Guideline for Data Privacy in Mobile Applications

The Data Protection Board (“Board”) issued its guideline with respect to data privacy in mobile applications (“Guidelines”). Under the Guidelines, the Board underlined the importance of the protection of the personal data of data subjects in mobile applications used in smart devices.

Compliance with Article 4 of the Law on the Protection of Personal Data:

The Guidelines underline that data processing activities need to be in line with Article 4 of the Law on the Protection of Personal Data and advise the following:

The processing needs to be in line with law and good faith principles:

  • Mobile application developers and providers need to (i) investigate if they have a legal ground before commencing processing of personal data, (ii) be sincere and transparent with respect to the processed personal data, (iii) enable data subjects to use their rights and implement practices which support those rights.
  • The consent mechanism needs to be structured in a way to enable data subjects to give their explicit consent separately for the application and third parties integrated into the application. Therefore, transparency with respect to third party data processing activities should be established and if there is no legal ground for the processing of personal data through third party services, then those services should not be used in the mobile application.
  • Voice command assistance should not be activated by default when the mobile application is used for the first time.
  • The microphone should be accessed only while the application is in use.

Personal data should be accurate and up to date:

  • The application should give users the possibility to control and correct their personal data while using the application.
  • Email addresses and phone numbers should be verified.

Data processing should be for definite, clear and legitimate purposes, and limited to the processing purpose:

  • Personal data which is not required for the purpose should not be processed.
  • Personal data collected by the mobile application should not be used for the purpose of extending the use of the mobile application.
  • If the data processing activities can be carried out with the personal data already stored in the local storage of the mobile device, such personal data should not be transmitted to the data storage systems of the mobile application provider.

Personal data should be stored for the period foreseen under the relevant legislation or for as long as required for the processing purpose:

  • A mobile application developer storing personal data in a cloud system needs to take all measures for the destruction and deletion of the personal data at the end of its storage period. The status of active and inactive users should be taken into account when deciding on deletion or destruction.
  • For instance, a mobile application providing electronic mail services should change the status of a user to “inactive” if the user does not log in for a specific period of time.

Information Obligations

  • Awareness declaration and privacy policy (if any) need to be easily accessible to both the users and the potential users who consider downloading the application,
  • While informing about the updates of the application, the users should be informed about the changes which relate to the processing of personal data,
  • The users should be made aware of the default privacy settings, easy to understand mechanisms and user friendly interfaces should be provided which would help the users to control their privacy settings.

Registration with the VERBIS System

  • Verbis registration of the data controller should be completed by the mobile application providers which are located outside of Türkiye,
  • If the users located in Türkiye are targeted by mobile applications, Verbis registration of the data controller should be completed with respect to the personal data processed through the mobile application.

Other measures

  • Applications which target minors or which are commonly used by minors should create systems to verify the age of the minor, and the processing of such personal data should be subject to separate policies and procedures,
  • The consent of the users, if required, should be collected through an action actively taken by the user,
  • Applications should be constructed in line with the privacy by design and privacy by default principles,
  • A control mechanism should be in place with respect to logging in from different mobile devices,
  • If possible, users should be encouraged to use multi-factor identity verification systems,
  • An adequate password security policy needs to be put in place and users should be prevented from reusing their previous passwords,
  • Passwords should be stored using hashing functions,
  • Regular patch management and software updates should be in place,
  • Software tests should be carried out before publishing mobile applications,
  • The number of unsuccessful login attempts on an account should be limited.
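The last few measures (hashed password storage, preventing reuse of previous passwords and limiting unsuccessful login attempts) are concrete enough to illustrate in code. The following is an added example written for this summary, not code from the Board or from any application provider: a minimal account store using Python's standard-library scrypt for salted password hashing, a bounded password history checked on every password change, and a failed-attempt counter that locks the account. The limits (five attempts, five remembered passwords), the usernames and the passwords are constructed assumptions, not values taken from the Guidelines.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed policy values (assumptions for this example, not from the Guidelines).
MAX_FAILED_ATTEMPTS = 5      # lock the account after this many consecutive failures
PASSWORD_HISTORY_SIZE = 5    # number of previous password hashes kept to block reuse


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using scrypt; a fresh random salt is drawn when none is given.
    n=2**14, r=8 needs about 16 MiB, within hashlib's default memory limit."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # previous (salt, digest)
    failed_attempts: int = 0
    locked: bool = False


class AccountStore:
    """In-memory stand-in for the application's user database."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest)

    def change_password(self, username: str, new_password: str) -> bool:
        """Reject the change if the new password equals the current one or any kept in history."""
        acct = self.accounts[username]
        for salt, digest in [(acct.salt, acct.digest), *acct.history]:
            # Re-hash with the stored salt and compare in constant time.
            if hmac.compare_digest(hash_password(new_password, salt)[1], digest):
                return False
        acct.history.insert(0, (acct.salt, acct.digest))
        del acct.history[PASSWORD_HISTORY_SIZE:]        # keep only the most recent N
        acct.salt, acct.digest = hash_password(new_password)
        return True

    def login(self, username: str, password: str) -> str:
        """Return "ok", "invalid" or "locked"; lock after MAX_FAILED_ATTEMPTS failures."""
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password)   # spend the same work for unknown users
            return "invalid"
        if acct.locked:
            return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt)[1], acct.digest):
            acct.failed_attempts = 0  # successful login resets the counter
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return "locked"
        return "invalid"


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse")          # constructed sample user
    print(store.change_password("alice", "correct horse"))   # False: reuse blocked
    print(store.change_password("alice", "battery staple"))  # True
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(store.login("alice", "wrong"))          # invalid ... then locked
```

A real deployment would persist the lockout state and failed-attempt counter server-side, unlock through a verified recovery flow, and never keep plaintext passwords anywhere; the history check works only because each old salt is stored alongside its digest.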

The Board identifies application providers as data controllers to the extent they use the personal data of application users for their own purposes. However, the Board also acknowledges that where a mobile application integrates a third party service, there will be multiple data controllers. Furthermore, the operating system operator may also use the personal data collected through the mobile application, which makes the operating system operator a data controller as well. Hence, the above recommendations need to be taken into consideration by application providers, third party service providers and operating system operators.

Please feel free to contact us for the details of these rules and their possible implications.

Senem Gölge Yalçın