WhatsApp Business & GDPR: A Practical Guide for Swiss and European Companies

Written by Jerome Amoudruz | Oct 15, 2025 1:44:04 PM

Easily navigate data protection rules in Switzerland, France, Portugal, and Spain.


WhatsApp has over 3 billion users worldwide, with a penetration rate of 75 to 85% in most European countries.
For businesses, it’s a must-have channel.
But it also comes with strict legal obligations regarding data protection (GDPR, nLPD, DSA…).

Here’s what you need to know before launching a WhatsApp Business strategy in Europe.


Understanding roles and responsibilities


When you use WhatsApp Business via Sandra, the roles are clearly defined:

  • Your company (Data Controller)
    You decide the objectives: why, when, and to whom to send messages. You remain the owner of the customer relationship.

  • Sandra (Data Processor)
    We operate on your behalf, ensuring technical compliance, data security, and user privacy.

  • Meta / WhatsApp (Sub-processor)
    Provides the technical messaging infrastructure.


In short:
👉 You (the company) are responsible for the legal basis (“why”).
👉 We ensure security, confidentiality, and technical compliance (“how”).


Your main obligations:

Obtain consent

You may not send messages without prior authorization.
According to GDPR and nLPD:

  • Marketing messages: explicit consent is mandatory
      • Unchecked opt-in boxes
      • Clear language
      • Easy opt-out
      • Proof of consent must be recorded
  • Service or support messages: allowed if initiated by the user or necessary for order processing.

Be transparent

Inform your customers about:

  • Data collected (number, content, metadata)
  • Purpose of processing (customer service, orders, tracking)
  • Data retention periods
  • Their rights (access, deletion, objection)

A clear privacy notice in your first message or on your website is enough.

Collect only what is necessary

Request only the information needed for the specific purpose.
Delete data when it is no longer necessary.

Protect the data

WhatsApp encrypts messages, but that’s not enough.
You must:

  • Secure team access
  • Train your staff
  • Limit access rights
  • Plan for incident response
  • Report any breach within 72h if there’s a risk to users

Respect user rights

European and Swiss customers may request:

  • Access to or deletion of their data
  • Correction of errors
  • Portability of their conversations
  • Objection to certain processing activities

Requests must be addressed within 30 days.


What Sandra provides for you on WhatsApp


As your technical processor, Sandra guarantees:

  • Enterprise-grade encryption and secure Swiss hosting
  • GDPR- and nLPD-compliant infrastructure
  • Built-in privacy controls
  • Clear and transparent Data Processing Agreement (DPA)
  • Ongoing legal compliance monitoring and updates

We only process necessary data – and never for our own use.


What about the Digital Services Act (DSA)?


Since February 2024, the DSA regulates large digital platforms in the EU.
WhatsApp, classified as a “Very Large Online Platform” (VLOP) since 2025, is subject to enhanced transparency and content moderation requirements.


👉 For your business, this has no direct impact:
The DSA applies to Meta, not you.
Your regulatory framework remains GDPR and nLPD for customer data management.


Pre-launch checklist

Before going live

  • Write a clear privacy notice
  • Set up consent collection
  • Sign the data processing agreement with Sandra
  • Define data retention policies
  • Limit internal access rights

Ongoing

  • Document the legal basis for each message type
  • Train your teams
  • Respond to user data requests within 30 days
  • Regularly update your compliance practices

At each interaction

  • Include a link to your privacy policy
  • Offer a simple opt-out option
  • Keep conversations only as long as needed
  • Respect customer data privacy

 

Key takeaway

WhatsApp Business compliance relies on 4 simple principles:

  1. Get permission before contacting
  2. Be transparent about data usage
  3. Protect what you collect
  4. Respect user rights

At Sandra, we handle the technical and regulatory complexity so you can focus on what matters most: useful, compliant, and profitable conversations.


About Sandra WhatsApp

Sandra is the WhatsApp Business platform designed for Swiss and European companies.

We combine AI, automation, and GDPR compliance to help brands sell, interact, and build loyalty on WhatsApp – securely.

100% Swiss hosting, built-in compliance, and local support.


📩 Contact: hello@sandra.ch


This article provides general information and does not constitute legal advice. For specific cases, please consult a data protection expert.