On 22 December, the Personal Data Protection Authority ("Authority") published the Recommendations for Privacy Protection in Mobile Applications ("Recommendation Text").

We summarize the important points in the Recommendations Text under the relevant headings below:

  1. Purpose and Scope

The scope of the Recommendation Text is applications used on smartphones and tablets, and its purpose is "to address the existing and potential risks to the protection of privacy in mobile applications and to provide general recommendations to data subjects and data controllers in terms of personal data processing activities carried out through mobile applications used on smartphones and tablets" within the scope of the Law on the Protection of Personal Data No. 6698 ("Law").

  1. Data Controller-Data Processor Distinction

The Recommendation Text provides examples in mobile applications where several actors, including the app provider, app developer, advertising network, app store organisation, operating system provider, library provider and device manufacturer, may have the role of data controller or data processor in the processing and protection of data.

  1. Recommendations to Individuals

The Recommendations Text makes a distinction between what individuals should pay attention to before and during the installation and use of the app.

a. Before installation

The Recommendation Text recommends checking that the app comes from a trusted source, the app developer, the app name, user comments and ratings, the data requested by the app, and the privacy policy before installing the app.

b. During the use

The Recommendation Text recommends paying attention to data processing requests that are incompatible with the purpose of the app, avoiding the use of social media accounts to log in to apps, creating strong passwords and using multi-factor authentication to log in to apps, updating the app regularly and removing unneeded/unused apps from the device.

4. Recommendations to Data Processing Parties

a. The principle of compliance with the law and good faith: It is stated that it is necessary to ensure compliance with the Law and secondary regulations, to act in a way that prevents the emergence of consequences that the data subject does not expect and should not expect, to ensure transparency regarding data processing activities and to provide the necessary information (especially regarding third party service providers).

b. The principle of being accurate and up-to-date when necessary: In terms of mobile apps, the Recommendation Text states that users should be given the opportunity to correct their personal data and emphasizes that outdated personal data may pose a risk of identity theft.

c. The principles of being processed for specific, explicit and legitimate purposes and being relevant, limited and proportionate to the purpose for which they are processed: Within the scope of this principle, it is emphasized that the purpose of processing personal data processed through mobile apps and the data categories required to achieve the purpose should determined, data minimization should be ensured while making this determination, and the data obtained should not be subject to processing activities that exceed the purpose of using the app.

d. The principle of retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed: Within the scope of this principle, it is emphasized that the data should not be stored with the thought that it may be reused in the future, and it is stated that personal data should be destroyed by determining the retention and destruction periods justified according to clearly defined business needs or legal obligations and taking all necessary technical and administrative measures for the destruction of such data.

e. Ensuring transparency: Within the scope of this principle, the minimum information specified in the clarification communique should be provided, the clarification text/privacy policy should be kept in a place accessible by the user, VERBIS registration should be made when necessary, updates regarding personal data processing activities should be notified to users in updates regarding the app, and the necessary explanations and opportunities should be provided to the user regarding the privacy settings and management of the app. The Recommendation Text emphasizes the necessity of VERBIS registration in accordance with the Law, especially if foreign-based data controllers target users in Turkey.

f. Processing of personal data of children: Under this heading, it is recommended to establish systems to verify the age of users, especially in apps that are directed towards children / widely used by children, and to carry out processing activities for children with a separate policy and procedure.

g. Determining the conditions for processing personal data: It is emphasized that it is necessary to determine the conditions that will be the basis for the processing of personal data processed through mobile apps, to obtain the explicit consent of the user in case of processing personal data that is not needed to fulfill the actual function of the app and to establish explicit consent mechanisms in this context.

h. Ensuring data security: The main recommendations under this heading are summarized below:

  • Apps should be designed in compliance with the principles of privacy by design and privacy by default,
  • Authentication methods should be used on devices (especially multi-factor authentication) to prevent unauthorized access to devices using mobile apps,
  • An appropriate password security policy should be maintained by ensuring that strong passwords are created by users and changed periodically, and these passwords should be maintained by passing them through up-to-date "hashing" functions against the risk of cyber-attacks,
  • Regular patch management and software update processes should be carried out,
  • Appropriate software testing prior to the release of applications should be carried out,
  • Secure software development strategies should be executed,
  • The number of failed logins in users' account should be limited, and methods such as CAPTCHA, four operations, etc. on user login pages should be preferred as a precaution against bot attacks,
  • A risk assessment should be conducted before releasing applications considering the data protection and security features of the targeted operating systems,
  • Encryption should be used for protection during storage/transmission of personal data in practice, through an adequate encryption layer appropriately configured in network communications and secure management of the associated encryption keys,
  • Where personal data is stored on mobile devices, personal data security should be ensured through effective encryption of personal data.

You can access the full Recommendation Text from the link below (in Turkish).

https://kvkk.gov.tr/SharedFolderServer/CMSFiles/8ba209bb-fa93-4479-84f0-dd55aac97a0f.pdf

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.