Spain: AEPD publishes guidance on processing of personal data using WiFi tracking
On May 7, 2024, the Spanish data protection authority (AEPD) announced that it had published, together with the data protection authorities of Catalonia, the Basque Country, and Andalusia, guidance on processing that incorporates WiFi tracking technology.
Data protection concerns
The AEPD highlighted that WiFi tracking allows mobile devices to be identified and tracked through the WiFi signals they emit, detecting the device's presence in a specific area, and identifying movement patterns.
From the point of view of data protection, according to the AEPD, such movement tracking poses serious privacy risks as individuals might not be made aware of the tracking and it might lack an appropriate legal basis.
Key aspects of the guidelines
The guidelines analyze the technical and legal implications of using WiFi tracking, identify the main associated risks, and offer specific recommendations for responsible use that is compatible with data protection regulations.
In particular, the AEPD and the other data protection authorities consider that a Data Protection Impact Assessment (DPIA) must be carried out. The controllers must also, pursuant to the principle of transparency, provide clear and accessible information, such as visible panels with information, public signage, voice alerts, or information campaigns.
Furthermore, the guidelines:
- examine the processing of personal data that may take place, including presence and location data;
- provide general guidelines on identifying the applicable legal basis under the General Data Protection Regulation (GDPR);
- outline the risks to the rights and freedoms of natural persons, including data breaches and international transfers;
- provide guidelines on carrying out the assessment of necessity and proportionality of the processing;
- analyze a list of technical and organizational measures to implement, highlighting, among others, anonymizing and aggregating just after data collection, limiting the scope in which tracking is carried out, not assigning the same identifier to a mobile device on different visits to the same place, implementing security measures adapted to the level of risk, and carrying out continuous reviews or independent audits; and
- outline the importance of establishing visible, accessible, and simple mechanisms, including electronic means, for the exercise of data subject rights.
You can read the press release here and the guidelines here, both only available in Spanish.