WhatsApp Business Data Processing Terms ("Data Processing Terms")
Last Modified: September 20, 2021
These WhatsApp Business Data Processing Terms apply to you if you signed up for the WhatsApp Business Services (as defined in the WhatsApp Business Terms of Service) before September 27, 2021. If you signed up for the WhatsApp Business Services on or after September 27, 2021, WhatsApp provides the Business Services under these Terms of Service and Data Processing Terms.
- Definitions. For the purposes of these Data Processing Terms, the following terms have the meanings set out below:
"GDPR" means the General Data Protection Regulation (Regulation (EU) 2016/679) including as amended and incorporated into UK law after the GDPR ceases to apply in the UK. “LGPD” means “Lei Geral de Proteção de Dados” (Law 13.709/2018). "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", and "Processing" have the same meanings as in the GDPR or LGPD, as applicable to your case, and "Processed" and "Process" shall be construed in accordance with the definition of "Processing".
Other capitalized terms used but not defined herein have the meanings set forth in the WhatsApp Business Terms of Service ("Business Terms") or are otherwise defined contextually within these Data Processing Terms.
- Applicability. Where your Processing of Personal Data is subject to the GDPR or, to the extent WhatsApp LLC is your contracting entity, you are in Brazil and your Processing of Personal Data is subject to LGPD, you acknowledge that your use of our Business Services may involve sending Personal Data to WhatsApp. To the extent that we process such data as your Processor, these Data Processing Terms apply and are incorporated by reference into the Business Terms, and will govern to the extent of any conflict with the Business Terms.
- Our Obligations as Processor. To the extent that WhatsApp processes such Personal Data as your Processor, WhatsApp will:
a. implement appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing or accidental loss, alteration, disclosure, or destruction. These include the measures listed in the Data Security Terms (as updated from time to time, for example, to reflect technological developments) which are expressly incorporated into these Data Processing Terms.
b. notify you without undue delay of the discovery by WhatsApp of any Personal Data Breach;
c. assist you by appropriate and possible technical and organizational measures, taking into account the nature of the processing and the information available to WhatsApp, to enable you to fulfill any obligations to respond to requests for the exercise of Data Subject rights under GDPR or LGPD;
d. assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 of the GDPR or Articles 46 to 49 of the LGPD, taking into account the nature of the processing and the information available to WhatsApp;
e. upon your request, make available to you all information that is reasonably necessary to demonstrate WhatsApp’s compliance with its legal obligations as a data Processor under Article 28 of the GDPR or under the LGPD;
f. subcontract its data processing obligations under these Data Processing Terms to a sub-processor only by way of a written agreement with the sub-processors, which subjects those sub-processors to the equivalent obligations imposed upon WhatsApp by these Data Processing Terms; where the sub-processor fails to fulfill such obligations, WhatsApp will remain fully liable to you for the performance of that sub-processor’s obligations. You hereby give WhatsApp a general authorization to engage WhatsApp LLC, other Facebook Companies, and third parties as its sub-processor(s). WhatsApp will notify you in advance of any changes related to its sub-processor(s). If you reasonably object to such changes, you may inform WhatsApp in writing and stop using our Business Services; and
g. upon termination of the Business Terms, cease processing and delete the Personal Data as soon as reasonably practicable; provided that WhatsApp may keep the Personal Data if WhatsApp is required to do so by applicable law, or to the extent that WhatsApp has a contractual right or obligation to use the Personal Data independent of the Business Terms.
- Transfer of Personal Data. To the extent GDPR or the data protection laws of Switzerland apply to your Processing under these Data Processing Terms as Controller, the WhatsApp Business Data Transfer Addendum is applicable to data transfers originating in the UK, EU, EEA or Switzerland, and forms part of, and is incorporated by reference into, these Data Processing Terms. To the extent that WhatsApp LLC is your contracting entity and LGPD applies to your Processing under these Data Processing Terms as Controller, Company acknowledges the global nature of the WhatsApp services as described in the "Our Global Operations" section of the "WhatsApp Business Terms of Service" and acknowledges that all international transfer will be made in accordance with LGPD principles and obligations and specific regulation, as applicable.