Data protection and instant messenger system solutions for companies

It could be so simple: practically the entire staff already has WhatsApp installed on their smartphone. Why not quickly create a group and use the most popular instant messenger for your internal company communication too? The issue is that WhatsApp, owned by Facebook, does not meet the most basic data protection standards. Our assessment shows that there are far better alternatives.

What you need to know in a nutshell

  • WhatsApp may be the most widely used messenger service but it should not be used for your corporate communication.
  • Even the popular alternative Telegram has some clear data protection weaknesses.
  • Our assessment shows that messenger services that comply with data protection rules do exist.
  • Companies can and should oblige their staff to use secure messenger services.

In this article

Instant messenger and data protection — what is the problem?

Employers in the UK and throughout the European Union are required to guarantee an adequate level of data protection, as per the General Data Protection Regulation (GDPR) which has been in force since 2018. Since communicating via instant messenger involves the exchange of personal data, it is important to consider data protection. However, it is not always that simple, especially when you have data saved on servers all over the world.

A practical example: an employer wishes to use WhatsApp as a communication channel for sick leave. In this case, personal data relating to a member of staff’s absence due to illness are sent and saved on servers belonging to WhatsApp that the employer has no control over.

It is therefore no surprise that courts and data protection authorities have classified the use of WhatsApp as critical for confidential communication since 2017. As you will see from our data protection assessment (results below), WhatsApp cannot be recommended for companies. There are, however, other messenger services that meet data protection requirements and can be used in everyday work.

Can I use messenger for confidential communication?

When data are strictly confidential, the best method of communication is to whisper in your counterpart’s ear. Old-fashioned copper cable landline telephones also offered a high level of confidentiality. But modern office life is very different.

Chats are probably most comparable to an email and we see here that a good messenger is superior to a non-encrypted email when it comes to data protection.

As such, there is no reason to go entirely without messenger services when corresponding on confidential issues. As you will see below, you simply must avoid certain apps.



What constitutes a data protection compliant instant messenger?

For a data protection authority, it is easy to set out the most important criteria for a good messenger:

  • Server location:  the server should be located in the EU or another country within the European Economic Area (EEA), i.e. Norway, Iceland, or Liechtenstein. Please note: the UK is no longer an EU member state and will no longer be bound by the GDPR after 2020.
  • Business model: the messenger should not be financed by advertising that uses the data you send.
  • Encryption: good end-to-end encryption should come as standard in a messenger that meets data protection requirements.
  • Contacts: the messenger should not access your contacts list.
  • Protocol: the instant messaging protocol should be open source.
  • Backup option:  it should be possible to store data locally as required, not only in the cloud.

These six criteria are important from a data protection point of view, which is why we have given them significant weight in our assessment.

There are also other important criteria when it comes to confidential communication:

  • Deleting the account: it should be possible to delete the account via the app.
  • Displaying actions: it should be possible to switch off the message that your counterpart is currently typing. The same applies to notifications that messages have been received/read.

The following is a chart of popular messengers and how each one performs against the aforementioned criteria based on our analysis.


Messenger Criteria





Rocket Chat



Wire – Ist der Messenger eine Konkurrenz für WhatsApp? | Android User




Datei:Telegram logo.svg – Wikipedia


Datei:WhatsApp.svg – Wikipedia


Location of servers (within the EEA); Switzerland was assessed as not having the same but adequate level of 200 points due to the adequacy decision pursuant to Art 46 GDPR and the USA was assessed with 50 points due to the Privacy Shield but the considerable uncertainties around Privacy Shields and the CLOUD Act.
300 300 200 200 50 0 0
Business model Not advertising
200 200 200 200 200 200 0
End-to-end encryption Group chat
200 200 200 200 200 0 200
Access to local address book necessary
200 200 200 200 200 0 0
Standardised, disclosed protocol
100 100 100 100 100 100 0
Backup Possible- On freely selectable storage without cloud
100 100 100 100 100 0 0
Delete account - within the app
50 50 50 50 50 0 50
"Typing" display can be switched off
50 50 50 0 50 50 50
"Receive/Read" indicator can be switched off
50 50 50 50 50 0 50
Rocket Chat is one of the leading open source team chat software solutions.
Secure communication from a Swiss provider.
Wire is arguably one of the most comprehensively publicly audited collaboration and communication software on the market.
Edward Snowden uses Signal.
Telegram claims to prioritise security, making it an alternative to other popular messaging apps.
The main advantage of Whatsapp is the distribution, but the data security is not given.
User numbers
More than 10 million
Approx. 8 million
Not specified
More than 10 million
Approx. 400 million
Approx. 2 biilion
Total points   1250 1150 1100 1000 350 350
Comparison of messenger services in terms of data protection, source: DataGuard Analysis

Which messengers are particularly problematic when it comes to data protection?

Two of the most frequently used instant messengers received a particularly bad rating in our assessment. On the one hand, we have WhatsApp. Despite being used by around two billion people worldwide for communication, it has sub-optimal data protection with the parent company, Facebook. Surprisingly, Telegram, with its 400 million users worldwide, is frequently seen as the shooting star among messengers and (wrongly) as the safe alternative to WhatsApp.

WhatsApp and data protection

Data protection authorities can certainly not give any ‘Likes’ to WhatsApp — especially considering its strong interdependence with its parent company Facebook. Several issues stand out negatively in our assessment:

  • Business model: Facebook earns its money with personalised advertising, something that poses a -substantial risk to WhatsApp given the growing interdependence of the various products.
  • Location: With WhatsApp, data is not stored on servers located in the EU or EEA.
  • Protocol: WhatsApp is the only messenger in the assessment to not have a standardised, open protocol.
  • Contacts: Possibly the most critical point from a data protection point of view is that WhatsApp requires access to the contacts list stored on the device.

While WhatsApp’s end-to-end encryption of group chats is positive, it must be emphasised that the contents are encrypted for transmission, but not the metadata. This means the company can, in principle, see who is in contact with whom at any given time.

Incidentally, we cannot recommend WhatsApp Business either. The Data Processing Agreement with Facebook does not cover the minimum requirements for data processing and transfer. Again, we must emphasise its interdependence with the data leech that is Facebook.

Telegram and data protection

Another messenger is taking advantage of WhatsApp’s slightly damaged public image: Telegram. Founded by Pavel Durov, a Russian entrepreneur living in exile, it currently has around 400 million users worldwide and is rapidly growing. Its two tangible advantages are the business model which does not rely on advertising, and the open standardised protocol.

But the assessment shows that Telegram absolutely cannot be recommended as an alternative to WhatsApp. Telegram has global server locations even in countries which have inadequate data protection measures from a European legal point of view. Telegram offers no encryption options in group chats thereby offering even less than WhatsApp. Thumbs down for Telegram at the office.

Which messengers can be recommended for secure communication?

Rocket Chat is the clear winner in our assessment when it comes to data protection with messenger services. Apps in second and third place, Threema and Wire respectively, can also be recommended without hesitation for communication within companies. Despite otherwise good results, the messenger Signal (personally recommended by Edward Snowden), lost points in our assessment because its server is located in the USA.

Rocket Chat and data protection

The greatest advantage of Rocket Chat as a messenger is that the service can be hosted on your own server, meaning that all data remains within the company. The service can be used via your browser without being installed on your device. In terms of the location of its server (and in all other categories), the app is the only messenger in the assessment to be awarded full points.

For companies, performance and functionality of a messenger are just as important as data protection. The good news: there is no need for Rocket Chat users to compromise. Files, images, and videos can all be sent without issues and the app works on a number of operating systems as well as on Android and iOS.

Threema and data protection

The messenger Threema can be recommended just as strongly as Rocket Chat when it comes to communication that meets data protection requirements. The only reason for the slight deduction in points is their server location in Switzerland. Whether that is an issue is open to discussion, but the fact remains that:, when in doubt, a server location in the EU is always better for companies than one outside the EU.

With Threema, you do not have to provide personal details such as your email address or mobile phone number. The app can be used on the basis of a randomly generated Threema ID without accessing your contacts list, but you can enter your name if you like. All communication is secured with end-to-end encryption.

Wire and data protection

Wire Enterprise is a service tailored specifically for communication within companies. To register, you must provide your email address, but the app does not need to access your contacts list. In addition to messenger services, it also offers the option of making Voice over IP (VoIP) calls.

Wire can be used on smartphones and tablets but also on desktop computers. All communication is end-to-end encrypted. Wire is ‘open source, i.e., the software is transparent and can be checked.

There are, however, two downsides: 1) the server is in Switzerland, where data protection levels are slightly lower than those in the EU and 2) you cannot switch off the feature that allows you to see if your counterpart is currently typing.

Signal and data protection

When it comes to data protection, we cannot entirely recommend using the messenger 'Signal' for communication within companies. Here, our assessment demonstrates just how important the location of the server is. While full scores were achieved in all other data protection-relevant features, physical storage of personal data in the USA, as is the case with Signal, is problematic in terms of data protection law, especially against the background of the ECJ ruling in the ‘Schrems II’ caseof 16 July 2020 on the level of data protection in the USA.

Not sure which messenger service to use now for a secure communication? No problem! Our experts would love to give you more details and recommendations. Feel free to reach out!

Book an appointment

How do I convince my contacts to switch to a secure messenger?

Data protection is a management task. As such, the use of secure messengers simply must be mandated by companies. The board and management need to lead by example. Be clear: WhatsApp and other unsafe messenger services must not be installed on company phones.

It is more difficult for staff if the use of unsafe messengers in the company is already established and widespread. Here, we recommend speaking to your management or your data protection officer about the issue. Only consider an anonymous report to the data protection authorities if this is unsuccessful despite several attempts.

It is surely most difficult to convince your private circle of friends and acquaintances to switch to a messenger that meets data protection requirements. If you need any help with your argument, it might be worth referring to WhatsApp’s T&Cswhich grant WhatsApp full rights of use for private content such as images. It gets lots of people thinking.


All hands should be off insecure messenger services, even if they are convenient and everybody seems to be using them.

If you are part of your company’s management, you are required to lead by example and to set the rules for your company. If you are a member of staff, you at least have good arguments and the clear position of the UK data protection authorities on your side when you attempt to convince your managers of the need for more data protection in messaging. Convenience simply does not pay off in the long run.

Sign up to our newsletter – Get practical tips and invitations to webinars and online Q&A session!

Subscribe now



Image CTA Expert Male 2

Want to learn more about a secure communication? Feel free to reach out to us.

We will be more than happy to help you with any questions.

Book an appointment

About the author

Dr. Niels Beisinghoff Dr. Niels Beisinghoff
Dr. Niels Beisinghoff

Before Dr. Niels Beisinghoff became Legal Counsel at DataGuard, he worked for five years as a management consultant and as a startup entrepreneur. Although the fully qualified lawyer only delved deeper into data protection at DataGuard, his academic years provide initial indications of his later career path: “For me, data protection is a human right that has finally become enforceable with the help of the GDPR. I wrote my doctoral thesis on the enforcement of human rights against companies." Today, he supports international companies from sectors such as logistics, industry, and e-mobility. He likes to spend his free time with family and friends. Incidentally, as a child, he had the largest collection of car pins in the region. We would have loved to have taken a look if someone hadn't stolen it from his cellar ...

Explore more articles

Contact Sales

See what DataGuard can do for you.

Find out how our Privacy, InfoSec and Compliance solutions can help you boost trust, reduce risks and drive revenue.

  • 100% success in ISO 27001 audits to date 
  • 40% total cost of ownership (TCO) reduction
  • A scalable easy-to-use web-based platform
  • Actionable business advice from in-house experts

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • External data protection officer
  • Audit of your privacy status-quo
  • Ongoing GDPR support from a industry experts
  • Automate repetitive privacy tasks
  • Priority support during breaches and emergencies
  • Get a defensible GDPR position - fast!

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Continuous support on your journey towards the certifications on ISO 27001 and TISAX®️, as well as NIS2 Compliance.
  • Benefit from 1:1 consulting
  • Set up an easy-to-use ISMS with our Info-Sec platform
  • Automatically generate mandatory policies

100% success in ISO 27001 audits to date



TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Proactive support
  • Create essential documents and policies
  • Staff compliance training
  • Advice from industry experts

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Comply with the EU Whistleblowing Directive
  • Centralised digital whistleblowing system
  • Fast implementation
  • Guidance from compliance experts
  • Transparent reporting

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Let's talk