Their use poses serious risks to privacy, since they could allow the tracking of people's movements without them being aware of it and without an appropriate legal basis. The guidelines analyze the implications of these technologies, identify the main associated risks and offer a series of recommendations so that they can be used safely
The Catalan Data Protection Authority, the Basque Data Protection Authority, the Andalusian Transparency and Data Protection Council and the Spanish Data Protection Agency have drawn up guidelines on treatments that incorporate Wi-Fi tracking technology or wifi tracking in which they analyze the implications of this technology, identify the main risks and offer a series of recommendations for responsible use compatible with data protection regulations.
Wi-Fi tracking is a technology that allows mobile devices to be identified and tracked through the Wi-Fi signals they emit, detecting the presence of the device in a specific area and identifying movement patterns. Practical applications can be found in shopping centers, museums, workplaces, public areas, transport or large events, being used to calculate capacity, analyze people flows or measure the time of permanence.
The data protection authorities state that the use of this technology may involve the processing of personal data and, therefore, must be subject to the set of principles, rights and obligations established in the General Data Protection Regulation. In addition, its use poses serious risks for privacy, since it could allow the tracking of people's movements without them being aware of it and without an appropriate legal basis.
For this reason, the authorities consider that, given the factors and elements of inherent risk, in general, the conditions are met so that, before carrying out the treatment, it is mandatory to carry out a Data Protection Impact Assessment (DPIA) . In fact, taking into account the risk factors, they recommend doing it even when the person in charge of the treatment may not be clear about its obligation. In addition, in order to use these technologies, it is necessary to intensify compliance with the principle of transparency through clear and accessible information, such as visible panels with information, public signage, voice alerts or information campaigns, among others.
The guidelines also include a list of measures to be implemented if all the requirements for compliance with the principles of the GDPR are exceeded, highlighting, among others, anonymizing and aggregating right after data collection, limiting the scope in which it is carried out Wi-Fi tracking, not assigning the same identifier to a mobile device on different visits to the same site, implementing security measures adapted to the level of risk and subject to continuous reviews or conducting independent audits.
These technologies allow mobile devices to be identified and tracked through the WI-Fi signals they emit, detecting the presence of the device in a specific area and identifying movement patterns.