Announcements
Turkish Data Protection Authority Publishes Advisory Guidelines on the Protection of Personal Data in Mobile Applications
The Turkish Data Protection Authority ("Authority") has recently published a Guideline on Recommendations for the Protection of Privacy in Mobile Applications ("Guideline") on the Authority's website, which provides recommendations on how to ensure that mobile applications, from checking the weather to receiving real-time news updates, from conducting banking transactions to tracking health status, and from using social media to online shopping, are designed in compliance with the principles of privacy by design and privacy by default, and to protect personal data at the highest level.
The Guideline:
- Enumerates examples of personal data processed by mobile applications:
  - identity information (name and surname, Turkish ID number, date of birth, etc.),
  - membership information (username, password, etc.),
  - contact information (home address, phone number, e-mail address, etc.),
  - financial information (IBAN, credit card number, etc.),
  - online identifiers (IP address, MAC address, IMEI and IMSI numbers, fingerprinting through the list of applications installed on the device, etc.),
  - user interactions (search history, in-app purchases, etc.),
  - location information,
  - lists of friends in the phone book or in apps,
  - biometric data (facial recognition data, fingerprint data, voiceprint biometrics, etc.),
  - health data (heart rate, sleep patterns, etc.) where the application is health-related,
  - visual data collected by granting access to the device's camera and gallery,
  - auditory data collected through voice commands or messaging applications,
  - text data collected from messaging platforms.
- Under Act No. 6698 on the Protection of Personal Data ("Act"), the use of voiceprint biometrics in voice recognition applications, the collection of health data in health applications, and messages that reveal individuals' beliefs and political opinions are given as examples of sensitive personal data.
- Actors such as the application provider, application developer, advertising network, app store operator, operating system provider, library provider and device manufacturer are held responsible for the processing and protection of personal data.
- The application provider is considered the data controller with respect to its use of users' personal data. Where the provider and the developer are separate organizations, the developer is considered a data processor if, under the contract between them, it assumes only a technical role in the processing and does not process personal data for its own purposes.
- The Authority's recommendations for individuals using mobile devices:
  - Before installing a mobile application:
    - make sure the application comes from a reliable source,
    - download from trusted platforms such as app stores,
    - check the developer and make sure its name is correct,
    - check user reviews and ratings,
    - do not assume that every high-scoring application is trustworthy,
    - prefer an alternative to an application that demands more personal data than the service requires.
  - When using a mobile application:
    - do not grant access permissions unrelated to the application's function,
    - for permissions granting continuous access to device features that capture location, audio and video, choose the "allow only while using the application" option, bearing in mind the intended use of such data,
    - do not use social media accounts to sign in to applications,
    - use passwords built from strong combinations of uppercase and lowercase letters, numbers and symbols rather than easily guessable strings tied to personal information, and enable multi-factor authentication for application logins,
    - keep applications up to date, since outdated software is at risk of attack, and check privacy settings after updating,
    - remove unused applications from mobile devices.
- For parties acting as 'data controller' or 'data processor', the Authority states the following.
- Under the Principle of Compliance with the Law and Good Faith, application developers and providers are advised to question the legal basis for processing before processing data, to be honest and transparent about the personal data processed in mobile applications, and to implement processes and designs that support the exercise of data subjects' rights. The Authority finds that turning on the device's voice command feature when the mobile application is first used is contrary to this principle.
- On the basis of this finding, the Authority recommends measures such as granting microphone access only while the user is actively using the device, rather than while the phone is on a table or in a pocket or bag.
- Again, the Authority considered that it is against the rule of good faith for a mobile application provider, which monitors the physical activity levels of individuals by counting steps and monitoring their sleep and dietary habits, to offer health insurance services and to use the personal data collected through the mobile application to calculate insurance premiums.
- Under the Principle of Being Accurate and Up-to-Date Where Necessary, users should be given the means to correct their personal data within the application using appropriate methods; the Guideline also notes that outdated personal data can create a risk of identity theft.
- For example, if a user changes phone number and, some time later, requests a password reset through the mobile application because the password has been forgotten, sending the reset code to the previously registered phone number that the user no longer uses risks delivering the code to a third party.
- Within the scope of the Principles of Processing for Specific, Explicit, and Legitimate Purposes and Being Relevant, Limited, and Proportionate to the Purpose for which they are Processed; it is stated that personal data obtained by the mobile application should not be subject to processing activities that exceed the purpose of using the application.
- In the Guideline's example, tracking the exact location and movements of the users of a contact-tracing application developed to combat infectious diseases is unnecessary for determining that a user has been in close contact with an infected user, and processing of this nature is contrary to the principle of being relevant, limited and proportionate to the purpose.
- Under the Principle of Retention for the Period Stipulated in the Relevant Legislation or Required for the Purpose of Processing, retention and destruction periods justified by clearly defined business needs or legal obligations should be determined for personal data, and the data should not be stored longer than required.
- For example, if the user of a mobile application that provides e-mail service does not log in to the application for a certain period of time, his/her status should be converted to inactive user and the retention period of his/her personal data should be shorter compared to active users (except for legal obligations).
- Under Article 16 of the Act, providers located abroad whose mobile applications offer goods and services by reference to Turkey (for example, introductory explanations indicating that the service is intended for persons in Turkey, a Turkish language option, the option of product delivery to Turkey, or the targeting of persons in Turkey in the provision of goods and services) must also fulfil the obligation to register with the Data Controllers Registry.
- Considering that mobile applications are frequently used by children, the Authority refers to its document titled "Protection of Children's Personal Data - Things to be Considered by Product and Service Developers" for the processing of children's personal data, particularly in applications directed at children or known to be widely used by them, and recommends establishing systems to verify users' age and handling children's data under a separate policy and procedure.
- It is recommended to limit the number of failed login attempts for mobile application accounts and, as a precaution against bot attacks, to use methods such as CAPTCHA or simple arithmetic ("four operations") challenges on login pages.
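The stale-phone-number reset scenario and the failed-attempt limit above, combined in one added example (not from the Guideline or the Authority): a reset code is only ever sent to a contact channel the user re-confirmed recently, and repeated wrong codes cancel the reset. The 180-day window, the attempt limit and the sample account are constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
import hmac
import secrets
MAX_CONTACT_AGE = timedelta(days=180)  # constructed policy: channel re-confirmed within 180 days
MAX_CODE_ATTEMPTS = 5                  # constructed policy: wrong codes tolerated per reset

@dataclass
class Contact:
    kind: str               # "phone" or "email"
    value: str
    verified_at: datetime   # last time the user proved control of this channel

@dataclass
class Account:
    contacts: List[Contact]
    pending_code: Optional[str] = None
    code_attempts: int = 0
    locked: bool = False

def start_reset(account: Account, now: datetime) -> Optional[Contact]:
    """Issue a one-time code and return the channel it may be sent to, or None
    if no channel was confirmed recently enough (caller must re-verify instead)."""
    current = [c for c in account.contacts if now - c.verified_at <= MAX_CONTACT_AGE]
    if not current:
        return None
    account.pending_code = f"{secrets.randbelow(10**6):06d}"
    account.code_attempts = 0
    return current[0]

def verify_code(account: Account, submitted: str) -> bool:
    """Constant-time code check; too many wrong codes cancel the reset and lock recovery."""
    if account.locked or account.pending_code is None:
        return False
    account.code_attempts += 1
    if hmac.compare_digest(account.pending_code, submitted):
        account.pending_code = None   # code is single-use
        return True
    if account.code_attempts >= MAX_CODE_ATTEMPTS:
        account.locked = True         # further recovery needs manual review
        account.pending_code = None
    return False

def sample_account(now: datetime) -> Account:
    """Constructed sample: phone confirmed two years ago, e-mail one month ago."""
    return Account([
        Contact("phone", "+90 5XX XXX XX XX", now - timedelta(days=730)),
        Contact("email", "alice@example.com", now - timedelta(days=30)),
    ])
```

With the sample account, `start_reset` routes the code to the e-mail channel and never to the two-year-old phone number; an account whose only channel is stale gets no code at all.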
You can access the full text of the Guidelines (in Turkish) here.
The document titled "Protection of Children's Personal Data - Considerations for Product and Service Developers" (in Turkish) is available here.
Kind regards,
Zümbül Hukuk ve Danışmanlık