A GUIDE TO RECOMMENDATIONS FOR THE PROTECTION OF PRIVACY IN MOBILE APPLICATIONS
INTRODUCTION
Mobile devices, which have become one of the building blocks of human life with the digital age, are divided into many categories such as smartphones, tablets, laptops, wearable technology. Personal data of individuals are processed for different purposes and in different ways through mobile applications offered for use on these devices.

The Personal Data Protection Authority (“Authority”) aims to guide data subjects and data controllers within the scope of personal data processing activities carried out through mobile applications used on smartphones and tablets by evaluating the protection of privacy and potential risks in mobile applications with the Recommendations Guide for the Protection of Privacy in Mobile Applications (“Guide”) published on 22.12.2023.

PERSONAL DATA PROCESSED IN MOBILE APPLICATIONS
In mobile applications, personal data and many data that do not qualify as personal data are processed for purposes such as enriching the user experience, providing functionality, improving the service offered and creating marketing strategies. The following data can be given as examples of personal data that differ according to the nature of the application:

Identity information (name and surname, T.R. Identity information, date of birth, etc.)
Membership information (username, password, etc.)
Contact information (home address, telephone number, e-mail address, etc.)
Financial information (IBAN, credit card number, etc.)
Online identifiers (IP address, MAC address, IMEI and IMSI number, fingerprinting through the list of applications installed on the device, etc.)
User interactions (search history, in-app purchases, etc.)
Location information,
Friend lists in the phone book or apps,
Biometric data (facial recognition data, fingerprint data, voiceprint biometrics, etc.)
Health data (heart rate, sleep patterns, etc.) if the application is health-related
Visual data collected by granting access to the device’s camera and gallery
Auditory data collected through voice commands or messaging applications
Text data collected from messaging platforms
Within the scope of the processed data, the applications can obtain information about the social connections of these users by accessing the phone books of the users, friend lists in other applications, and can perform profiling by revealing the habits of the users with location information. However, since special categories of personal data specified in Article 6 of the Law on the Protection of Personal Data (“Law”) are categories of data that may cause victimisation or discrimination of the person if they are learned by others, strict protection measures should be taken. For example, the use of voiceprint biometrics in voice recognition applications, processing of health data in health applications, visuals may indicate ethnic origin, race, messages may indicate belief, political opinion, health status, and therefore collect special categories of personal data. In this context, this data processing activity must be carried out within the framework of the conditions specified in the Law.

DATA CONTROLLER – DATA PROCESSOR CONCEPTS WITHIN THE SCOPE OF MOBILE APPLICATIONS
With the Guideline, the concepts of mobile application developer, mobile application provider and application store, which were not previously defined in our legislation, have been defined. In this context

Mobile Application Developer: A natural or legal person who designs and develops various software and applications to be used on mobile devices,

Mobile Application Provider: A natural or legal person that provides users or organisations with access to mobile applications and related mobile services over the internet,

App Store: An online application distribution platform where users can download various mobile applications for free or for a fee.

Considering the structure of mobile applications, the application provider and developer, advertising network, operating system provider, application store organisation, library provider and device manufacturer are the main ones in terms of personal data processing activities, but there are many institutions to which responsibility can be attributed. In terms of personal data processing activities through mobile applications, the Authority will make an assessment of the data processor-data controller by making an examination within the scope of the concrete case.

When the relevant bodies in the data processing activity through mobile applications, which are expressed as software programmes designed to run on mobile devices, are evaluated with examples;

The application provider will generally be accepted as the data controller to the extent that it uses the personal data of users for its own purposes.
In cases where the mobile application integrates a third party service into the application, there is more than one data controller.
The operating system provider may be considered to be the data controller if the operating system provider uses the personal data collected from the applications on the user’s device for its own purposes by combining the data by using the applications installed on the device.
If the application provider and the application developer are separate organisations, the application developer may be considered as the data processor if the application developer does not perform personal data processing activities for its own purposes by assuming only a technical role in accordance with the contract between these organisations. However, considering that personal data obtained from mobile applications are generally stored in the cloud, if the application developer uses a cloud service, it is likely that the title of data processor will arise.
RECOMMENDATIONS FOR INDIVIDUALS
Things to Consider Before Installing Mobile Application
It should be ensured that the source of the application is reliable and it should be downloaded to the device via platforms that are considered to be reliable.
When downloading the mobile application to the device, the official application stores provided by the device manufacturer or operating system or the official internet system of the mobile application provider should be used, so that the risk of installing dangerous applications on the device can be reduced.
Before installing the mobile application, information about the developer of the application should be obtained and the name of the application should be made sure. Imitation applications of unknown origin should be avoided.
User comments and ratings of the mobile application should be taken into consideration.
Although high scoring and positive comments do not provide absolute reliability to the application, user comments and scores should be checked to get an idea about the reliability and functionality of the application. As a matter of fact, although the application scores are very high, Meta, X and TikTok, which have millions of users worldwide, come to the agenda with a new data breach news every day.

Before the mobile application is installed on the device, the privacy policy should be examined and it should be checked which data it requests access to.
The relationship of the data that the application requests access to with the functionality of the application and the service it provides should be evaluated. If the application requests access that exceeds the scope of the service relationship, the person should evaluate whether he/she really needs the application and, if necessary, consider alternative application options.

For example, according to the news published in 2023 July, it was stated that Threads, created by Meta as a competitor to X, could include sensitive data such as health and fitness information, financial information, location and browsing history in its application store. It was also found that Threads’ privacy policy was the same as other platforms owned by Meta. Considering Meta’s history in privacy policies, the data collected by Threads raises suspicion. You can find the details of the related news in the 13th issue of our “What’s Happening in the World?” series.

Things to Consider During the Use of a Mobile Application
Attention should be paid to the information requested during the use of the application. In mobile applications where location, audio and video are obtained, continuous access permissions should be granted by evaluating the purposes of the data used in the applications.
Mobile applications may request permission to access data that are not needed within the scope of the functionality of the application during use. For example, a photo editing application’s request for access to photos or a navigation application’s request to use instant location to provide accurate direction and location information to the user will be accepted as a normal situation.
The use of social media accounts should be avoided while logging into mobile applications.
Mobile applications that are logged in with social media accounts may allow the collection of information through the person’s social media account and make these accounts more vulnerable to threats.
Mobile application login passwords should consist of strong combinations, and passwords should not include numbers or letter strings consisting of personal information that can be easily guessed. If the application allows, different passwords should be created for each account and multi-factor authentication should be enabled.
At the multi-factor authentication stage, many applications use the verification method with biometric data. At this point, the suitability of the special quality personal data processed during the multi-factor application should be evaluated, and if there are options such as SMS verification, these methods should be preferred.

In addition, saving mobile application login information through a single linked account may also pose a risk. For example, the e-mail address and password provided to log in to the applications can be saved in the internet browser. If the user’s internet browser account is compromised, it is highly probable that the data in the applications connected with the browser in question can also be accessed. In our opinion, the fact that various scenarios such as this example are not addressed by the Guidelines raises questions as to whether the Guidelines are capable of responding to today’s technological developments and practices.

Current versions of applications should be used. Privacy settings should be checked after application updates.
Saving financial information should be avoided.
Unused and unneeded mobile applications should be deleted from the device.
RECOMMENDATIONS FOR PARTIES PROCESSING PERSONAL DATA
Compliance with General Principles
Article 4 of the Law states that personal data can only be processed based on the procedures and principles stipulated in this Law and other laws, and data controllers are obliged to comply with the general principles listed in the same article.

The Principle of Compliance with the Law and Good Faith
The principle of compliance with the law and the rule of good faith is the obligation to act in accordance with the principles introduced by laws and other legal regulations while carrying out personal data processing activities. Within the framework of this principle, the data controller should ensure the transparency of the activity by considering the interests and reasonable expectations of the data subject while trying to achieve its objectives with the data processing activity and act in accordance with the obligation to inform.

In the reflection of this principle on mobile applications, application developers and application providers are expected to determine the existence of a legal reason before starting the personal data processing activity, to be honest and transparent about the personal data processed within the scope of the activity, to enable the data subjects to exercise their rights and to implement processes and designs that support the exercise of these rights.

The biggest problem that arises in mobile environments is that the permission mechanism does not allow the application and third parties integrated into the application to give permission separately. Mobile applications can only request access to data because a third party wants or needs access to that data. At this point, it should be noted that transparency should be provided about the third party processing utilised in the application and if there is no legal reason for the third party integrated into the application to process personal data through the service, this service should not be used in the application.

For example, if voice control assistants are activated on mobile devices that work with voice commands supported by voice control assistants, all verbal communication becomes accessible. In this context, transparency should be provided about the data to be processed. However, the activation of this feature on the device for the first time use of the application may be contrary to the law and the rule of good faith. However, for example, the user’s reasonable expectation in the processing of personal data can be met by taking measures such as providing access to the microphone when the user is actively using the device instead of providing access to the microphone when the mobile phone is not actively used.

In the case of a mobile application that monitors the physical activity levels of individuals by counting steps and monitoring sleep patterns and dietary habits, the processing of this data by reminding users to exercise as well as the statistics generated by the application with the data obtained by the application may be considered in accordance with the intended use of the application. This situation may be considered reasonable and welcomed by the users. However, if this application provider provides health insurance services and uses the personal data collected through the mobile application to calculate the insurance premium, a breach of the good faith rule may arise due to exceeding the reasonable expectations of the user.

The Principle of Being Accurate and Up-to-Date When Necessary
The principle of being accurate and, where necessary, up-to-date is linked to the right to request correction of the data granted to the data subject under the Law. In this context, although the data controller must always keep the channels open to ensure the accuracy and timeliness of the data subject’s information, the active duty of care exists in the event that it produces a result for the data subject based on this data.

In the reflection of this principle on mobile applications, it is expected that users are given the opportunity to correct their personal data through appropriate methods within the application. Outdated personal data creates a risk of identity theft.

For example, in a scenario where the application, which is signed up without verifying the phone number and e-mail information, does not provide users with the opportunity to update this information within the application, if the person mistakenly entered the e-mail address incorrectly and the information regarding the shopping made through the mobile application was sent to this e-mail address, personal data may be disclosed to a third party. In this case, the fact that the application does not verify the e-mail address constitutes a violation of this principle.

Similarly, in the scenario where the user changes his/her phone number and requests a password renewal because he/she has forgotten the password of the mobile application and the code is sent to the phone number previously registered in the system and no longer used, there will be a risk of sending the code to a third party. In this case, the fact that the user is not given the opportunity to check and update his/her phone number within the application constitutes a violation of this principle.

The Principles of Processing for Specific, Explicit and Legitimate Purposes and Being Relevant, Limited and Proportionate to the Purpose for which they are Processed
This principle regulated in the Law is a reflection of the principle of data minimisation. In terms of personal data processed through mobile applications, after the purpose of the processing activity is determined, it should be determined which categories of personal data are needed to fulfil the purpose in question. In addition, it is also important that the processing carried out through the mobile application is purpose-related, limited and proportionate in order to ensure predictability for users.

For example; a mobile application prepared to be used in contact tracing for the purpose of combating infectious diseases will be able to fulfil its purpose of use only by processing the proximity data of individuals (information collected through Bluetooth technology and showing how close people are to each other over what period of time). Therefore, the tracking of the exact location and movements of the users of this mobile application is unnecessary for the purpose of determining that the user is in close contact with another user with an infectious disease, and a processing activity of this nature may contravene the principle of being connected to the purpose, limited and proportionate.

Another example is; in cases where it is possible to carry out the processing activities to be carried out within the scope of the service provided by the mobile application only with the personal data to be kept in the local storage area of the device where the mobile application is used, not transmitting the personal data in question to the data recording systems of the mobile application provider will be in accordance with the principle of “being connected, limited and proportionate to the purpose for which they are processed”.

The Principle of Retention for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed
This principle regulated in the Law is a temporal form of the principle of data minimisation, and its regulation as a separate principle stems from the fact that the legislator attaches special importance to this principle. In this context, personal data must be retained for the period required for the purpose for which they are processed. For personal data processed through mobile applications, retention and destruction periods justified according to clearly defined business needs or legal obligations should be determined and these data should not be stored for longer than the required period.

For example; the retention period of personal data stored in the cloud by a mobile application developer should be based on the maximum retention period regulated in the legislation specific to the sector in which the mobile application is used, and if there is no such retention period, the retention period related to the purpose for which these data are processed should be determined. The Law does not impose an obligation on the data controller to inform the data subject regarding the retention period, but Article 6/1/g of the Regulation on Deletion, Destruction or Anonymisation of Personal Data stipulates that the personal data retention and destruction policy should include a table showing the retention and destruction periods.

In addition, personal data whose retention period has expired must be destroyed by taking all kinds of technical and administrative measures regarding the destruction of such data. Another example is; when a classification is made according to the nature of the service to be provided through the mobile application, it would be a correct practice for inactive users to have a shorter retention period for their personal data compared to active users. At this point, the fact that the Guidelines do not clarify the criteria for determining active or inactive users is an issue that should be criticised in terms of certainty. In our opinion, it would be healthy to include clearer and more specific expressions in the content of the Guidelines, which aims to provide guidance to the relevant parties.

Ensuring Transparency
The disclosure obligation stipulated in Article 10 of the Law must be fulfilled in accordance with the provisions of the “Communiqué on the Procedures and Principles to be followed in the Fulfilment of the Disclosure Obligation” issued by the Personal Data Protection Board (“Board”).
In addition, the disclosure text and the privacy policy, if prepared, should be positioned in a way that existing users and potential users can easily access.
If it is necessary to evaluate this issue stated in the Guidelines; In the Board’s Decision dated 17/03/2022 and numbered 2022/249, it is stated that “there is no obligation in the Law and other relevant legislation regarding the preparation of a privacy policy by data controllers, and the primary responsibility of data controllers for informing the data subjects about the processing of their personal data; in cases where personal data is obtained from the data subject, as a rule, the obligation to inform is fulfilled before the personal data processing activity”. Based on the relevant decision and our legislation, there is no obligation for data controllers to prepare a privacy policy, but there is an obligation to inform the data subjects. However, data controllers resident in Turkey will be subject to the European Union General Data Protection Regulation, for example, if they process personal data of EU citizens. In this context, the obligation to prepare a privacy policy may arise, in addition to the disclosure obligation pursuant to the LPPD. Although the phrase “if a privacy policy has been prepared” in this article of the Guidelines has been expressed in this way for the reasons explained above, we believe that a detailed explanation of the relevant issue in the Guidelines regarding mobile applications that allow the processing of personal data of citizens from all over the world may provide better guidance for data controllers.
Users should be made aware of the default privacy settings of an application and easy mechanisms to help them manage their privacy should be provided with a user-friendly interface.
Information should be provided in accordance with Article 10 of the Law to enable users to make informed decisions about the use of an application.
Due to the frequent processing of personal data of users in Turkey through mobile applications offered by providers based abroad and the targeting/monitoring of behaviours of users in Turkey in mobile applications, the obligation of registration and notification to the Data Controllers Registry (VERBIS) regulated under Article 16 of the Law is important in order to have the highest level of control over the personal data of users. In the Board’s Decision dated 23/07/2019 and numbered 2019/225, it is stated that non-resident data controllers who process personal data directly or through their branches in Turkey are required to register with the Registry.
In terms of personal data processed through mobile applications, in order to ensure transparency, it is necessary to determine the processing conditions that will form the basis for this processing and to justify this situation. Regarding the subject, it is important to examine the Board’s Decision dated 27/01/2020 and numbered 2020/65 on “Personal data processed within the scope of a mobile application providing transportation services”. In the relevant decision; it was decided that in order to continue the data processing activity based on scoring, the data controller must determine an appropriate data processing condition within the scope of Article 5 of the Law and update the disclosure text accordingly.

As an example of the requirement of explicit consent in terms of mobile applications, in cases where access to the user’s location is not required for any feature or function of an application requested by a user, the user’s location data should not be collected for targeted advertising purposes unless the user gives explicit consent. At this point, it is important to examine the Board’s Decision dated 13/04/2021 and numbered 2021/361 on “A bank sending promotional messages to the data subject through mobile applications without his/her consent”. In the relevant decision; it has been decided that it is unlawful for the data controller to process the personal data of the data subject for the purpose of sending promotional messages without obtaining his/her explicit consent duly through mobile applications, and an administrative fine has been imposed with the opinion that the data controller has not taken the necessary technical and administrative measures.

“In the 11th issue of our “What’s Happening in the World?” series, we reported that Apple introduced App Tracking Transparency, a feature that asks users for their consent to be tracked online by third parties for targeted advertising purposes. Considering that the devices produced by Apple are used by millions of people, this step is considered to be a good example of transparency. Thanks to this feature, users have control over their personal data.

Processing Personal Data of Children in Mobile Applications
With the widespread use of smart devices, it is observed that mobile applications are frequently used by children. Considering the sensitivity of personal data of children; processing activities for personal data of children should be handled separately. At this point, especially in terms of applications known to be frequently used by children, it is necessary to establish systems to verify the age of users and to carry out processing activities for children by applying a separate policy and procedure. We believe that the document titled “Protection of Personal Data of Children – Things to be Considered by Product and Service Developers” prepared by the Authority is an inadequate regulation in terms of protection of personal data of children.

We observe that Meta is frequently encountered in the world examples of violations that occur in the processing of children’s personal data. For years, Meta has been accused of knowingly allowing accounts belonging to children under the age of 13 to remain active and collecting personal information without parental consent. Unlike our legislation, the European Union General Data Protection Regulation introduces a separate regulation on the protection of personal data of children and imposes severe sanctions for violations. According to this regulation, children are divided into two as those under the age of 16 and those who are 16 years of age or older. In order to process the personal data of a child, he/she must be at least 16 years old, and the consent of his/her parent/guardian is required for the processing of personal data of children who are not yet 16 years old. Even if consent is given, the limits of this activity are still determined by the parent/guardian. At this point, the fact that there is no special provision or guide for children in our legislation should be brought to the agenda again. We hope that the Guideline for children, the work on which has been started by the Agency, will bring clear and decisive regulations that can guide the practice, and will stipulate stricter measures to protect the fundamental rights and freedoms of children.

Ensuring Data Security
Applications should be designed and implemented in compliance with the principles of privacy by design and privacy by default. In this context, the privacy by design principle requires that privacy protections should be organically integrated into the operational phase of all activities and processing, rather than being instilled as an afterthought as a result of a security incident or personal data breach, thus ensuring data privacy protection. The principle of privacy from the outset requires organisations to apply by default the strictest privacy-oriented settings available, so that data minimisation can be achieved, with only those operations that are considered strictly necessary to achieve specific and lawful purposes. A practical example is that a social media platform may by default limit the accessibility of a user’s profile to an indefinite number of people.
It is important that privacy-oriented settings are turned on during the first use of mobile applications in order to comply with the rule of honesty in the processing of personal data.
In order to prevent unauthorised access to the devices where mobile applications are used, authentication methods should be used on the devices.
Users should be encouraged to use multi-factor authentication methods.
An appropriate password security policy should be operated by ensuring that strong passwords are created by users in mobile applications and that users’ passwords are changed periodically. Passwords should be stored by taking adequate security measures.
Against the risk of cyber-attack, it is recommended that passwords be stored by passing them through up-to-date “hashing” functions.
Patch management and software update processes should be carried out regularly.
Before the release of the developed mobile applications, it should be ensured that software tests are carried out appropriately and secure software development strategies should be implemented.
The number of failed logins should be limited in users’ account logins for mobile applications. As a precaution against bot attacks, methods such as CAPTCHA, four operations, etc. should be preferred on user login pages.
Data protection and security features of the targeted operating systems should be taken into consideration by making a risk assessment before the applications are published.
In cases where personal data is stored on mobile devices, it should be ensured that personal data security is ensured through effective encryption of personal data.
GRC LEGAL COMMENT
In the dynamics of the digitalised world; due to the increase in the use of smartphones and tablets and the increase in mobile applications used accordingly, the issue of protecting the privacy of individuals within the scope of personal data processing activities carried out specifically for mobile applications comes to the fore.

In the Guideline; within the scope of data processed through mobile applications, existing and potential risks for data controllers and data subjects are discussed and recommendations are given for the protection of privacy. In this context; operating privacy-oriented settings in the use of mobile applications, using authentication methods on devices using mobile applications, encouraging users to create strong passwords, operating secure software tests in mobile applications will reduce possible risks as an important step in ensuring data security.

Individuals should secure their personal data by taking precautions both before and after the use of mobile applications within the scope of the Guidelines. As a first step, the application should be downloaded from a reliable source with the evaluation made within the scope of users’ ratings and comments. During the use of the application, the scope of compliance with the purposes of use and the data processing purposes of the application should be evaluated and requests for access to data should be allowed, and permission requests that are excessive should be rejected. A strong password should be set against threats that may occur during use and two-factor authentication should be activated. However, it should be avoided to provide two-factor authentication with biometric data, and if possible, methods such as SMS verification etc. should be preferred.

At the same time, the Guidelines provide recommendations for the establishment of age verification systems in mobile applications used by children. At this point, it is an important step to increase the Board’s sensitivity towards the privacy of children and to emphasise that a separate procedure should be followed within the scope of children’s data processing activities.