with a WhatsApp section.
Who is involved?
| Party | Role | Location |
|---|---|---|
| You as a seven.io customer | Data controller | Your country |
| seven.io | Processor (Art. 28 GDPR) | Germany |
| Meta Platforms Ireland Ltd. | Contracting party for WhatsApp Business in the EEA | Ireland |
| Meta Platforms, Inc. | Operates the cloud infrastructure | USA |
| End recipient | Data subject | Worldwide |
This is how data flows: you submit the message to seven.io, seven.io forwards it to Meta (contracting party Meta Platforms Ireland Ltd., cloud infrastructure operated by Meta Platforms, Inc. in the US), and Meta delivers it to the end recipient.
Third-country transfer to Meta (USA)
With every send, personal data is necessarily transferred to Meta systems:
- the recipient's phone number,
- the content of the message (text, media, templates, variables),
- technical metadata (delivery timestamp, read/receipt status, error codes).
According to Meta, WhatsApp message content between business and end user is encrypted in transit, but accessible to Meta as the cloud operator to the extent necessary for providing the service. Processing in the US by Meta Platforms, Inc. is therefore technically unavoidable and constitutes a third-country transfer within the meaning of Chapter V GDPR.
Legal basis for the third-country transfer
Since 10 July 2023, the EU-US Data Privacy Framework (DPF) provides an adequacy decision by the EU Commission. Meta Platforms, Inc. states that it is certified under the DPF. Transfers to DPF-certified US recipients can therefore generally be based on Art. 45 GDPR.
In addition, Meta and seven.io continue to use EU Standard Contractual Clauses (SCCs, Art. 46 GDPR) as a fallback, in case DPF status lapses or specific processing activities are not covered.
Attention
Despite the DPF, residual Schrems II risks remain: access powers of US security authorities (FISA 702, Executive Order 12333), the practical effectiveness of the legal remedy mechanisms created by Executive Order 14086, and possible future CJEU proceedings. For sensitive data, a documented risk assessment (Transfer Impact Assessment, TIA) is recommended.
Which agreements you need
1. Data Processing Agreement (DPA) with seven.io
Since seven.io sends messages on your behalf, you conclude a DPA according to Art. 28 GDPR. seven.io provides such an agreement.
2. Contractual basis with Meta
Usage is additionally governed by Meta's WhatsApp Business Terms of Service and WhatsApp Business Data Processing Addendum (DPA). For certain processing activities Meta acts as a processor, for others (platform security/integrity) potentially as an independent or joint controller. Which role Meta takes in any individual case follows from Meta's current contractual documents.
Tip
Document Meta's role in each processing step in your Record of Processing Activities (RoPA).
Legal basis for sending to end users
The transfer to Meta is one side. Equally important: On what legal basis are you sending to your recipients in the first place?
Consent as the standard
For sending WhatsApp messages, a documented, explicit consent under Art. 6(1)(a) GDPR is generally required. WhatsApp is a private channel, so the threshold for direct contact is correspondingly high.
Additional rules apply:
- § 7 UWG (German Act Against Unfair Competition) - promotional contact requires prior consent.
- TDDDG (formerly TTDSG) - additional requirements as soon as the recipient's device is accessed or data is stored on it.
Transactional vs. promotional
| Criterion | Transactional | Promotional |
|---|---|---|
| Examples | Reservation confirmation, shipping status, appointment reminder | Promotions, discounts, newsletters, cross-selling |
| Legal basis | Contract/pre-contract (Art. 6(1)(b)), opt-in recommended | Consent required (Art. 6(1)(a)) |
| § 7 UWG | Generally not directly applicable | Applies |
| Best practice | Documented, channel-specific opt-in | Documented, channel-specific opt-in |
Important
Example: A restaurant confirms reservations via WhatsApp. The reservation form contains a clear, unchecked checkbox "Send confirmation via WhatsApp". This is the clean approach, even if the message itself is transactional.
Recommendation: double opt-in
With double opt-in, the recipient enters their number and then actively confirms via WhatsApp (e.g. by sending a keyword or clicking a confirmation link). This proves that the number actually belongs to the consenting person.
For each consent, record at least: timestamp, wording, source (e.g. web form URL), IP address or comparable evidence, and a clear association with the phone number.
Updating your Privacy Policy
| Topic | What to include |
|---|---|
| Channel name | "WhatsApp Business API" |
| Recipients | Meta Platforms Ireland Ltd. and Meta Platforms, Inc. (USA) |
| Third-country transfer | Reference to the US, EU-US Data Privacy Framework, supplementary SCCs |
| Legal basis | Art. 6(1)(a) GDPR (or (b) for contract performance, where applicable) |
| Retention period | For phone numbers, message content, log data |
| Withdrawal | Reference to the right to withdraw at any time and an easy way to do so (e.g. "STOP" via WhatsApp) |
| Residual risk | Plain-language note on the US third-country transfer |
A possible direction for wording (not a finished legal text):
We use the WhatsApp Business API to contact you via the channels you have chosen. In doing so, your phone number and the content of the message are transferred to Meta Platforms Ireland Ltd. and Meta Platforms, Inc. (USA). The legal basis is your consent under Art. 6(1)(a) GDPR. The transfer to the US takes place on the basis of the EU-US Data Privacy Framework, supplemented by Standard Contractual Clauses. You can withdraw your consent at any time with effect for the future.
Caution
Have the specific wording reviewed by your data protection officer or a specialised lawyer. It does not replace legal advice.
Practical checklist
- Capture opt-in per recipient and channel with documentation (timestamp, wording, source).
- DPA with seven.io signed and stored in your DMS.
- WhatsApp Business Terms and DPA from Meta reviewed and roles assigned.
- Privacy Policy extended with a WhatsApp section.
- Record of Processing Activities (RoPA) extended for WhatsApp messaging.
- Processes for access, rectification, deletion, and withdrawal defined.
- Transfer Impact Assessment (TIA) for the US transfer prepared and kept up to date.
- Employees who send or reply to WhatsApp messages are trained on data protection.
Frequently asked questions
Do I also need an opt-in for pure order confirmations?
This is legally debated. § 7 UWG generally does not apply to purely transactional messages, and Art. 6(1)(b) GDPR generally supports sending them. In practice, however, many supervisory authorities still recommend a channel-specific opt-in, because WhatsApp is a private channel and the recipient should explicitly agree to be contacted there.
Is the EU-US Data Privacy Framework sufficient as a legal basis?
For the third-country transfer alone, yes. Residual risks from US surveillance laws remain, which is why seven.io and Meta additionally rely on Standard Contractual Clauses and a Transfer Impact Assessment is advisable.
What happens when consent is withdrawn?
You must stop sending to the withdrawing number, mark the consent record as "withdrawn", and check whether you need to remove the number from active contact lists. For pure WhatsApp templates, the withdrawal only affects marketing templates - transactional messages within an existing contract remain permissible as long as a separate legal basis exists.
How long may I store WhatsApp messages?
There is no fixed deadline. Store data only as long as necessary for the purpose. Marketing logs are typically deleted upon withdrawal or after 3 years at the latest; transactional data is governed by commercial and tax law retention periods.
Disclaimer
This article is for general information and reflects the state at the time of publication. It does not replace individual legal advice. Coordinate concrete implementations with your own data protection officer or a specialised attorney.