GDPR: is Partitalia RFID reader privacy compliant?

On the privacy issue, Discovery Mobile, the Partitalia RFID reader, complies with the provisions of the GDPR, the general data protection regulation, which has been applicable in the European Union States since 25th May 2018.

What is the GDPR?

The Regulation (EU) 2016/679 of 27th April 2016 on “on the protection of natural persons with regard to the processing of personal data and on the free movement of such data” was published in the European Official Journal on 4th May 2016. The General Data Protection Regulation (GDPR) came into force on 24th May of the same year but became effective in the EU Member States from 25th May 2018; the GDPR repeals Directive 95/46/EC, the previous European reference regulations on data protection, which had already become inadequate with the introduction of automated processing and the increasingly widespread use of the web.

The GDPR regulates the processing of personal data regarding persons in the EU by persons, companies or organisations: as consideration 14 clarifies “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data”. It also applies “to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system” (Article 2) and “to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not” (Article 3).

As regards companies, “The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises” (Article 40).

Who is the DPO and what are his tasks?

Regulation (EU) 2016/679 introduces the position of Data Protection Officer (DPO). As specified by Article 39:

"1. The data protection officer shall have at least the following tasks:

1. to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions; 
2. to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits; 
3. to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35; 
4. cooperate with the supervisory authority; 
5. to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter. 

2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing”.

Why is Discovery Mobile privacy by default

Article 25 of the GDPR introduces the concept of “privacy by default”: in companies “the controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons”.

Discovery Mobile is privacy by default, since:

• the GPS is active, but the position of the Partitalia RFID reader is only recorded through a voluntary act, i.e. when the RFID tag on the bag or bin is read. The device, therefore, has no automatic control purpose;
• the wearable device ID is not associated with the operator using it, in no database;
• only authorised users can access the data and functions made available by the system/application;
• the Partitalia RFID reader checks that the user has an appropriate authorisation profile that sets out which functions (read, write, search, print, etc.) and data it can access;
• the error messages from the system provide a prompt and effective indication of the causes without revealing information that could be useful for carrying out unauthorised access attempts.The system error messages are only revealed to authorised persons (e.g. system administrator, maintenance operatives, etc.).

Partitalia RFID reader doesn’t collect any sensitive data

Article 9 of the regulation identifies sensitive data, which are defined as “special categories of personal data”, and establishes a prohibition on processing them: “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited”.

The Partitalia wearable RFID reader does not collect sensitive data: in fact, when reading the tag, the wearable device reveals data that shows the ID of the device, without associating the name of any operator, and the tag ID, the 24 figure code, which by definition is associated unambiguously with a user, but without showing its name. It is not possible to trace who the code belongs to, or even find any sensitive data from that code.

Consequently, the Partitalia wearable RFID is GDPR by default, because:

• during the work shift, recordings of the positions of the Discovery Mobile which are not associated with a RFID tag reading or an anomaly do not exist; 
• there is no possibility of associating the wearable device ID with a pay as you throw collection operator;
• the Partitalia RFID reader does not collect sensitive data.