In its decision of 27 January 2026 (No. 10/2026), the Belgian Data Protection Authority (DPA) ruled on a complaint by a student worker whose supervisor had shared private WhatsApp messages in a work-related WhatsApp group with other colleagues. The DPA held that this constituted unlawful processing of personal data. Although the employer had implemented various technical and organisational measures to ensure compliance with the General Data Protection Regulation (GDPR), the DPA found that it lacked concrete internal guidelines governing the use of work-related chat groups.
Facts
A student worker had exchanged private WhatsApp messages with her supervisor. After she communicated her resignation via WhatsApp, the supervisor shared screenshots of these private conversations in a work-related WhatsApp group with colleagues. The screenshots revealed the student’s first and last name, as well as the content of the messages. The student had not consented to this disclosure and only became aware of it through a third party.
The employer did not contest the facts and acknowledged the unlawful nature of the conduct, stating that sharing private messages in a work-related WhatsApp group was not in line with the expectations it places on its managerial staff.
Decision of the DPA’s litigation chamber
The DPA confirmed that sharing the private messages in a work-related WhatsApp group constituted unlawful processing of personal data. It emphasised that the employer remains responsible, as data controller, for GDPR compliance, even where the processing is carried out by an employee. Processing activities performed by employees are deemed to take place under the authority and supervision of the employer.
The DPA recalled that controllers must implement appropriate technical and organisational measures to prevent GDPR infringements. In this context, such measures may include clear internal policies, targeted training, and awareness-raising initiatives for employees regarding data protection.
The employer outlined a series of measures already in place, including general codes of conduct requiring respect for colleagues and their privacy, mandatory e‑learning courses, a global Data Protection Policy, internal guidelines with practical “do’s and don’ts”, annual GDPR training, and extensive information made available via the internet.
Following the complaint, the employer also decided to prepare an informative memo for its operational management staff, providing specific instructions on the use of work-related WhatsApp groups and reiterating the applicable data protection rules.
Despite these efforts, the DPA held that no valid legal basis existed for sharing the private conversations in a work-related chat group. According to the DPA, the infringement suggested that the existing measures were either insufficient or insufficiently implemented. In particular, the DPA noted the absence of guidance specifically addressed to operational management staff and welcomed the employer’s intention to adopt a dedicated memo for this group.
Sanction
The DPA imposed a warning on the employer and required it to develop and comply with a data protection policy specifically addressed to managers, in order to prevent similar incidents in the future.
Key message
This decision confirms that employers remain responsible for the processing of personal data carried out by their employees, even when such processing takes place via informal communication tools such as WhatsApp. Ensuring GDPR compliance therefore also requires concrete internal guidelines on the use of work-related chat groups and on the handling of personal data in that context.
Authors
Lucas De Vooght and Inger
