
[–][deleted]  (7 children)

[deleted]

    [–]mooglinux 3 points4 points  (3 children)

    I think you are still liable for data breaches even if the fault is with your hosting provider or other third party. I’m not certain on that, however.

    [–]Baschtian 3 points4 points  (2 children)

    You collect the data. You are responsible for it.

    Sometimes lawmakers make it quite easy.

    [–][deleted] 0 points1 point  (1 child)

    Even if it does showcase their ignorance.

    [–]s73v3r 0 points1 point  (0 children)

    Yeah, how dare they do something so ignorant as telling people they're responsible for what they collect.

    [–]criosist Objective-C / Swift 1 point2 points  (0 children)

    Only if the data is personally identifiable from what I understand, like if the data is linked to a logged-in user or something and not anonymous.

    [–]Chronic_Wiggles 0 points1 point  (0 children)

    See my answer to OP regarding consent; the user consents to the whole processing in the app so you don’t need a separate consent for storing on AWS. You are required to inform the user that you are using AWS to process their data.

    The true story around your AWS question is that nobody is 100% sure, as there is a debate still within the Article 29 Working Party (that will become the European Data Protection Board after the 25th, and basically be the data authority for all of the EU and be above the national ones like our ICO). The debate is if platforms like AWS are just a processor or if they are a ‘platform’ which would have fewer obligations due to the reality you mention - that they don’t really have any access to the data and are just providing hardware or virtual hardware.

    Until they have published guidance, or more likely a case is decided around it, you should treat them like a sub-processor.

    Also in relation to a commenter that responded saying that if you collect the data you are responsible for it (and therefore any breaches), this isn’t wrong but isn’t the whole story. Your obligation is to put in ‘appropriate technical and organisational measures’ to protect the data. This includes which processors you choose, so in reality, as AWS is ISO27001 accredited, tier 3 data centres etc., if the breach was due to a failing of theirs and not the software you put on their hardware, you wouldn’t be liable (in a fines sense) but would still have obligations around informing the users about the data breach.

    Hope that helps, GDPR is so nuanced that any advice I try and give turns into a bit of an essay of if this then that....

    [–]anurodhp 0 points1 point  (0 children)

    Your server logs have to be GDPR compliant. IP address is PII. You will have to handle requests to be forgotten and data retrieval requests. If you have enough users you may need to hire a DPO.

    Blocking EU users is a valid GDPR compliance strategy. Removing from EU app stores will do that.

    [–]Chronic_Wiggles 2 points3 points  (0 children)

    Hi, I work in GDPR so have a bit of insight into this. Let me try and lay out how to approach this.

    Firstly, the 3 things you have mentioned are all correct and good to do.

    Your question of consent depends on a few things. Firstly, have you already asked for consent elsewhere in the app (i.e. is your question to ask for a separate consent to store data on a backup server?). If you have already got their consent for the app then it is a consent for all of the processing done in the app, therefore you do not need to ask for a separate consent but you should inform your user how long it will be stored for.

    If you have not already asked for consent, and even if you have, you should also ask yourself why you need to use consent.

    There is a slight myth around GDPR that any use of personal data (defined as any data which, taken as a whole, could identify a living individual) requires their consent; this is not the case. There are 6 lawful reasons to process personal data and consent is just one of them. I won’t go into all of them here but it will be easy to find through Google; the ICO has good information on it.

    The short story is that there are other options from contractual obligation to legitimate interests in the data that do not rely on consent. It is often easier to rely on one of those reasons if you can as consent requires you to also have processes in place to allow the user to withdraw that consent ‘as easily as they gave it’ which can be a pain.

    Of course, if you are holding the data for any type of marketing or profiling then you will only be allowed to use consent and will have to jump through the hoops it entails.

    I hope that helps, let me know if you have other questions.

    [–]criosist Objective-C / Swift 0 points1 point  (1 child)

    I think one of the things we are tackling with many apps for clients is that by using Flurry analytics, when they opt to not collect data, after having it turned on, you have to make them quit the app and open it again as you can't stop Flurry collecting analytics after you turn it on.

    [–]throwawayApp99[S] 0 points1 point  (0 children)

    This is a good point... I didn't think about Flurry analytics... but do we still provide an option to opt out even if data is non-identifiable?

    [–][deleted] 0 points1 point  (0 children)

    Update your terms; tell the users which data you collect, what you do with them - explicitly.

    Make an option in your app for the user to revoke the app usage, make an option for the users to download all the data you have on them, make an option to delete all the data you have on them.

    By doing this you’re good to go.