If the use of anonymous data is not possible, use the minimal amount of personal data and pseudonymize them

If anonymization is not possible, controllers should at least try to work with pseudonymized data (see the pseudonymization and anonymization section in the Concepts and tools part of these Guidelines). Ultimately, each controller needs to define which personal data are actually needed (and which are not) for the purpose of the processing, including the relevant data retention periods. Indeed, controllers must keep in mind that the necessity of the processing must be proven before relying on any legal basis under Article 6 or 9(2) of the GDPR. Although consent may seem to be the only legal ground that does not require necessity, it does involve necessity to a certain degree: valid consent for the purposes of the GDPR is given for a specific purpose, and the processing must be necessary in relation to that purpose, according to Article 5(1)(c). In other words, the data minimization, purpose limitation and lawfulness principles require controllers to ensure that the purposes pursued by the device or system cannot be achieved with less personal location or proximity data, or with those categories of data at a lesser degree of detail.

In practice, the EDPB considered that this principle means that “the application should not collect unrelated or not needed information, which may include civil status, communication identifiers, equipment directory items, messages, call logs, location data, device identifiers, etc. Data broadcasted by applications must only include some unique and pseudonymous identifiers, generated by and specific to the application. Those identifiers must be renewed regularly, at a frequency compatible with the purpose of containing the spread of the virus, and sufficient to limit the risk of identification and of physical tracking of individuals.”[1]

In general, for the purpose of offering geolocation services, the collection and processing of Service Set Identifiers (SSIDs) is not necessary. Therefore, the collection and processing of SSIDs is excessive for the purpose of offering geolocation services based on mapping of the location of WiFi access points.[2]

Box 6: Contact tracing app in pandemics

This type of application provides some good examples of data policies that respect data protection regulations. Some useful tips developed by the ICO are:

  • the exchange of information between devices does not include personal data such as account information or usernames;
  • matching processes take place on-device and are not undertaken by the app host or with the involvement of any other third party; and
  • the information required for the core functionality of contact tracing apps built using CTF does not use location data, either in the exchange between devices, the upload to the app host or subsequent notifications to other users from the app host.
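The EDPB quote above (pseudonymous identifiers generated by the app and renewed regularly) and the ICO tips (on-device matching, no location data) can be put together in a small design sketch. The following Python example is added here and is not the EDPB's text nor any named app's code; the 15-minute rotation interval, the per-day secret, the HMAC-SHA256 derivation and the 16-byte identifier length are assumptions of this illustration.

```python
import hmac
import hashlib
from datetime import datetime, timezone

ROTATION_SECONDS = 15 * 60                    # assumed rotation interval: 15 minutes
IDS_PER_DAY = 24 * 3600 // ROTATION_SECONDS   # 96 identifiers per day

def epoch_index(ts: datetime) -> int:
    """Rotation interval number since the Unix epoch."""
    return int(ts.timestamp()) // ROTATION_SECONDS

def derive_id(day_secret: bytes, epoch: int) -> bytes:
    """Pseudonymous identifier broadcast during one interval.
    HMAC-SHA256 over the interval number, truncated to 16 bytes: an observer
    who lacks day_secret cannot link two intervals' IDs to the same device,
    which limits physical tracking of the person carrying it."""
    return hmac.new(day_secret, epoch.to_bytes(8, "big"), hashlib.sha256).digest()[:16]

def ids_for_day(day_secret: bytes, day_start: datetime) -> list[bytes]:
    """All identifiers a device broadcasts on one day; anyone holding
    day_secret can re-derive them, nobody else can."""
    first = epoch_index(day_start)
    return [derive_id(day_secret, first + i) for i in range(IDS_PER_DAY)]

def match_on_device(observed: set[bytes], reported: list[tuple[bytes, datetime]]) -> int:
    """On-device matching: re-derive the identifiers of users who reported a
    positive test and count how many this device actually observed. Only the
    identifiers are stored locally; no account data, names or location."""
    return sum(1 for secret, day in reported
               for i in ids_for_day(secret, day) if i in observed)

# Constructed sample data: device A's daily secret and what device B saw nearby.
DAY = datetime(2020, 4, 21, tzinfo=timezone.utc)
SECRET_A = bytes.fromhex("00" * 31 + "01")    # in practice: os.urandom(32), kept on device
OBSERVED_BY_B = {derive_id(SECRET_A, epoch_index(DAY) + 40),   # one contact at 10:00 UTC
                 bytes.fromhex("ff" * 16)}                      # some unrelated device

if __name__ == "__main__":
    print("identifiers per day:", IDS_PER_DAY)
    print("matches on device B:", match_on_device(OBSERVED_BY_B, [(SECRET_A, DAY)]))
```

Because the matching step only needs the reported daily secrets, the central server never has to hold or circulate the full list of pseudonymous identifiers, which is the last item of the checklist below.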

Checklist[3]: Minimizing data

  • According to the data minimization principle, the application does not collect data other than that which is strictly necessary for its purposes.
  • When possible for the purpose of the processing, controllers will set a preference for the use of anonymous data. If personal data must be used, pseudonymous data will prevail over direct personal data.
  • The tool only collects data transmitted by instances of the application or interoperable equivalent applications. No data relating to other applications and/or proximity communication devices are collected.
  • Requests made by the application to the central server do not reveal information that is unnecessary for the purposes of the service to the system.
  • Requests made by the tool to the central server do not reveal any unnecessary information about the user, except, possibly, and only when necessary, for their pseudonymous identifiers and their contact list.
  • The use of the application does not allow users to learn anything about other users, unless it is strictly necessary.
  • The central server does not maintain or circulate a list of the pseudonymous identifiers of users.

References


[1] EDPB, Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak, adopted on 21 April 2020.

[2] Article 29 Working Party (2011), Opinion 13/2011 on Geolocation services on smart mobile devices, adopted on 16 May 2011, 881/11/EN WP 185, p. 16, at: https://www.apda.ad/sites/default/files/2018-10/wp185_en.pdf

[3] This checklist has been built on the basis of the one included in EDPB, Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak, adopted on 21 April 2020, at: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_20200420_contact_tracing_covid_with_annex_en.pdf
