The Netherlands

Municipality of Enschede

600,000 €

GDPR enforcement action by Dutch Supervisory Authority for Data Protection (AP) on 2021-03-11.

Rank · Sector

#10

of 356 in Public Sector and Education

Rank · The Netherlands

#13

of 43

Rank · All fines

#217

of 3,042

Case details

Authority: Dutch Supervisory Authority for Data Protection (AP)
Date: 2021-03-11
Controller / Processor: Municipality of Enschede
Sector: Public Sector and Education
Quoted Articles: Art. 5 (1) a) GDPR, Art. 6 (1) GDPR
Type of violation: Insufficient legal basis for data processing

Summary

The Dutch DPA (AP) has fined the municipality of Enschede EUR 600,000. In 2017, the municipality decided to install special measurement boxes to measure crowds in the city center of Enschede. Sensors in the measurement boxes detected the wifi signals from the cell phones of passers-by and registered them with a code. Based on the registered codes, it was possible to calculate how busy the city center was. However, this also made it possible to track which measurement box a particular cell phone passed by, making it possible to track the movement of passers-by. The municipality states that it was never its intention to track passers-by. However, the DPA finds that the wifi tracking (even if it was unintentional) constitutes a serious breach of the GDPR. The DPA concludes that the municipality tracked its passers-by without an effective legal basis and thus violated Art. 5 (1) a) GDPR and Art. 6 (1) GDPR.

Open original source Links to the regulator's original publication or another source.