WiFi and bluetooth

WiFi and bluetooth are increasingly used for ‘tracking’. An organisation can, for example, measure the volume of people in a shopping area by collecting telephone data of the people in that area. As an organisation, you can use WiFi and bluetooth tracking for compiling a combination of data. These data can be used for identifying an individual. This means that these data are personal data.


Indirectly identifying personal data

WiFi tracking and bluetooth tracking are normally used for collecting someone's MAC address (the unique number of a telephone or another mobile device), the serial number and/or the location of the sensor, and a point in time.

In this case, there are no directly identifying data. After all, this does not concern data such as names, addresses and telephone numbers. If no other data are collected, a MAC address will not directly reveal the identity of an individual.

Nevertheless, MAC addresses are personal data. We call data such as these indirectly identifying personal data. This is because you can combine the data with each other or with other data. In this way, you will be able to trace the data back to a specific individual.

Additional data that you can use to indirectly identify people are, for example, camera images, payment details in shops, login details of public WiFi hotspots, or the use of entrance gates with unique identifiers, such as RFID tags.

Use of tracking techniques by municipalities

Organisations other than businesses, such as municipalities, can process personal data using WiFi tracking and bluetooth tracking if this is necessary for the performance of their task, for example for ensuring public order or safety on the streets.

As a municipality, you are allowed to use WiFi tracking and bluetooth tracking under strict conditions only:

  • You must have an independent legal basis for this activity.
  • It is only permitted in specific periods.
  • It is only permitted in precisely described areas, where it is really necessary. At other times and in other places, the measuring equipment for the WiFi or bluetooth tracking must be turned off.

Quick answers

When I apply ‘hashing’ to my WiFi and bluetooth tracking, will there still be personal data?

Yes. Even if you apply hashing to the MAC addresses you collect, these will remain personal data.

Pseudonymisation

Just hashing MAC addresses, without any additional measures, does not mean that you no longer process personal data. In that case, this is not anonymisation, but pseudonymisation.

This is the case, for example, when you have the hashing formula in your possession. This means that you could calculate the original MAC addresses again. In that case, the data are not anonymous. Applying a ‘salt’ does not alter that.

The resulting hashed MAC address can be regarded as a (pseudonymous) identifier. And this is explicitly named in the law as personal data.
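The following Python example is an added illustration, not part of the original guidance. It shows why a salted hash of a MAC address remains a pseudonymous identifier: the same device still produces one linkable trail, and whoever holds the formula and salt can join that trail to other data. The salt, the SHA-256 choice, the MAC addresses, sensor names and account names are all constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Assumption: the organisation hashes with SHA-256 and one fixed salt it keeps.
SALT = b"constructed-salt-2024"

def hash_mac(mac, salt=SALT):
    """Pseudonymise a MAC address: salted SHA-256 over its normalised form."""
    normalised = mac.lower().replace("-", ":")
    return hashlib.sha256(salt + normalised.encode()).hexdigest()

# Constructed sensor records as stored after hashing: (sensor, time, hashed MAC).
SENSOR_LOG = [
    ("entrance", "09:01", hash_mac("02:00:00:aa:bb:01")),
    ("food-court", "09:20", hash_mac("02:00:00:aa:bb:02")),
    ("exit", "10:45", hash_mac("02:00:00:aa:bb:01")),
]

# Constructed "other data": MAC addresses recorded by a public WiFi hotspot login.
HOTSPOT_LOGINS = {
    "02-00-00-AA-BB-01": "visitor-account-17",
    "02-00-00-AA-BB-03": "visitor-account-42",
}

def movements_per_pseudonym(log):
    """The hash is stable, so one device's sightings still link into a trail."""
    trails = defaultdict(list)
    for sensor, time, hashed in log:
        trails[hashed].append((time, sensor))
    return dict(trails)

def link_to_accounts(log, logins, salt=SALT):
    """Whoever holds formula and salt can re-hash known MACs and join the sets."""
    known = {hash_mac(mac, salt): account for mac, account in logins.items()}
    linked = {}
    for hashed, trail in movements_per_pseudonym(log).items():
        if hashed in known:
            linked[known[hashed]] = trail
    return linked

if __name__ == "__main__":
    for account, trail in link_to_accounts(SENSOR_LOG, HOTSPOT_LOGINS).items():
        print(account, trail)
```

Separating or destroying the salt removes the second step only; the stable hash still groups every sighting of one device.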

Conditions for anonymisation

Under the General Data Protection Regulation (GDPR), data are only anonymous if personal data have been anonymised in such a way that the data subject is not or no longer directly or indirectly identifiable.

Applicability of the GDPR

Have the personal data actually been anonymised? Then the GDPR does not apply to those data (anymore).

You can find more information about anonymisation in the Opinion on Anonymisation Techniques of the European data protection authorities.

Can I prevent Google Streetview from collecting my WiFi data?

Yes, you can. Change the network name (SSID) of your WiFi router by adding ‘_nomap’ to it. Is your current SSID 'Saskia', for example? Then it becomes 'Saskia_nomap'.

For more information, see: How do I opt out of Google's location services?

Can't work it out? Then you can contact your internet provider.