4

There are articles commenting that the European Commission has recently told its staff to switch to the encrypted Signal messaging app. When I look into Signal's privacy policy, as linked from their app, I find several points which don't fulfill GDPR in my understanding (just listing the most obvious):

  • Their webpage is available in several languages of EU countries (e.g. German) and they offer a service (for free), so they have to fulfill GDPR
  • They store the user's phone number (and optionally more), so they process private information, but they don't name an EU representative located in the EU
  • They don't tell the user about their rights, like deleting data, making requests and so on.

So am I missing something, or is Signal in violation of GDPR?

UweD

1 Answer

1

Probably

A phone number is categorically personal information under the GDPR and collecting it makes you a data controller if you provide goods or services in the EU.

It seems unlikely that this would not be considered a service provided in the EU.

If the terms of service were purely in English then an argument could be raised that they are intended purely for anglophone countries, since all but one are (now) not members of the EU. However, that is an argument that is undercut by having terms in German. While there are many people outside the EU with fluency in German, the majority of German speakers are in the EU.

Dale M