Newsletter On Recommendations for The Protection of Privacy in Mobile Applications Published by The Personal Data Protection Board
The Personal Data Protection Board (“Board”) has published a Guide on Recommendations for the Protection of Privacy in Mobile Applications (“Guide”), which sets out the points to be considered under the Personal Data Protection Law No. 6698 (“Law”) for personal data processing activities carried out through mobile applications used on smartphones and tablets.
Although the Guide also contains recommendations for mobile application users, this newsletter concerns only the recommendations addressed to parties that process personal data through mobile applications (e.g. application providers, application developers, etc.).
1. Data Controller – Data Processor Terms
- The Guide contains important assessments as to whether the actors involved in data processing through mobile applications qualify as data controllers or data processors.
- In this context, it is stated that the application provider is the data controller to the extent that it uses the personal data collected through the mobile application for its own purposes, and that if third party services are integrated into the application, the relevant third party may also be considered a data controller (e.g. a third party service provider that provides authentication services).
- On the other hand, it is stated that where the application developer is a separate organization from the application provider and, under its contract with the application provider, undertakes not to process personal data for its own purposes, it should be considered a data processor.
2. Compliance with General Principles
- Data processing activities carried out through mobile applications must comply with the general principles[1] listed in Article 4 of the Law.
- The Guide gives some notable examples of compliance with these principles. For example, for mobile applications that can work with voice commands, enabling this feature by default when the application is first used would be contrary to the general principles. It is also underlined that data processing activities should not exceed the reasonable expectations of the user; for an application that collects data via the microphone, it is recommended that microphone access be granted only while the user is actively using the application, and that no data be collected via the microphone in other cases.
- In addition, as part of compliance with the general principles, it is reminded that retention and destruction periods should be determined for personal data processed through mobile applications, that these periods should be justified by clearly defined business needs or legal obligations, and that such data should not be stored for longer than the required period. A noteworthy recommendation in this regard is to take the active or inactive status of users into account when determining retention periods.
3. Ensuring Transparency
- The obligation to inform data subjects under Article 10 of the Law must be fulfilled for data processing activities carried out through mobile applications. In this context, the information note and the privacy policy, if prepared as separate documents, should be positioned so that they are easily accessible to both existing and potential users.
- The Board makes a notable assessment with respect to mobile applications offered by providers located abroad. According to the Board, offering goods and services by referring to Turkey, making introductory statements indicating that the service is provided to persons in Turkey, offering a Turkish language option, offering product delivery to Turkey, or targeting persons in Turkey in the provision of goods and services, as well as conducting behavioral advertising, online tracking through unique identifiers or geo-localization activities for marketing purposes, amounts to monitoring the behavior of persons in Turkey. Providers of such mobile applications should therefore consider their obligation to register with the Data Controllers Registry and to notify their processing activities to the registry in accordance with Article 16 of the Law.
- Where children’s personal data is processed through mobile applications, it is recommended to establish systems to verify the age of users and to carry out processing activities concerning children under a separate policy and procedure.
4. Determination of the Conditions for the Processing of Personal Data
- For personal data processed through mobile applications, the processing conditions that form the legal basis for the processing must be determined. In this respect, it should be determined which of the legal grounds in Article 5/2 or Article 6/3 of the Law will be relied on for the data processing.
- Where data processing is based on explicit consent, the explicit consent of the users should be obtained in a manner that meets the validity requirements stipulated in the Law (in particular, through mechanisms that ensure the user’s explicit consent is obtained by means of an affirmative action).
5. Ensuring Data Security
- Mobile applications should be designed in accordance with the principles of privacy by design and privacy by default.
- In addition, the Guide recommends other important measures to be taken with respect to mobile applications, such as identity verification methods, the use of strong passwords, the protection of passwords against cyber-attacks, patch management and software updates.
The Guide (in Turkish) can be accessed from the link below:
https://kvkk.gov.tr/SharedFolderServer/CMSFiles/8ba209bb-fa93-4479-84f0-dd55aac97a0f.pdf
[1] (i) being in compliance with the law and good faith, (ii) being accurate and up-to-date when necessary, (iii) being processed for specific, explicit and legitimate purposes and being relevant, limited and proportionate to the purpose for which they are processed, and (iv) being retained for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.