Is it okay to store user locations? The Next CEO of Stack OverflowAm I allowed to store data of EU citizens as an Indian company?Can companies use user data for App Store marketing screenshots?Are data processors allowed to locally store live customer information for testing GDPRGDPR and logging which user accessed which personal informationUser consent required under GDPRGDPR - Withdrawn user consentGDPR - A mobile App that allows user to store media do we have to option user consent?GDPR - Can I store domain names?GDPR - is user social ID personal dataHow can GDPR affect user generated content?
Why didn't Theresa May consult with Parliament before negotiating a deal with the EU?
What's the point of interval inversion?
Why didn't Khan get resurrected in the Genesis Explosion?
Is it my responsibility to learn a new technology in my own time my employer wants to implement?
Can the Reverse Gravity spell affect the Meteor Swarm spell?
Implement the Thanos sorting algorithm
Any way to transfer all permissions from one role to another?
How to write the block matrix in LaTex?
Does the Brexit deal have to be agreed by both Houses?
Why do professional authors make "consistency" mistakes? And how to avoid them?
Customer Requests (Sometimes) Drive Me Bonkers!
How to write papers efficiently when English isn't my first language?
A pseudo-riley?
How can I get through very long and very dry, but also very useful technical documents when learning a new tool?
Why do remote companies require working in the US?
Inappropriate reference requests from Journal reviewers
How do I construct this japanese bowl?
Would this house-rule that treats advantage as a +1 to the roll instead (and disadvantage as -1) and allows them to stack be balanced?
Is there a good way to store credentials outside of a password manager?
How do scammers retract money, while you can’t?
Why is Miller's case titled R (Miller)?
Does it take more energy to get to Venus or to Mars?
Describing a person. What needs to be mentioned?
Should I tutor a student who I know has cheated on their homework?
Is it okay to store user locations?
The Next CEO of Stack OverflowAm I allowed to store data of EU citizens as an Indian company?Can companies use user data for App Store marketing screenshots?Are data processors allowed to locally store live customer information for testing GDPRGDPR and logging which user accessed which personal informationUser consent required under GDPRGDPR - Withdrawn user consentGDPR - A mobile App that allows user to store media do we have to option user consent?GDPR - Can I store domain names?GDPR - is user social ID personal dataHow can GDPR affect user generated content?
I know it might sound quite bad. But here I explain the whole situation.
I'm developing a mobile application based on visiting different places. And I would store in some database (surely AWS) all different locations each user has been in. By location I don't mean I would store coordinates, just all cities in which he/she has checked in (really no coordinate would be stored).
I've been told to be really cautious with this because of recent GDPR law.
But to be honest I know barely nothing about law and its interpretation.
So my question is if I can store this kind of information (as it is not really precise data) and if I should ask for user's explicit consent.
Thanks.
privacy gdpr data-storage
asked 6 hours ago
Sergi MascaróSergi Mascaró
162
New contributor
Sergi Mascaró is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
I know it might sound quite bad. But here I explain the whole situation.
I'm developing a mobile application based on visiting different places. And I would store in some database (surely AWS) all different locations each user has been in. By location I don't mean I would store coordinates, just all cities in which he/she has checked in (really no coordinate would be stored).
I've been told to be really cautious with this because of recent GDPR law.
But to be honest I know barely nothing about law and its interpretation.
So my question is if I can store this kind of information (as it is not really precise data) and if I should ask for user's explicit consent.
Thanks.
privacy gdpr data-storage
asked 6 hours ago
Sergi MascaróSergi Mascaró
162
New contributor
Sergi Mascaró is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
FWIW, you can read the actual law online, as well as the interpretations of the organization that created it!
– immibis
20 mins ago
add a comment |
I know it might sound quite bad. But here I explain the whole situation.
I'm developing a mobile application based on visiting different places. And I would store in some database (surely AWS) all different locations each user has been in. By location I don't mean I would store coordinates, just all cities in which he/she has checked in (really no coordinate would be stored).
I've been told to be really cautious with this because of recent GDPR law.
But to be honest I know barely nothing about law and its interpretation.
So my question is if I can store this kind of information (as it is not really precise data) and if I should ask for user's explicit consent.
Thanks.
privacy gdpr data-storage
asked 6 hours ago
Sergi MascaróSergi Mascaró
162
New contributor
Sergi Mascaró is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
I know it might sound quite bad. But here I explain the whole situation.
I'm developing a mobile application based on visiting different places. And I would store in some database (surely AWS) all different locations each user has been in. By location I don't mean I would store coordinates, just all cities in which he/she has checked in (really no coordinate would be stored).
I've been told to be really cautious with this because of recent GDPR law.
But to be honest I know barely nothing about law and its interpretation.
So my question is if I can store this kind of information (as it is not really precise data) and if I should ask for user's explicit consent.
Thanks.
privacy gdpr data-storage
privacy gdpr data-storage
asked 6 hours ago
Sergi MascaróSergi Mascaró
162
New contributor
Sergi Mascaró is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 6 hours ago
Sergi MascaróSergi Mascaró
162
New contributor
Sergi Mascaró is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 6 hours ago
Sergi Mascaró
asked 6 hours ago
Sergi MascaróSergi Mascaró
162
New contributor
Sergi Mascaró is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 6 hours ago
Sergi MascaróSergi Mascaró
162
asked 6 hours ago
Sergi MascaróSergi Mascaró
162
162
New contributor
Sergi Mascaró is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Sergi Mascaró is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Sergi Mascaró is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
FWIW, you can read the actual law online, as well as the interpretations of the organization that created it!
– immibis
20 mins ago
add a comment |
FWIW, you can read the actual law online, as well as the interpretations of the organization that created it!
– immibis
20 mins ago
FWIW, you can read the actual law online, as well as the interpretations of the organization that created it!
– immibis
20 mins ago
FWIW, you can read the actual law online, as well as the interpretations of the organization that created it!
– immibis
20 mins ago
add a comment |
1 Answer
1
active
oldest
votes
It seems clear that this is personal information under the GDPR. If you are subject to the GDPR, you need to have a "lawful basis" to store or process such information. (You are subject to the GDPR if you are locates in the EU, or if your users are. My understanding is that it is location at the time the app is accessed that matters, not a user's citizenship. I am not totally sure about that, however. Unless your app is limited to non-EU access, it it probably safest to comply with the GDPR)
The degree of precision of your location data will not matter -- a specific city is quite enough to make it personal data if it can be tied to a specific person.
There are various lawful bases that may be relied on for processing and storage, but explicit consent is probably the one with the widest applicability.
To use consent as the lawful basis, you must present an OPT-IN decision to the user, and record the results. If the user does nothing, the result must record lack of consent. You may not use a pre-checked consent box or another mechanism that has the effect of an opt-out choice. You should be clear about what information will be stored, and how it will or might be used.
You will also need to consider how your app will function for those who do not consent, and how to handle requests to withdraw consent.
So if an app obtains user consent to store location data in a manner that complies with the GDPR, it may store user location data. The consent should make the possible uses of the data clear. If the data is to be shared, the consent should make the possible extent of sharing clear.
answered 6 hours ago
David SiegelDavid Siegel
15.1k3159
1
So, to make things clear as water, if the user gives consent I can store his/her locations, right? And I guess I should also let them revoke the consent given and erase all their data. Thanks! (After this response I'll accept your answer)
– Sergi Mascaró
5 hours ago
3
@Sergi Mascaró Right. See my edit above. There can be valid reasons to retain data even if consent is revoked under the GDPR, but if you don't need to retain it, allowing deletion is probably simplest. Otherwise you wiull have to determine if some other lawful basis applies
– David Siegel
5 hours ago
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "617"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sergi Mascaró is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2flaw.stackexchange.com%2fquestions%2f38533%2fis-it-okay-to-store-user-locations%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
It seems clear that this is personal information under the GDPR. If you are subject to the GDPR, you need to have a "lawful basis" to store or process such information. (You are subject to the GDPR if you are locates in the EU, or if your users are. My understanding is that it is location at the time the app is accessed that matters, not a user's citizenship. I am not totally sure about that, however. Unless your app is limited to non-EU access, it it probably safest to comply with the GDPR)
The degree of precision of your location data will not matter -- a specific city is quite enough to make it personal data if it can be tied to a specific person.
There are various lawful bases that may be relied on for processing and storage, but explicit consent is probably the one with the widest applicability.
To use consent as the lawful basis, you must present an OPT-IN decision to the user, and record the results. If the user does nothing, the result must record lack of consent. You may not use a pre-checked consent box or another mechanism that has the effect of an opt-out choice. You should be clear about what information will be stored, and how it will or might be used.
You will also need to consider how your app will function for those who do not consent, and how to handle requests to withdraw consent.
So if an app obtains user consent to store location data in a manner that complies with the GDPR, it may store user location data. The consent should make the possible uses of the data clear. If the data is to be shared, the consent should make the possible extent of sharing clear.
answered 6 hours ago
David SiegelDavid Siegel
15.1k3159
1
So, to make things clear as water, if the user gives consent I can store his/her locations, right? And I guess I should also let them revoke the consent given and erase all their data. Thanks! (After this response I'll accept your answer)
– Sergi Mascaró
5 hours ago
3
@Sergi Mascaró Right. See my edit above. There can be valid reasons to retain data even if consent is revoked under the GDPR, but if you don't need to retain it, allowing deletion is probably simplest. Otherwise you wiull have to determine if some other lawful basis applies
– David Siegel
5 hours ago
add a comment |
It seems clear that this is personal information under the GDPR. If you are subject to the GDPR, you need to have a "lawful basis" to store or process such information. (You are subject to the GDPR if you are locates in the EU, or if your users are. My understanding is that it is location at the time the app is accessed that matters, not a user's citizenship. I am not totally sure about that, however. Unless your app is limited to non-EU access, it it probably safest to comply with the GDPR)
The degree of precision of your location data will not matter -- a specific city is quite enough to make it personal data if it can be tied to a specific person.
There are various lawful bases that may be relied on for processing and storage, but explicit consent is probably the one with the widest applicability.
To use consent as the lawful basis, you must present an OPT-IN decision to the user, and record the results. If the user does nothing, the result must record lack of consent. You may not use a pre-checked consent box or another mechanism that has the effect of an opt-out choice. You should be clear about what information will be stored, and how it will or might be used.
You will also need to consider how your app will function for those who do not consent, and how to handle requests to withdraw consent.
So if an app obtains user consent to store location data in a manner that complies with the GDPR, it may store user location data. The consent should make the possible uses of the data clear. If the data is to be shared, the consent should make the possible extent of sharing clear.
answered 6 hours ago
David SiegelDavid Siegel
15.1k3159
1
So, to make things clear as water, if the user gives consent I can store his/her locations, right? And I guess I should also let them revoke the consent given and erase all their data. Thanks! (After this response I'll accept your answer)
– Sergi Mascaró
5 hours ago
3
@Sergi Mascaró Right. See my edit above. There can be valid reasons to retain data even if consent is revoked under the GDPR, but if you don't need to retain it, allowing deletion is probably simplest. Otherwise you wiull have to determine if some other lawful basis applies
– David Siegel
5 hours ago
add a comment |
It seems clear that this is personal information under the GDPR. If you are subject to the GDPR, you need to have a "lawful basis" to store or process such information. (You are subject to the GDPR if you are locates in the EU, or if your users are. My understanding is that it is location at the time the app is accessed that matters, not a user's citizenship. I am not totally sure about that, however. Unless your app is limited to non-EU access, it it probably safest to comply with the GDPR)
The degree of precision of your location data will not matter -- a specific city is quite enough to make it personal data if it can be tied to a specific person.
There are various lawful bases that may be relied on for processing and storage, but explicit consent is probably the one with the widest applicability.
To use consent as the lawful basis, you must present an OPT-IN decision to the user, and record the results. If the user does nothing, the result must record lack of consent. You may not use a pre-checked consent box or another mechanism that has the effect of an opt-out choice. You should be clear about what information will be stored, and how it will or might be used.
You will also need to consider how your app will function for those who do not consent, and how to handle requests to withdraw consent.
So if an app obtains user consent to store location data in a manner that complies with the GDPR, it may store user location data. The consent should make the possible uses of the data clear. If the data is to be shared, the consent should make the possible extent of sharing clear.
answered 6 hours ago
David SiegelDavid Siegel
15.1k3159
It seems clear that this is personal information under the GDPR. If you are subject to the GDPR, you need to have a "lawful basis" to store or process such information. (You are subject to the GDPR if you are locates in the EU, or if your users are. My understanding is that it is location at the time the app is accessed that matters, not a user's citizenship. I am not totally sure about that, however. Unless your app is limited to non-EU access, it it probably safest to comply with the GDPR)
The degree of precision of your location data will not matter -- a specific city is quite enough to make it personal data if it can be tied to a specific person.
There are various lawful bases that may be relied on for processing and storage, but explicit consent is probably the one with the widest applicability.
To use consent as the lawful basis, you must present an OPT-IN decision to the user, and record the results. If the user does nothing, the result must record lack of consent. You may not use a pre-checked consent box or another mechanism that has the effect of an opt-out choice. You should be clear about what information will be stored, and how it will or might be used.
You will also need to consider how your app will function for those who do not consent, and how to handle requests to withdraw consent.
So if an app obtains user consent to store location data in a manner that complies with the GDPR, it may store user location data. The consent should make the possible uses of the data clear. If the data is to be shared, the consent should make the possible extent of sharing clear.
answered 6 hours ago
David SiegelDavid Siegel
15.1k3159
edited 5 hours ago
answered 6 hours ago
David SiegelDavid Siegel
15.1k3159
answered 6 hours ago
David SiegelDavid Siegel
15.1k3159
answered 6 hours ago
David SiegelDavid Siegel
15.1k3159
15.1k3159
1
So, to make things clear as water, if the user gives consent I can store his/her locations, right? And I guess I should also let them revoke the consent given and erase all their data. Thanks! (After this response I'll accept your answer)
– Sergi Mascaró
5 hours ago
3
@Sergi Mascaró Right. See my edit above. There can be valid reasons to retain data even if consent is revoked under the GDPR, but if you don't need to retain it, allowing deletion is probably simplest. Otherwise you wiull have to determine if some other lawful basis applies
– David Siegel
5 hours ago
add a comment |
1
So, to make things clear as water, if the user gives consent I can store his/her locations, right? And I guess I should also let them revoke the consent given and erase all their data. Thanks! (After this response I'll accept your answer)
– Sergi Mascaró
5 hours ago
3
@Sergi Mascaró Right. See my edit above. There can be valid reasons to retain data even if consent is revoked under the GDPR, but if you don't need to retain it, allowing deletion is probably simplest. Otherwise you wiull have to determine if some other lawful basis applies
– David Siegel
5 hours ago
1
1
So, to make things clear as water, if the user gives consent I can store his/her locations, right? And I guess I should also let them revoke the consent given and erase all their data. Thanks! (After this response I'll accept your answer)
– Sergi Mascaró
5 hours ago
So, to make things clear as water, if the user gives consent I can store his/her locations, right? And I guess I should also let them revoke the consent given and erase all their data. Thanks! (After this response I'll accept your answer)
– Sergi Mascaró
5 hours ago
3
3
@Sergi Mascaró Right. See my edit above. There can be valid reasons to retain data even if consent is revoked under the GDPR, but if you don't need to retain it, allowing deletion is probably simplest. Otherwise you wiull have to determine if some other lawful basis applies
– David Siegel
5 hours ago
@Sergi Mascaró Right. See my edit above. There can be valid reasons to retain data even if consent is revoked under the GDPR, but if you don't need to retain it, allowing deletion is probably simplest. Otherwise you wiull have to determine if some other lawful basis applies
– David Siegel
5 hours ago
add a comment |
Sergi Mascaró is a new contributor. Be nice, and check out our Code of Conduct.
Sergi Mascaró is a new contributor. Be nice, and check out our Code of Conduct.
Sergi Mascaró is a new contributor. Be nice, and check out our Code of Conduct.
Sergi Mascaró is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Law Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2flaw.stackexchange.com%2fquestions%2f38533%2fis-it-okay-to-store-user-locations%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
FWIW, you can read the actual law online, as well as the interpretations of the organization that created it!
– immibis
20 mins ago