Adding people to WhatsApp groups without consent can breach data‑protection law

Everyone has been added to a WhatsApp group at some point — work, university, family — but if someone is added without their explicit consent, the person who added them may be breaching data protection law. This is one of the most common issues handled by the Data Protection Agency (APDA), its president Jèssica Obiols said on Diari TV’s Parlem-ne programme.

Adding someone to a group without permission shares that person’s private phone number with others who may not have wanted it disclosed. Because of WhatsApp’s immediacy, once a piece of information appears in a group it is very hard to retract: photos can be downloaded, messages saved or forwarded across the network in seconds. “When data has been shared in a group, there is no going back,” Obiols warned, noting the difficulty of tracking how far data has spread.

When someone finds their information circulating, formal complaints are directed at the data controller rather than every group member. In a company group the employer is typically the controller; in a group created by a supervisor or coordinator, responsibility falls on the person who created it. There must be someone who can explain what happened and take responsibility, Obiols said.

APDA finds that many of these breaches occur without malicious intent: people often do not realise they are doing anything wrong. For that reason the agency emphasises education about individuals’ rights and about the existence of the agency to help them. The usual procedure, when the breach stems from lack of awareness, is a warning rather than a financial sanction.