Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Back
LinkedIn Created with Sketch. Twitter Created with Sketch.
07 May 2024

Spain: AEPD publishes guidance on processing of personal data using WiFi tracking

Privacy Impact AssessmentsAnonymization and PseudonymizationData Subject RightsPrivacy Law ConceptsTransparencyEncryptionSurveillance

On May 7, 2024, the Spanish data protection authority (AEPD) announced that it published, together with data protection authorities of Catalonia, Basque Country, and Andalusia, a Guidance on processing incorporating WiFi tracking technology.

Data protection concerns

The AEPD highlighted that WiFi tracking allows mobile devices to be identified and tracked through the WiFi signals they emit, detecting the device's presence in a specific area, and identifying movement patterns.

From the point of view of data protection, according to the AEPD, such movement tracking poses serious privacy risks as individuals might not be made aware of the tracking and it might lack an appropriate legal basis.

Key aspects of the guidelines

The guidelines analyze both technically and legally the implications of the use of WiFi tracking, identify the main associated risks, and offer specific recommendations for responsible use, compatible with data protection regulations.

In particular, the AEPD and the other data protection authorities consider that a Data Protection Impact Assessment (DPIA) must be carried out. The controllers must also, pursuant to the principle of transparency, provide clear and accessible information, such as visible panels with information, public signage, voice alerts, or information campaigns.

Furthermore, the guidelines:

  • examine the processing of personal data that may take place, including presence and location data;
  • provide general guidelines on identifying the applicable legal basis under the General Data Protection Regulation (GDPR);
  • outline the risks to the rights and freedoms of natural persons, including data breaches and international transfers;
  • provide guidelines on carrying out the assessment of necessity and proportionality of the processing;
  • analyze a list of technical and organizational measures to implement, highlighting, among others, anonymizing and aggregating just after data collection, limiting the scope in which tracking is carried out, not assigning the same identifier to a mobile device on different visits to the same place, implementing security measures adapted to the level of risk, and carrying out continuous reviews or independent audits; and
  • outline the importance of the establishment of visible, accessible, and simple mechanisms, including electronic means, for the exercise of data subject rights.

You can read the press release here and the guidelines here, both only available in Spanish.

Company

Our Policies

Your Rights

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
© OneTrust, LLC. All Rights Reserved.
The materials herein are for informational purposes only and do not constitute legal advice.
Feedback