RGPD and WhatsApp: What a Clinic Needs to Know About Health Data
Communicating with patients via WhatsApp raises a legitimate question: where is the data stored, who has access to it, and what happens in the event of an audit?

Health data is among the categories most strictly protected by RGPD—and for good reason. A clinic that decides to communicate with patients via WhatsApp therefore has a greater responsibility than a store or a restaurant: it’s not enough for the communication to be effective; it must also be compliant.
What Changes When the Data Is Health-Related
A doctor’s appointment, in and of itself, is already a piece of data that reveals information about a person’s health—the mere fact that an appointment with a particular specialist exists can be sensitive. This means that any system used to manage this communication must comply with the requirements for processing sensitive data: data minimization, specified purpose, and control over who accesses the information.
Where is the data stored?
WhatSMS’s own infrastructure—where conversations and contact data managed by the platform are stored—is hosted on European servers, in line with the privacidade e protecção de dados approach described by the platform. This alone does not resolve the entire issue: WhatsApp is operated by Meta, and any message sent through that channel passes through Meta’s infrastructure as a subprocessor, regardless of where WhatSMS stores its own copy. A clinic that transmits health data via WhatsApp must take this into account in its risk assessment—it is not an issue that goes away simply by choosing a platform with servers in Europe.
Consent and Transparency
RGPD requires that the data subject know how their information is being processed. In practice, this means that the clinic must inform patients that communication via WhatsApp is managed through a platform—something that can be addressed with a simple note in the first message or during the patient’s admission process.
Team Access
Not everyone at the clinic needs to see all the conversations. The system allows you to manage which team members have access to which information—which is important when there are several professionals and only a few of them should be able to view a specific patient's history.
What the clinic should not assume
It’s important to be clear on one point: no tool, on its own, makes a clinic “automatically compliant” with RGPD. Compliance also depends on the clinic’s internal processes—who has access to what, how data is deleted when it is no longer needed, and how the clinic responds to a patient’s request for access or deletion. The platform provides the technical foundation—data storage in Europe, access control, data export—but the clinic remains responsible for its usage policy.
If you have specific questions about your situation, it’s a good idea to get them answered before migrating your clinic’s communications to any new channel—criar conta gratuita allows you to test the platform’s technical functionality while you’re evaluating it.
Frequently asked questions
How long are a patient's data stored on the platform?
Data retention must follow the principle of data minimization — data should only be retained for as long as necessary for the purpose of communication, and the specific retention policy is defined by the clinic, not imposed by the platform.
Does the patient have to give explicit consent to be contacted by WhatsApp?
The RGPD requires transparency regarding how data is handled—the clinic must inform the patient that communication takes place through a platform, for example, by including a note in the first message or during the admission process.
Can a patient request that their data be deleted?
Yes, the right to erasure is one of the rights provided for in RGPD, and the clinic remains responsible for responding to such requests, supported by the platform’s technical tools for data export and deletion.
Is using WhatsApp to communicate health data, in and of itself, prohibited by RGPD?
It is not prohibited, but it requires a careful risk assessment, because WhatsApp is operated by Meta as a subprocessor—the clinic should take this into account when deciding what to communicate through this channel.
Does the platform automatically bring the clinic into compliance with RGPD?
No. The platform provides the technical foundation—data storage in Europe, access control, data export—but compliance also depends on the clinic’s internal processes.