Municipality fined for missing legal basis for WiFi-tracking

Summary

The municipality of Enschede used WiFi counting in the city center with the aim of measuring how crowded the city center was.

Sensors were placed in high streets that detected the WiFi signals from the mobile phones of passersby. Each phone was registered separately and given a unique code.

The 'counting' became 'tracking' as it was possible through data analysis to deduce information about specific persons. For example, where they worked or lived, or in some cases if they went to church, etc.

The decision of the Dutch DPA

The Dutch DPA imposed an administrative fine of 600,000 EUR on the Municipality of Enschede for processing personal data of owners/users of mobile devices without any legal basis (GDPR, Articles 5(a) and 6(1)).

Our remarks

• If a processing activity relies on the legal basis "necessary for a task carried out in the public interest", the law that the controller refers to must specifically allow the processing activity in question. It is not sufficient for "day-to-day administration" to legitimize the use of WiFi in such cases.

• Moreover, when collecting data for one purpose, the data controller should consider if the data could be used for other purposes. This consideration should be included in a risk assessment.

• Even if a data controller has a legal basis for monitoring citizens, the controller should always ensure that the processing is conducted in the most privacy-friendly way possible. For example, instead of WiFi-tracking cell phones, they could have used an automatic visitor counter. This alternative would not collect any personal data, while still serving the purpose of counting visitors.

Published: 29-04-2021, Journal number: N/A
Tags: 01 Legal basis and principles of processing
Complycloud EU GDPR Report