Enschede municipality – Court Ruling (Netherlands, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 6 September 2017 the municipality of Enschede decided to start 24/7 WiFi tracking in the centre of the city. Its purpose was to measure the effectiveness of municipal investments, in view of the responsible use of public funds. The contract to execute this task was given to City Traffic B.V., now Bureau RMC. Bureau RMC then contracted an unnamed party to do the installation and maintenance of the sensors and to collect and validate the data gathered by the sensors. Information collected included hashed MAC-addresses, date and timestamp of exposure, signal strength and sensor ID. It was stored for a period between 6 and 7 months. Starting from 1 January 2019 the hashed MAC-addresses were also truncated. On 30 April 2020 the municipality gave an assignment to Bureau RMC to switch the tracking sensors off. The Dutch DPA concluded that the chosen anonymization method of truncating a small part of the hashed MAC address does not sufficiently exclude the risks of singling out, linking or deducing person’s identity based on a pseudonymous identifier + timestamp + location information (available via the sensor ID). Accofrding to the Dutch DPA employees of the controller could identify people in three ways: (a) When someone walks past sensor, their MAC address is registered and an employee in the vicinity of the sensor could see who is walking by and link the MAC address to the person walking by on that moment. (b) the moment that a device enters the range of the sensor and the moment when device leaves the range of the sensor were stored. If someone enters for a longer time but does not exit within range sensor, and employee could find out who is in the range of the sensor in the corresponding time-span and connect the MAC address to that person. (c) An employee could determine a movement pattern based on the readings of multiple sensors, and use this information to link the MAC address to a specific person. Because of these reasons the Dutch DPA held that the data pro
GDPR Articles Cited
On 6 September 2017 the municipality of Enschede decided to start 24/7 WiFi tracking in the centre of the city. Its purpose was to measure the effectiveness of municipal investments, in view of the responsible use of public funds. The contract to execute this task was given to City Traffic B.V., now Bureau RMC. Bureau RMC then contracted an unnamed party to do the installation and maintenance of the sensors and to collect and validate the data gathered by the sensors. Information collected included hashed MAC-addresses, date and timestamp of exposure, signal strength and sensor ID. It was stored for a period between 6 and 7 months. Starting from 1 January 2019 the hashed MAC-addresses were also truncated. On 30 April 2020 the municipality gave an assignment to Bureau RMC to switch the tracking sensors off. The Dutch DPA concluded that the chosen anonymization method of truncating a small part of the hashed MAC address does not sufficiently exclude the risks of singling out, linking or deducing person’s identity based on a pseudonymous identifier + timestamp + location information (available via the sensor ID). Accofrding to the Dutch DPA employees of the controller could identify people in three ways: (a) When someone walks past sensor, their MAC address is registered and an employee in the vicinity of the sensor could see who is walking by and link the MAC address to the person walking by on that moment. (b) the moment that a device enters the range of the sensor and the moment when device leaves the range of the sensor were stored. If someone enters for a longer time but does not exit within range sensor, and employee could find out who is in the range of the sensor in the corresponding time-span and connect the MAC address to that person. (c) An employee could determine a movement pattern based on the readings of multiple sensors, and use this information to link the MAC address to a specific person. Because of these reasons the Dutch DPA held that the data pro
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Enschede municipality in NL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Enschede municipality - Netherlands (2024). Retrieved from cookiefines.eu
Last updated: