Mobile App Privacy And Data Protection Compliance

07.02.2024

A mobile application is a specialized computer program designed to run on mobile devices such as smartphones, tablets, or smartwatches.

Mobile applications are ubiquitous because of the convenience and accessibility they offer in many aspects of daily life. That ubiquity, however, brings notable data privacy risks: users routinely share personal data, preferences, and usage patterns with applications, exposing that data to potential privacy breaches.

On this subject, the Turkish Personal Data Protection Authority ("Turkish DPA") published a Guideline on Recommendations for Protecting Privacy in Mobile Applications ("Guideline") on December 22nd, 2023. In the Guideline, the Turkish DPA provides recommendations to users and data controllers regarding personal data processing activities carried out through mobile applications that can be downloaded on smartphones and tablets.

According to the Guideline, many actors, including the application provider, application developer, advertising network, application store provider, operating system provider, library provider, and device manufacturer, may be considered data controllers in the processing and protection of personal data in mobile applications.

What is in the Guideline?

The Guideline provides detailed definitions and categorizations; the concepts of data controller and data processor; compliance and transparency principles; information to be given to users; the obligations of controllers located outside Turkey; principles for processing children's data; the legal bases for processing; and data security requirements.

What types of personal data are commonly processed in mobile applications?

Processing of personal data may begin as soon as the user downloads a mobile application to the device and launches it. Personal data is also processed in many other activities, such as the application's use of cookies and online identifiers, the processing of traffic data, the collection of registration forms, the offering of a newsletter, and in-app purchases.

Under the Turkish Personal Data Protection Law ("Turkish PDPL"), the processing of personal data covers a wide range of operations performed on personal data.

The Turkish DPA gives specific examples of personal data that may be processed through apps: identity information (first and last name, ID number, passport number, date of birth); membership information (username, password); financial information (IBAN, credit card number, cryptocurrency wallet address); contact information (phone number, e-mail address, postal address); location information; contacts stored on the phone or friends lists within the application; information obtained through online identifiers (IP address, MAC address, IMEI, IMSI); the list of applications installed on the device; information collected through messaging platforms or voice-command applications; search history; and information obtained through user interactions, including in-app purchases.

Moreover, apps may process biometric data of the data subjects through facial recognition, fingerprint, or voiceprint technologies; health data such as heart rate, sleep patterns, or blood pressure; or, in some cases, ethnic origin, race, political opinion, or disability status inferred from photographs. In these cases, the data controller must carry out a compliance assessment for the processing of special categories of personal data.

Who is the controller and who is the processor?

A "data controller" is the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data filing system. A "data processor", on the other hand, is the natural or legal person who processes personal data on behalf of the data controller, upon its authorization.

Where the mobile application integrates a third-party service (e.g., a third-party service provider included in the application to perform two-factor authentication for fraud prevention, or an advertising network embedded in the application), the "Third Party Service Provider" may be considered a data controller if it processes the personal data for its own purposes.

If the "Application Developer" is a party other than the application provider, the application developer may be considered a data processor, provided that the service agreement between the parties assigns the developer only a technical role in the processing of personal data and ensures that it does not process personal data for its own purposes. If technical support is received from "Cloud or Server Service Providers", these parties may also be considered data processors.

Which general principles should be considered?

App developers and providers should determine whether there is a legal basis for processing before they start processing personal data, be fair and transparent about the data and the processing activities, enable individuals to exercise their rights, and put in place procedures and designs that support the exercise of those rights.

Data controllers should set out the purposes of the processing activities to be carried out and determine which personal data they need in order to achieve those purposes. For personal data processed through mobile applications, data controllers should set retention and destruction periods justified by their activities, business needs, or legal obligations, and should not retain such data for longer than reasonably required.

Data controllers located outside Turkey must also comply with the Turkish PDPL if they process the personal data of users in Turkey through a mobile application.

What should be considered when processing children's personal data?

Especially for applications aimed at, or widely known to be used by, children, the data controller should establish systems to verify the age of users and implement a separate policy and procedure for such processing activities.

Conclusion

Many actors, including the application provider, application developer, advertising network, and others, may be considered data controllers under the Turkish PDPL. One of the most important recent sources on this topic is the Guideline on Recommendations for Protecting Privacy in Mobile Applications published by the Turkish DPA. Data controllers subject to the Turkish PDPL should carry out compliance assessments and take into account the decisions and guidelines of the Turkish DPA when operating mobile applications.

This website is available "as is". Turkish Law Blog is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this website, and in no event shall it be liable for any loss or damages.

The content and materials published on this website are provided for informational purposes only and should not be used as a legal opinion in any way. This website and the information contained are not intended to establish an attorney-client relationship.