The use of work-related chat groups: The DPA stresses the need for concrete internal guidelines for managers
The Belgian Data Protection Authority (DPA) issued a decision following a complaint lodged by a student worker after her supervisor had shared private WhatsApp messages in a work-related WhatsApp group with other colleagues. The DPA held that this constituted unlawful processing of personal data. Although the employer had already implemented numerous technical and organisational measures to ensure compliance with the General Data Protection Regulation (GDPR), the DPA found that it had not adopted internal guidelines governing the use of work-related WhatsApp groups.
Facts
A student worker had exchanged private WhatsApp messages with her supervisor. After she communicated her resignation via WhatsApp, the supervisor shared screenshots of these private conversations in a work-related WhatsApp group with other colleagues. The screenshots showed the student’s first and last name as well as the content of the messages. The student had not consented to this and only became aware through a third party that her messages had been shared internally.
The employer did not dispute the facts and acknowledged the unlawful nature of the conduct, but stated that sharing private messages in a work-related WhatsApp group was not in line with the expectations it places on its managerial staff.
Decision of the litigation chamber of the DPA
In its decision of 27 January 2026 (Decision no. 10/2026), the DPA held that sharing the private messages in a work-related WhatsApp group constituted unlawful processing of personal data. The DPA emphasised that the employer, as the data controller, remains responsible for compliance with the GDPR, even where the processing is carried out by an employee. Processing activities performed by employees are deemed to take place under the authority and supervision of the employer.
The GDPR requires controllers to implement appropriate technical and organisational measures in order to prevent infringements of the GDPR and to ensure the right to data protection. According to the DPA, such measures may, in this context, include clear internal policies, targeted training, and awareness-raising initiatives for employees with regard to data protection.
The employer outlined the measures it had already taken to ensure GDPR compliance. These included general codes of conduct requiring employees to treat one another with dignity and respect, and emphasising that employees’ privacy must be respected and protected. Employees were also required to complete mandatory e‑learning courses every two years to refresh these principles. In addition, the employer had implemented a globally applicable Data Protection Policy, supplemented by an informative brochure and guidelines setting out “do’s and don’ts”. Employees were further required to complete annual mandatory GDPR e‑learning training, and had access to an intranet platform containing information on key GDPR concepts, a toolbox, practical tips, and explanations of individual responsibilities of staff members in the context of data protection.
Following the complaint, the employer also decided to draw up an informative memo for its operational management staff, providing specific instructions on the use of work-related WhatsApp groups and reiterating the applicable data protection rules.
Despite these measures, the DPA held in this prima facie decision – in which it expresses a preliminary assessment without ruling definitively on the merits – that there was no valid legal basis for sharing the private conversations in a work-related chat group. According to the DPA, the established infringement may indicate that the technical and organisational measures in place were insufficient or insufficiently implemented. In particular, the DPA noted the absence of a specific policy aimed at operational management staff. The DPA therefore encouraged the employer’s intention to remind its managers of their obligations under the GDPR by means of a dedicated memo.
Sanction
The DPA imposed a warning on the employer. The employer is required, going forward, to develop and comply with a data protection policy specifically addressed to managers, in order to prevent similar incidents in the future.
Key message
With this decision, the DPA confirms that employers remain responsible for the processing of personal data carried out by their employees, even when such processing takes place via informal communication tools such as WhatsApp or Messenger. Employers must take the necessary measures to ensure compliance with the GDPR. These measures also include the adoption of concrete internal guidelines governing the use of work-related chat groups and the handling of personal data in that context.