2. Mobile apps, or mobile applications, have found widespread
application since they were first launched in 2008 and are now used
not only for general productivity, information retrieval, email, and
other auxiliary services, but also for purposes normally handled by
desktop application software packages.
The existence of app stores has contributed greatly to the
development of the mobile app market.
There are different types of mobile applications, depending on the
platform on which they run, for example, Android, iOS, etc.
3. Apps offered on different platforms are either free or sold at a price
lower than ordinary software.
App developers who offer free mobile apps gain revenue from in-app
advertising or from in-app purchases.
The mobile app ecosystem is today considered one of the biggest
industries.
Smart devices may be equipped with a multitude of sensors. App
developers make use of this connectivity through the APIs to collect
data from the device and data from the different sensors.
4. The fact that there exist many players in the app development and
distribution life-cycle, such as app developers, app owners, app
stores, operating systems and device manufacturers, and third
parties, increases the risks for data protection.
This plethora of players can also cause a lack of transparency
for end users, who as a result are not properly informed of their
rights as consumers.
5. The Consumer Rights Directive (hereinafter referred to as the CRD)
provides for a quite long list of informational requirements for the
traders to comply with.
As far as apps are concerned, there are additional informational
obligations imposed on the traders.
General information requirements are set out in art. 5 and art. 6 of the CRD.
Additionally, a consumer who purchases an app has the right to know about
the functionality and the interoperability of the particular app.
The above requirements have to be met even in the case that an app
is provided for free.
6. Most of the time, app users are informed about the cost of the app
but not about the additional costs within the app.
However, apart from the information mentioned above, app users also
have to be aware of the pricing details.
The app user has to be informed, as a consumer, in a clear and
comprehensible manner, about, among others, the total price of the
goods or services offered including any applicable taxes.
In the app environment, these additional payments may be built-in
purchases such as add-ons, game levels, or pay-per-view content
(e.g., movies, TV series), which are not included in the subscription
to the audio-visual content service.
7. Under the CRD, the trader bears the obligation not only to inform the consumer
about his right of withdrawal properly and in a timely manner but also to provide
him with guidance on how to exercise it.
The consumer is provided with a period of 14 calendar days to withdraw from his
contract with the trader without giving any reason for his withdrawal and without
incurring any costs.
In the case of digital content contracts, the 14-day period starts from the day of
the conclusion of the contract.
8. Data protection risks are multiplied in the app environment, as
apps gain access to large quantities of data which are stored in the
device (location data, photos, videos, text messages, emails, calls and
calendar logs, contacts, passwords, financial data, etc.) or data
collected by the various sensors of the device.
It is also notable that smartphones and other smart devices lack
data security software and are thus vulnerable to cyber-attacks and
other security threats such as malicious applications and spyware.
The absence of comprehensive information on the processing of
personal data leads to a lack of transparency which is detrimental
to the app user.
9. The field of application of GDPR extends to the processing of
personal data of individuals taking place through the use of apps on
smart devices. This includes data stored on a smart device or data
generated by the device.
Such data are considered personal data if they relate to an
identified or identifiable natural person, regardless of whether this
is the owner of the device or any other individual.
10. The processing of personal data by apps can rely on the consent of
the user in accordance with Article 6(1) lit. a GDPR, since none of
the other requirements is fulfilled.
In addition, if an app needs to access personal data stored on the
device such as contacts in the address book, videos or pictures, or
place information on it, it is required to obtain consent from the
user, pursuant to Article 5(3) of the ePrivacy Directive.
11. The general principles of data protection mentioned in article 5 GDPR must be
complied with by data controllers, particularly the principles of purpose limitation
and data minimization.
The purpose of processing with regard to the functioning of apps should be defined
before the data processing takes place.
The principle of data minimization, which provides that data must be adequate,
relevant, and limited to what is necessary in relation to the purposes for which
they are processed, must be respected. Thus, app developers must design their
software products in such a way that unnecessary data processing is prevented.
The purpose limitation and the data minimization principles must be applied
more strictly in the case of children’s data processing by an app.
12. To ensure that the data subject is informed about the processing and is able to provide
informed consent, it is crucial to make available the information in Article 13
GDPR. This includes information on the following points:
The identity and the contact details of the controller;
The contact details of the DPO, if one is appointed;
The purposes of processing;
Where processing is necessary for the legitimate interests pursued by the controller
or by a third party, these interests;
The recipients or categories of recipients of the personal data, if any;
Transfer of personal data to a third country or international organization;
Additionally, the storage period, the right to request access, the right to withdraw
consent, the right to lodge a complaint with a supervisor, etc.
13. An impediment to providing information exists because mobile
devices have small screens, which means that there are space
limitations, while the attention spans of consumers are limited.
To address this issue, it is proposed to develop shorthand, consistent
disclosures, which will include the use of icons, short form privacy
notices, and layered notices.