Mobile app GDPR compliance

"Firstly, I want to thank you so much for providing such help. It is really valuable.I would like to ask you about the following.Current situation:

I have a mobile application (Notes & todo lists) running on Android that stores & processes data.- This data could be personal or personally identifiable.- The app stores the data on the user's device in the app folder that is accessible by the user only.- We do not collect or store any data in the cloud.- The app also has google ads. Users are informed and have to give consent before using the app- There is no requirement for sign up or requests for email, name, passwords, financial information etc.- Data stored (because it is a notes app) can be personal interests, schedules, names, numbers etc.

What I would like to know:

Considering the app above:If I do not encrypt the data stored in the device am I in breach of GDPR?

The GDPR lets the controller decide if security measures as appropriate to the data processing or not, so encryption can be a good security measure and it is recommended but it is non-mandatory. Article 32 GDPR states that the controller needs to consider the risks for freedom and rights of users, the state of art, the costs of implementation, the nature, scope, and purpose of processing and to balance it in order to verify the appropriate security measure (i.e., the app may not encrypt data because are stored on user device but request two-factor authentication or access with fingerprint).

Do I need to appoint an EU Data Protection representative?

If you are not located in the EU yes you need to appoint an EU representative, as required by Article 27 GDPR.

Does the GDPR really apply to this application since there is no collection of data and only the user has access to it?Thank you so much for your help."

GDPR applies to data processing which is defined by Article 4 GDPR “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”

Your app records and makes available personal data to the user so it processes personal data, then your company probably acquires data of users who downloaded the app, their device numbers or email or Google Play account, in fact, you ask consent for processing data, the GDPR will apply even if your app does not transmit personal data of your user you still process other personal data (device number, email, google accounts, etc.).

Here you can find more information on GDPR implementation:

• Is the GDPR applicable to our company? https://advisera.com/eugdpracademy/knowledgebase/who-needs-to-be-gdpr-compliant-an-easy-explanation/
• What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/eugdpracademy/knowledgebase/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/
• A summary of 10 key GDPR requirements https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/
• List of mandatory documents required by EU GDPR https://advisera.com/articles/list-of-mandatory-documents-required-by-eu-gdpr/

If you need to understand how to process personal data under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//