App Development: Anyone who develops or offers an app will sooner or later come into contact with personal data. But what do you legally have to consider regarding data protection when developing an app? We clarify. Apps are a regular part of our connected life, and many applications process (a lot of) personal data. Just think of registration data such as e-mail address and first and last name.
However, data protection law, in particular the General Data Protection Regulation (GDPR), must also be observed when, at first glance, less obviously personal data is used. The European data protection authorities published a helpful recommendation on “data protection and apps” in 2013. According to the supervisory authorities, app providers must comply with data protection regulations when processing unique device and customer identifiers such as IMEI, IMSI, UDID and mobile phone numbers.
GDPR Data Protection In App Development Also Applies Outside The EU
In practice, this means that data protection always plays an important role in app development. There is also a further note for providers from outside Europe: the GDPR applies even if the provider has no branch in the EU. It is sufficient that personal data of EU citizens is processed.
An example: A game provider from India also offers its app to users in the EU. This is evident, for instance, from the fact that in-app purchases can be made in euros. This provider from India must then also comply with the rules of the GDPR.
Who Is Responsible?
In practice, the question of who is responsible for compliance with the GDPR is particularly relevant. Is it the app operator or the app developer? These are not always the same party: apps are often sold as a white label solution and branded for the customer.
In general, it can be assumed that the app provider is the party responsible for data protection. According to the German data protection authorities, this also applies if the provider did not develop the app itself.
The background to this classification is, among other things, that the provider is ultimately the point of contact for the users. Where applicable, the provider concludes usage contracts with them and decides which user data is used for which purposes.
The allocation of responsibility becomes complex when third parties join in – such as advertising network operators. In this case, the so-called joint responsibility of the app provider and the advertising network operator can arise.
If the app provider also uses service providers who handle user data on its behalf – for example, to create analyses or to offer customer support – it may be necessary to conclude data processing agreements with these service providers.
Data Protection In App Development: What Should Be Considered?
If the GDPR is applicable, it must, of course, be observed in its entirety. There are no special “app regulations”, but some requirements are particularly relevant.
Be Careful With Consent
Every processing of personal data requires a legal basis. The app provider could obtain the consent of the user for this. At first glance, that sounds very transparent and privacy-friendly. In practice, however, consent may not be the best choice.
One of the reasons is that the formal requirements for obtaining valid consent are very high. In addition, it must always be possible to withdraw consent, and the processing then has to stop. If possible, no app offering should be built on this risk.
Since app users conclude a contract with the provider anyway – this does not require lengthy clauses or terms and conditions – the performance of this contract is the more likely legal basis under data protection law.
The Requirements Of The ePrivacy Directive
It should be noted that the GDPR is not the only set of rules that must be complied with when offering apps. If the provider accesses the memory of the end device, stores data there, or collects data from the end device, the requirements of the so-called ePrivacy Directive must also be observed.
According to Article 5(3) of the ePrivacy Directive, consent must generally be obtained if data on end devices is accessed and this access is not necessary to provide the functions of the app.
A requirement of the GDPR that must be observed in any case when developing apps is the principle of “data protection by design and by default”.
Already when designing the software, the responsible party must ensure that the product effectively implements data protection principles such as data minimization, and that the default settings are the privacy-friendly ones.
In practical terms, app providers who have an app developed should agree on these specifications as part of the service description.
Of course, every app must also inform users about how personal data is processed and for what purpose. Therefore, there must be an easily recognizable and easy-to-find privacy policy in the app.
Overall, app providers should consider data protection at an early stage of development. Experience shows that planning ahead when implementing data protection requirements saves time, money and nerves compared to trying to bolt data protection on “quickly” shortly before a launch.