Denied access to "Office365 - Request AzureAD Applicatie Consent" due to the application's privacy policy not meeting Art.13 of the GDPR

Hello everyone, I have submitted K9 to be reviewed by my school in order to use my school email (Office365) with K9. However, they denied it because the privacy policy does not meet Article 13 of the GDPR. Do any of you have some comments about this?

Also, somehow I am able to use https://github.com/M66B/FairEmail which somehow bypasses this application check (and it’s not whitelisted either, I guess they use a different method of logging in, but it still uses “OAuth”, not sure what the difference is with K9’s oauth).

Can you ask them what they’d like to see added to the privacy policy?

The app only “collects” personal information on the device. And only what is necessary for the app to work (email address, display name). No data (personal or otherwise) is sent to the creator of the app (MZLA).


I have not yet received a reply; if I do, I will keep you updated.

My university rejected my request for the exact same reason (Article 13), with the following reasoning:

To begin with, Article 13 obligations of the GDPR extend beyond the situations where data is automatically sent to the developers or a third party. It also applies to any personal data processing that occurs on the user’s device, such as the collection and storage of contacts, email addresses, and display names. The GDPR has deliberately defined “processing” and “personal data” in very broad terms so as to ensure that the legislation and its applicable obligations cover a variety of situations.

In line with obligations laid down under Article 13, K9’s privacy policy should at the very least state the identity of the data controller, the purpose of the data collection (this has to be comprehensive), the legal basis for processing, the retention period as applicable, and information about data subject rights and how to enforce them. The privacy policy also does not address all possible scenarios for which the data might be processed, for example for user support and troubleshooting.

At first this didn’t make any sense to me, but after looking into it, it seems that the GDPR does probably even cover data that doesn’t leave the device.

I can confirm that FairEmail indeed works fine, somehow.

@cketti who should we approach for the privacy policy to be changed and incorporate that feedback?

Also… Do you have any idea why FairEmail is able to bypass this? Maybe a different version/endpoint of OAuth2 (I have no single clue how this works though…)?