Identifying the roles of those involved in making an app, and their respective responsibilities, is one of the most important things to establish when it comes to the dynamics inherent in data processing.
The developer technically sets up the application so that data are requested, received, and stored according to the rules, and for this reason the developer is often mistakenly identified as the sole data controller. In reality, the technical implementation does not by itself make the developer the sole responsible party.
Currently, at the EU level, Regulation No. 2016/679 (the GDPR) applies, and Article 3 of that Regulation concerns the figure of the data controller.
It is important to define which of the parties involved acts as data controller, which as data processor, and which as processor, because that is what actually determines the applicable law.
Several actors contribute to the creation of an app: developers, manufacturers, app stores or retailers, and third parties such as sponsors and consultants if it is an app in an industry with very technical specifications.
Defining the roles in the contract, or even simply in the privacy notice, makes it possible to identify who is responsible for any unlawful processing of data.
Cases of violation through unlawful processing
I described, in the article on consent to data processing, the ways in which user authorization for data processing can be obtained. Following those guidelines, however, still does not make unfair and unlawful processing permissible. In essence, if the processing is excessive and/or disproportionate to its purposes, there is no valid legal basis for it, and the Data Protection Directive is violated.
No part of a statement to which the data subject has given consent is binding if it constitutes a violation of the Regulation.
To properly design the mechanism for obtaining consent to data processing, I invite you to consult the in-depth article on the subject.
Organizational and technical measures for data security
Beyond legal obligations, thinking about user security should be the first duty of an app maker.
On the subject of security, Article 32 of the GDPR stipulates that, taking into account the state of the art and the cost of implementation, as well as the nature, scope, context and purposes of the processing, and the risk of varying likelihood and severity to the rights and freedoms of natural persons, the controller and the processor must implement technical and organizational measures to ensure a level of security appropriate to the risk.
These security measures may include:
1. pseudonymization and encryption of personal data;
2. the ability to ensure the continued confidentiality, integrity, availability, and resilience of systems and services that process personal data;
3. the ability to promptly restore data availability and access in the event of a physical or technical incident;
4. a procedure for regularly testing, verifying and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.
5. Genetic and biometric data
Genetic and biometric data include, for example, fingerprints, voice, hand shape, and retinal structure.
Any biological property, physiological characteristic, or biological trait must be protected at a level of security appropriate to its status as sensitive data.
The same applies to repeatable actions, insofar as such characteristics and/or actions are both distinctive of a particular individual and measurable, even if the methods used in practice to measure them involve some degree of probability.
Understanding when and how to apply the regulation when not all actors are in the EU
Currently, at the EU level, Regulation No. 2016/679 (the GDPR) applies: Article 3 of that Regulation completely revises the traditional conception of the principle of territorial establishment.
The user who uses the app, and to whom the data relate, may be located in one state, the developer in another, and the producer in yet another. Article 3 therefore makes it possible to identify a data controller established in the Union regardless of whether the processing itself is carried out in the EU.
When the controller is not located in the European Union, the EU Regulation still applies to the processing of personal data of data subjects located in the Union where:
(a) the goods or services offered are aimed at EU users, regardless of whether payment by the data subject is required;
(b) the monitoring of their behaviour, insofar as it takes place within the European Union, is concerned;
(c) the controller is established in a place where the national law of a Member State applies by virtue of public international law.