On June 18, 2014, the German state data protection authorities responsible for the private sector (the Düsseldorfer Kreis) issued guidelines concerning the data protection requirements for app developers and app publishers (the “Guidelines”). The Guidelines were prepared by the Bavarian state data protection authority and cover requirements in Germany’s Telemedia Act as well as the Federal Data Protection Act. Topics addressed in the 33-page document include:
- Applicability of German law;
- Compliance responsibilities (e.g., legal bases, consent, profiling, pseudonymization and anonymization, and purpose limitation);
- User information (e.g., data protection notices and their readability on mobile devices, data subject rights);
- Technological means (e.g., local data storage, logging, location data); and
- High-risk data processing (e.g., payment processing, apps for children).
According to Thomas Kranig, President of the Bavarian state data protection authority, a 2013 review of apps discovered many shortcomings in how developers and publishers comply with German data protection law. Now that specific guidelines have been published, Kranig emphasized that enforcement action will be stepped up for apps that breach data protection law in a way that constitutes an administrative offense.