Legal bases for WiFi tracking and Bluetooth tracking

Legal basis for WiFi tracking and Bluetooth tracking

Article 6 of the GDPR lists six legal bases. Of these, three could be used for WiFi tracking and Bluetooth tracking by companies:

• consent;
• contract;
• legitimate interest.

Whether you can base WiFi tracking and Bluetooth tracking on one of these legal bases depends on your specific situation.

Legal basis of consent

Under this legal basis, you may process personal data if the data subjects have given consent to do so. The legal basis of consent could be used for WiFi and Bluetooth tracking. However, it is practically and technically difficult to implement due to the conditions that consent has to meet. Because consent is only valid if it meets a number of requirements.

Legal basis of contract

Is it necessary to subject someone to WiFi and Bluetooth tracking to perform a contract with that person? You may then be able to base such processing of personal data on the legal basis of contract. Whether this is the case depends on the following:

• Is the processing of personal data strictly necessary?
• Does the user consent to any processing of information from peripheral equipment?

Processing of personal data necessary?

A data subject and you are free to agree on whatever you want (freedom of contract), provided you comply with the Dutch Civil Code (not contrary to public morality, etc.). However, entering into a contract with someone does not automatically mean that you can also rely on the legal basis of contract.

You must consider whether processing the data is necessary. You must determine the precise reasons for the contract. This means: the content, the purpose and whether the data processing is really necessary to achieve that purpose.

Including WiFi tracking and Bluetooth tracking in the contract does not automatically mean that you also meet the requirement that this processing is necessary to perform the contract.

Consent for processing information from peripheral equipment

Do you gain access to information in a user's peripheral equipment because of the way the WiFi or Bluetooth sensors read data from them? Such as identifiers and location data? Then this is only allowed if the user has given explicit consent for this.

Is this processing of information from the user's peripheral equipment not necessary to perform the contract? Then the consent only applies if:

• the data subject can give separate consent to such processing;
• you will also perform the contract if the data subject does not give consent.

Legal basis of legitimate interest

Whether you can use the legal basis of legitimate interest depends on the purpose of the WiFi tracking and Bluetooth tracking.

Processing personal data in public spaces has an additional impact. The government is only allowed to do this if legislation is in place. A private party often cannot rely on the legal basis of legitimate interest.

Sometimes, as a company, you can rely on this legal basis. For example, if WiFi and Bluetooth tracking is necessary to:

• protect private property in public spaces;
• ensure the safety of passers-by, for example, in a station;
• prevent dangerous crowds at certain points (crowd control).

The protection of private property in public spaces is considered a legitimate interest. The protection of people's physical safety can also be regarded as a legitimate interest. To protect this interest, it may be necessary for you as a company to (also) process personal data.

You thus meet the first requirement for being able to rely on the legal basis of legitimate interest. You must still meet the other conditions of Article 6, paragraph 1, point f of the GDPR:

• your processing must meet the requirements of proportionality and subsidiarity;
• you must weigh up your interests against those of the data subjects.

Proportionality and subsidiarity

The requirement of proportionality means that the infringement of the privacy of the data subjects must be proportionate to the purpose of WiFi tracking and Bluetooth tracking.

The requirement of subsidiarity means there is no less severe method possible than WiFi tracking or Bluetooth tracking that infringes less on privacy.

You must explain why you cannot protect your legitimate interest equally effectively in another way and without processing personal data.

Weighing of interests

When weighing up interests, you will need to consider whether you take additional measures to prevent or limit the undesirable consequences for data subjects. For example, by:

• Immediate anonymisation of the tracking data on the sensor.
• Hashing data in a different way for each measuring location, so there is no technical possibility to track data subjects over time and across multiple locations.
• Providing further safeguards, such as limiting measurements in space and time to specific times and locations (instead of measuring 24/7).
• Another way is to offer data subjects the opportunity to opt out of WiFi tracking and Bluetooth tracking. This allows them to avoid measurements in their (private) environment. It is important that you clearly indicate the opt-out option.