Category: Blog, Business, Fundamentals, Legal

10 Myths About GDPR in Mobile Apps

GDPR came into force on May 25th, 2018. At that time, we observed a lot of news and articles introducing various myths and misconceptions. As of writing, nearly 4 years later, some of these myths are still alive. Let’s defeat them!

The privacy policy is mandatory in every app

You may have heard that the privacy policy is a must-have and you cannot have an app without it. Well, it is not quite accurate. A privacy policy is not obligatory according to GDPR. On the other hand, you (or more precisely the data controller) have to fulfill concrete information obligations arising from GDPR, such as why, how, for how long, or on what basis personal data is processed. Such information does not need to be located in the privacy policy.

Moreover, if your app does not process any personal data – eg. it is a calculator app without sign-in functionality – you don’t need a privacy policy at all. Keep in mind that the privacy policy may be required by some 3rd parties. For example, at the time of writing, it is required by Google Play Store when targeting users younger than 13 years old. If you only target older users, a privacy policy is optional.

However, starting from April 1, 2022, it becomes mandatory for all the new apps. The privacy policy of the app is always required by Facebook. This is obvious because the personal data needs to be processed in order to sign in to the user.

On the other hand, even if a single privacy policy document is not required in your particular case, it can be useful to have it. Why? Usually, it is easier to maintain a single document related to the processing of personal data than multiple ones caused by various regulations, such as GDPR and the cookie law. Check out our recent article about writing a privacy policy for mobile apps!

User consent is always needed for processing personal data

You have probably seen ubiquitous consents required before an app can access personal data. You may think such consents are enforced by GDPR. However, it is not always true! There are various legal basis that can be (and in some cases, should be) used instead of the consent. Consent, in fact, as a legal ground for processing, should be required only if other basis such as the legitimate interest of data, for instance, cannot be used.

Separate consent is not required when personal data is needed to fulfill an agreement. For example, the user name and address are usually needed to deliver the physical products bought in the app. If such data is used only for that purpose and not for other purposes, such as marketing, then user consent related to GDPR is not needed and, in some cases, may in fact be considered invalid.

My company is based outside the EU, so GDPR does not apply to my application

It does not matter where the organization’s HQ is located. In general, if your app interacts with EU citizens or residents then it must be GDPR compliant. Such interactions may consist of selling goods or services, regardless of whether they’re physical or virtual. However, GDPR also applies when your app uses personal data for marketing purposes, such as tracking analytics events.

GDPR is identical across all EU countries

General rules are the same in all EU member states. However, details may vary between particular countries. For example, GDPR does not specify the exact age of children for whom the processing of personal data should be lawful. According to Art 8. only the maximum is of least 16 years old is defined, but each member state can lower it down to 13 years old. In France, for example it is 15 years.

Pseudonymized personal data is the same as anonymized and thus it does not fall under GDPR

GDPR does not apply to properly anonymized personal data. However, it is not true in the case of pseudonymization. The key difference between those 2 techniques is that pseudonymization is a reversible process. That being said, pseudonymized personal data still needs to be protected. Read more about those processes in the official work group opinion.

GDPR forbids storing personal data in the cloud

GDPR itself does not touch the technical details like whether personal data is stored in the cloud or not. No matter where data is stored, that place needs to be GDPR compliant.

Moreover, you (as an entity developing software for other business clients) should use only storage authorized by your client (in the written contract). It should be also mentioned in the privacy policy for end users whose personal data is processed.

Finally, you have to sign the Data Processing Agreement with the data storage provider. Most of the well-known cloud providers, such as Google Cloud or AWS, use GDPR compliant agreements based on standardized templates which you cannot negotiate with. However, signed terms of service, especially regarding free of charge solutions, may not be treated as formal DPAs. Note that it matters whether data centers are located in the EU or not. Exporting personal data outside the EU is governed by additional regulations.

Every app needs a Data Protection Officer (DPO)

According to GDPR, the DPO is only needed if the main activity of your organization consists of processing sensitive data or regular person monitoring at a large scale.

Otherwise, the company does not need to have a DPO. Note that HR/head-hunting usually involves sensitive data processing. GDPR itself does not exactly specify what “large scale” is. According to some interpretations, the processing of data by more than 20 employees is enough.

If a company is based in the UK, it does not need to comply with GDPR after Brexit

The British Data Protection Act, effective from 2018, incorporates GDPR. It hasn’t changed after Brexit.

People can always request to completely erase their personal data according to the “right to be forgotten”

Individuals can request to remove their personal data. However, the right to be forgotten is neither absolute nor unconditional. Data won’t be removed immediately if it is still needed for other legal purposes. For example, the personal data of customers who bought the physical products usually have to be retained for the time they can fill complaints.

All personal data breaches need to be reported to authorities and affected users

In general, data breaches have to be reported to supervisory authorities. However, reporting is not mandatory if a breach is unlikely to result in the violation of rights and/or freedom. For example, consider the case where the laptop with personal data was stolen or lost but it was locked and its hard drive was properly encrypted. There is an extremely low probability that such personal data will be accessible to unauthorized people.

In some circumstances, the subject (the person whose data was disclosed) has to be informed about the breach. That happens if there is a high risk to the rights and freedoms of the subject (eg. the possibility of financial loss or identity theft). Note that the respective authority may also require that you inform affected users.


There are a lot of myths and misinterpretations related to GDPR floating around the internet. These 10 mentioned in the article are only a drop in the ocean. Keep in mind that the intent of GDPR is to simplify and unify personal data processing across all the EU countries.

About the authors

Jacek Czerski

Jacek Czerski

Android Developer



Magdalena Zygmunt

Magdalena Zygmunt

Scrum Master

Scrum Master for 3 years with the PSM I certificate. Magda loves her work because of its unpredictability and absolute lack of boredom. In her spare time, she learns French and plays the drums.