Following report by Dutch DPA, TomTom provides user with better information

Press Release 12 January 2012
Following investigation, the Dutch Data Protection Authority (College bescherming persoonsgegevens, CBP) concluded that TomTom, producer of navigation systems, acts contrary to the Dutch Data Protection Act (Wet bescherming persoonsgegevens, Wbp). This is due to the fact that the users’ consent to process geolocation data is insufficiently specific. TomTom processes the geolocation data which are stored in both online and offline devices for its own use, in order to map traffic and roads. Because geolocation data are sensitive personal data, they  may only be processed after prior consent by the user. Also, the user has to be sufficiently informed. TomTom has promised to adjust the customers information in February 2012 to meet the legal requirements.

Read the report of the Dutch DPA (380 KB)

Information for the user
Geolocation data which can be linked to a person are personal data. They provide an intimate overview  of someone’s behaviour. For that reason, data subjects have to consent to these data being processed by a company and also have to be correctly and fully informed about what happens to these data. The  CBP concludes that TomTom fails to sufficiently inform its customers about the exact use the company will make of the data it collects from the devices’ users. Through the offline devices TomTom acquires historical geolocation data the moment the user connects with the Tom Tom servers. By means of the online devices and the smartphone application, TomTom acquires real time geolocation data, as well as historical data through the online version. As for the storing and processing of historical geolocation data, TomTom asks for consent to collect anonymous data. In fact, the company actually collects personal data, like data on the use of the device and on the routes driven. The question with which it asks for permission is insufficiently specific. As regards the processing of real time data on the online devices and smartphones – for instance, in order to provide targeted information on traffic jams – TomTom does not ask users for specific permission and thus acts contrary to the Wbp.

TomTom has promised the Dutch DPA that it will provide for the required request for consent and the corresponding information on all the devices by half February 2012. An initial assessment shows that if TomTom implements these changes in the way of providing information and requesting consent, the observed violations will cease. A definitive assessment will follow as soon as possible after TomTom has actually implemented this.

Data passed on to third parties
TomTom provides data it has collected to third parties, amongst which indirectly to the police. As a result of  media reports the CBP has investigated if the way TomTom provides geolocation data to third parties contravenes privacy legislation. The CBP concludes that data provided to third parties have been stripped of their identifying features and are only provided at an aggregated level. In that case these do not constitute personal data and the Wbp does not apply. On that account, TomTom  has  not contravened the Wbp.