Introduction
The General Data Protection Regulation (GDPR) will enter into force on May 25. It is intended to harmonize all the legislation of the member countries of the European Union and advance in the protection of citizens’ rights. The 1999 Data Protection Law will remain in force as long as it does not oppose the aforementioned Regulation and will have to adapt to it with the following modification of its articles.
The GDPR aims to increase the control of companies over their customer data and provide users with greater control over their personal data. And how do you get it? Well, first of all, protecting the citizen against large companies that operate on the internet and that have their headquarters outside the European Union. From now on, citizens’ rights are protected as long as the company provides services or offers goods in the EU, regardless of where its headquarters are.
Therefore, companies must adapt to the GDPR before May 25. Violating it can lead to fines of up to 4% of annual turnover with a limit of 20 million euros. This applies to both companies and freelancers who handle personal data of their clients, as well as public companies and associations.
So what about apps and GDPR?
Mobile applications have always required our data. But now users are going to demand greater control and transparency. There will still be data collection in the app, but these must have a clear purpose, be appropriate and have the consent of the user.
These changes will affect the development of the product in the new apps, which will be done with the GDPR in mind and will necessarily require changes in the existing mobile applications. We review below the aspects of the GDPR that affect us the most:
1- Right to be forgotten.
The right to erasure, also called the right to be forgotten, allows EU users to request information about the data they have provided. And they can also submit a request to remove such information. A company that receives any of these requests must comply with this requirement within 10 days as long as the purpose for which they were collected has been completed. If the canceled data had been previously transferred, the company must notify the cancellation within the same period.
In addition, companies must delete the data when the purpose for which it was provided disappears.
→ Put it into practice: include in your privacy policy the user’s right to request access, rectification, deletion or limitation in the processing of their data in your privacy policy. The electronic address where these rights can be filed must be clear, since they were collected electronically and the user has the right to request cancellation by the same means.
2- Explicit consent.
The app must require the explicit consent of the users to collect, use and transfer their data. Consent must be:
- free: it must be provided within a framework of absolute freedom, it cannot be conditional on obtaining an offer, for example.
- specific: consent must be obtained for each of the purposes for which it is requested. If we require the data for the provision of a service in the app but at the same time we are going to use it to create marketing campaigns, we must specify it and receive authorization from the user for each of the uses.
- informed: the user must be informed about the person responsible for the treatment, the purpose for which the data is collected, how this data will be processed and the rights that the app user has over them.
- unequivocal: the user of the app should have no doubt that he is providing the data for the required purpose.
The RGPD establishes new guidelines for the treatment of data of minors. As a general rule, minors can give their consent from the age of 16, although each member country can establish a lower age with a ceiling of 13 years. In Spain, the consent of minors who have reached 13 years of age is considered valid, while minors of this age will need the approval of those who have parental authority or guardianship (of both if it is shared). On the other hand, the GDPR in its article 8.2 is not very strict when it comes to verifying that this age is correct and only instructs the person responsible for the data to make a reasonable effort taking into account the state of technology.
The main marketplaces are not far behind and try to prevent the personal data of the app user from being accessed without their consent. The App Store Review Directive, in its sections 5.1 and 5.2, establishes that the app cannot transmit the user’s location data without their express consent, or for an unauthorized purpose. And for its part, Google Safe Browsing for Android forces applications to show their privacy policy and detects apps that use data without the user’s consent.
→ Put it into practice: the app must include a view in which the privacy policy and legal notices appear or a link that directs to a landing page that contains these texts. Keep in mind that minors will read the consents aimed at collecting their data, so the text you show must be simple and easy to understand.
Enter a box for each purpose that requires consent, and blocks the possibility of sending until they have been authorized by the user. Do not leave boxes marked by default, it is expressly prohibited in the GDPR.
Manage consents through a platform that allows you to demonstrate that the user of the app consented and that automatically removes from the database those who request the deletion of their data.
3. Notification of security breaches.
If the app is hacked, as soon as the data controller is aware that there has been a security breach of the users’ personal data, they must notify the competent control authority without undue delay and within a maximum 72 hours.
In addition, according to the GDPR, the data controller must inform the user about the leakage of their personal data or the violation of their privacy. The circumstances in which such a violation has occurred must also be reported.
Notification will not be necessary if the leak does not affect users’ personal data or their privacy, nor when the data is properly encrypted. This exception does not apply to certain categories of data such as banking for example.
→ Put it into practice: first of all implement the appropriate security measures and train your staff so that this does not happen. If you finally have to notify the control authority about the security breach, you must draw up a document that contains the number of affected stakeholders, the types of data, the contact of the data protection officer in the event that this position is mandatory in your company, the consequences of the leak and the measures adopted or proposed to mitigate its effects.
4- Privacy by design.
Privacy by design is not a new concept, but it does become a legal requirement. For compliance, data protection and user privacy must be considered at the beginning and throughout the project development cycle.
→ Put it into practice: in the development of the app, the security of the user’s data and their privacy must be guaranteed from the conceptualization of the project. Only the employees in charge of the process should access the data. Sign with your employees a confidentiality document and a confidentiality contract with the collaborators who have access to the data.
5. International data transfers.
The transfer of data beyond the borders of the European Union is one of the most important points of the GDPR, and essential to provide technological services since many of the servers we use are located outside the EU. According to European regulations, these data transfers may be made by both the controller and the person in charge of the treatment. The cases in which data may be transmitted without the authorization of the competent control body are the following:
- Transfers based on an adequacy decision (art. 45 GDPR): with countries that the Commission considers to have an adequate level of protection. In the case of the United States, only companies that adhere to the Privacy Shield*.
- Transfers through adequate guarantees (art. 46 GDPR): certain guarantees are established regulated by the regulations that third countries must fulfill in order to dispense with administrative authorization.
- Transfers based on binding corporate rules (art. 47 GDPR): these are rules to guarantee the processing of data between companies of the same group located in different countries.
→ Put it into practice: check all the servers or platforms that provide cloud services and that contain data from your app or your company, read their privacy policies to check that they guarantee an adequate level of protection. This link will be useful for you, which shows the US companies that adhere to the Privacy Shield https://www.privacyshield.gov/list
* July 2020 update: The CJEU invalidates the Privacy Shield for transferring data to third countries outside the European Union, although the standard contractual clauses (SCC) are still considered valid.
This new challenge that is the adaptation to the GDPR must be faced as a great opportunity to differentiate ourselves from the competition, betting on the safeguarding of the trust of the user of the app.