WhatsApp Business Data Processing Terms ("Data Processing Terms")
Last modified: September 27, 2021
Definitions. For the purposes of these Data Processing Terms, the following terms have the meanings set out below:
“Controller” means the natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of Personal Information.
“Personal Information” means any information relating to an identified or identifiable natural person (“Data Subject”) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier or to one or more factors specific to that natural person. The term “Personal Information” also covers information relating to deceased natural persons and/or juristic persons where this is required under applicable Data Privacy Law.
“Personal Information Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information transmitted, stored or otherwise Processed under these Data Processing Terms.
“Processing” means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Processed” and “Process” shall be construed in accordance with the definition of “Processing”.
“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Information on behalf of the Controller.
Other capitalized terms used but not defined herein have the meanings set forth in the Business Terms or are otherwise defined contextually within these Data Processing Terms.
Applicability. These Data Processing Terms apply to the extent that the Business Terms state that WhatsApp Processes Personal Information in your Customer Data as your Processor. In the case of an express conflict between these Data Processing Terms and the Business Terms, these Data Processing Terms will govern solely to the extent of the conflict.
Our Obligations as Processor. To the extent required by applicable Data Privacy Law, WhatsApp and you agree to the following:
WhatsApp shall only Process Personal Information in accordance with your instructions as set out in the Business Terms and these Data Processing Terms.
WhatsApp confirms that:
the duration, subject matter, nature and purpose of the Processing shall be as specified in the Business Terms;
the types of Personal Information Processed comprise customer contact information as described in the Business Terms;
the categories of Data Subjects comprise customers with whom you communicate using the WhatsApp service; and
your obligations and rights as Controller in relation to this Personal Information are as set out in these Data Processing Terms.
WhatsApp shall ensure that any person authorised to Process Personal Information under these Data Processing Terms is bound by appropriate obligations of confidentiality.
WhatsApp will implement appropriate technical and organizational measures to protect the Personal Information processed under these Data Processing Terms including against unauthorized or unlawful Processing or accidental loss, alteration, disclosure, or destruction. These include the measures listed in the Data Security Terms (as updated from time to time, for example, to reflect technological developments) which are expressly incorporated into these Data Processing Terms;
WhatsApp will notify you without undue delay of the discovery by WhatsApp of any Personal Information Breach;
Taking into account the nature of the Processing and the information available to WhatsApp, WhatsApp will assist you in your role as a Controller, by appropriate technical and organisational measures, insofar as this is possible, in fulfilling any obligations under Data Privacy Law applicable to you as a Controller to respond to requests from Data Subjects regarding the exercise of their Data Subject rights;
To the extent required by Data Privacy Law applicable to you as the Controller, the Processor agrees to support your obligations as a Controller, in particular regarding the security of the Processing or regarding Personal Information Breaches, by providing you with reasonable assistance, taking into account the nature of the Processing and the information available to WhatsApp;
Upon your request, WhatsApp will make available to you all information and provide all assistance that is reasonably necessary to demonstrate WhatsApp’s compliance with its legal obligations as a Processor under these Data Processing Terms;
WhatsApp may subcontract its Processing obligations under these Data Processing Terms to a sub-processor, who may be based in a country other than the one in which you or WhatsApp are located given the global nature of the WhatsApp service, including the European Economic Area or the United States, only by way of written agreement that shall impose obligations on the sub-processor that are no less rigorous than the obligations imposed upon WhatsApp by these Data Processing Terms. WhatsApp will remain fully liable to you for the performance of that sub-processor’s obligations. Where WhatsApp Ireland is your contracting entity, the WhatsApp Business Data Transfer Addendum applies and is incorporated by reference into these Data Processing Terms.
Without limiting Section 3.i. above, you hereby authorize WhatsApp to engage other Meta Companies and third parties as its sub-processor(s). Subject to applicable Data Privacy Law, WhatsApp will notify you in advance of any changes related to its sub-processor(s). If you reasonably object to such changes, you may inform WhatsApp in writing and stop using our Business Services; and
Upon termination of the Business Terms, WhatsApp shall cease Processing Personal Information and shall delete it within the time period set forth in the Business Terms unless applicable law requires further storage or to the extent that WhatsApp has a right or obligation to use the Personal Information independent of the Business Terms.