Data protection issues surrounding possible cross-app tracking have once again come into focus following a complaint filed by noyb concerning the potential sharing of user data between different mobile applications and a major social media platform.
Recent developments in EU data protection law highlight ongoing concerns regarding the processing of personal data by major digital platforms. The European digital rights organisation noyb has recently filed a complaint with an EU supervisory authority concerning the data processing practices of a major social media platform.
According to noyb’s complaint, the platform allegedly receives information about users not only through its own application, but also through interactions occurring in other mobile applications installed on users’ devices. The data is alleged to originate from third-party analytics or advertising partners, which may share information regarding user activity across different applications.
This type of alleged data sharing raises important questions under the GDPR, particularly where users may not be fully aware that their activity in one application could be shared with, or made available to, another digital platform. Possible cross-app tracking can be difficult for individuals to understand, especially when several third-party providers, analytics tools or advertising partners are involved.
Of particular concern is the possibility that such data could allow inferences to be drawn about sensitive aspects of an individual’s private life. Depending on the nature of the applications used and the information shared, certain data may potentially reveal information relating to a person’s health, sexual orientation, political views, religious beliefs or other sensitive matters.
Under the GDPR, this type of information may fall within special categories of personal data under Article 9. Such data benefits from stricter protection and may only be processed under limited circumstances and subject to appropriate legal safeguards.
The complaint also raises issues regarding the right of access under Article 15 GDPR. It is alleged that when a user exercised their right to obtain a copy of their personal data, the platform provided access only to a limited set of information through a downloadable tool. According to the complaint, this tool did not include all personal data allegedly processed by the platform, which may raise questions regarding transparency and compliance with Articles 12 and 15 GDPR.
At the time of writing, the matter concerns allegations raised in a complaint filed by noyb with the competent supervisory authority. This article does not refer to any final finding of infringement. If confirmed by the competent supervisory authority, the alleged practices may give rise to broader compliance concerns under the GDPR, particularly in relation to the lawfulness of processing, the handling of sensitive personal data and transparency obligations.
noyb also appears to request the imposition of an effective, proportionate and dissuasive administrative fine under Article 83 GDPR, with the aim of preventing similar infringements in the future, should the allegations be confirmed by the competent supervisory authority.
This article does not seek to reproduce the noyb complaint in full, but rather to highlight the key data protection issues raised by it.
What Rights Do Individuals Have Under the GDPR?
The GDPR provides individuals in the European Union with important rights in relation to the processing of their personal data. These rights include:
- The right to access their personal data
- The right to request rectification of inaccurate data
- The right to request erasure of personal data, also known as the right to be forgotten
- The right to restrict processing
- The right to object to certain types of processing
- The right to be informed about how their personal data is collected, used and shared
Organisations processing personal data must be able to respond to such requests within the time limits established by the GDPR. They must also ensure that individuals receive clear and transparent information about how their personal data is processed.
This is particularly important in the digital environment, where personal data may be collected through websites, mobile applications, cookies, analytics tools, advertising technologies and third-party integrations. Individuals should not be left guessing who has access to their data, why it is being used or how they can exercise their rights.
Why This Matters for Businesses
Cases such as this illustrate the increasing regulatory scrutiny faced by technology companies, digital service providers and organisations operating within complex data ecosystems.
Many businesses rely on third-party tools for analytics, advertising, customer engagement, app functionality, social media integration or personalised content. These tools may be useful from a commercial perspective, but they can also create GDPR risks if personal data is collected or shared without sufficient transparency, a valid legal basis or appropriate safeguards.
Businesses should therefore understand not only what data they collect directly, but also what data may be collected through third-party providers. This includes reviewing how cookies, SDKs, pixels, analytics tools and advertising technologies operate in practice.
A Privacy Notice or Cookies Policy should not simply state that “data may be shared with third parties”. It should explain, in clear and accessible language, what categories of data are collected, why they are collected, who may receive them and what rights individuals have.
Where sensitive data or inferences about sensitive aspects of an individual’s life may be involved, businesses should be especially careful. The GDPR provides stricter rules for special categories of personal data, and organisations should carefully assess whether such data is being processed, whether there is a valid legal basis and whether additional safeguards are required.
Conclusion
This case serves as a reminder that GDPR compliance is not limited to having policies in place. Businesses must ensure that their actual data processing practices are transparent, lawful and proportionate.
As digital platforms increasingly rely on third-party analytics, advertising partners and technologies that may enable cross-app tracking, organisations should regularly review their data practices, Privacy Notices, Cookies Policies and third-party tools.
Failure to comply with the GDPR may lead not only to regulatory action and potential fines, but also to reputational damage and loss of consumer trust.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.