Online and mobile payment involves various (German) laws, such as the Telecommunications Act (TKG), Telemedia Act (TMG), Federal Data Protection Act (BDSG), Payment Services Regulation Act (ZAG), Banking Act (KWG) and the Civil Code (BGB). Some EU directives (e.g. Payment Service Directive) have to be considered as well. For personal data collected in connection with a payment transaction, a strict purpose limitation applies. Bank account data is particularly sensitive data, subject to special statutory protection. The authorities emphasize the paramount importance of specific technical and organizational measures regarding data security. In addition, Sec. 42a of the German Federal Data Protection Act obliges operators to notify the authorities and concerned users immediately of any data security breach involving banking or credit card data. Failure to do carries fines of up to EUR 300,000.
Minors, because of their mental development and noteably at a young age are often not in a position to understand whether a disclosure of their data is necessary or useful, and what consequences this will have. Children under the age of 7 are legally incapacitated in Germany; the critical age in the context of data protection consent declarations is between 7 and 14. According to the Düsseldorfer Kreis, consent to data processing from a minor under 14 years of age cannot be assumed as lawful without parental approval.
If a procedure is used for range measurement and the evaluation is or will be performed by a service provider, the app provider remains legally responsible (responsible entity). The privacy guidelines summarize the requirements for privacy-compliant tracking and audience measurement methods as follows:
- Anonymization of the IP address
- Effective possibility to opt out
- No merging of pseudonyms with data on the actual data subject.
- Information on creating pseudonymous user profiles and about the possibilities to opt out
- Conclusion of a commissioned data processing contract (Assignment to a service provider)