Enschede municipality – Court Ruling (Netherlands, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Dutch municipality of Enschede was found to have improperly tracked visitors using WiFi sensors in the city center. This ruling matters because it shows that even anonymized data can still risk identifying individuals, which is crucial for businesses using tracking technology.
What happened
The municipality's WiFi tracking system was deemed insufficiently anonymized, risking the identification of individuals.
Who was affected
Visitors to the city center of Enschede who were tracked by the municipality's WiFi sensors.
What the authority found
The Dutch DPA concluded that the anonymization method used did not adequately protect individuals' identities, violating data protection rules.
Why this matters
This case emphasizes the need for companies using tracking technologies to ensure their methods truly protect user privacy. It serves as a warning that inadequate anonymization can lead to legal issues.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
On 6 September 2017 the municipality of Enschede decided to start 24/7 WiFi tracking in the centre of the city. Its purpose was to measure the effectiveness of municipal investments, in view of the responsible use of public funds. The contract to execute this task was given to City Traffic B.V., now Bureau RMC. Bureau RMC then contracted an unnamed party to do the installation and maintenance of the sensors and to collect and validate the data gathered by the sensors. Information collected included hashed MAC-addresses, date and timestamp of exposure, signal strength and sensor ID. It was stored for a period between 6 and 7 months. Starting from 1 January 2019 the hashed MAC-addresses were also truncated. On 30 April 2020 the municipality gave an assignment to Bureau RMC to switch the tracking sensors off. The Dutch DPA concluded that the chosen anonymization method of truncating a small part of the hashed MAC address does not sufficiently exclude the risks of singling out, linking or deducing person’s identity based on a pseudonymous identifier + timestamp + location information (available via the sensor ID). Accofrding to the Dutch DPA employees of the controller could identify people in three ways: (a) When someone walks past sensor, their MAC address is registered and an employee in the vicinity of the sensor could see who is walking by and link the MAC address to the person walking by on that moment. (b) the moment that a device enters the range of the sensor and the moment when device leaves the range of the sensor were stored. If someone enters for a longer time but does not exit within range sensor, and employee could find out who is in the range of the sensor in the corresponding time-span and connect the MAC address to that person. (c) An employee could determine a movement pattern based on the readings of multiple sensors, and use this information to link the MAC address to a specific person. Because of these reasons the Dutch DPA held that the data pro
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Enschede municipality in NL
This is the only recorded case for this entity in this jurisdiction.
Details
Ruling Date
2 February 2024
Authority
Autoriteit Persoonsgegevens
About this data
Cite as: Cookie Fines. Enschede municipality - Netherlands (2024). Retrieved from cookiefines.eu
Last updated: