Infor­ma­ti­on from the FDPIC on per­so­nal track­ing; pro­ce­e­dings against Valo­ra concluded

On 22 Febru­ary 2017, the FDPIC announ­ced that it had con­clu­ded the pro­ce­e­dings against Valo­ra in the mat­ter of peo­p­le track­ing. You can find the cor­re­spon­ding noti­ce here.

Back­ground: In Decem­ber 2016, it beca­me publicly known that Valo­ra was coll­ec­ting mobi­le data from its cus­to­mers in its kiosk bran­ches in order to use this data for per­so­na­li­zed adver­ti­sing. In the mean­ti­me, howe­ver, Valo­ra had explai­ned to the FDPIC in a writ­ten state­ment that it does not pro­cess any per­so­nal data, but only eva­lua­tes aggre­ga­ted data for sta­tis­ti­cal pur­po­ses. Valo­ra had also agreed to pro­vi­de more detail­ed infor­ma­ti­on about the pro­ject on its website.

In this con­text, we would like to remind you of the infor­ma­ti­on pro­vi­ded by the FDPIC on the data pro­tec­tion aspects that must be taken into account when using per­so­nal track­ing systems:

Peo­p­le track­ing invol­ves track­ing the move­ments of objects or peo­p­le. Per­son track­ing systems record cer­tain cha­rac­te­ri­stics of the pas­sing objects or per­sons at a loca­ti­on with a lot of public traf­fic (e.g. shop­ping mall or high­way ent­rance) in such a way that the system can reco­gnize them at cer­tain check­points and thus track their movements.

The FDPIC notes that the scope of the Data Pro­tec­tion Act is not limi­t­ed to track­ing systems that record direct per­so­nal cha­rac­te­ri­stics (e.g., facial or licen­se pla­te reco­gni­ti­on). Rather, the Data Pro­tec­tion Act also covers track­ing systems that record mobi­le pho­ne data under cer­tain circumstances:

In the case of the­se systems, it has been argued on various occa­si­ons that no per­so­nal data is coll­ec­ted, which is why the Data Pro­tec­tion Act does not apply.

Howe­ver, this view does not go far enough: It is true that the ope­ra­tors of such systems are not yet able to assign IMSI and TMSI num­bers or Mac addres­ses direct­ly to a spe­ci­fic per­son. Howe­ver, this may be pos­si­ble under cer­tain cir­cum­stances in the case of the move­ment pro­files that are crea­ted. For exam­p­le, the move­ment pro­files of sales staff in a retail store dif­fer from tho­se of cus­to­mers. In the case of smal­ler stores, this means that a move­ment pro­fi­le can quick­ly be assi­gned to a spe­ci­fic employee. But also by lin­king the coll­ec­ted data and the crea­ted pro­files with fur­ther data (e.g. the images from sur­veil­lan­ce came­ras or payment data), an allo­ca­ti­on can beco­me pos­si­ble. It must the­r­e­fo­re also be assu­med that the­se systems are pro­ce­s­sing per­so­nal data within the mea­ning of the Data Pro­tec­tion Act.

From this, the FDPIC con­clu­des that the use of per­so­nal track­ing systems always requi­res a justification.

• The FDPIC points out the prac­ti­cal dif­fi­cul­ties of obtai­ning effec­ti­ve consent.
• The FDPIC con­siders an over­ri­ding public inte­rest to exist whe­re per­son track­ing is car­ri­ed out for non-per­so­nal pur­po­ses (for exam­p­le, to impro­ve secu­ri­ty at air­ports or to avo­id traf­fic jams).
• The pri­va­te inte­rest in the deli­very of cus­to­mi­zed adver­ti­sing is not reco­gnized by the FDPIC as a justification.

The FDPIC’s infor­ma­ti­on on per­so­nal track­ing can be found at here.