The German data protection agency has ordered Facebook to stop collecting user data from its WhatsApp messenger app and delete any data it has already received.

The social network announced in August that it would begin sharing data from its 1 billion-plus user base, including phone numbers, from WhatsApp users with Facebook for the purpose of targeted ads. It gave users the option of opting out of the data being used for advertising purposes, but did not allow them to opt out of the data sharing between WhatsApp and Facebook.

Hamburg’s Commissioner for Data Protection and Freedom of Information Johannes Caspar ruled on Tuesday that Facebook “neither has obtained an effective approval from the WhatsApp users, nor does a legal basis for the data reception exist”.

“It has to be [the users’] decision whether they want to connect their account with Facebook. Facebook has to ask for their permission in advance.”

Caspar also recalled that in the wake of Facebook’s 2014 acquisition of WhatsApp it had promised that they would not share user data.

Facebook’s German activities are headquartered in Hamburg, placing the social network under the jurisdiction of the regulator in the northern city.

Caspar ordered Facebook to delete any data already received from WhatsApp in Germany, saying that he was acting to protect the privacy of Germany’s 35 million WhatsApp users and that of people saved in each user’s address books, whose details might also be forwarded under the data-sharing arrangement.

A Facebook spokesperson said: “Facebook complies with EU data protection law. We will work with the Hamburg DPA in an effort to address their questions and resolve any concerns.”

The California-based company has faced several privacy challenges across Europe, including those from the Belgian data protection authority, in Germany and France. Facebook has maintained that it operates in Europe from its headquarters in Ireland and that its actions are therefore governed by Irish law.

The European Commission recently recommended tighter privacy and security requirements for services including WhatsApp and Microsoft-owned video calling service Skype, saying they should be regulated more like traditional telecoms.

Greater regulation could result in stricter data privacy provisions as well as requirements for emergency calling services and other facilities currently the preserve of mobile and fixed line telephony services.