In order to minimize intrusion in the data subject’s life, it is essential that the device is designed in a way that preserves the purpose limitation principle. Whenever processing geospatial data, recipients must only use the information for the task for which it was provided to them. They must keep in mind that data collected for specified “initial” purposes shall only be processed for those initial purposes, or for compatible purposes. Further processing of data is allowed under the GDPR in certain circumstances. First, when the controller seeks another legal basis, subject to compliance with all other legal requirements, such as transparent information and the granting of users’ rights. Second, for some pre-authorized purposes, such as scientific research or archiving (see the section “Use of data for scientific research” in the Concepts and tools part of these guidelines). Third, when the further processing has compatible purposes. For the general case, the GDPR gives criteria for determining the compatibility of purposes, which include the link between the original and the further processing, the nature of the data, the expectations of the data subject and the existence of appropriate safeguards (see Art. 6(4) and the purpose limitation subsection in the principles section).
If you are planning to offer an advertising platform and/or a webshop-like environment for applications that will be able to process personal data resulting from the installation and use of geospatial data applications, independently from the application providers, this should be carefully explained to the users. They should provide explicit consent to these purposes. Refusing unnecessary processing must not make the device or system impossible to use. In general, tracking walls, that is, systems that make access to the service conditional on consent to the use of data that is not needed for the functioning of the tool, should be carefully avoided.
If the tool has been designed to work on proximity data, it should not allow the developer or a third party to use such data to draw conclusions about the location of the users based on their interaction and/or any other means. If the tool has been designed to work on location data, it should not allow the developer or a third party to draw conclusions on the interaction of the users with other people.
The controller must pay specific attention to purposes that a data subject does not expect, such as for example profiling and/or behavioral targeting. If the purposes of the processing change in a material way so as to be incompatible with the original processing, the controller must seek a new valid legal basis, such as a new specific consent. For example, if a company originally stated it would not share personal data with any third party, but now wishes to share it, this processing will most likely not pass a compatibility test. Therefore, considering that the best lawful basis in this case is users’ consent, the controller must seek the active prior consent of each customer for this further processing activity. A lack of response (or other kind of opt-out scenario) does not suffice. Additionally, the controller must provide a genuine option to withdraw consent at any time, as well as the possibility of exercising users’ rights, such as erasure of data or restriction of processing.
It is also important to distinguish between consent to a one-off service and consent to a regular subscription. For example, in order to use a particular geolocation service, it may be necessary to switch on geolocation services in the device or the browser. If that geolocation capacity is switched ‘ON’, every website may read the location details of the user of that smart mobile device. In order to prevent the risks of secret monitoring, the Article 29 Working Party considered it essential that the device continuously warns that geolocation is ‘ON’, for example through a permanently visible icon.[1] This can hardly be considered a compulsory requirement for the controller, but it is certainly a good practice that must be recommended.
Checklist[2]: Purpose limitation
☐ The controllers have clearly identified their purpose or purposes for processing, which must be “specific”.
☐ The controllers have documented those purposes.
☐ The controllers include details of their purposes in the privacy information for individuals, ensuring that the data subject is adequately informed, according to Art. 12-14 GDPR.
☐ The tool cannot be inadvertently diverted from its primary use.
☐ The tool does not use tracking walls to collect unnecessary data.
☐ If the controller initiates a further processing of personal data, a compatibility test has been carried out and documented in order to comply with the accountability principle. This test must take into account, at least, the factors listed in Art. 6(4) of the GDPR.
☐ If the controller wishes to further process the data for a purpose other than the one initially stated which is incompatible with the original purpose, and consent is the most suitable lawful basis, the tool is designed to ask users for permission. In any other case, the controller must find the most adequate lawful basis.
☐ If the tool has been designed to work on proximity data, it cannot be used to draw conclusions on the precise location of the users based on their interaction and/or any other means.
☐ If the tool has been designed to work on location data, it cannot be used to draw conclusions on the interaction of the users with other people or to make inferences about further categories of data based on the places visited by the person or any other means.
References
[1] Article 29 Working Party (2011) Opinion 13/2011 on Geolocation services on smart mobile devices, adopted on 16 May 2011. 881/11/EN WP 185, p. 13. Available at: https://www.apda.ad/sites/default/files/2018-10/wp185_en.pdf
[2] This checklist has been built on the basis of the following documents: EDPB, Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak, adopted on 21 April 2020; ICO (no date) Principle (b): purpose limitation. Information Commissioner’s Office, Wilmslow. Available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/purpose-limitation/ (accessed 17 May 2020).