Who is the data controller?
In the WhatsApp Business API context, your company is the data controller for your customers' personal data: you decide why and how it is processed. The BSP (Chat API) is a data processor acting on your documented instructions, and Meta, which operates the WhatsApp infrastructure, acts as a sub-processor further down the chain.
This chain of responsibility must be formalized in a data processing agreement (DPA) with each party (Art. 28 GDPR). Chat API provides a standard, GDPR-compliant DPA. Add a new entry for WhatsApp Business API processing to your record of processing activities (Art. 30 GDPR), naming both processors.
Legal basis for different communication types
For transactional communications (order confirmations, delivery updates, support replies tied to an existing relationship), the most appropriate legal basis is performance of a contract (Art. 6(1)(b) GDPR). For marketing and promotional WhatsApp messages, the legal basis is consent (Art. 6(1)(a) GDPR): it must be freely given, specific, informed and unambiguous, must be recorded so you can prove it, and must be as easy to withdraw as it was to give. Once consent is withdrawn, marketing messages and the data held solely for them must stop and be removed.
Privacy policy and transparency
Update your privacy policy to disclose WhatsApp Business API as a communication channel, specifying: the BSP used (Chat API by Roxpay) and Meta as sub-processor, the purposes of processing and their legal bases, the categories of data handled, the retention periods, and the data subject rights (access, rectification, erasure, objection, withdrawal of consent) together with how to exercise them.
Technical and organizational measures
GDPR does not prescribe a fixed list of controls; Art. 32 requires measures appropriate to the risk. In practice the minimum baseline for a WhatsApp Business API deployment is: access to the management panel restricted to authorized personnel, each with an individual (not shared) account; access and administrative action logs that are retained and reviewed; encryption of data in transit and at rest, including exports and backups; and a documented incident response procedure that covers the 72-hour breach notification deadline (Art. 33).
Define a data retention policy per processing purpose rather than one blanket period: the page's guidance of 12-24 months is a reasonable starting point for most purposes, but each period must be justified against the purpose (storage limitation, Art. 5(1)(e)), and data held only under consent must be deleted when consent is withdrawn. Implement an automated deletion job for expired data and make sure it reaches copies held by the BSP and in backups, not only the primary store.
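As an added illustration (not code from Chat API, Roxpay or the original page), the following Python sketch shows the shape of an automated retention job: records carry the purpose they were collected for, each purpose has its own retention period, marketing records expire immediately when consent is withdrawn, an unknown purpose fails closed instead of being kept indefinitely, and every deletion is written to an audit log that holds identifiers and reasons but no message content. The `RETENTION_DAYS` values, the `MessageRecord` shape and the sample records are assumptions constructed for this example; substitute the periods from your own documented policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed retention periods per processing purpose, in days. These are
# placeholders for the periods documented in your own retention policy.
RETENTION_DAYS = {
    "transactional": 365,   # 12 months
    "marketing": 730,       # 24 months
}


@dataclass
class MessageRecord:
    """One stored WhatsApp conversation record (shape constructed for this example)."""
    record_id: str
    purpose: str                 # "transactional" or "marketing"
    received_at: datetime        # timezone-aware UTC timestamp
    consent_withdrawn: bool = False


def is_expired(record: MessageRecord, now: datetime) -> bool:
    """Return True when the record must be deleted under the retention policy.

    Marketing data loses its legal basis as soon as consent is withdrawn, so it
    expires immediately regardless of age. An unknown purpose raises instead of
    silently keeping the data forever (fail closed).
    """
    if record.purpose == "marketing" and record.consent_withdrawn:
        return True
    try:
        limit = timedelta(days=RETENTION_DAYS[record.purpose])
    except KeyError:
        raise ValueError(f"no retention period defined for purpose {record.purpose!r}")
    return now - record.received_at > limit


def purge_expired(records, now, audit_log):
    """Split records into (kept, deleted_ids), appending one audit entry per deletion.

    The audit entry records only identifiers, purpose and reason, never message
    content, so the log does not become a second copy of the personal data.
    """
    kept, deleted_ids = [], []
    for rec in records:
        if is_expired(rec, now):
            withdrawn = rec.purpose == "marketing" and rec.consent_withdrawn
            deleted_ids.append(rec.record_id)
            audit_log.append({
                "event": "retention_delete",
                "record_id": rec.record_id,
                "purpose": rec.purpose,
                "reason": "consent_withdrawn" if withdrawn else "retention_expired",
                "at": now.isoformat(),
            })
        else:
            kept.append(rec)
    return kept, deleted_ids


def demo():
    """Run the purge over a constructed sample set; returns (kept, deleted_ids, audit_log)."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    sample = [  # constructed sample records
        MessageRecord("tx-old", "transactional", now - timedelta(days=400)),
        MessageRecord("tx-new", "transactional", now - timedelta(days=100)),
        MessageRecord("mk-mid", "marketing", now - timedelta(days=500)),
        MessageRecord("mk-withdrawn", "marketing", now - timedelta(days=30),
                      consent_withdrawn=True),
    ]
    audit_log = []
    kept, deleted_ids = purge_expired(sample, now, audit_log)
    return kept, deleted_ids, audit_log


if __name__ == "__main__":
    kept, deleted_ids, audit_log = demo()
    print("deleted:", deleted_ids)
    print("kept:", [r.record_id for r in kept])
    for entry in audit_log:
        print(entry)
```

Running the sample deletes `tx-old` (older than 12 months) and `mk-withdrawn` (consent withdrawn), and keeps `tx-new` and `mk-mid`. In a real deployment the same job must also trigger deletion at the BSP and invalidate backup copies past their own retention window; a purge that only touches the primary database does not satisfy storage limitation.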