Last Modified: October 29, 2020
Definitions. For the purposes of these Data Processing Terms, the following terms have the meanings set out below:
“GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679) including as amended and incorporated into UK law after the GDPR ceases to apply in the UK. “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, and “Processing” have the same meanings as in the GDPR, and “Processed” and “Process” shall be construed in accordance with the definition of “Processing”.
Other capitalized terms used but not defined herein have the meanings set forth in the WhatsApp Business Terms of Service (“Business Terms”) or are otherwise defined contextually within these Data Processing Terms.
Applicability. Where your Processing of Personal Data is subject to the GDPR, you acknowledge that your use of our Business Services may involve sending Personal Data to WhatsApp. To the extent that we process such data as your Processor, these Data Processing Terms apply and are incorporated by reference into the Business Terms, and will govern to the extent of any conflict with the Business Terms.
Our Obligations as Processor. To the extent that WhatsApp processes such Personal Data as your Processor, WhatsApp will:
a. implement appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing or accidental loss, alteration, disclosure, or destruction. These include the measures listed in the Data Security Terms (as updated from time to time, for example, to reflect technological developments) which are expressly incorporated into these Data Processing Terms.
b. notify you without undue delay of the discovery by WhatsApp of any Personal Data Breach;
c. assist you by appropriate and possible technical and organizational measures, taking into account the nature of the processing and the information available to WhatsApp, to enable you to fulfill any obligations to respond to requests for the exercise of Data Subject rights under GDPR;
d. assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to WhatsApp;
e. upon your request, make available to you all information that is reasonably necessary to demonstrate WhatsApp’s compliance with its legal obligations as a data Processor under Article 28 of the GDPR;
f. subcontract its data processing obligations under these Data Processing Terms to a sub-processor only by way of a written agreement with the sub-processors, which subjects those sub-processors to the equivalent obligations imposed upon WhatsApp by these Data Processing Terms; where the sub-processor fails to fulfill such obligations, WhatsApp will remain fully liable to you for the performance of that sub-processor’s obligations. You hereby give WhatsApp a general authorization to engage WhatsApp Inc., other Facebook Companies, and third parties as its sub-processor(s). WhatsApp will notify you in advance of any changes related to its sub-processor(s). If you reasonably object to such changes, you may inform WhatsApp in writing and stop using our Business Services; and
g. upon termination of the Business Terms, cease processing and delete the Personal Data as soon as reasonably practicable; provided that WhatsApp may keep the Personal Data if WhatsApp is required to do so by applicable law, or to the extent that WhatsApp has a contractual right or obligation to use the Personal Data independent of the Business Terms.
Transfer of Personal Data. To the extent GDPR or the data protection laws of Switzerland apply to your Processing under these Data Processing Terms as Controller, the WhatsApp Business Data Transfer Addendum is applicable to data transfers originating in the UK, EU, EEA or Switzerland, and forms part of, and is incorporated by reference into, these Data Processing Terms.