Zonder toestemming geen locatiegegevens

Afbeelding: Boston Church of Scientology on Google Maps on iPhone van Steve Garfield | Licentie: CC BY-NC-SA

Het vooraf verkrijgen van geïnformeerde toestemming moet het uitgangspunt zijn voor het verwerken van de locatiegegevens voor mobiele apparaten. Dat zegt een aantal Europese autoriteiten.De belangrijkste conclusies uit Opinion 13/2011 on Geolocation services on smart mobile devices van Article 29 Data Working Party:

  • The EU legal framework for the use of geolocation data from smart mobile devices is primarily the data protection directive. Location data from smart mobile devices are personal data. The combination of the unique MAC address and the calculated location of a WiFi access point should be treated as personal data.
  • Because location data from smart mobile devices reveal intimate details about the private life of their owner, the main applicable legitimate ground is prior informed consent.
  • Consent cannot be obtained through general terms and conditions.
  • Consent must be specific, for the different purposes that data are being processed for, including for example profiling and or behavioural targeting purposes from the controller. If the purposes of the processing change in a material way, the controller must seek renewed specific consent.
  • Data subjects must be able to withdraw their consent in a very easy way, without any negative consequences for the use of their device.
  • Information must be clear, comprehensive, understandable for a broad, non-technical audience and permanently and easily accessible. The validity of consent is inextricably linked to the quality of the information about the service.
  • The different controllers of geolocation information from mobile devices should enable their customers to obtain access to their location data in a human readable format and allow for rectification and erasure without collecting excessive personal data.
  • Data subjects also have a right to access, rectify and erase possible profiles based on these location data.
  • Providers of geolocation applications or services should implement retention policies which ensure that geolocation data, or profiles derived from such data, are deleted after a justified period of time.
  • If the developer of the operating system and/or controller of the geolocation infrastructure processes a unique number such as a MAC address or a UDID in relation to location data, the unique identification number may only be stored for a maximum period of 24 hours, for operational purposes.