The Risk of GDPR Fines: Why Companies Need a Legally Compliant Messenger

The Advantages of Instant Messaging for Companies

Organizations of all types and sizes have come to rely on messaging services as a quick and versatile means of communication. Employees use chat services all the time to exchange sensitive corporate data. The rise of remote and mobile work in the wake of the COVID-19 pandemic has led to a growing interest in chat apps for fast and straightforward communication in work environments.

Instant messaging offers significant benefits:

  • High flexibility: Information can be shared quickly and easily via instant messaging even with employees who work from home or are on the go.
  • Efficient one-to-many communication: Using group chats, distribution lists and news feeds, the entire workforce, certain departments, or individual employees and external contributors can be addressed in a fast and efficient manner. The information can be transmitted in various forms (texts, images, videos, files, links, and voice messages).
  • Employee satisfaction: The staff already uses instant messengers outside of the office and has no trouble adopting them in the workplace.

It is therefore almost impossible for companies to do without a chat service. The challenge is to find a secure and GDPR-compliant messenger that offers both the required functionality and sufficient ease of use. Because companies often lack the necessary expertise, there’s a lot of uncertainty about which popular chat apps can safely be adopted at work.

The Risk of GDPR Fines: Do Popular Messengers Conform with Data Protection Laws?

When using messengers like WhatsApp, a great deal of personally identifiable data is stored and processed. While users have to explicitly grant access to their address book, the services more often than not collect the metadata that accumulates when using the app and chatting with contacts. In view of the European General Data Protection Regulation (GDPR), this is more than problematic, and confidential corporate information frequently ends up in the hands of third parties.

To avoid GDPR fines, it is imperative for companies to get clear on the regulations regarding privacy compliance and messenger use in the workplace and take the necessary measures.

Study Confirms: Most Messaging Apps Are Not GDPR-Compliant

In November 2021 the renowned FZI Research Center for Information Technology in Karlsruhe published a comprehensive study on “data protection and the protection of trade secrets in corporate communication.” It sheds light on the current legal situation concerning the corporate use of instant messengers in the EU, particularly in Germany. There is also a practical guide based on the results of the study, which offers helpful advice on choosing a suitable, GDPR-compliant messenger for the workplace.

The FZI concludes:

“Especially instant messengers developed for private use do not meet the relevant legal requirements for data protection as well as the protection of trade secrets in the European Union.”

Dr. Manuela Wagner, lead author of the study

Breach of Data Protection Laws: Companies Face Heavy Fines

Companies can incur serious financial damage for non-compliance with the European data protection regulations: violations can lead to fines of up to 20 million euros or 4% of the global turnover in the previous year.

77,000 GDPR fines imposed on German companies

In 2020, about 160 million euros worth of fines were issued for data protection violations. Germany recorded 77,000 GDPR violations, which is the largest number since the framework was introduced.

According to the “Datenschutzkanzlei,” the following penalties have been imposed on German businesses:

  • 14,500,000 euros against real-estate company Deutsche Wohnen SE
  • 1,240,000 euros against AOK Baden-Württemberg
  • 900,000 euros against telecommunications service provider 1&1 Telecom GmbH

Study: Privacy-Compliant Messengers for Business Communication

The current legal situation regarding the corporate use of instant messengers is complex and rather confusing. According to the study mentioned above, few messaging solutions are suitable for business communication because most do not comply with the GDPR.

However, full compliance with data protection laws is crucial to protect corporate data and trade secrets and to avoid hefty GDPR fines. The FZI study puts forward three main recommendations for companies:

Take Measures to Ensure Data Protection

Companies that want to use instant messengers are advised to study the relevant legal requirements in detail. They should only consider privacy-friendly technologies and make the necessary organizational, legal, and technical arrangements to protect both the sensitive data itself as well as any metadata from misuse.

At the same time, effective data protection depends on awareness and responsible behavior among the staff. When a company introduces a messaging solution, all staff members should be educated about its lawful use.

Avoid Messenger Apps from Countries Outside the EU

The study strongly advises against using messenger services that involve the transfer of data to a country outside of the European Union if no adequacy decision has been adopted by the European Commission.

The transfer of personal data to the United States in particular is deemed highly problematic ever since the EU–US Privacy Shield was invalidated. The CLOUD Act allows intelligence services and investigative authorities in the United States to access personal data from companies in the EU and Switzerland at any time if the data is stored on US servers.

All about EU–US data transfers

To find out which rules currently apply to data transfers to the US, read our blog post “1 Year Since the Invalidation of the Privacy Shield Agreement: 5 Recommended Actions for Privacy-Compliant and Secure Corporate Communication.”

Separate Personal and Professional Communication

The authors of the study also recommend keeping private and corporate communication strictly separate. That way, sensitive company data cannot fall into the hands of third parties by means of insecure chat apps. Businesses should introduce a GDPR-compliant messenger that was developed for corporate use and is reserved for sharing work-related information.

A GDPR-Compliant Messenger: The Safe Choice

In contrast to chat services developed for personal use, Threema Work fully meets the requirements for a secure and privacy-compliant messenger.

Therefore, Threema’s business messenger enables companies and organizations to communicate in line with legal requirements, protect their data, and benefit from all the advantages instant messaging has to offer.

Threema’s Business Messenger enables companies and organizations to communicate in a legally compliant way and allows them to make use of instant messaging’s many benefits without giving up privacy and data protection.