GDPR and Marketing Messages: What You Need to Know in 2026
Keeping your business compliant doesn't have to be a nightmare. A practical guide to privacy in mobile communication — without legalese.
Why GDPR matters for those using WhatsApp and SMS in business
The General Data Protection Regulation (GDPR) applies to any business processing personal data of European Union residents — regardless of the company's size or the country where it is based.
Sending a WhatsApp or SMS message to a customer is processing personal data. The mobile number is personal data. The content of the message may contain further personal data. The conversation history is a collection of personal data.
In recent years, national data protection authorities have significantly increased enforcement actions against SMEs. Fines can reach up to 4% of annual global turnover or 20 million euros — whichever is higher.
The three principles that matter for marketing messages
1. Legal basis for processing
To send marketing messages, your company needs a legal basis. The two most common for direct communication are:
Consent (Art. 6(1)(a)): The customer has given explicit authorization to receive marketing communications. This consent must be freely given, specific, informed, and unambiguous (a checkbox checked by the user, not pre-checked).
Legitimate interest (Art. 6(1)(f)): This can be invoked for communications with existing customers, about products or services similar to those they have already purchased, provided there is an easy opt-out. This ground is narrower than consent and must be assessed case by case.
2. Right to opt-out
Anyone receiving marketing communications has the right to object at any time. Your messages must include a clear and functional opt-out mechanism.
For WhatsApp: include "Reply STOP to opt out of further messages" and honor that request immediately.
For SMS: the same. And record all opt-out requests — authorities can request this record.
3. Purpose limitation and data minimization
Do not collect data you do not need. If you collect a mobile number to send order confirmations, you cannot use that number for marketing campaigns without new consent for that specific purpose.
What to record and store
Data protection authorities may request evidence of compliance. Keep records of:
- When and how consent was obtained (date, source, form, or checkbox used).
- Exactly what the user authorized.
- Opt-outs received and the date they were processed.
- Data retention: how long you keep numbers and conversations.
Data Processing Agreements (DPA)
If you use a messaging platform like WhatSMS, you are handing your customers' personal data over to a sub-processor. The GDPR requires a data processing agreement (DPA) between your company and the provider.
WhatSMS provides a DPA for all clients, confirming that data is processed exclusively within the European Union (Hetzner servers in Germany and Austria).
Transactional vs. Marketing Messages
This distinction is crucial. GDPR rules for marketing are much stricter than for transactional communications.
Transactional messages (do not require marketing consent): order confirmations, delivery alerts, appointment reminders, account notifications, replies to customer-initiated requests.
Marketing messages (require a specific legal basis): promotions and discounts, new product launches, newsletters via WhatsApp or SMS, proactive upsell/cross-sell.
If you send an order confirmation message and include a discount coupon at the end, the message becomes partially a marketing message. Err on the side of caution at this boundary.
Practical checklist
Before launching your next campaign, check:
- Do you have a documented legal basis for each segment of recipients?
- Do the messages include a clear and functional opt-out?
- Do you have a record of when and how consent was obtained?
- Is there a signed DPA with your messaging platform provider?
- Are customer data kept only for as long as necessary?
- Does the team know the procedure to respond to data access, rectification, or deletion requests?
GDPR compliance is not a one-time project — it is a continuous practice. But with the right processes in place, the maintenance effort is minimal.