Contact
Jarosław Kamiński

Attorney at law (Poland)
Associate Partner
Phone: +48 22 244 00 27
E-Mail

In recent years desktop computers and laptops have been losing ground to mobile devices such as smartphones, smartwatches and tablets, which are gradually becoming our basic working tools. A smartphone no longer serves only for communication: it also helps us organise our time, obtain information and entertain ourselves. This pushes device manufacturers to design ever faster devices with ever more capacity, and mobile app developers to compete in creating more attractive solutions that reach the greatest possible number of users. But whatever functions and features a mobile app offers, it must ensure the protection of personal data. This is especially important at a time when data leaks are commonplace, and all the more so now that the General Data Protection Regulation (GDPR) has come into force. What should developers pay attention to when designing an application in order to avoid a data breach?

Controller, processor and mobile apps

The basic question arising from the new rules in connection with designing mobile apps is: what role do mobile app developers and their contractors (e.g. outsourcing firms providing additional services needed to create the app) play in the processing of personal data? GDPR defines two roles here: the controller and the processor. The controller makes the key decisions and determines the purposes and means of the processing; the processor processes personal data on the controller's behalf. The controller bears the main responsibility for the security of the personal data processed by an application. Which role a given party plays depends on factors such as whether the app is developed and operated on its own or on third-party servers, or whether external advertising networks are used when running the app. Since it is common for mobile app developers to use external hosting services, the relationship between the developer and, for example, a cloud computing provider deserves particular attention.

Personal data processing agreement

As a rule, the developer is the controller and the hosting or cloud provider is the processor. They therefore need to conclude a personal data processing agreement that meets the requirements of Article 28 GDPR. The agreement should above all define the subject matter of the processing, that is, the scope of data the processor is authorised to access and the purposes for which those data will be processed, and set out the rights and obligations of the controller and the processor. It is essential that the processor processes personal data only on documented instructions from the controller. In practice, however, cloud service providers often have a stronger market position than controllers and offer their own template data processing agreement or general terms and conditions, which may limit their liability or require the controller to grant them access to more personal data than is needed. It is therefore extremely important to review a data processing agreement before signing it, preferably with the assistance of a lawyer specialising in personal data protection.

Data minimisation rule

The next step towards GDPR compliance is to analyse what data the mobile app developer has access to and whether it processes more data than it needs (so-called redundant data), because one of the basic GDPR principles is data minimisation. Under this principle the controller may process only data that are adequate, relevant and limited to what is necessary for the purposes for which they are processed. Technical data such as the IP address from which the app connects, or a device identifier, are personal data too, so even this baseline must be justified; a persistent hardware identifier such as the IMEI allows the user to be tracked across apps, is tightly restricted by the mobile platforms themselves and is rarely necessary for an app to work, so it should not be treated as a default part of the data set. The larger the scope of the data being collected, the more the controller needs to demonstrate that those data are really necessary for the correct operation of the app. The data needed by a flashcard app are entirely different from those needed by an app that finds the nearest bars and restaurants based on our cuisine preferences. But neither of them should request access to the photo gallery or the microphone, which nevertheless happens quite frequently among the mobile apps currently on the market.

Privacy Policy

Defining the data to be processed matters not only to the controller but also to the data subject, who has the right to be informed about the processing of his or her personal data. The app developer (if it is the controller) must inform data subjects, in its privacy policy, about the processing of their personal data by the application installed on their device. Under the GDPR transparency principle, obtaining information about the processing should be as easy for the user as using the application itself. The application's privacy policy should above all be easy to find and easy to understand: the key information should be reachable within two taps (the so-called "two-tap rule"). Read more about the information obligation and its aspects in the previous article.

Data protection impact assessment (DPIA)

Before developing a mobile application you should analyse how its use may affect the personal data of its users. GDPR calls this analysis a data protection impact assessment (DPIA). Article 35 GDPR specifies when a DPIA is mandatory: in particular, where the processing involves systematic and extensive profiling that produces legal or similarly significant effects for individuals, large-scale processing of special categories of data, or systematic large-scale monitoring of a publicly accessible area; more generally, whenever the processing is likely to result in a high risk to the rights and freedoms of individuals. Even if an application developer meets none of these criteria, it should consider conducting such an analysis so as to be able to demonstrate, in the event of an inspection by the supervisory authority, that the adopted solutions comply with GDPR. A DPIA should at least include a description of the planned processing operations and their purposes, an assessment of their necessity and proportionality, an assessment of the risks to the rights and freedoms of data subjects, and the measures planned to address those risks and protect the data against breach. The controller should carry out the analysis with the advice of the Data Protection Officer, if one has been appointed. Just as some processing operations require a DPIA, some require the appointment of a Data Protection Officer under GDPR. So if a controller is not sure what it must do and what it is merely advised to do, it should consider a comprehensive legal and technological audit that will show whether its processing operations are secure and lawful.

Increased user privacy protection

The main purpose of GDPR is to ensure the security of personal data, but it also grants data subjects a number of rights protecting their privacy. Some of these existed already under the repealed Polish Personal Data Protection Act; others are new and are intended to strengthen the protection of users' privacy. One of the new rights is the right to data portability. It means, first, that the user can receive from the controller the personal data concerning him or her in a structured, commonly used and machine-readable format, and second, that the user has the right to transmit those data to another controller without hindrance from the current controller. Where technically feasible, the data subject may also have the data transmitted directly from one controller to another. Most doubts concern the format: it is not obvious what "commonly used and machine-readable" means. According to the guidance of the EU data protection authorities (the Article 29 Working Party, now the European Data Protection Board), data should generally be provided in formats such as HTML, JSON, XML or CSV, although the appropriate format may vary depending on the purpose for which the data are processed; what matters is that the person, or the potential new controller, can easily make use of the data previously provided. The right to data portability ties in directly with the point made at the beginning of the article: the controller must know what data it manages, what does and does not qualify as personal data, where the relevant information is located and to whom it is disclosed.

Mobile app developers should analyse the risks involved in processing personal data carefully and at the very start of the design process (the so-called privacy by design principle). The desire to achieve the greatest number of downloads and the widest possible availability of the application must not outweigh the assessment of how a given solution will affect the security and privacy of its users.

If you would like to discuss this topic in more detail or if you are interested in a legal and technological audit in your company to see if your solutions comply with GDPR, Rödl & Partner experts from Cracow, Gdansk, Gliwice, Poznan, Warsaw and Wroclaw will be glad to help.

28.08.2018