The General Data Privacy Regulations (GDPR) of the European Union stipulate that whenever personal data is collected based on legitimate interest (per GDPR article 6.1 (f)), the data subject (i.e. visitors to your location) must be informed prior to collection. In our case this concerns the collection of MAC addresses (Wi-Fi radio identifiers), even if the data is anonymized within a very short delay. It is the responsibility of the controller (the company licensing the service from BlueZoo) to provide this information. It should be displayed as a prominent notice where the data is collected (e.g. notice at the entrance or at any place where visitors usually would expect this kind of information).
The GDPR includes rules on giving privacy information to data subjects in articles 12, 13 and 14. These articles place an emphasis on making privacy notices understandable and accessible. The content that needs to be communicated differs depending on the sensitivity of the data and the delay until its deletion (or anonymization). In our case we advocate information delivered in two tiers:
Tier 1. A short notice at the location that is monitored
Tier 2. A more detailed notice providing the information required according to article 13 of the GDPR.
Please find below an example of a notice that customers can put in place. Please understand that the information provided is not legal advice. Please use your best judgement before acting on it and seek legal advice. The information notice texts are provided to you as an example. Feel free to modify and adapt them to your needs.
First tier privacy note example
In [description of the location, e.g. “this mall”] [BlueZoo customer name] has set up a visitor counting system. The collected data is anonymized within minutes. To object to the collection or for more information, scan this code [insert here QR code that leads to 2nd level information that you make available on a web page]
Second level of privacy note example
The data is collected on behalf of [BlueZoo customer name and contact information]. For any questions you can contact us at [contact data protection officer (DPO) of BlueZoo customer].
With the help of our provider BlueZoo, we collect MAC addresses that are broadcast spontaneously by Wi-Fi enabled mobile devices. We do this in order to generate anonymous statistics about visits to this venue. Better knowing visit counts and related metrics like dwell time [insert here an explanation of the purpose of data collection, for example: helps us to avoid overcrowding or helps us in staff scheduling or gives us insights into the efficiency of marketing activities].
As landlords, we have a legitimate interest in collecting anonymous statistics about visits to our venues. These collected statistics are the property of [BlueZoo customer] and [are shared with, or not shared with, any other organization].
Shortly after detection, your MAC address is encrypted and processed in the BlueZoo Cloud. The servers are located in [location reported by BlueZoo] [and the transfer of this data is secured by the Standard Contractual Clauses of the European Union - if applicable]. After processing, your personal data is irreversibly deleted.
Although the statistics are anonymous, you can choose not to participate in the collection of your data. In order to be excluded from our anonymous statistics, please communicate the true (also known as "global" or "public") Wi-Fi MAC address of your mobile device (e.g. mobile phone) at bluezoo.io/optout
Contact us at firstname.lastname@example.org if you have any questions.