Expert Advice Community

Mobile app GDPR compliance

Guest user Created:   Feb 17, 2021 Last commented:   Feb 17, 2021

Firstly, I want to thank you so much for providing such help. It is really valuable.

I would like to ask you about the following.

Current situation:

I have a mobile application (Notes & todo lists) running on Android that stores & processes data.
- This data could be personal or personally identifiable.
- The app stores the data on the user's device in the app folder that is accessible by the user only.
- We do not collect or store any data in the cloud.
- The app also has Google ads. Users are informed and have to give consent before using the app.
- There is no requirement for sign up or requests for email, name, passwords, financial information etc.
- Data stored (because it is a notes app) can be personal interests, schedules, names, numbers etc.

What I would like to know:

Considering the app above:
1. If I do not encrypt the data stored on the device, am I in breach of GDPR?
2. Do I need to appoint an EU Data Protection representative?
3. Does the GDPR really apply to this application since there is no collection of data and only the user has access to it?

Thank you so much for your help.


Expert
Alessandra Nisticò Feb 17, 2021

"Firstly, I want to thank you so much for providing such help. It is really valuable.

I would like to ask you about the following.

Current situation:

I have a mobile application (Notes & todo lists) running on Android that stores & processes data.
- This data could be personal or personally identifiable.
- The app stores the data on the user's device in the app folder that is accessible by the user only.
- We do not collect or store any data in the cloud.
- The app also has Google ads. Users are informed and have to give consent before using the app.
- There is no requirement for sign up or requests for email, name, passwords, financial information etc.
- Data stored (because it is a notes app) can be personal interests, schedules, names, numbers etc.

What I would like to know:

Considering the app above:

If I do not encrypt the data stored on the device, am I in breach of GDPR?

The GDPR lets the controller decide whether security measures are appropriate to the data processing or not, so encryption can be a good security measure and it is recommended, but it is not mandatory. Article 32 GDPR states that the controller needs to consider the risks to the rights and freedoms of users, the state of the art, the costs of implementation, and the nature, scope, and purpose of processing, and to balance these in order to determine the appropriate security measure (i.e., the app may not encrypt data because it is stored on the user's device, but may instead require two-factor authentication or access with a fingerprint).

Do I need to appoint an EU Data Protection representative?

If you are not located in the EU, then yes, you need to appoint an EU representative, as required by Article 27 GDPR.

Does the GDPR really apply to this application since there is no collection of data and only the user has access to it?

Thank you so much for your help."

GDPR applies to data processing, which is defined by Article 4 GDPR as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”

Your app records and makes available personal data to the user, so it processes personal data. In addition, your company probably acquires data about the users who downloaded the app, such as their device numbers, email addresses or Google Play accounts; in fact, you ask for consent for processing data. So the GDPR will apply: even if your app does not transmit your users' personal data, you still process other personal data (device numbers, email addresses, Google accounts, etc.).

Here you can find more information on GDPR implementation:

If you need to understand how to process personal data under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://training.advisera.com/se/eu-gdpr-foundations-course//
