The Board published the Guideline on Recommendations for the Protection of Privacy in Mobile Applications (“Guideline“) in order to address the existing and potential risks regarding the protection of privacy in mobile applications and to provide general recommendations for data subjects and data controllers in terms of personal data processing activities conducted through mobile applications used on smartphones and tablets.

In the Guideline, it is mentioned that mobile applications collect various personal data ranging from identity information to health data, and it is pointed out that the data accessed by the application may constitute special categories of personal data.

In addition, the Guideline distinguish between data controller and data processor in terms of mobile applications. Accordingly, the mobile application provider shall be considered as the data controller to the extent that it uses the personal data of the users for its own purposes. In the event that third party services are integrated into the application or the operating system provider brings together the applications installed on the device, more than one parties can be considered as data controller. In case the mobile application provider and the mobile application developer are separate organisations, the developer may only be considered as a data processor in cases where it is clear that the developer does not process personal data for its own purposes.

In the Guideline, the importance of compliance with the general principles listed under Article 4 of the LPPD is emphasised and supported with examples, and it is reminded that the conditions for ensuring transparency regulated under Article 10 shall be fulfilled. In this context, it is recommended that documents such as information note, privacy policy, changes regarding data processing should be notified and easily accessible.

In the Guideline, it is stated that mobile application providers that offer goods and services by referring to Türkiye, make introductory statements indicating that the service is provided to persons in Türkiye, offer Turkish language option in the provision of goods and services, offer the option of product delivery to Türkiye, target the relevant persons in Türkiye in the provision of goods and services; or carry out behavioural advertising activities, conduct online tracking through unique identifiers and carry out geo-localisation activities for marketing purposes should take into account the VERBIS obligation.

Considering that mobile applications are frequently used by children, it is recommended to establish systems to verify the age of users, especially by the mobile applications directed to children or known to be widely used by children, and to carry out processing activities for children by following a separate policy and procedure.

Should you have any inquiries, please do not hesitate to contact us.