Applicable Law to mobile applications in Spain

Mobile applications, commonly known as apps, are tools for smartphones or tablets, which take advantage of the features of these devices such as the touch screen, internet connection, camera or GPS. These apps are usually games, office tools, social networks, tools for editing photos, videos or music, etc. and they are usually free or for a very low price.

However, just because apps are cheap or free does not exempt them from compliance with law. The European Data Protection Authorities have adopted the first joint opinion regarding mobile applications analysing the effects and risks apps pose for data protection, elaborating on the obligations of app developers and everyone involved in their creation, and paying special attention to the use of these apps by minors.

The types of existing apps are as follows:

According to the external resources the app accesses:

  • Online Apps: These are apps that require access to online or location resources: apps for news, games, social networks, bank consultations, specialized consultations, forums, betting, maps, radar notifications, geographic location, etc.
  • Offline Apps: These are apps that do not require any online or location resources, for example games that do not access data networks, informative applications, automation tools, etc.

According to the internal features they access:

  • Invasive Apps: These gain access to the device calendar, the identification number of the terminal, geographic location, stored photos, they display advertisements, manipulate the users profile in a certain social network or require that the user to register and submit their personal data.
  • Non-invasive Apps: These do not gain access to any internal or confidential feature of the device; neither do they need any personal information from the user.

Most apps are the Online and Invasive type. Depending on the type of application, compliance with different laws is required. In the following chart, we have summarised the main laws in Spain that one must considered when launching an app in the market.

 Invasive Apps  Non-invasive Apps
Online Apps OLPDLSSI LSSI
Offline Apps OLPD Does not apply

Below we shall briefly summarise the main obligations pursuant to these laws.

LOPD: The current regulation in Spain requires compliance with the following obligations:

  • Quality: The information should be adequate, relevant and not excessive to the purpose for which it is collected. This obligation shall be more strictly applied to apps aimed at youth.
    The European Authorities recommend not registering data of minors for advertising purposes, not collecting information about parents and other family members and removing all personal information when uninstalling the app.
  • Information: It is necessary to inform the user in advance about the data that will be obtained through the app and which has not been provided directly by the user himself.

Information about the identity and domicile of the person responsible for the app is also to be provided, as well as the purpose of the collected or accessed information, the possibility of the user to exercise their rights, if there is an interconnection with third parties, etc. In the case of apps aimed at youth, this information is to be transmitted in a simple and comprehensive manner.

  • Consent: If the user goes forward with the installation after being informed of the previous points, they will have given their consent. Still, the consent given by children under the age of 14 is not valid. This is why there should be a mechanism preventing minors from using such apps or which allows the obtainment of the consent of their parents or guardians.
  • The rest of the principles and obligations in the LOPD are also applicable to the data collected through the apps.

LSSI: The current regulation in Spain requires compliance with the following obligations:

  • General Information: A report is to be composed, indicating the identity of the person responsible for the app, their domicile, NIF, register details, contact details, details of the administrative authorizations for exercising their activity and ethical codes they are affiliated with.
  • Commercial Information: It is advisable to obtain express consent about sending advertisement materials. This objective should be left as an option for the user.

Whenever communication with a commercial purpose takes place, it must be marked as Advertisement or Advert and must allow the user to oppose receiving such messages in the future.

Cristina Sandoval & Jesóús Sánchez

This article is not considered as legal advice

Jesús Sánchez

A Business Law graduate of the Universidad San Pablo (CEU) and a PhD in Consitutional Rights and IT, Jesús Sanchez specialises in IT Law. He is a partner at Áudea, a firm that specialises in the managing the security of information. For any further enquiries please Contact us