Your Apple App Store app will need a privacy policy. So here are some tips.


If shouldn't be much of a surprise that apps which collect personal data need their own GDPR Privacy Notice (aka a privacy policy). That is the law, but now Apple is also making it their official policy. Apple's App Store's terms will change next month to require every app to have one.

Your app may have had a privacy policy for some time. That's great as it means you are not starting from scratch, but do be aware that the GDPR requires Privacy Notices which are much more detailed than old style privacy policies. 

Here are some tips for writing a GDPR compliant Privacy Notice:

- Identify the Controller (the company responsible for the collection and use of the date, usually the company whose app it is);

- Say whether or not the Controller has a Data Protection Officer (GDPR requires some organisations to appoint one, but not all).

- Outline each item of personal data being collected by the Controller or obtained from a third party, including setting out the legal basis of processing, the recipients (or categories of recipients) of the personal data; and the period of retention, or criteria used to determine it.

- Explain whether any personal data will be transferred to a third country/international organisation and if so on what basis and how the individual can obtain a copy of any "safeguards" relied on by the Controller.

- Explain the existence of any automated decision making (including profiling), explaining the logic involved, and the significance and consequences of the processing for the individual.

- Explain the various enhanced rights that people have in relation to processing (e.g. the new right to data portability).

- Explain the right to lodge a complaint with the supervisory authority.

The deadline set by Apple isn't that far away. If you need any assistance in creating an appropriate GDPR Privacy Notice, or with any other aspect of GDPR compliance, please do get in touch.

Quote mark icon

Apple says that all apps, including those still in testing, will be required to have a privacy policy as of October 3, 2018.
featured image