The developer should always make sure that the device or system incorporates an adequate privacy notice, in accordance with Articles 12 to 14 of the GDPR, the requirements of the ePrivacy Directive (and its proposed successor, the ePrivacy Regulation) and the applicable national legal framework. The notice must describe how the tool collects, uses, retains and discloses personal data, and the device should present information about the data subjects' rights in an accessible way.
The information must be written in plain, comprehensible language that can be understood by people who know almost nothing about ICT systems. The notice must cover, at least, all the items listed in Articles 13 and 14 of the GDPR, namely: (1) the purposes and legal basis of the processing, (2) which personal data are collected, (3) how the collected data are used, (4) with whom the personal location data are shared, (5) how data subjects can withdraw consent and access or rectify their personal location data, (6) whether automated decision-making takes place and the rights attached to it, (7) the contact details of the controller and of the corresponding DPO, in case they need to be contacted, (8) the retention periods, and so on. Moreover, data subjects must be kept informed of any changes to the processing of their personal data, and such changes must be reflected in the privacy notice. The system should therefore be designed so that the data subject actually notices the changes (through messages, icons, alerts, etc.).
In addition to the compulsory information requirements mentioned above, controllers are encouraged to adopt the following best practices regarding the provision of transparent information in projects that involve the processing of geospatial data. They are not compulsory, but they are highly recommended:
- State the concrete uses that will be made of the data collected;
- State the frequency and the level of detail with which the geospatial data are collected;
- State the nature and the type of data collected;
- When applicable, remind data subjects that they may forget they are being tracked, and that the device may record their visits to private locations or their proximity to particular people;
- When applicable, remind participants that geospatial data may uncover evidence suggesting illegal activities. If so, disclosure may not be protected by the research institution's confidentiality policy and the data could potentially be discoverable by law enforcement (see Article 10 of the GDPR on data relating to criminal convictions and offences);
- Provide an easy means of reminding data subjects that they are being tracked, for instance by activating an icon whenever location or proximity data are being collected and deactivating it when they are not;
- Provide a statement explaining that individuals will not be identified in any research publication or presentation without explicit participant consent (unless an alternative legal basis for processing applies);
- Provide a statement explaining that identifiable data will not be shared with third parties without the subject's consent, but that de-identified data may be shared;
- When applicable, remind and show data subjects how they can disable or temporarily pause location tracking or proximity data gathering whenever they wish;
- Build a list of the recipients who will have access to the data;
- Assess the risk that participants could be re-identified from the data provided, bearing in mind that finer spatial and temporal granularity makes individual traces more likely to be unique;
- Assess the risk of harm if the data were inadvertently re-identified, including, when relevant, financial loss, psychological harm and/or physical harm;
- Inform data subjects about their rights and how to exercise them;
- Provide data subjects with the contact details of the corresponding DPO.
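The two recommendations on stating the frequency and detail of collection and on assessing re-identification risk are connected: the coarser the spatial grid and the time buckets at which traces are released, the larger the group of participants that becomes indistinguishable. The following is an added example (not code from the original document or from any of the cited guidelines) that measures this on a constructed set of six short traces with invented coordinates. It computes, for a chosen granularity, the k-anonymity of each participant's coarse "profile" (k = 1 means the released trace is unique) and the set of candidates an attacker is left with when they already know a few points about a target, such as the target's workplace at 10:00. Participant identifiers, coordinates and the granularity values are assumptions chosen for the example.

```python
"""
Re-identification risk check for coarsened location traces (added example).

A participant's "profile" is the set of (day, time bucket, grid cell) tuples
their trace falls into at a chosen spatial/temporal granularity. Two risks
are measured:
  * k-anonymity of the whole profile: how many participants share an identical
    coarse profile (k == 1 means the released trace is unique);
  * the anonymity set left to an attacker who already knows a few points about
    a target: how many participants' profiles contain all of those points.
"""
from collections import Counter

# Coordinates are handled as integer microdegrees so that snapping to grid
# cells is exact and not subject to floating-point rounding.
UDEG = 1_000_000

# Constructed sample data (invented participants and coordinates, not real traces):
# participant id -> list of (day, hour, latitude, longitude).
SAMPLE_TRACES = {
    "p1": [(1, 8, 41.3901, 2.1540), (1, 10, 41.3985, 2.1700), (1, 20, 41.3901, 2.1540)],
    "p2": [(1, 8, 41.3902, 2.1543), (1, 10, 41.3985, 2.1705), (1, 20, 41.3902, 2.1543)],
    "p3": [(1, 8, 41.3901, 2.1540), (1, 10, 41.3700, 2.1900), (1, 20, 41.3901, 2.1540)],
    "p4": [(1, 9, 41.3850, 2.1600), (1, 11, 41.3985, 2.1700), (1, 21, 41.3850, 2.1600)],
    "p5": [(1, 9, 41.3850, 2.1602), (1, 11, 41.3985, 2.1702), (1, 21, 41.3850, 2.1602)],
    "p6": [(1, 8, 41.3500, 2.1200), (1, 10, 41.3985, 2.1700), (1, 20, 41.3500, 2.1200)],
}


def coarsen(point, cell_deg, hour_bucket):
    """Snap one (day, hour, lat, lon) point to a (day, time bucket, cell_lat, cell_lon) tuple."""
    day, hour, lat, lon = point
    cell = round(cell_deg * UDEG)  # cell edge in microdegrees
    return (day, hour // hour_bucket, round(lat * UDEG) // cell, round(lon * UDEG) // cell)


def profile(trace, cell_deg, hour_bucket):
    """The set of coarse (day, bucket, cell) tuples a trace touches."""
    return frozenset(coarsen(p, cell_deg, hour_bucket) for p in trace)


def anonymity_sets(traces, cell_deg, hour_bucket):
    """Map participant id -> k, the number of participants with an identical coarse profile."""
    profiles = {pid: profile(t, cell_deg, hour_bucket) for pid, t in traces.items()}
    counts = Counter(profiles.values())
    return {pid: counts[prof] for pid, prof in profiles.items()}


def risk_summary(traces, cell_deg, hour_bucket):
    """Smallest k in the release and the fraction of participants whose profile is unique."""
    ks = anonymity_sets(traces, cell_deg, hour_bucket)
    unique = sum(1 for k in ks.values() if k == 1)
    return {"min_k": min(ks.values()), "unique_fraction": unique / len(ks)}


def attacker_candidates(traces, known_points, cell_deg, hour_bucket):
    """Participants whose coarse profile contains every point the attacker already knows."""
    known = {coarsen(p, cell_deg, hour_bucket) for p in known_points}
    return sorted(pid for pid, t in traces.items() if known <= profile(t, cell_deg, hour_bucket))


if __name__ == "__main__":
    # Assumed granularities: ~1 km cells with hourly buckets versus ~10 km cells with daily buckets.
    for cell_deg, hour_bucket in [(0.01, 1), (0.01, 24), (0.1, 1), (0.1, 24)]:
        print(f"cell={cell_deg} deg, bucket={hour_bucket} h ->",
              risk_summary(SAMPLE_TRACES, cell_deg, hour_bucket))
    # Attacker knows only that the target was at the "work" location on day 1 at 10:00.
    known = [(1, 10, 41.3985, 2.1700)]
    print("candidates at 0.01 deg / 1 h:", attacker_candidates(SAMPLE_TRACES, known, 0.01, 1))
    print("candidates at 0.1 deg / 24 h:", attacker_candidates(SAMPLE_TRACES, known, 0.1, 24))
```

With the constructed data, the fine-grained release leaves two of the six participants with a unique trace and narrows an attacker's candidate list to three people from a single known point; at the coarse granularity every participant shares an identical profile (k = 6). The numbers a real project obtains from this check are exactly what the privacy notice's statement on "frequency and detail" should be consistent with, and the check should be re-run whenever the granularity or the participant pool changes.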
It is recommended to use legal design techniques that make privacy policies more visual and easier to understand: for example, iconography (as contemplated in Article 12(7) of the GDPR), videos, storytelling, or even simple formatting such as charts can help the controller discharge its duty to inform. Participants should be offered a "privacy self-management" model in which they have easy access (via a link or menu item) to the controller's contact details. The app landing page is an excellent place to post the key privacy information and contact details and to link to a "second layer" of more detailed privacy information, following the layered approach to transparency under Article 12 of the GDPR.
If the processing involves third parties, a contractual clause must be signed with every recipient of the data, whether controller or processor. The clause should oblige the recipient to refrain from attempting to re-identify data subjects and, should re-identification nevertheless occur, to delete the data concerned and notify the fact.
☐ The controllers regularly review their processing and, where necessary, update their documentation and the privacy information provided to individuals.
☐ Users are informed of all personal data that will be collected, and these data are collected only if a legal basis for processing applies.
☐ The controllers explain how people can access details of the information that is used for the services offered by the tool.
1. JRC Technical Reports, Guidelines for public administrations on location privacy, available at: https://publications.jrc.ec.europa.eu/repository/handle/JRC103110
2. JRC Technical Reports, Guidelines for public administrations on location privacy, available at: https://publications.jrc.ec.europa.eu/repository/handle/JRC103110
3. Goldenholz DM, Goldenholz SR, Krishnamurthy KB, et al. Using mobile location data in biomedical research while preserving privacy. Journal of the American Medical Informatics Association, ocy071, https://doi.org/10.1093/jamia/ocy071
4. This checklist has been built on the basis of the following documents: EDPB, Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak, adopted on 21 April 2020; ICO (no date) Principle (b): purpose limitation. Information Commissioner's Office, Wilmslow. Available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/purpose-limitation/ (accessed 17 May 2020).