• Home
    • Blog
    • Carbonio Chat – GDPR Compliant Enterprise Instant Messaging service for Data Controllers | Blog

Carbonio Chat – GDPR Compliant Enterprise Instant Messaging service for Data Controllers | Blog

In this article, you’ll find out why Zextras Carbonio’s instant messaging service, aka Chats, is a perfect fit to comply with GDPR and how it meets all the legal obligations subjected to data controllers.

We have recently seen different regulations and laws emerging regarding data privacy being devised. The General Data Protection Regulation (GDPR) that came into force in May 2018 is one of the many. The European Union mainly adopted GDPR to strengthen data protection and sovereignty. Data sovereignty is the right of sovereignty over your data. To be more precise, it’s a person’s right to access, control, and disclose their own data.

Before such regulations, companies could freely choose any messaging app of their choice, whether WhatsApp, Telegram, or Signal; the only aspect a business should consider was functionality. However, emerging these data privacy regulations made things different. Considering the amount of data processed every day on these apps, your company is more responsible than ever for how personal data is treated and if it complies with these regulations.

The role of a data controller is to determine the purpose and means of processing personal data to comply with data privacy regulations. What it means for your company’s internal communication is to verify whether the messaging app you use meets all the legal obligations a data controller is subjected to e.g.

  • Controlling the data
  • Data transfer
  • Data processing agreement

Below, you’ll see how Zextras Carbonio’s instant messaging service meets all the abovementioned obligations to help companies comply with GDPR.

Controlling the Data

Having complete control over personal data is one of the most challenging obligations for data controllers, especially if you consider cloud computing’s popularity and its adoption rate. The reason is storing a companies data on a cloud inherently may conflict with control and ownership of data.

The roots of this problem lie in the fact that your stored data on the cloud can be physically located in any data server around the globe. It contradicts with GDPR in several levels included in articles 5 and 17, specifically the principles of storage limitation and right to erasure.

To put it simply, a specific degree of control over personal data is required in order for a data controller to comply with the GDPR. Let’s say you run a large real estate business. You need a messaging app to communicate with your employees and customers. Now imagine, a customer requests to delete their personal information that was previously shared between the employees. The problem here is that you can only go through your chats history and delete that information, not the actual data on some messaging app cloud storage. Based on GDPR, the right to erasure (the right to be forgotten) requires you to have control over that data and be able to erase it whenever needed.

With Zextras Carbonio, this problem never emerges in the first place as the company in our example has complete sovereignty over its data by deploying the servers and storage devices on-premises. Even in the case of cloud storage, the company has the flexibility of choosing a private cloud to be sure about data privacy regulations. Any piece of information is stored in the messaging service is under your administration and can be altered or erased without the need for any third-party interventions.

Data Transfer

According to GDPR chapter V, articles 44 to 50, you allow transferring personal data only if the level of protection of natural persons guaranteed by the regulation is not undermined. To put it simply, you cannot simply use any messaging app to carry on with your company communications while dealing with people’s personal data. The reason is that these apps use different servers around the world for several motivations, such as lowering storage costs, faster transfer, and providing a better user experience. Although your company may be located in the EU, the destination server your sending personal data can be located anywhere in the world.

Transferring personal data to third countries (outside of the EU) is possible only if they provide an adequate level of protection, and we cannot be sure if it is the case in our situation. When it comes to the GDPR, you’re responsible for compliance with data transfer regulations. If you’re lucky, the destination server is in the EU or at least provides the same level of protection; however, the chances are low.

Zextras Carbonio prevents you from gambling on secure data transfer and level protection as all the servers are located at your company’s premises and can be easily migrated to other locations to adapt to possible changes in such regulations.

Data Processing Agreement

Article 4 of GDPR describes processing as any operation or set of operations that are performed on personal data such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

By definition, data processing covers pretty much everything you may or may not perform on personal data. Therefore, this is by far the most delicate aspect of GDPR that data controllers face.

According to GDPR, you as the processor must guarantee appropriate technical and organizational measures to meet the requirements of this regulation, ensure the protection of data subjects’ rights, and finally, provide a legally binding instrument in place between the data controller and the data processor.

This basically means that you cannot transfer personal data through some messaging app unless you have a contract in place between you and the data subject, which is pretty unimaginable on large scales.

With Zextras Carbonio, have control over the geographical location of your servers that is firstly more secure and secondly is indeed compliant with data protection regulations. Whether your servers are deployed in the same location or separated, or even if you used private clouds for some of your data, you can be sure all data processing happens under your sight and can be audited.

Enterprise “B2B” Messaging System

Using common instant messaging apps such as Whatsapp or Telegram as corporation messaging services is not uncommon although they are not designed for enterprises but are targeted for personal and individual use. With the advent of GDPR due to data protection, companies don’t have the freedom of choice to use any messaging apps because of their inherent design characteristics.

Today, large enterprises’ data controllers are required to use a dedicated instant messaging service to provide maximum data security and protection to guarantee compliance with the GDPR.

Another way to think about this is from a business model standpoint. Common instant messaging apps designed for personal use might be very successful following a B2C model but not a B2B. As the data controller, you cannot simply rely on these apps to address your communication needs. Let’s see how GDPR treats these business models differently:


  • To process business data there is no need for asking individuals’ consent
  • To use e-mails addresses for marketing purposes there is no specific consent of having a legitimate interest


  • To process personal data you need individuals’ consent
  • To retain and use personal data for marketing purposes you need active consent of having legitimate interest such as joining the mailing lists
  • Individual entrepreneurship and partnerships are also included so must be treated as B2C

As you see, GDPR compliance is more intricate in B2C business models. Considering the amount of information transferred via your chats and messaging apps, you need to choose wisely.

Although on the surface Carbonio Chat does the same as personal instant messaging apps, under the hood, they are entirely separate products for different goals. One is suitable for individuals with personal motives, while the other is designed to handle large-scale enterprise communications.

Carbonio Community Edition is available! | Blog
Zextras at FOSDEM 2022 | Event | Blog