Does GDPR apply to my WhatsApp marketing if I am based in India?

Yes, if you offer goods or services to people in the EU or monitor their behavior. Article 3 of the GDPR sets extraterritorial scope — the law applies based on where the data subject is, not where your business is registered. An Indian D2C brand shipping to Germany on WhatsApp is a GDPR controller for those German customer numbers.

What is a lawful basis for WhatsApp marketing under GDPR?

Article 6 of the GDPR lists six lawful bases. For WhatsApp marketing the practical bases are: (a) consent under Article 7, which must be freely given, specific, informed and unambiguous via a clear affirmative action, or (b) legitimate interests under Article 6(1)(f) for limited transactional messaging where the user reasonably expects it. Marketing typically requires consent.

What GDPR penalties apply to WhatsApp violations?

Article 83 of the GDPR sets two tiers of administrative fines: up to 10 million EUR or 2% of global annual turnover for procedural breaches, and up to 20 million EUR or 4% of global annual turnover for breaches of core principles, consent and data subject rights. EU supervisory authorities have applied both tiers to WhatsApp-related cases.

Do EU customers have a right to erasure for WhatsApp data?

Yes. Article 17 of the GDPR provides the right to erasure ("right to be forgotten"). When an EU data subject asks you to delete their WhatsApp number and conversation history, you must comply within one month under Article 12, unless an exception applies. PostEngage.ai supports one-click erasure with confirmation receipt and audit log.

Can I transfer EU customer WhatsApp data to India?

Yes, but only under one of the GDPR Chapter V safeguards: an adequacy decision (India does not currently have one), Standard Contractual Clauses (SCCs) signed with your processor, Binding Corporate Rules, or specific derogations in Article 49. The 2021 EU SCCs are the most common path. Always run a Transfer Impact Assessment as set out in the EDPB Recommendations 01/2020.

Do I need an EU representative under GDPR Article 27?

Most non-EU controllers processing EU data must designate an EU representative under Article 27. Exceptions exist for occasional processing of low-risk data. Best practice for any Indian brand with regular EU customers is to appoint a representative — they are the point of contact for supervisory authorities and data subjects.

Are FREE keyword auto-replies GDPR compliant?

Yes — when the user initiates the conversation. The act of messaging your business is unambiguous consent for the service interaction under Article 7. PostEngage.ai's FREE keyword replies fire only inside this user-initiated 24-hour window, which is the lowest-risk lawful basis under both Meta policy and GDPR.

Is this article legal advice?

No. This is informational. GDPR is interpreted differently across 30 EU/EEA supervisory authorities. Always consult a qualified EU data protection lawyer for binding advice on your situation.

WhatsApp GDPR Compliance for Automation: 2026 Guide for EU Customers

Not legal advice. GDPR is enforced by 30 EU/EEA supervisory authorities with diverging interpretations. Always consult a qualified EU data protection lawyer for binding guidance.

Does GDPR Apply to Your Indian Brand?

Article 3(2) of the GDPR sets extraterritorial scope. The law applies whenever a controller or processor — regardless of where it is established — offers goods or services to people in the EU, or monitors their behavior in the EU. Practically:

Your D2C site accepts EU shipping addresses → GDPR applies to those customer records.
Your tutor/coach platform sells courses payable in EUR → GDPR applies.
Your ads target EU audiences on Meta → GDPR applies to clicks and downstream messaging.

Lawful Basis for WhatsApp Marketing

Article 6 of the GDPR requires at least one of six lawful bases. For WhatsApp marketing the practical choices are:

Article 6(1)(a) Consent — most common for marketing. Must satisfy Article 7: freely given, specific, informed, unambiguous, clear affirmative action, easy to withdraw.
Article 6(1)(b) Contract — applicable only for transactional messages tied to a real contract (order shipped, appointment reminder).
Article 6(1)(f) Legitimate interests — very limited use for marketing; requires a Legitimate Interest Assessment and easy opt-out.

For the opt-in mechanics, see our WhatsApp opt-in best practices guide.

Data Subject Rights to Honor

Chapter III of the GDPR grants eight rights:

Article 15 — Right of access (provide a copy of the data you hold)
Article 16 — Right to rectification
Article 17 — Right to erasure
Article 18 — Right to restriction of processing
Article 20 — Right to data portability
Article 21 — Right to object
Article 22 — Rights regarding automated decisions
Article 7(3) — Right to withdraw consent at any time

Article 12 requires responding within one month. Failure attracts the higher tier of fines.

Cross-Border Transfers to India

Chapter V of the GDPR governs transfers outside the EU. India does not have an adequacy decision under Article 45, so transfers rely on Article 46 safeguards. The two main routes:

Standard Contractual Clauses (SCCs) — the 2021 SCCs are the standard. Sign with your processor (e.g. cloud provider, automation platform).
Binding Corporate Rules (BCRs) — only for intra-group transfers within a multinational.

After Schrems II (CJEU C-311/18) you must also run a Transfer Impact Assessment using the EDPB Recommendations 01/2020 framework, and consider supplementary technical measures such as encryption at rest.

Allowed vs Not Allowed Under GDPR

Allowed

Explicit unchecked-checkbox opt-in with purpose

Session replies after user-initiated chat

EU-region storage for EU customer data

2021 SCCs + Transfer Impact Assessment

Article 17 erasure within 30 days

Not allowed

Pre-ticked or hidden consent

Transfers to India without SCCs or BCRs

Ignoring access or erasure requests

Profiling without lawful basis & transparency

No EU representative when one is required

Penalties — How Bad Does It Get

Article 83 GDPR sets two fine tiers, and supervisory authorities actively use both:

Tier 1: up to 10 million EUR or 2% of global annual turnover (whichever is higher) — for procedural breaches like records, breach notification.
Tier 2: up to 20 million EUR or 4% of global annual turnover — for breach of consent rules, data subject rights or international transfers.

Beyond fines, EU supervisory authorities can order processing to stop entirely — a much sharper business risk than the headline number.

How PostEngage.ai Supports GDPR Compliance

Official Meta Cloud API as a Meta Business Partner — Meta is the data processor for the messaging layer.
Standard Contractual Clauses available in the Data Processing Agreement for EU customer data.
EU-region storage option for EU customer profiles.
Article 15 access export and Article 17 erasure built in.
Consent capture stamped with timestamp, source, exact wording, and IP — the audit chain that supervisory authorities expect.
FREE keyword auto-replies fire inside the user-initiated 24-hour service window — minimal GDPR risk surface.

For Indian customer data parallels see our DPDP compliance guide and our deeper India privacy walkthrough.

Frequently Asked Questions

Does GDPR apply to Indian brands?

Yes, whenever you offer goods or services to people in the EU.

What is the max GDPR fine?

20 million EUR or 4% of global turnover, whichever is higher.

Can I transfer EU data to India?

Yes — under 2021 Standard Contractual Clauses plus a Transfer Impact Assessment.

Are FREE keyword replies GDPR safe?

Yes — user-initiated chats give unambiguous service consent.

Sell into the EU on WhatsApp — GDPR-Ready

PostEngage.ai gives you SCCs, EU-region storage, Article 17 erasure and consent audit logs on the official Meta Cloud API. FREE keyword replies. 100 AI credits.

Start Free