European Data Protection Supervisor

Mobile devices

What you should know about mobile devices

Having become general-purpose computers that run almost any application, mobile devices, particularly smartphones and tablets, have pervaded our professional and private lives. In addition to voice calls and text messaging, they offer the use of internet services (social networks, content sharing, etc.) and feature sensors collecting an increasing amount of information linked to their users, such as location and other environmental and personal parameters. Smart mobile devices have had a profound impact on the way organisations, including EU institutions, work. Increasingly, applications for these devices are being developed that are replacing workstations and laptops for some uses. Among the benefits of using mobile devices, increased employee satisfaction, cost savings and the flexibility to work remotely are significant.

Users of mobile devices usually process personal data (also known as personal information) of other people, for example when taking a photo of somebody, keeping contact lists, or sending or receiving emails. All individuals (data subjects) with any connection to the organisation, whether staff, contractors, candidates for a job vacancy, journalists or others, are potentially affected.


What are the main data protection issues?

Accountability – Organisations that allow the use of mobile devices need to weigh up the benefits of using mobile devices for each specific processing operation (case-by-case) and take into account the risks and invasiveness that their use may imply. This assessment should also consider the added functionalities and features of the mobile devices and the impact on the security of IT infrastructure.

Right of information – When organisations provide mobile devices, they must inform users of what data processing will be carried out. This is one element of an acceptable-use policy on mobile devices which lays down the rules for their professional use. Where Bring-Your-Own-Devices (when private devices are used for work purposes) are permitted, such a policy is even more important for clarifying the rights and obligations of organisations and their staff.

Data security – Security is one of the main principles of data protection. To guarantee an adequate level of protection, organisations must implement a risk management process, assessing the security risks of using mobile devices for processing personal data; organisations must then implement measures to deal with the identified risks.


More Information

EDPS Guidelines on the protection of personal data in mobile devices used by European institutions

 
Related topics:

Information security and information security risk management.