Adalo APP - Responsibility of whom?

Good morning everyone,

Yesterday, while discussing this platform (Adalo) with a friend of mine (a lawyer), we asked ourselves this question:

Who is responsible for compliance with the GDPR, privacy policy and terms and conditions?
Adalo or Creator of APP?

I’ll give you a concrete example:

Let’s pretend that I create a social network with an app based on the Adalo platform.
It allows users to register, exchange messages, images, etc.

Who will have to comply with the GDPR, and then collect the consents, etc.?
Users register in the APP not on the Adalo platform.

As the creator of the APP, will I just have to create a privacy policy and terms and conditions dedicated to the service I offer? Or will I also have to worry about collecting consents and everything else to be GDPR compliant?
I ask this because Adalo does not currently have these services. And the management of consents and all the rest for compliance can be a very expensive “extra” service to look for outside (Adalo).

Would my app be a “Content Provider” and Adalo a “Provider”, or would Adalo be the “Content Provider” and my APP just a “Service”?
A service that is based on terms and conditions dictated by the platform (adalo)?

It is important to understand how we should proceed with the user.

Thank you for your attention and I hope someone can help me.

Hi @miticobeppe,

Please read this statement from Adalo regarding GDPR.

Adalo & GDPR Compliance

Thanks

This passage is not very clear to me:

"What do I need to do as a Data Controller?

As a Data Controller you have a number of obligations under GDPR, including…

  • Asking for your users’ consent to process their data before they use your app.*
    (You can fulfill this obligation by building a required consent checkbox into your signup form.)"

The GDPR is clear on consent collection: for each user who uses and registers for your service, the manager will have to collect consent.

But consent gathering imposes these prerequisites:

  • for each consent, keep track of the legal document or privacy policy that the user has accepted;

  • for each consent, keep track of the form or wording with which the consent was requested from the user;

  • Keep proof of accepted consent or legal notice;

  • for each user, obtain the latest preferences expressed and an indication of the consent action taken as proof of the same;

  • for each user, obtain a history of consent.

How can we guarantee all this for every user who registers on our APP?

At this point, a simple checkbox is not enough! We should also save a copy of the privacy policy and more.

Is that incorrect? How can users who register on the APP based on the Adalo platform be managed responsibly?

thanks

what do you mean by this?

I mean, how must we adapt our APPs to comply with the requirements of the GDPR? A checkbox that says “Do you accept the conditions of the app?”, i.e. a True/False field?

The requirements of the GDPR are as follows:

Collecting consent imposes these prerequisites:

  • for each consent, keep track of the legal document or privacy policy that the user has accepted;
  • for each consent, keep track of the form or wording with which the consent was requested from the user;
  • Keep proof of accepted consent or legal notice;
  • for each user, obtain the latest preferences expressed and an indication of the consent action taken as proof of the same;
  • for each user, obtain a history of consent.

How can apps be adapted to these requests?
Maybe it will be necessary to create a collection that saves and archives what was accepted at the time of registration?

Or won’t it be necessary? I seem to understand that as a “creator and manager” I only have to supervise the contents. But am I required to ensure compliance with the GDPR or not?
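One way to build the “collection that saves and archives what was accepted” that the post above asks about, covering the five prerequisites listed here and in the earlier post (document accepted, wording shown, proof, latest preferences, full history), as an added Python example that is not Adalo's code or anything posted in this thread; the class names, the sample policy text and the timestamps are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

def digest(text: str) -> str:
    # SHA-256 of the exact document shown, so a later edit cannot silently change what was accepted
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

@dataclass(frozen=True)
class ConsentRecord:
    user_id: str
    purpose: str         # what was consented to, e.g. "privacy_policy", "newsletter"
    policy_version: str  # version label of the document the user accepted
    policy_hash: str     # digest() of that document's text as it was shown
    prompt_wording: str  # the checkbox label / form wording the user saw
    granted: bool        # True = accepted, False = declined or withdrawn
    timestamp: str       # ISO 8601 UTC: proof of when the action happened

class ConsentLedger:
    # append-only store: one record per consent action, never overwritten
    def __init__(self):
        self._records = []
    def record(self, user_id, purpose, version, policy_text, wording, granted, timestamp=None):
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        rec = ConsentRecord(user_id, purpose, version, digest(policy_text), wording, granted, ts)
        self._records.append(rec)
        return rec
    def history(self, user_id):
        # full consent history of one user, in the order it was recorded
        return [r for r in self._records if r.user_id == user_id]
    def latest_preferences(self, user_id):
        # current state per purpose: the most recent record for that purpose wins
        latest = {}
        for r in self.history(user_id):
            latest[r.purpose] = r
        return latest
    def proof_matches(self, rec, policy_text):
        # check that an archived policy text is the one the record was made against
        return digest(policy_text) == rec.policy_hash
    def export(self, user_id):
        # what to hand a user who asks what they agreed to: their records as JSON
        return json.dumps([asdict(r) for r in self.history(user_id)], indent=2)

POLICY_V1 = "Privacy policy v1 (constructed sample text)"
def demo_ledger():
    # constructed sample: signup consent, newsletter opt-in, then a withdrawal
    ledger = ConsentLedger()
    ledger.record("u1", "privacy_policy", "v1", POLICY_V1, "I accept the privacy policy", True, "2021-04-13T10:00:00+00:00")
    ledger.record("u1", "newsletter", "v1", POLICY_V1, "Send me the newsletter", True, "2021-04-13T10:00:05+00:00")
    ledger.record("u1", "newsletter", "v1", POLICY_V1, "Unsubscribe me", False, "2021-05-01T08:30:00+00:00")
    return ledger
```

Each policy version should be archived alongside the ledger, since the hash only proves which text was accepted if that text is still available.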

@miticobeppe I think you just need to add a checkbox under your signup form for the user to see if they agree with it.

And who will keep the registered user’s consent? Who stores the conditions that the user has just accepted?

It will be saved in your user’s database.

Will this also apply to European apps? Is Adalo also GDPR compliant for Europe?

Hi miticobeppe

The GDPR is an EU framework. It has been developed in the EU and other countries are starting to adopt similar frameworks (Brazil, UK, …). If it is GDPR compliant, it is compliant in the EU.

I’d recommend you google the difference between a “Data Controller” and a “Data Processor” to start with. It is your responsibility, as a Data Controller, to make sure that your subcontractors (= Data Processors) comply with GDPR, because YOU have chosen them for your solution.

Just 2 cents, hope that helps.

Miro

1 Like

Thanks so much.
But I have read, however, that Adalo is not adequate to the EU-US Privacy Shield for use in Europe.

Is there any way to be able to rest assured and create apps that will be used by users on European territory?

I am wondering if you asked the same question to Bubble or Webflow before, or if this is your first.

Isn’t entering our data in a website form the same concept as the one you are asking about?

Sure thing. Data privacy is complex.

EU-US Privacy Shield is a set of guidelines under which data can be transferred from the EU to the US. This is to ensure that data of EU citizens stays safe and won’t be used for different purposes than specified. The Privacy Shield is a self-certification.

HOWEVER :grin:

EU-US Privacy Shield has been recently voided by the EU and does not provide an adequate method of transferring data out of the EU to the US.

If you look at websites on the Internet, half of them didn’t get the point and still rely on the Privacy Shield. It represents the sad fact that functionality outweighs data privacy.

Adalo says they don’t rely on the Privacy Shield, and that is very transparent and very correct. They rely on different guidelines than the Privacy Shield, such as Standard Contractual Clauses, or any other method that meets the GDPR requirements. Fully legal.

Because Adalo is GDPR compliant, your task is to have Adalo mentioned as a Data Processor in your Privacy Policy and take an occasional look at whether they are still compliant (as you, as a Data Controller, are responsible for checking this regularly). Of course nobody expects Adalo to become non-compliant suddenly :slightly_smiling_face:

There are other responsibilities of a Data Controller too, such as having a so-called “GDPR Representative”. It is a natural person or a company that represents your EU users in the EU. This is only required when you are outside of the EU/EEA. I am from Europe but NOT from the EU, hence it applies to me too. This can be thousands of EUR/month, but there is also “GDPR Representative as a Service”. I only pay less than 20 EUR for this service and it is fully legit. Should anyone be interested I can give you a contact and a 10% discount for both of us :sunglasses:

You might also check Iubenda.com. There are good articles with practical tips on GDPR. Sometimes a bit chaotic and repetitive, but the best I’ve seen so far.

(Link to other resource: Adalo & GDPR Compliance)

@miro, I’m afraid I can’t fully agree with your statements (you gave good advice at the beginning of this post, but your last statement is dangerous, so I decided to enrich your comment, if you don’t mind…).

@miticobeppe,
If you as a company (or “as an institution that wants to make a profit”) request data from your users, you absolutely must follow the rules of the GDPR, otherwise you will face severe penalties within the EU.

As a provider of your services based in the EU, it is not enough to ask permission from your users, as your contract cannot override basic EU and national consumer protection laws.

Take, for example, the question of what data you process:

If you process/store personal data (or data that can be used to identify a person), then you must use servers in the EU. Here you must also take into account that “personal data” is again divided into simple personal data and highly sensitive data (e.g. health info, religion, sexual orientation, names, date of birth, etc.) that are particularly protected (and I’m not even scratching the surface of the hassle that may occur with copyright infringement for private images etc.).

Adalo is not GDPR compliant (date of the info: 13th of April 2021), because the data is not stored on servers in the EU (Adalo won’t tell us where their database is located, but we have to ensure that the data is explicitly stored in the EU). Any provider that has a company in the EU and processes (sensitive) data of EU citizens must also store the data in the EU.

In addition, the concept of data economy applies, i.e. you may only process data that is urgently needed for your business. If a user wants to know how you process his data, you must show him how and where his data is processed in your systems (and those of secondary contractors, e.g. Airtable etc.).
A user may request deletion of his/her data at any time. For newsletters, the double opt-in procedure applies… and so on…

You see, before you naively plunge into the processing of user data from the EU, you should definitely acquire knowledge, hire a specialist or move your company headquarters to a non-EU country.

Keep in mind that you could face very high penalties in the event of a violation!

Long story short: you, as the business and process owner, are fully responsible for the data processing, storage, usage and security; you cannot give this responsibility away. You have to ensure that all secondary contractors you cooperate with stick to the GDPR as long as they store personal or sensitive information.

There are some exceptions. For example, if the app that you built on Adalo is simply used for processing the data, the storage could happen on servers in the EU. You can work with IDs, so that the processed data cannot be used to trace back a person…

Hello @Rajko

Very interesting what you wrote. Also reading the GDPR a little bit I had the doubt that Adalo was not compliant because it does not process data in the EU.

But if a user asks how we treat their data, how can we prove it? With a text document? Or what does it take to show a user what he asks for, and then eliminate his doubts?

Thanks

Hi Rajko

Thank you very much for your post here.

I agree with the data processor responsibilities you describe. However, I have to stand my point regarding the transfer safeguards. This is an educated post, I believe, not a naive compliance wish :slight_smile:

Having data of EU citizens in the EU is NOT (has never been and will practically never be) a GDPR requirement, as long as your data transfer is based upon a GDPR-compliant method (such as SCC, binding corporate rules, or others as mentioned in the GDPR). That’s what the GDPR is about; I’ve been reading it for months over and over, consulting legal professionals, and also educating myself. Essentially since May 2018.

Here is the official wording, Article 46:

The Terms of Service (unless it incorporates the correct GDPR wording), of course, is not enough. You are very right, a consumer cannot just “accept” what is presented. The data controller/processor must make sure they are GDPR compliant, and the conditions for compliance are not vague — they are pretty clear. This is not a subject of consent given by ticking the checkbox next to the Terms and Conditions.

If we talk about sensitive data (health information, religious views, ethnicity, etc.), sure, there are other bodies that have higher requirements, such as HIPAA or PCI-DSS (not applicable if you use a PCI-DSS compliant payment provider).

The world is round and the economy is global.

  • If I visit a website, hosted in the US, my IP appears in the access log (and an IP address IS already personal information because, if connected to other data, might lead to an identification of an individual).

  • If I send an email to a US company, they have my email address (again, personal information).

  • If I subscribe to an email list, there is a 30-50% chance that it is MailChimp, a US company with data stored mostly in the US.

If the EU data has to stay in the EU, then we have to cut the transatlantic cables in the ocean, because every data packet sent from the EU has a source IP address from the EU.

Very rarely is there a solution that lets you specify the region in which to place your data. Of course, excluding cloud service providers.

What Adalo can make better, in my opinion, is to implement more “data minimization”, with their API for an external collection, as long as there is no “legitimate interest” they can justify.

What we users can make better (99% do not) is to appoint a “GDPR representative according to Article 27”, should you live outside the EU/EEA while processing data of EU/EEA citizens. This is the most missed responsibility of data controllers. I have appointed mine in Austria, despite being an EU citizen, because I live outside the EU/EEA.

I’ve never seen any official GDPR article saying the data of EU citizens must stay in the EU. It is preferred, but not implementable. Hence there are legal transfer methods with appropriate safeguards, which Privacy Shield is not a part of anymore.

Miro

What else do we need to implement besides the terms and conditions, privacy policy, cookies? Can additional statements be needed to sleep peacefully?
If so, which ones?

Cheers

@miro I read your post with high interest and I’m glad we are having such an interesting exchange of info, thank you for that. Your post really made me doubt my information, so I checked again (maybe the EU-US treaty changed in the past and I have missed some crucial info?)

The thing is: your post is right for the period between 2016 and 2020… but on the 16th of July 2020 the European Commission declared the EU–US Privacy Shield invalid (not that reliable a source, but it helps getting the overview: EU–US Privacy Shield - Wikipedia)

First there was the Safe Harbor Treaty, followed by the EU-US Privacy Shield treaty. Both were declared invalid by the EU court.

US (Cloud-) Servers do not comply with the GDPR (Storing EU data on US servers no longer compliant with GDPR - Matomo)

I don’t want to overstretch time, so I just want to tell you that you (we :wink:) really need to keep an eye on this.

(Last but not least, here’s a German article which is very interesting, maybe you can translate it via DeepL / Google Translate: Kein Datentransfer mehr in die USA? EuGH kippt EU-US-Datenschutzabkommen „Privacy Shield”. Was Unternehmen jetzt wissen müssen | Rödl & Partner)

To everyone concerned: please be very, very careful when processing and storing data of EU citizens.

@Adalo: I wrote it in another ticket: please strongly consider establishing hosting in the EU. This market contains 746 million people - a market potential not to be underestimated, which is lost to you and the developers of your apps. I strongly recommend “Seatable”, the German version of Airtable, as an Adalo cooperation partner (you are welcome to send a nice greeting from Rjk :heart:).

1 Like

@miticobeppe here I have a checklist which will help you:

Cheers Mate! :fist_right: :fist_left:

1 Like

Hi Rajko

Thank you too, for your time to challenge the privacy questions. This is very important.

I believe there has been a misunderstanding; in both my posts I referred to the Privacy Shield as voided (= invalidated). That is already a relatively old thing, and Adalo reacted wisely in January to rely solely on the SCCs.

In the documents you have attached (ich hab sie gelesen :slight_smile: ) there is nothing against our statements here — the companies cannot rely on the Privacy Shield anymore and have to pick another method.

In one of them there is a surprising fact, that the SCCs are probably not staying for long either (as a compliant safeguard transfer method) and a more stringent way is going to be required.

The article from Matomo is a bit exaggerated in my opinion. I am also their customer. They are French, and France goes beyond what is required by the EU and even Germany. They’re the ones who fined Google :smiley:

Personally I was pretty annoyed by the EU bureaucracy at first, but zooming out, I am honestly happy something like GDPR is in place. The ultimate solution would be for countries such as the US, Russia, China, and so on to start respecting privacy and not exposing everything to the government. Then they will be treated as trustworthy countries to send data to. I feel sorry for the companies operating in those countries — they have it even more difficult to stay compliant than we do :slight_smile:

My knowledge is at the limit, from my point the SCCs are fully valid at the moment. What happens tomorrow, without any warning, no one knows :slight_smile:

I think I didn’t really help.

Cheers
Miro

2 Likes