Protection of privacy and security of personal data with RTLS

Data Protection | Favendo

Protecting personal information is a top priority not only in healthcare, but also in real-time location systems across multiple industries. As with any software solution that processes personal data, including people's whereabouts, there are data protection risks associated with tracking or navigating people.

The processing of personal data in the European Union is based on the General Data Protection Regulation (GDPR), in force since 2018, more specifically on Art. 6 of the GDPR. In general, however, it should be noted that – as long as none of the authorization standards of Art. 6 of the GDPR apply – data processing is prohibited. In other words, any processing of personal data requires either the consent of the data subject or the legitimate interest of the responsible party (in our case, the company using the RTLS solution).

Data protection for indoor positioning systems and RTLS

As a result, there are two legal bases for the processing of location data relating to individuals: either the individuals have consented to being tracked or, in the case of tracking solutions that locate employees on company premises for security reasons, the company may have a legitimate interest in ensuring the safety of its employees. Irrespective of the legal basis on which the location data is processed, the responsibility for processing it in compliance with data protection law always lies with the customer. If the processing of location data is based on the consent of the data subject, the data subject must consent to both the location tracking itself and the intended use of the data. In the example above, this would be for security purposes.

The position data in the Favendo RTLS is real-time data. In principle, only the current positions of assets or persons are determined. At the customer's request, the position data can also be stored directly in the company's own databases in an anonymized form. The anonymization makes it impossible to trace the position data back to an individual person, but the data can still be used for productivity analysis with the Favendo Dashboard or other analysis tools. Even with anonymized storage, it is advantageous, especially for people tracking, to work with tag IDs that cannot be directly assigned to a person and that change on a regular basis. This means that each person to be tracked is given a tag with an arbitrary ID at the start of work, and only that ID is visible in the system. If a tag enters a hazardous area, an alarm is triggered for that ID, without it being immediately obvious which person the tag belongs to. If the tags are also randomly rotated among the people to be tracked every day, it is almost impossible to assign movement data to a specific person afterwards.
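The rotation scheme described above, as an added illustration written for this page and not Favendo's own code: a per-shift random tag assignment that is never written to the position store, hazard-zone alarms that name only the tag ID, and an archive step that keeps only the pseudonym and coarsened timestamps for dashboard analysis. The worker names, tag IDs and hazard-zone rectangles are constructed sample data; how the Favendo RTLS itself issues and rotates tags is not described on the page and is not assumed here.

```python
"""Pseudonymous people tracking with daily tag rotation (illustrative example)."""
import random
from dataclasses import dataclass

# Constructed sample data: three workers, three tags, two hazard zones.
PEOPLE = ["alice", "bob", "carol"]
TAGS = ["TAG-01", "TAG-02", "TAG-03"]
# Hazard zones as axis-aligned rectangles (x_min, y_min, x_max, y_max), in metres.
HAZARD_ZONES = {"press-line": (0.0, 0.0, 5.0, 5.0), "loading-bay": (20.0, 0.0, 30.0, 8.0)}


@dataclass(frozen=True)
class Position:
    ts: int       # seconds, constructed shift clock
    tag_id: str   # ephemeral pseudonym: the only identifier the RTLS ever sees
    x: float
    y: float


def assign_tags(people, tags, rng):
    """Hand out tags in random order at the start of a shift.

    The returned mapping is the only link between a person and a tag. It belongs
    with whoever issues the tags, never in the position store, and it is dropped
    when the shift ends (see simulate(), which keeps it as a loop-local value).
    """
    if len(tags) < len(people):
        raise ValueError("not enough tags for everyone")
    shuffled = list(tags)
    rng.shuffle(shuffled)
    return dict(zip(people, shuffled))


def in_zone(pos, rect):
    x0, y0, x1, y1 = rect
    return x0 <= pos.x <= x1 and y0 <= pos.y <= y1


def hazard_alarms(positions, zones=HAZARD_ZONES):
    """One alarm per position inside a hazard zone; the alarm names the tag, not a person."""
    alarms = []
    for pos in positions:
        for name, rect in zones.items():
            if in_zone(pos, rect):
                alarms.append({"ts": pos.ts, "tag_id": pos.tag_id, "zone": name})
    return alarms


def archive(positions, bucket_seconds=300):
    """Reduce a position stream to what an analysis dashboard needs.

    Timestamps are coarsened to 5-minute buckets and only the tag pseudonym is
    kept, so the stored rows carry no direct identifier.
    """
    return [
        {"bucket": pos.ts // bucket_seconds, "tag_id": pos.tag_id, "x": pos.x, "y": pos.y}
        for pos in positions
    ]


def contains_person_data(rows, people=PEOPLE):
    """Guard rail for the archive: True if any stored value is a person's name."""
    return any(str(v) in people for row in rows for v in row.values())


def simulate(days=2, seed=7):
    """Run a few shifts and return (alarms, archived rows).

    The per-day mapping is created inside the loop and never returned or stored,
    which is what makes the archived tag IDs unlinkable to people afterwards.
    """
    rng = random.Random(seed)
    all_alarms, all_rows = [], []
    for day in range(days):
        mapping = assign_tags(PEOPLE, TAGS, rng)
        # Constructed trace: one worker crosses the press line, one enters the loading bay.
        trace = [
            Position(ts=day * 86400 + 60, tag_id=mapping["alice"], x=2.0, y=2.0),
            Position(ts=day * 86400 + 120, tag_id=mapping["bob"], x=12.0, y=3.0),
            Position(ts=day * 86400 + 180, tag_id=mapping["carol"], x=25.0, y=4.0),
        ]
        all_alarms.extend(hazard_alarms(trace))
        all_rows.extend(archive(trace))
    return all_alarms, all_rows


if __name__ == "__main__":
    alarms, rows = simulate()
    print("alarms:", alarms)
    print("archived rows mention a person:", contains_person_data(rows))
```

The unlinkability claim rests on the assignment never being persisted alongside the positions and on nothing else (a shift roster, a badge photo, a single tag that is always handed to the same person) re-creating the mapping; the `contains_person_data` check only catches the first of those.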

The scenario is different for indoor navigation solutions: The first and most important difference is that with wayfinding, the position calculation takes place on the user’s mobile device. To locate people indoors via BLE, users need to activate Bluetooth on their smartphone and give the navigation application location permission. Certain data, such as which operating system or device was used or when the position was recorded, can be stored in anonymized form. This makes it possible to perform retrospective analyses or measure visitor flows on the basis of a heat map.

Users must therefore actively consent to their location being tracked using Bluetooth signals via the app. The data processed in the context of indoor positioning is used by Favendo as an RTLS provider for a specific purpose and exclusively for displaying the location on the map and for navigation in the building. The server connection established when using the application is encrypted and offers the highest security standards. In general, the following data is collected when using Favendo indoor navigation:

  • Device operating system
  • Smartphone model
  • User’s position during indoor navigation
  • User ID (pseudonym; automatically generated during the installation of the application).

The first two items are especially important for the application to work properly.

The processing of personal data cannot be avoided in the case of both personal tracking and indoor navigation. However, such data will only be processed for a specific purpose, in an anonymous form that does not allow conclusions to be drawn about individual persons, with the voluntary consent of the data subject or in the legitimate interest of the responsible party.

Fundamentally, we believe that transparency pays off whenever personal data is involved – for whatever reason. For example, if you want to track your employees on the factory floor, talk to them about the benefits and potential risks, and explain to them how and where their data is being processed. Tracking is important, but so is trust.