The GDPR (General Data Protection Regulation) is perhaps the most widely known piece of legislation that concerns online businesses. It was passed on May 25, 2018 and affects all businesses that collect the personal data of individuals. It also applies to businesses located outside the European Union, provided that they collect the personal data of even one EU citizen. In that sense, owners of mobile apps are also subject to the strict rules of the GDPR and should aim to comply with it in order to avoid massive fines.
This article examines the basic principles of the GDPR and how they apply to mobile applications.
Who needs to comply with the GDPR?
Any individual or business that processes the personal data of people in the EU needs to comply with the GDPR. As established above, this also includes companies based outside the EU that target EU citizens, whether knowingly or not.
If you offer goods or services to EU citizens, or monitor their behaviour, you must observe the obligations imposed by the GDPR. Hence, if you use monitoring tools such as Google Analytics or cookies to study how users behave in your app, you are bound by the GDPR.
What is personal data?
Personal data is defined under Art. 4 of the GDPR. In the broadest terms, personal data means any information that can be associated with an identifiable person. This obviously includes basic information such as name, address and telephone number, but it also extends to browsing history, IP address, location data, etc.
How does the GDPR apply to Mobile Apps?
The GDPR regulates the way in which mobile app owners process the personal data of their users. It requires that you process personal data on one of the six lawful bases (more information below). In addition, it grants users certain rights through which they retain control over their personal data.
Mobile apps can collect and process personal data in a number of ways. The most common are collecting login details, tracking users' location and accessing their photos. When designing and developing a mobile app, you should consider all of the basic principles of the GDPR in order to ensure compliance.
The six lawful bases for processing personal data
We mentioned above that there are six lawful bases for collecting personal data, and each mobile app must rely on at least one of them. They are defined under Art. 6 of the GDPR and include:
- Consent
- Contract
- Legal Obligation
- Vital Interest
- Public Task
- Legitimate Interest
While the first five bases are largely self-explanatory, legitimate interest is the most complex one. It means that in some cases you may process personal data without the user's consent, provided you have a legitimate interest in doing so. An example of such an interest is a security concern.
When determining whether you have a legitimate interest, you should consider (i) the purpose of the processing (whether it pursues a legitimate interest), (ii) the necessity of the processing and (iii) the balance between your interest and the rights of the user. Make sure to work through these three points before processing personal data without the user's explicit consent.
In any case, the best course of action is always to obtain the individual's consent for the collection and processing of personal data. Such consent must be freely given through a clear affirmative action (avoid pre-checked boxes) and must be easy to withdraw.
You should also bear in mind that each individual has the right to request access to all information that you hold about them. The GDPR also includes the right to be forgotten, whereby an individual can request that you delete any personal information you hold about them.
What you need to consider when developing your Mobile App
First and foremost, when developing your mobile app you should consider how to obtain your users' consent for collecting their personal data. You should also ask for permission before accessing their photos, contacts, etc.
It is of utmost importance that your mobile app users are clearly informed of how you collect and process personal data, why you do it and what their rights are. This is done through a comprehensive Privacy Policy.
The importance of a Privacy Policy
The Privacy Policy is the single most important legal document your mobile app needs in relation to GDPR compliance. The lack of a comprehensive Privacy Policy that informs your users of how you collect, store and process their personal data, and of what their rights are, can lead to massive fines and lawsuits.
We can save you from that by providing you with a fully GDPR compliant Privacy Policy, drafted for your own specific needs. If you would like to learn more about your GDPR and compliance obligations in general, and how they apply to your business, please get in touch with us or sign up for a free legal consultation.
P.S. This article does not constitute legal advice. Its aim is simply to show you the general principles of the GDPR and how they apply to mobile apps. For more detailed information and advice, please get in touch with us.