Software Developer in the World of the GDPR

19 April 2018 | Weronika Masternak | gdpr development

The profession of a software developer is not just about coding. Every developer should take into account the activities that ensure a high level of security in their work, and treat them as an inseparable element of the application development process. Possessing the knowledge regarding the GDPR is a great advantage and makes implementing the project assumptions much easier Thanks to knowing the regulations, a developer is able to take care of the technical aspects of the application that make it possible for the users to, e.g. control the data flow, express consents, gain access to specific resources or exercise new rights (the right to be forgotten, the right to object or the right to transfer data).

In this article you can read about:

  • the changes arising from the GDPR;
  • the key online identifiers;
  • the developer's work standards.

Changes arising from the GDPR

The developers creating a new application should know where to update the code to add a new feature that guarantees a high level of security. In addition, the GDPR broadens the definition of personal data that from May 25 includes:

  • genetic data (revealing unique information about the person's physiology or health),
  • biometric data (created through a biometric measurement, e.g. fingerprint, retinal scan),
  • location data (obtained, e.g. when the location is made available as part of a mobile application),
  • other online identifiers.

Key online identifiers

As you can guess, the last type last data – the online identifiers – are important for a developer and include elements such as:

  • IP addresses (unique numerical labels assigned to devices connected to a computer network),
  • mobile identification numbers (individual numbers associated with smartphones or other portable devices),
  • cross-browser ”fingerprints” (information about the user's identity and browser configurations, gained by tracking their web traffic [even if they surf the Internet in private browsing modes] and based on HTTP cookies),
  • RFID tags (using the radio waves to remotely identify people and objects),
  • telemetric data (data from the user's devices; collecting them contributes to the comfort of using the software),
  • cookies (files that are saved and stored on a local computer or other device when visiting a website),
  • MAC addresses (unique identifier assigned to a network interface card, given by the manufacturer of the card during the production process),
  • user account identifiers and other data generated by the system, enabling the identification of a natural person.

Work standards

Software developer should build on certain tools, frameworks or libraries, and then create a list of approved standards and methodologies used in coding and testing their applications.

Giving up on dangerous modules by developers is closely related to the Privacy by Design concept, and respect for the privacy of the future user. Being a responsible developer involves determining where and how data is stored, how is it protected and encrypted.

Developers must work according to the Privacy by Default principle, which means that the user who sets up their account for the first time, should immediately use the optimal privacy settings by default. This way, the user is given the opportunity to make an informed choice if they would like to adjust the level of privacy. The default application setting basically menas that it does not track the user's location or share user data with others.

The product that is to be released should first be subject to a security audit with implemented legal and technical recommendations, and to penetration tests. These works, carried out by security testers and auditors, lawyers and security designers, reduce the risk of unauthorised access to the application.

Creating a software that is secure and conforming with the GDPR depends to a large extent on adapting the perspective of both the potential user and the cyber-criminal. It is good to consider all scenarios, to improve the project and thus avoid any unidentified threats.

Lemlock ebook. Expert Guidebook: Three vievs on cybersecurity
We would be happy to talk about your project!
Consent to  data processing for contact purposes
I confirm that I have read the  information clause of Sagiton Sp. z o.o.

I hereby give consent to the processing of my personal data by the Personal Data Controller (hereinafter: "PDC") – Sagiton Sp. z o.o. ul. Fabryczna 19, 53-609 Wrocław, within the scope of: full name, e-mail address or telephone number, for the purpose of sale of products and services of Sagiton Sp. z o.o. and for the purpose of sending me feedback and making contact with me by Sagiton Sp. z o.o.

At the same time, I acknowledge that: at any time I can request the removal of my personal data from the PDC Sagiton Sp. z o.o. database, by sending an e-mail to, or a letter to Sagiton Sp. z o.o., ul. Fabryczna 19, 53-609 Wrocław, with a statement containing the relevant request, which shall result in the deletion of my personal data from the PDC Sagiton Sp. z o.o. database; I have the right to access my data; providing my data is voluntary, however refusal to provide it is tantamount to not receiving information regarding sale of products and services of Sagiton Sp. z o.o., as well as not receiving feedback and making contact with me by Sagiton Sp. z o.o.

In accordance with Art. 13 section 1 of the General Data Protection Regulation of 27 April 2016, (GDPR), we would like to inform you that the controller of your personal data is Sagiton Sp. z o.o. with its registered office at ul. Fabryczna 19, 53-609 Wrocław, e-mail:

Your personal data shall be processed within the scope of: full name, e-mail address and/or telephone number in order to answer your question/request for contact and send feedback – pursuant to Art. 6 section 1 (a) of the GDPR, i.e. consent to the processing of personal data.

The data controller would like to inform you that your personal data shall not be disclosed to third parties.

Your data shall not be transferred outside of the European Economic Area or to international organizations.

Your personal data shall be processed until you withdraw your consent to the processing of data, as well as if the purpose for processing this data shall no longer be applicable.

You have the right to access your personal data, rectify it, delete it, restrict its processing, the right to transfer it, as well as the right to object.

In the case of giving your consent, you have the right to withdraw it at any time. Exercising the right to withdraw the consent does not affect the processing carried out before the consent was withdrawn.

You have the right to lodge a complaint with the supervisory body, i.e. the President of the Office for Personal Data Protection, ul. Stawki 2, 00-193 Warsaw.

Providing your personal data is a prerequisite for making contact with you by Sagiton Sp. z o.o. with its registered office at ul. Fabryczna 19, 53-609 Wrocław. In the case of not providing your personal data, Sagiton Sp. z o.o., shall not be able to contact you.

The Data Controller, Sagiton Sp. z o.o., would like to inform you that they shall not use your personal data for automated decision-making, which is based solely on automated processing, including profiling, and has legal effects for you or affects you significantly in a similar way.