Personnel File Shared via WhatsApp Group
Why sharing employee personnel files through WhatsApp groups is a serious data protection violation and what consequences companies face.
The Scenario
At a mid-sized manufacturing company in Munich with around 280 employees, an important personnel decision is on the table. Thomas Bergmann, a team lead in production for the past three years, is being considered for promotion to department manager. The HR director, Claudia Meier, wants to align the decision with the other team leads before finalizing the recommendation.
On a Tuesday evening at 7:47 PM — well after office hours and outside the company network — Claudia opens the WhatsApp group "Production TL Round" on her personal smartphone. The group contains eight team leads, the head of production, and Claudia herself. She types: "Here's Thomas's file for our Thursday meeting. Please treat this confidentially!" and attaches a 14-page PDF.
The document contains Thomas Bergmann's complete personnel file: his employment contract with salary details (68,400 euros gross annual salary plus bonus agreement), two medical certificates documenting extended sick leave, a written warning from 2023 for repeated tardiness, performance reviews from the last three years, internal notes about a conflict mediation session with a colleague, and his private home address and bank account details.
Within minutes, several group members read the message. Team lead Marco Schulz, who had been hoping for the promotion himself, takes screenshots of the salary information and the written warning. The next morning, he shows these screenshots to two colleagues in the cafeteria — "Look at what Bergmann earns, and he even has a written warning!" The information spreads rapidly. By noon, at least 15 additional employees know about Thomas's salary, his written warning, and his medical leave history.
Thomas Bergmann learns on Thursday morning from a friendly colleague that his complete personnel file has been circulating in a WhatsApp group. He is devastated. The medical certificates relate to treatment for depression — information he had deliberately shared only with the HR department. Thomas feels exposed and violated. He contacts an employment lawyer that same day.
The Risks
Forwarding a personnel file via WhatsApp triggers a cascade of risks that extend far beyond the initial transmission.
Uncontrolled Distribution: Once a document lands in a WhatsApp group, the sender loses all control. The file is automatically saved on every group member's device — personal smartphones that may lack passwords, may not be encrypted, or may be shared with family members. Deleting the message does not remove the already-downloaded file from recipients' devices.
Screenshots and Forwarding: WhatsApp offers no protection against screenshots. Every group member can take screen captures at any time and forward them at will — via email, in other chats, or even on social media. There is no way to trace or prevent this activity.
Health Data as a Special Category: The medical certificates in Thomas's file contain health data, which under the GDPR qualifies as a special category of personal data subject to heightened protection. The disclosure of a mental health condition can lead to stigmatization, workplace bullying, and severe personal distress.
Workplace Conflict and Loss of Trust: Knowledge of salary differences, written warnings, and confidential personnel decisions poisons the work environment. Affected employees lose trust in the HR department and company leadership. In this case, Thomas Bergmann has not only a legitimate claim for damages — he will very likely leave the company entirely.
No Traceability: Who read the file, when it was forwarded, and where it was saved cannot be reconstructed after the fact. The company cannot fully comply with its notification obligations to the supervisory authority, which further aggravates the violation.
Legal Consequences
Sharing a personnel file via WhatsApp touches multiple legal provisions simultaneously and can pose an existential threat to the company.
Art. 9 GDPR — Processing of Special Categories: Health data belongs to the specially protected data categories. Its processing is generally prohibited and only permitted under narrowly defined exceptions. Sharing medical certificates in a WhatsApp group with ten people falls under none of these exceptions. Supervisory authorities treat violations of Art. 9 as particularly serious.
Art. 6 and Art. 32 GDPR — Lawfulness and Security: There is no legal basis under Art. 6 GDPR for forwarding the personnel file in this manner. Furthermore, using WhatsApp for confidential personnel data violates the obligation to implement appropriate technical and organizational measures under Art. 32. A personal smartphone with WhatsApp meets none of the requirements for secure data processing.
National Employment Data Protection Laws: Most EU member states have specific regulations governing the processing of employee data. In Germany, Section 26 of the Federal Data Protection Act (BDSG) restricts the processing of employee data to what is strictly necessary for the employment relationship. Sharing complete personnel files with eight team leads for an informal promotion discussion far exceeds what is necessary.
Employment Law Consequences: The HR director Claudia Meier faces a formal warning or even immediate dismissal. Violating confidentiality obligations in handling personnel files constitutes a serious breach of contractual duties. The company is also required to report the incident to the works council, if one exists.
Works Council and Co-determination: Where a works council exists, it has a right to be informed about the incident. The works council can demand organizational measures — such as binding guidelines for handling personnel data or the provision of secure digital tools. An incident like this significantly strengthens the works council's negotiating position.
Financial Impact
The costs of such a data protection violation accumulate from multiple positions and can be substantial for a mid-sized company.
| Cost Item | Estimated Amount |
|---|---|
| Supervisory authority fine (Art. 83 GDPR) | 15,000 - 50,000 € |
| Compensation for the affected employee (Art. 82 GDPR) | 5,000 - 15,000 € |
| Legal fees (company and affected employee) | 4,000 - 12,000 € |
| Severance payment if HR director is terminated | 3,000 - 18,000 € |
| Recruitment costs (replacing HR director + potentially Thomas Bergmann) | 5,000 - 20,000 € |
| Implementation of secure systems and training | 2,000 - 8,000 € |
| Productivity loss and workplace morale | 1,000 - 7,000 € |
| Total Costs | 35,000 - 130,000 € |
Not included in this table are the long-term reputational damages. When it becomes known that a company distributes personnel files via WhatsApp, employer attractiveness declines measurably. Qualified candidates avoid companies with known data protection problems.
How to Prevent This
Personnel decisions require the confidential exchange of sensitive documents — but through secure channels. SendMeSafe provides companies with the tools to share personnel data without losing control.
Secure Share Links Instead of WhatsApp: With Share Links, you create password-protected links to confidential documents. Define how many times a document can be downloaded and when the link expires. After expiration, access is automatically revoked — no files on personal smartphones, no uncontrolled forwarding.
Confidential Communication with Connect: Through Connect, you can communicate securely with internal and external stakeholders. Instead of sharing personnel files in messenger groups, invite relevant parties to a protected channel. Every activity is logged — you always know who accessed which documents and when.
Audit Trail for Compliance: Every access, every download, and every interaction is documented in a complete audit trail. During an inspection by the supervisory authority, you can demonstrate at any time who had access to which data and that appropriate protective measures were in place.
Automatic Expiration and Access Control: Personnel files should not linger indefinitely in chat histories. With SendMeSafe, you set an expiration date after which access is automatically revoked. Download limits prevent documents from being mass-downloaded and redistributed.
Frequently Asked Questions
Can I share personnel files via WhatsApp if I ask recipients to keep them confidential?
No. A verbal or written request for confidentiality does not constitute a technical safeguard under the GDPR. Art. 32 requires appropriate technical and organizational measures to protect personal data. WhatsApp automatically saves files on all recipients' devices and offers no protection against screenshots or forwarding. Even WhatsApp's end-to-end encryption does not change this: encryption only protects the file in transit, and once delivered it sits decrypted and readable on every recipient's device. Using a messenger without access controls and audit capabilities violates the principles of data minimization and purpose limitation.
Which parts of a personnel file are particularly sensitive?
All components of a personnel file are confidential as a matter of principle. However, health data (medical certificates, doctor's notes, disability information) enjoys especially strict protection as a special category of personal data under Art. 9 GDPR. Salary information, performance reviews, written warnings, and disciplinary actions are also highly sensitive. Bank account details and tax identification numbers additionally fall under special protection requirements for financial data. Sharing even a single one of these components through insecure channels constitutes a reportable data protection breach.
Can the affected employee claim compensation for damages?
Yes. Art. 82 GDPR grants any person who has suffered material or non-material damage as a result of a GDPR violation a right to compensation from the data controller. European courts have awarded compensation in employment data protection cases ranging from 1,000 to 15,000 euros. When health data is disclosed — particularly mental health conditions — courts tend toward the upper end of this range because the non-material damage from stigmatization and exposure is especially severe.
How can we securely share personnel documents with multiple managers?
Use a platform with granular access controls, expiration dates, and audit capabilities. With SendMeSafe, you create a password-protected Share Link for each document, valid only for a defined period and a limited number of downloads. Alternatively, you can set up a protected communication channel through Connect where all participants can review documents without files being stored on personal devices. Every access is logged, so you can always demonstrate who viewed which documents and when. This fulfills GDPR requirements while simultaneously protecting your employees' privacy.
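The controls named in the Share Link section above and in this answer (a password on the link, a fixed validity period, a download cap, and an audit trail that records every access) are easier to reason about when written out. The following Python is an added illustration, not SendMeSafe's code, and assumes nothing about its real API or storage; names such as `ShareLink`, `attempt_download` and the document id `personnel-file-example` are constructed for the example. It shows the order in which a server should apply the checks (revoked, expired, download limit, then password) and that every outcome, denied or granted, lands in the log.

```python
"""Illustrative access control for a password-protected, expiring,
download-limited share link with an append-only audit trail.
Constructed example; this is not SendMeSafe's code and makes no
assumption about its real API or storage."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 200_000  # work factor for the link password (chosen for this example)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh salt is drawn if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class ShareLink:
    token: str                 # unguessable identifier that appears in the URL
    document_id: str           # which stored document the link points at
    salt: bytes
    password_digest: bytes     # only the digest is stored, never the password
    expires_at: datetime
    max_downloads: int
    downloads: int = 0
    revoked: bool = False
    audit: List[Dict[str, str]] = field(default_factory=list)

    def log(self, actor: str, event: str, at: datetime) -> None:
        # Append-only: no other function edits or deletes entries.
        self.audit.append({"at": at.isoformat(), "actor": actor, "event": event})


def create_share_link(document_id: str, password: str, valid_for: timedelta,
                      max_downloads: int, created_by: str,
                      now: Optional[datetime] = None) -> ShareLink:
    """Create a link that stops working at expiry or once the download cap is reached."""
    now = now or datetime.now(timezone.utc)
    salt, digest = hash_password(password)
    link = ShareLink(token=secrets.token_urlsafe(32), document_id=document_id,
                     salt=salt, password_digest=digest,
                     expires_at=now + valid_for, max_downloads=max_downloads)
    link.log(created_by, f"created (expires {link.expires_at.isoformat()}, "
                         f"max_downloads={max_downloads})", now)
    return link


def attempt_download(link: ShareLink, password: str, requester: str,
                     now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Apply every control in order; each outcome, granted or denied, is logged."""
    now = now or datetime.now(timezone.utc)
    if link.revoked:
        link.log(requester, "denied: link revoked", now)
        return False, "revoked"
    if now >= link.expires_at:
        link.log(requester, "denied: link expired", now)
        return False, "expired"
    if link.downloads >= link.max_downloads:
        link.log(requester, "denied: download limit reached", now)
        return False, "download limit reached"
    _, digest = hash_password(password, link.salt)
    if not hmac.compare_digest(digest, link.password_digest):  # constant-time compare
        link.log(requester, "denied: wrong password", now)
        return False, "wrong password"
    link.downloads += 1
    link.log(requester, f"download granted ({link.downloads}/{link.max_downloads})", now)
    return True, "ok"


def revoke_link(link: ShareLink, actor: str, now: Optional[datetime] = None) -> None:
    """Manual revocation, e.g. once the meeting the document was shared for is over."""
    now = now or datetime.now(timezone.utc)
    link.revoked = True
    link.log(actor, "revoked manually", now)


def audit_report(link: ShareLink) -> List[str]:
    """Human-readable trail: who did what with this document, and when."""
    return [f"{e['at']} {link.document_id} {e['actor']}: {e['event']}" for e in link.audit]


def simulate() -> Tuple[List[Tuple[bool, str]], List[str]]:
    """Constructed walk-through: 48-hour link, two downloads allowed, six access attempts."""
    t0 = datetime(2025, 3, 4, 19, 47, tzinfo=timezone.utc)
    link = create_share_link("personnel-file-example", "correct horse", timedelta(hours=48),
                             max_downloads=2, created_by="hr.director", now=t0)
    results = [
        attempt_download(link, "guess", "teamlead.1", now=t0 + timedelta(minutes=5)),
        attempt_download(link, "correct horse", "teamlead.1", now=t0 + timedelta(minutes=6)),
        attempt_download(link, "correct horse", "teamlead.2", now=t0 + timedelta(hours=1)),
        attempt_download(link, "correct horse", "teamlead.3", now=t0 + timedelta(hours=2)),
        attempt_download(link, "correct horse", "teamlead.4", now=t0 + timedelta(days=3)),
    ]
    revoke_link(link, "hr.director", now=t0 + timedelta(days=3, minutes=1))
    results.append(attempt_download(link, "correct horse", "teamlead.5",
                                    now=t0 + timedelta(days=3, minutes=2)))
    return results, audit_report(link)


if __name__ == "__main__":
    outcomes, report = simulate()
    for ok, reason in outcomes:
        print("granted" if ok else f"denied ({reason})")
    print("\n".join(report))
```

The check order matters: a revoked or expired link is refused before the password is even examined, so an attacker who guesses passwords against a dead link learns nothing and still leaves a log entry. Only the salted PBKDF2 digest of the link password is stored, and the comparison uses `hmac.compare_digest` so that timing does not leak how many bytes matched.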