The National Cyber and Information Security Agency (NÚKIB) and the Office for Personal Data Protection have issued a joint statement drawing attention to e- commerce applications (apps) which request non-standard permissions on the user's device and may collect excessive amounts of user data, including personal information.
Currently, there are multiple e-commerce apps available for download in the Czech Republic. These apps generally require permissions of various levels on the user’s device. Some are entirely legitimate while others appear to be completely redundant in terms of the purpose of the app, i.e., the purchase and sale of goods.
The companies behindthese apps function within varying legislative environments. Due to this, authorities in third countries may require companiess to provide assistance in ways that would be considered non-standard from the perspective of Czech and European legislation (e.g., the company's obligation to cooperate with the intelligence services of a given country).
The following is recommended for users of e-commerce apps:
- Users should be cautious when granting permissions to downloaded Some require permissions that may not be necessary for their proper functioning (e.g., access to location, contacts, videos, or other files). It cannot be ruled out that if an app collects data, it may be passed on to third parties for purposes unrelated to the original purpose of the app.
- Users should read the app's privacy policy before granting permission (if it is not readily available or it does not exist, it is not a trustworthy online marketplace). Users should focus on:
- whether the purposes for the processing of personal data are adequate and reasonable (i.e., for what specific purposes does the app use customer data),
- the scope of the processing of personal data for each purpose, which should be limited to what is strictly necessary,
- the time period during which users' personal data is stored (it should be limited only to the time strictly necessary – i.e., in the case of order processing, this would mean time necessary to process the order, possibly extended to the time necessary to make a return or refund claim),
- excessive permission requests for personal data processing (i.e., where unnecessary – for example, the collection of data strictly necessary for the processing of an order generally should not require the data subject's consent),
- a description of how the company upholds the user's rights (in particular, with regard to informing the user about data processing, the right to delete personal data, and the right of access to personal data),
- in the case of companies based outside the EU, the name of the company's representative in the EU whom any user may, if necessary, contact for any questions relating to the processing of personal data.
- In case of unclear or missing information, we recommend not to grant permissions to e‑commerce applications.
- There is a number of e-commerce apps available in the Czech Republic where there is a real possibility that their main objective is not financial gain but the collection of large amounts of data. NÚKIB has assessed that some of them use non-standard business practices (e.g., gamification of purchases or possible sale of counterfeits). Extremely low prices in selected online marketplaces may appear attractive, but they may carry certain risks, as it can be assumed that the provider obtains real value for its services and products in other ways (e.g., by over-collecting personal data of app users used beyond the processing of an order for goods. For example, it may pass this data on to third parties for a fee).
- E-commerce apps that carry these risks must not be installed on devices handling sensitive data, such as online banking or government systems.
- If you nevertheless wish to use an e-commerce app that may hold the aforementioned risks, for example for a one-off purchase, make sure to uninstall it from your device after use if you do not intend to use it further.