Do you process data in a mobile app? Be prepared for an inspection by the Personal Data Protection Office

by Marta Wiśniewska

4 February 2022 ​

 
Like every year, the President of the Personal Data Protection Office (PDPO) published in January an inspection schedule for 2022.

According to the schedule, the following groups of entities should get ready for a PDPO inspection:

1. authorities processing personal data in the Schengen Information System (SIS) and Visa Information System (VIS);
2. banks (as regards profiling of personal data of customers and potential customers, as well as the method of informing persons applying for a loan about the credit rating);
3. processors of personal data using mobile apps (as regards the methods of securing and sharing the personal data processed in connection with using these apps).

According to PDPO’s notice, the scheduled inspections are dictated by numerous signals (including complaints about, questions regarding and notifications of personal data protection incidents) indicating the risk of violations of personal data protection laws, as well as high public interest in such problems.

PDPO’s inspection and processing of data in mobile apps

Particular attention should be drawn to inspections scheduled in the private sector, i.e. inspections of companies which process data using mobile applications. The PDPO defines this group of enterprises very broadly because virtually every company processes data in this way nowadays.

Such mobile apps may be intended directly for customers / individuals (e.g. sport apps, employee benefit apps, applications of online stores provided to users to manage their own accounts etc.) or be operated internally (e.g. CRM software, sales rep management systems etc.). The introduction and use of a mobile app should be well-planned and monitored on a regular basis.

First, the issue of data protection by design and by default should be taken into account. This means that you should consider, among others, the following aspects before implementing a mobile app:

• whether personal data will be processed in the mobile app, and if so, what kind of data;
• whether the processed data are necessary for a given purpose (i.e. whether excessive data will not be processed);
• how the information obligations will be met.

In addition to verification and correct implementation of a mobile app from the legal and formal perspective, it is also important to check the app technically, including data processing security measures. Furthermore, third parties which will support the mobile apps must be verified, and relevant personal data processing agreements must be concluded. Verification of the above aspects should be documented in the form of a risk analysis and a data protection impact assessment (if required). Then, once the mobile app is implemented, it must be regularly monitored and tested for cybersecurity on a regular basis.

Summary

It is important to verify:

• whether the company processes personal data in mobile apps;
• whether the apps have been properly implemented and technically secured.

When it comes to inspection by the PDPO, bear in mind that it is never unannounced.

The President of the PDPO must issue a notification of intended inspection. The inspection starts not earlier than 7 days, and not later than 30 days, of the date on which the notification is served. In addition to the formal notification, the entity which is scheduled for inspection is also notified by phone.

The notification of intended inspection should specify the scope and date of the inspection. Once you receive the notification, you should take steps to prepare for the inspection. Remember that law imposes a number of obligations on the inspected entities. Failure to meet them is punishable with administrative fines or even subject to criminal liability.

If you have any questions about personal data protection, you are welcome to contact Rödl & Partner experts.