Municipality of Enschede – €600,000 Fine (Netherlands, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 6 September 2017 the municipality of Enschede decided to start 24/7 WiFi tracking in the centre of the city. Its purpose was to measure the effectiveness of municipal investments, in view of the responsible use of public funds. The contract to execute this task was given to City Traffic B.V., now Bureau RMC. Bureau RMC then contracted an unnamed party to install and maintain the sensors and to collect and validate the data they gathered.

The information collected included hashed MAC addresses, the date and timestamp of exposure, signal strength and sensor ID. It was stored for a period of between 6 and 7 months. Starting from 1 January 2019 the hashed MAC addresses were also truncated. On 30 April 2020 the municipality instructed Bureau RMC to switch the tracking sensors off.

According to the municipality, the data was sufficiently anonymized, so that no personal data was processed. The municipality also did not agree with the AP that it was a personal data controller in this case. Finally, the municipality argued that this processing could be based on Article 6(1)(c) “compliance with a legal obligation” or Article 6(1)(e) GDPR “the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.

The AP concludes that the chosen anonymization method of truncating a small part of the hashed MAC address does not sufficiently exclude the risks of singling out, linking or deducing a person's identity based on a pseudonymous identifier + timestamp + location information (available via the sensor ID). Because of that, the data processed by the municipality constitutes personal data. Because the data was stored for a long time and the truncated/hashed MAC addresses were not rotated, clear life and location patterns could be deduced from the data set. These patterns could reveal, for example, someone's home or place of work, but also more sensitive data such as visits
GDPR Articles Cited
Related Enforcement Actions (0)
No other enforcement actions found for Municipality of Enschede in NL
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date: 11 March 2021
Authority: Autoriteit Persoonsgegevens
Fine Amount: €600,000
Enforcement Tracker ID: ETid-659
GDPRhub ID: gdprhub-3453
Cite as: Cookie Fines. Municipality of Enschede - Netherlands (2021). Retrieved from cookiefines.eu