Measuring visit flows in the city center of Västerås violates the Personal Data Act – this was established by the Swedish personal data authorities, the Data Inspection Board last week.
The inspection made by the Data Inspection Board shows that the system used in the city center of Västerås to measure visit flows through people’s mobile phones, is not allowed in its current form, since it enables tracking of individuals’ movements.
In a pilot project run by the company Västerås Citysamverkan AB, visitor flows was measured for statistical purposes in the city center of Västerås. The system collects data (called MAC addresses) automatically sent by mobile phones when the wifi function of the mobile phone is switched on. The decision by the Data Inspection Board establishes that the MAC addresses collected by the system constitute personal data. Consequently, the company running the pilot project shall adhere to the Personal Data Act.
Västerås Citysamverkan AB had engaged a third party company to carry out the measurements. The company that provided the solution had taken certain measures, such as encryption, to limit the identification of individuals. Despite such measures the data collected still allowed for the monitoring of individuals in a way that constituted an infringement of the personal integrity, since it under certain circumstances could be used to identify a person’s movements. Therefore, the Data Inspection Board ordered the company responsible for the monitoring (i.e. the personal data controller) either to stop the monitoring by use of mobile phones, or to ensure that the information collected cannot be used to identify how individuals move in the city center. If so, then the company must also inform the visitors about the processing, including the identity of the processor (who is collecting the data) and the purposes for the collection.
For further information, please contact Ida Häggström.