0

I am having an Android App which uses Advertising networks and other Analytics services.

Now under the GDPR the data controller which is me in my case is required to provide some rights to the user such as the user can view its data which is collected, user can download that data.

Now my question is whether am I required to provide those rights to the user for the data which is collected by the other services/Ad networks who are the data processor in my case.

The data is practically being collected by other services but legally I am the data controller and they are only the data processor hence I don't have access to their sever which stores data and will be difficult for me to provide those rights to he user.

Rajesh K
  • 203
  • 1
  • 6

1 Answers1

1

If you, as data controller, let your data processor process your data, but you have no control over the data, then you are breaking the law.

The fundamental idea in the GDPR is that the relationship between the controller and processor must be regulated by a contract known as the DPA (Data Processing Agreement), and that this contract must at least make sure that the controller can order the data processor to do whatever it is that must be done to preserve the data protection rights of user.

If you do not have a DPA with all your processors today, then you will be busy in the upcoming week.

It may a bit of a hassle to get a DPA set up. From experience I know that this is so if the other party is an USA company that is clueless about the GDPR. You can sometimes avoid the requirement for a DPA by curating the data before you hand them over to the third party. For instance, we strip the last octet of IP-addresses before letting Google Analytics have them. Then an IP-address is not personal data and a DPA with Google Analytics is no longer necessary.

You need to review the personal data you share with third parties, try to anonymize or pseudonymize those that can be curated, and make sure you have DPAs to cover the rest.

Free Radical
  • 3,322
  • 16
  • 28