10

I've built devices for an internet service provider company (in EU) to measure internet speed at subscribers' homes. The devices are used by company technicians when fixing network speed problems reported by subscribers. For every measurement the devices store the location and the time of measurement, and the measured network speed. The location is stored as the technical identifier of the subscriber's network endpoint, which basically identifies the "internet cable" installed at the subscriber's home.

Question 1. Are technical identifiers personal data? Inside private company databases, they are definitely linked to subscriber data. They are also printed on invoices sent to the subscriber. But they are not public information.

Question 2. Can technical identifiers be stored in measurement devices? The devices I made only measure a physical parameter, the network speed, for a given location in the company's IP network. I think this has nothing to do with the subscribers themselves.

Someone told me endpoint identifiers should not be stored in the devices, or at least should be deleted after a while, "because of GDPR". I think deleting the endpoint identifiers would make the measurements unusable, because the location of the measurement is very important for solving network problems. Delayed deletion is also problematic: if there is a 2nd speed problem months later, then it would be useful to have previous measurements at the same location. What should I do?

1
  • 6
    This is a question for the Data Protection Officer you need to employ as a company that handles data in compliance with the GDPR.
    – Philipp
    Commented Jan 31, 2023 at 15:37

2 Answers

9

Question 1. Are technical identifiers personal data?

Yes. If they identify a person. For example an IP address is considered personal data, because a person or household can be identified by an IP. Yes, I know that technically there are a lot of exceptions. But in general, if you have an IP, you can identify the subscriber given the right databases. So if your identifier, let's say a generated GUID, identifies a customer or something the customer can be linked to, it is personal data.

Question 2. Can technical identifiers be stored in measurement devices?

Just because something is personal data does not mean you are forbidden from using it. As long as you need it to do your job, you can store it. The internet would not work if everybody was forbidden from storing any IP address.

So to summarize it: yes, it is personal data since it identifies a subscriber. However, it is needed for the job your subscriber asked you to do. So for as long as the job takes, it is legal to store it.

Once your job is done, you would be required to delete it.

But consent trumps everything. If your subscriber consents to you keeping all data of such incidents to improve your network and handle future incidents better, then it's legal. Just let them sign it with your other legal paperwork. Done. No problem. You could just periodically delete all records that have no consent for long term storage beyond the current incident. Let's say every 24h or 48h. You should get the details on the wording of the paperwork and the period that it is legal to keep the data as "current incident related" from your data protection officer or legal department.
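The periodic deletion described in this answer, as an added example that is not part of the original answer or the asker's device code. The table layout, the 48-hour grace period, the consent flag and the `EP-…` identifiers are assumptions constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

GRACE = timedelta(hours=48)  # assumption: upper end of the "24h or 48h" window

SCHEMA = """
CREATE TABLE measurements (
    id                 INTEGER PRIMARY KEY,
    endpoint_id        TEXT NOT NULL,   -- personal data: maps to a subscriber
    measured_at        TEXT NOT NULL,   -- ISO 8601, always UTC
    mbps               REAL NOT NULL,
    incident_closed_at TEXT,            -- NULL while the incident is still open
    long_term_consent  INTEGER NOT NULL DEFAULT 0
)
"""

def open_store():
    db = sqlite3.connect(":memory:")
    # Overwrite freed pages with zeros so deleted identifiers do not
    # linger in the database file on the device's storage.
    db.execute("PRAGMA secure_delete = ON")
    db.execute(SCHEMA)
    return db

def load_sample(db, now):
    """Insert constructed sample rows (not real measurements)."""
    iso = lambda t: t.isoformat() if t else None
    rows = [
        ("EP-0001", now - timedelta(days=90), 48.2, now - timedelta(days=89), 1),
        ("EP-0002", now - timedelta(days=5), 12.7, now - timedelta(days=4), 0),
        ("EP-0003", now - timedelta(hours=30), 95.0, now - timedelta(hours=20), 0),
        ("EP-0004", now - timedelta(days=10), 3.1, None, 0),
    ]
    db.executemany(
        "INSERT INTO measurements (endpoint_id, measured_at, mbps,"
        " incident_closed_at, long_term_consent) VALUES (?, ?, ?, ?, ?)",
        [(e, iso(m), s, iso(c), k) for e, m, s, c, k in rows])

def purge_expired(db, now, grace=GRACE):
    """Delete records with no long-term consent whose incident closed
    more than `grace` ago. Open incidents are never touched."""
    cutoff = (now - grace).isoformat()  # same UTC format, so text compare is safe
    cur = db.execute(
        "DELETE FROM measurements WHERE long_term_consent = 0"
        " AND incident_closed_at IS NOT NULL AND incident_closed_at <= ?",
        (cutoff,))
    db.commit()
    return cur.rowcount

def remaining_endpoints(db):
    return [r[0] for r in db.execute(
        "SELECT endpoint_id FROM measurements ORDER BY endpoint_id")]
```

Run `purge_expired` from a scheduled job on the device or the collecting server; the retention period and the consent wording still have to come from the data protection officer, as the answer says.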

5

TL;DR: yes it's personal data, yes you can store the identifier in the device, yes the data should eventually be deleted, but no, this doesn't have to complicate how your device works.

Personal data is any information that relates to an identifiable person. The GDPR has an extremely broad view of identification: it recognizes both direct and indirect identification with additional data, and also if you need help from third parties. Even just singling out the data relating to one person counts as identification, so that even “anonymous” identifiers (such as cookie IDs) are typically personal data.

In your case, the technical identifier is very likely to be personal data: it clearly relates to an identifiable subscriber.

This does not prevent you from storing or otherwise processing the personal data. You just need to do so in a GDPR compliant manner. In particular, this means:

  • having a clear purpose of processing
  • having a legal basis that authorizes this processing activity
  • only processing the personal data as necessary for the purpose
  • implementing appropriate technical and organizational measures to ensure the security and compliance of processing
  • providing transparent information about the processing to the data subjects
  • preparing to satisfy data subject requests (e.g. access, erasure, and so on)

An Art 6(1) GDPR legal basis is necessary to authorize the processing of personal data. This could be:

  • the processing is necessary to fulfil a contract with the data subject
  • the processing is necessary to fulfil a legal obligation
  • the processing is necessary for a legitimate interest (requires conducting a balancing test and usually requires offering an opt-out)
  • the data subject has given consent

An ISP might rely on any of these legal bases depending on context. For example, diagnosing connectivity problems might be necessary to fulfil the contract. Or the subscriber has consented to pre-emptive network monitoring. The ISP might have a legitimate interest in keeping logs for a reasonable duration in case there are recurring problems.

Only processing the data as necessary also means that it should be deleted when it is no longer necessary. The GDPR does not prescribe fixed retention periods. Instead, how long data can be kept depends on the purpose for which it is being kept.

Technical and organizational measures might include the device capability and corresponding training for service personnel to factory-reset a measurement device when it is uninstalled from a subscriber.

It seems that you are not the ISP. For GDPR aspects, the data controller is responsible for compliance. The controller is whoever determines purposes and means of processing, i.e. who decides why and how personal data is being processed. If you just design a device for another company but do not control how it is operated, it is quite possible that you're not a data controller. This greatly simplifies your obligations to general product liability questions. You'll likely want to develop a product that can be used in a GDPR-compliant manner, but you have no influence over many aspects of GDPR compliance such as selecting an appropriate legal basis.
