The Guideline for the Protection of Privacy in Mobile Applications contains recommendations on the current and potential risks related to personal data processing activities in mobile applications.

The Personal Data Protection Authority (“Authority”) published the Guideline for the Protection of Privacy in Mobile Applications (“Guideline”) on its website, stating that mobile applications process personal data in order to improve user experience and optimize functionality. The Guideline provides many recommendations for data subjects to protect their personal data in this process.

The main headings of the Guideline are as follows:

  • The Law on the Protection of Personal Data defines personal data as “any information relating to an identified or identifiable natural person” and gives various examples of personal data processed in mobile applications. This data includes identity information, contact information, financial information, online identifiers and biometric data. Sensitive personal data, in particular, is protected more strictly, as it may cause the individual to be victimized or discriminated against.
  • In mobile applications, personal data and various non-personal data can be processed in order to improve the user experience, strengthen functionality, improve the service offered and create marketing strategies. The personal data processed varies according to the function of the application, its design, and the permissions given by the user.
  • To verify that a mobile application is reliable, it is important to download it from reliable sources such as official app stores or the official website of the mobile application provider. When installing a mobile application, applications of unknown origin should be avoided and the name of the application should be verified.
  • User comments and ratings are useful for getting information about the mobile application, although they do not guarantee that it is trustworthy.
  • Before installing an app, access permissions should be checked, the app’s privacy policy should be reviewed, and requests for personal data should be carefully considered. In particular, caution should be exercised against requests for personal data that are not related to the service, and alternative applications should be investigated when necessary.
  • The use of social media accounts to log in to apps should be avoided, as this may cause the app to collect information from the relevant social network account and make the accounts more vulnerable to threats.
  • It is important that the passwords used when logging into applications form strong combinations. These combinations must contain uppercase and lowercase letters, numbers, and symbols. Different passwords should be used for each account, if possible, and multi-factor authentication should be enabled.
  • It is important to keep applications up to date, as outdated software can become more vulnerable to attack. After updates are made, the privacy settings should be checked.
  • Personal data processed through mobile applications should be processed in accordance with the procedures and principles specified in Article 4 titled “General Principles” of the Law on the Protection of Personal Data No. 6698.
  • In this context, in accordance with the rule of good faith, application developers and providers should check whether there is a legal basis before starting to process personal data.
  • The main problem in mobile apps is that permission architectures do not provide the possibility to grant separate permissions to third parties. As a result, apps can struggle to manage requests for access to specific data, and the third-party services involved can be unclear.
  • Mobile devices that work with voice commands through voice control assistants can access all verbal communication. In this case, it is important that the processed personal data is disclosed transparently. Having the voice control feature turned on by default when the application is used is contrary to the rules of law and honesty. It is necessary to take precautions such as providing access to the microphone only while the user's device is actively being used.
  • A mobile application that tracks data subjects’ physical activity levels creates statistical information using data such as users’ step counts and sleep patterns, and processes this data by reminding them to exercise. However, if the same application provider provides health insurance services and calculates insurance premiums using this data, it may exceed the user’s reasonable expectation and constitute a violation of the rule of good faith.
  • Personal data must be accurate and, where necessary, up to date. Within the framework of the principle of “being accurate and up-to-date when necessary” in mobile applications, users should be offered the opportunity to correct their personal data, and this feature should be taken into account in the design process of the application and made available through appropriate methods. At the same time, it should be remembered that outdated personal data can create a risk of identity theft.
  • The purpose of personal data processed through mobile applications must be specific. To this end, when determining which categories of personal data are needed, the aim should be to collect as few types and as small an amount of personal data as possible, thus protecting the fundamental rights and freedoms of data subjects.
  • It is stated that personal data should be kept for the period required for the purpose for which they are processed, in accordance with the principles of “limitation to purpose” and “retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed”.
  • It is stated that the processing activities for children’s personal data should be handled separately from other processing activities. Especially in applications aimed at children, age verification systems should be established and transactions for children should be carried out under a separate policy and procedure.
  • Determining transparency and processing conditions for personal data transactions in mobile applications is important to ensure confidentiality and transparency.
  • In mobile applications, the explicit consent of the user must be obtained where personal data that is not necessary for the main function of the application is processed. Where location data is collected for targeted advertising, this data should not be collected unless the user has given explicit consent. In addition, the application must remain usable if the user disables permissions for features that are optional and not required for its actual function.
  • Mobile applications should be designed in accordance with privacy principles, and it is important to ensure that users use privacy-oriented settings on first use.
  • Authentication methods and user control mechanisms should be used to prevent unauthorized access.
  • Security policies such as the use of strong passwords, encouraging multi-factor authentication, and regular password changes should be implemented.
  • Passwords should be stored securely and software should be updated regularly. Software tests should be passed completely, and application security should be considered from the design stage.
  • The number of unsuccessful login attempts to users’ accounts in mobile applications should be limited, and methods such as CAPTCHA should be preferred.
  • Care should be taken to use encryption for data security, and effective encryption of personal data should be ensured, especially on mobile devices.

The full text of the Guideline can be reached via this link. (Only available in Turkish)