Apple requires privacy policies for apps - what to look out for?

Since 3 October 2018, Apple has required a privacy policy for every iOS app. What has long been standard in Google's Play Store is now also mandatory in the Apple App Store: a dedicated privacy policy. The new requirement does not mean that apps without one will be removed from the store outright. It applies to new submissions and updates, which are only accepted if a dedicated privacy policy is provided. According to Apple, the policy must be reachable at a URL and must also be clearly legible within the app itself. Existing apps that do not yet have one must therefore supply a privacy policy with their next update at the latest.

Why, why, why?

Under the German Telemedia Act (TMG), apps count as so-called telemedia and have long been required to provide a privacy statement that transparently explains to the user which data is collected when the app is used. Since 25 May 2018, the EU General Data Protection Regulation (GDPR), with its new information and transparency obligations, also applies to apps. Users must therefore be informed in detail about the processing of their data "at the time of collection"; for an app this means, for example, when it is launched for the first time, by presenting privacy notices or a privacy statement.

What has long been required by law has so far been implemented rather half-heartedly in practice. In many cases, no separate privacy statement meeting the legal requirements could be found at all. Mostly, only the privacy statement of the provider's website was linked, which was either hard to read on a phone or not relevant to the app in the first place.

Isn’t the website's privacy policy enough?

No, in most cases it is not. A website policy does not reflect the different usage habits and, above all, the different format of an app. The differences from a website, especially in how the software is delivered technically and how it is presented on the device, are too great.

The special permissions that apps (ideally) request before first use must also be taken into account. Can the app access photos? Can it access the microphone or even the contacts? It must be explained for which purposes each of these permissions is required and how the user can revoke them again if in doubt.
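On iOS, the per-permission purpose explanation lives in the app's Info.plist as a usage description string, which the system shows verbatim in the permission prompt. The following fragment is an added example written for this article, not code from Apple or from any app the article discusses; the app name and the wording are assumptions. It shows the purpose-string keys for the permissions named above and contrasts the vague wording that fails the requirement with wording that states the purpose.

```xml
<!-- Added example (not from the original article): Info.plist purpose strings.
     The keys are Apple's; the app name "PhotoPal" and all wording are assumptions. -->
<dict>
    <!-- Weak (avoid): "This app needs access to your photos." names the
         permission but not the purpose, which is what the user must be told. -->
    <key>NSPhotoLibraryUsageDescription</key>
    <string>PhotoPal uses your photo library so you can pick a profile picture. Selected images stay on this device.</string>

    <!-- Weak (avoid): "Microphone access required." -->
    <key>NSMicrophoneUsageDescription</key>
    <string>PhotoPal records a short voice caption for a photo only while you hold the record button.</string>

    <!-- Weak (avoid): "We need your contacts." -->
    <key>NSContactsUsageDescription</key>
    <string>PhotoPal reads your contacts to let you share an album with a friend. Contacts are not uploaded.</string>

    <!-- Request the narrowest location permission that serves the purpose. -->
    <key>NSLocationWhenInUseUsageDescription</key>
    <string>PhotoPal uses your location, only while the app is open, to tag where a photo was taken.</string>
</dict>
```

A purpose string is mandatory: since iOS 10 an app that touches a protected resource without the matching key is terminated at the access attempt, and App Review rejects builds with missing or boilerplate strings. Every permission the user grants can be withdrawn later under Settings > Privacy, which is the revocation path the in-app privacy notice should point to.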

Advertising and ad networks also deserve attention, since most apps depend on advertising as their main source of income. Think of mobile games offered as free-to-play or with freemium content and financed exclusively through in-game advertising. Here the user must be told in a comprehensible way which advertising partners are involved, which data is processed and how to object to this processing.

Where consent to data processing is required, for example for the processing of health data in so-called health apps, that consent must be given explicitly and, above all, freely. The privacy policy, which unfortunately is still read by only a few users, is therefore no place to bury a consent declaration.

User information - a fine line for apps thanks to the GDPR!

On the one hand, users must be informed about all processing activities, such as the integration of analytics, advertising, permissions, or GPS and location data. On the other hand, this information must be provided in a comprehensible and transparent manner. On the mostly small screens of mobile devices, and with the complexity of the backend APIs involved, that is a fine line. What can the user reasonably be expected to read, and what merely serves the provider's own legal protection? Long texts on small screens often fail to meet the legislator's requirements. The target audience should be your users, not the lawyers of a competitor.

It is also important that the privacy policy can be accessed "at the time of collection" of the data. Ideally this is ensured by making it available in the App Store listing and by letting the user consult it at any time within the app, e.g. via a separate "Privacy" entry in the app's settings.

Data protection generators – cheap, but risky?!

For young founders and app developers, the question now arises as to how best to create such a privacy policy. Anyone who has already dealt with this for their website knows that there are several ways to draft one.

Many young companies resort to a "generator". For an app, however, this can be much harder than for a website. If an external developer is used, for example, it must be ensured that all technical details (which SDKs are integrated, what they transmit and to whom) are known and explained. The familiar generator may not be able to provide this level of detail. Bear in mind that, because of past controversies, supervisory authorities like to take a very close look at apps. They are also aware that a large number of apps collect and store data in the background without the user ever being told. Individual advice can therefore be worthwhile, at the latest for apps that are heavily data-driven.

If you have not yet dealt with the requirements of the GDPR, you can find a practical summary for start-ups at the following link: GDPR Guide for Start-ups: The 5 Most Important ToDo’s
