What does GDPR mean for WiFi hotspots?

German users check their mobile phones on average 214 times per day. Even on holiday, in hospital, at the doctor’s surgery, when out shopping, dining or visiting the library, they don’t like going without. Those who don’t go with the flow risk losing customers. However, operators face new obligations that came into force on May 25th, 2018 with the GDPR. The new regulations mean not only higher fines than was previously the case; they also make imposing penalties an obligation rather than a matter of discretion.

What do you need to do to stay on the right side of the law? The login process is all-important in this regard as data is processed at this stage. Here are the most important criteria:

• Legal basis: No legal basis, no data processing! If, for instance, a customer books a room with WiFi service, buys a WiFi ticket or if WiFi access is a part of a club membership, an employment relationship or a university course enrolment, then the legal basis for processing the booking data is given.
• Transparency and data thriftiness: Data controllers should only process the data necessary for the intended purpose, but not for additional purposes such as marketing – and especially not without the knowledge of the data subject.
• Exporting data: Data subjects must be informed of and consent to the export of data to third parties. It is prohibited to make free WiFi available to spa visitors, for instance, only if they consent to the export of their data. Opt-ins, for instance for a mailing list of the affiliated cosmetics institute, must be independent of this service.
• Retention periods: The customer must be informed of how long their data will be retained for and must have an option to have their data deleted, corrected, transferred or limited on request. Every operator is well-advised not to hold on to personal customer data for longer than necessary or legally required.
• Data protection notification: This is the right medium with which to fulfil your information obligation as an operator. It must explain in clearly comprehensible language which data is stored hor how long, the legal basis for doing so and whether the data is exported to third parties. A contact option must be provided in this context.

The IACBOX keeps you on the right side of the law when it comes to data privacy. The IACBOX already offered data-saving and privacy-friendly basic settings as well as deletion and anonymisation functions. It now also features data protection information for end users; every login page provides information relating to anonymisation and deletion periods. The new, optional Privacy Toolkit module offers additional options for creating a data processing directory under consideration of specific login methods and database connections as well as convenient options for privacy by design/default settings, a non-disclosure and data processor agreement, checks, help texts and access logging.

This article was also published in IT-BUSINESS 4.2018.