Data rights of individuals
In several jurisdictions, individuals have certain rights over how their data is collected, stored, and used. To make sure your app is operating in an ethical and legal manner, it is crucial to consider the following:
- Under GDPR, European residents have individual rights to access, correct, erase, and restrict how their data is processed. It is therefore important to have a process for receiving and responding to these requests.
- GDPR also imposes restrictions on transferring data about Europeans outside of Europe, except under certain circumstances. For example, GDPR recognizes that the privacy laws of certain countries might protect information enough to permit transfers, that companies might contractually require recipients of data to protect information, or that companies might publicly commit to protect information in accordance with certain codes of conduct or negotiated agreements (such as the EU-U.S. Privacy Shield Framework).
- If you are transferring data of European residents outside of Europe, then you should consider whether you are doing so in accordance with GDPR.
- If you are processing personal data at scale, then GDPR requires you to have a Data Protection Officer (“DPO”) to advise the company on GDPR compliance.
- You should consider whether you are required to have one and, if you are, whether you want to appoint one internally or use an outside consultant or firm. Note that there are certain requirements in order to be a DPO, and it is not just a matter of a title.
If you think that any of these restrictions apply to your app, or if you have concerns about how GDPR affects how you currently process and store personal data, then we suggest you consult with a lawyer.