Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

Do normal GDPR obligations apply to information held locally on a phone, encrypted?

Options
  • 20-06-2022 8:22pm
    #1
    AndrewJRenko
    Registered Users Posts: 29,092 ✭✭✭✭


    I've noticed one particular app on my phone is using information that I didn't give it, or give consent for storage. I queried this with the privacy team of the app provider, and they came back saying that they don't store the information, it is held locally on the phone, and they have no access to it because of encryption.

    But their app is visibly using this information.

    Does GDPR apply to this scenario, where the info is stored locally on the phone, encrypted?

    I guess a similar scenario would be WhatsApp messages held on a phone, which WhatsApp don't actually have access to.



Comments

  • Options
    #2
    ItHurtsWhenIP
    Registered Users Posts: 2,029 ✭✭✭ItHurtsWhenIP


    If this is a personal device and the data stored on it is your own collection of data, then GDPR would not apply, as you are not a data controller.

    If this was a business device or personal device storing business "owned" personal data, then the GDPR would come into scope.

    While the storage on the phone is likely encrypted, this just means if somebody physically accessed the locked phone and connect it to something to try to harvest data, they would only get gibberish.

    My understanding of how apps work and interact with the device is kinda basic. I believe that if you are using an app, which has permission to access storage, then the storage will be accessible to the app. The same would be true if the app was running in the background when the phone is unlocked.

    For example that Clubhouse "social media" app used to ask for permission to access the contacts on the device. Clubhouse then took a copy of the device's contacts and stored them on their own servers.



  • Options
    #3
    AndrewJRenko
    Registered Users Posts: 29,092 ✭✭✭✭AndrewJRenko


    Thanks for getting back to me. This is definitely not ‘my own collection of data’. This is data about me that a particular app has derived, without my explicit permission.

    The app owners are telling me that GDPR doesn’t apply, because this information is held on the phone, and is not transferred to their servers. Are they right?



  • Options
    #4
    zg3409
    Registered Users Posts: 6,758 ✭✭✭zg3409


    https://www.boards.ie/discussion/comment/119292547#Comment_119292547

    It sounds like they are not storing it, you are on your phone. If it's in their servers they have to take reasonable precautions to secure it. What reasonable precautions have you taken to secure your data such as phone number, access to Gmail etc? Many people don't even have a pin set up to unlock their phone.



  • Options
    #5
    AndrewJRenko
    Registered Users Posts: 29,092 ✭✭✭✭AndrewJRenko


    https://www.boards.ie/discussion/comment/119292573#Comment_119292573

    They’re storing it and using it on my phone. I’ve no idea how or where it is stored, so I have no option to delete it.

    This isn’t data that I’ve entered on screen or sent to them in any way. It isn’t a file or a photo.

    it is information derived from how I use the phone, stored locally somewhere with the app’s internal storage.

    What is the distinction under GDPR that excludes information stored locally?



Advertisement