Where the GDPR applies, when you use the WhatsApp Business app, you are the Controller of all contacts in your address book. As the Controller of your contacts, you must have a legal basis: contractual necessity, legitimate interest, consent, or any other appropriate legal basis described in Article 6 of the GDPR to process these contacts.
When you give WhatsApp access to these contacts, WhatsApp is your data Processor. We quickly determine whether you can message these contacts on WhatsApp and deliver your messages to the intended recipients. For more information, refer to the WhatsApp Business Data Processing Terms referenced and incorporated within our WhatsApp Business Terms of Service.
There are several ways to control which contacts you provide to WhatsApp. For example, you can add only those contacts for which you have the appropriate legal basis to your device address book. One benefit of this approach is that it encourages you and your employees to practice good data privacy hygiene. Keeping business contacts and business devices separate helps prevent the misuse of customers' data or company devices for personal use (and vice versa).
If you wish to keep all your business and personal contacts on the same device, you can segment your address book by using tools that allow you to keep separate address books.