AP (The Netherlands) - 11.03.2021

From GDPRhub
Revision as of 07:25, 7 May 2021 by RRA
AP (The Netherlands) - Gemeente Enschede
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 4 GDPR
Article 6(1)(c) GDPR
Article 6(1)(e) GDPR
Article 6(1)(f) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 11.03.2021
Published: 29.04.2021
Fine: 600000 EUR
Parties: Municipality of Enschede
National Case Number/Name: Gemeente Enschede
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Autoriteit Persoonsgegevens (in NL)
Initial Contributor: n/a

The Dutch DPA fined the municipality of Enschede €600,000 for processing the personal data of 1.8 million unique mobile device owners between 25 May 2018 and 30 April 2020 without a legal basis.

English Summary

Facts

On 6 September 2017 the municipality of Enschede decided to start 24/7 WiFi tracking in the center of the city. Its purpose was to measure the effectiveness of municipal investments, in view of the responsible use of public funds. The contract to execute this task was given to City Traffic B.V., now Bureau RMC. Bureau RMC then contracted an unnamed party to install and maintain the sensors and to collect and validate the data they gathered. The information collected included hashed MAC addresses, date and timestamp of exposure, signal strength and sensor ID. It was stored for a period of between 6 and 7 months. Starting from 1 January 2019 the hashed MAC addresses were also truncated. On 30 April 2020 the municipality instructed Bureau RMC to switch the tracking sensors off.


Dispute

According to the municipality, the data was anonymized sufficiently that no personal data was processed. The municipality also did not agree with the AP that it was the controller of the personal data in this case. Finally, the municipality argued that this processing could be based on Article 6(1)(c) GDPR “compliance with a legal obligation” or Article 6(1)(e) GDPR “the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.

Holding

The AP concludes that the chosen anonymization method of truncating a small part of the hashed MAC address does not sufficiently exclude the risks of singling out, linking or deducing a person's identity from the combination of a pseudonymous identifier, a timestamp and location information (available via the sensor ID). The data processed by the municipality therefore constitutes personal data. Because the data was stored for a long time and the truncated, hashed MAC addresses were not rotated, clear life and location patterns could be deduced from the data set. These patterns could reveal, for example, someone's home or place of work, but also more sensitive data such as visits to medical institutions. Although it was not the municipality's intention to track people's life patterns and there is no evidence that this actually happened, the AP considered these facts irrelevant for this case.

According to the AP, the municipality was the controller because it had decided on the means and purposes of the personal data processing; it had even issued orders to Bureau RMC about the specifics of this processing on at least one occasion.

Furthermore, the AP considered that no law obliged the municipality to do WiFi tracking in the city center. This processing also could not follow from a broadly formulated duty of care or a statutory obligation. Moreover, the municipality had not respected the conditions of necessity and proportionality, as there were less privacy-intrusive ways to count the number of visitors to a city center, such as infrared counters. In view of Recital 47 GDPR, the AP considered that legitimate interest also could not be a valid legal basis in this case because, according to its own arguments, the municipality had acted in the exercise of its official authority. The AP did not see any reason to reduce the fine; it considered the amount of 600 000 EUR to be proportionate.
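An added illustration of the AP's linkability point (not part of the decision or of the GDPRhub summary): over constructed sightings, it compares a fixed truncated hash with a hash keyed by a fresh random key per day. The hash function (SHA-256), the number of characters kept and the rotation scheme are assumptions; the summary does not state which were used.

```python
import hashlib, hmac, secrets
from collections import defaultdict

# Constructed sightings: (MAC address, day, sensor ID). Not data from the case.
SIGHTINGS = [
    ("3c:22:fb:10:9a:01", "2019-03-04", "S1"),
    ("3c:22:fb:10:9a:01", "2019-03-05", "S1"),
    ("3c:22:fb:10:9a:01", "2019-03-05", "S7"),
    ("a4:5e:60:c2:11:7f", "2019-03-04", "S3"),
    ("a4:5e:60:c2:11:7f", "2019-03-06", "S3"),
    ("f0:18:98:44:d0:2b", "2019-03-06", "S2"),
]

KEEP_HEX = 56  # assumption: truncation drops the last 8 of 64 hex characters

def static_pseudonym(mac, day):
    """Unkeyed hash, truncated: the same device gets the same value every day."""
    return hashlib.sha256(mac.encode()).hexdigest()[:KEEP_HEX]

def make_rotating_pseudonym():
    """Keyed hash with a fresh random key per day; keys exist only in memory."""
    daily_keys = defaultdict(lambda: secrets.token_bytes(32))
    def pseudonym(mac, day):
        digest = hmac.new(daily_keys[day], mac.encode(), hashlib.sha256)
        return digest.hexdigest()[:KEEP_HEX]
    return pseudonym

def profiles(sightings, pseudonymize):
    """Group stored records by pseudonym, as any holder of the data set could."""
    out = defaultdict(list)
    for mac, day, sensor in sightings:
        out[pseudonymize(mac, day)].append((day, sensor))
    return dict(out)

def multi_day_profiles(sightings, pseudonymize):
    """Count pseudonyms that tie together sightings from more than one day."""
    return sum(1 for visits in profiles(sightings, pseudonymize).values()
               if len({day for day, _ in visits}) > 1)

if __name__ == "__main__":
    print("static:  ", multi_day_profiles(SIGHTINGS, static_pseudonym))
    print("rotating:", multi_day_profiles(SIGHTINGS, make_rotating_pseudonym()))
```

Rotation in this sketch only breaks linking across days; within a single day each device still has one pseudonym tied to timestamps and sensor IDs.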


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.