To produce its Crowd Analytics figures, LBASense passively collects digital signatures (MAC addresses, IMSI/TMSI) of phones present in the coverage area of its sensors.
Art. 11 “Processing which does not require identification”
According to the EU General Data Protection Regulation 2016/679 (GDPR), data collected by the system is considered private, hence Art. 11 “Processing which does not require identification” applies.
The processing of MAC addresses and IMSI/TMSI doesn’t require identification of data subjects. Accordingly, DFRC complies with the regulation by not acquiring, and not performing any correlation with, data other than the device signature of phones present in the area under monitoring.
Art. 13 “Information to be provided where personal data are collected from the data subject”
According to the EU GDPR, data subjects present in the system’s area of coverage shall be informed of the phone data monitoring, hence Art. 13 “Information to be provided where personal data are collected from the data subject” applies.
For commercial installations, the GDPR places the DFRC customer in the role of the controller. As such, the controller shall inform end users about LBASense activity via posted signs in the locations where the system is deployed, or, when LBASense is deployed as an engagement tool, via notifications in the program’s terms and conditions through the appropriate engagement platform (mobile apps, captive portals). In the latter case, in full compliance with GDPR, the data subject can take a conscious action, giving explicit consent to take part in the program and allowing the collection of the requested information (opt-in); the terms and conditions of the agreement detail the data processing.