Information for the user
Geolocation data which can be linked to a person are personal data. They provide an intimate overview of someone’s behaviour. For that reason, data subjects have to consent to these data being processed by a company and also have to be correctly and fully informed about what happens to these data. The CBP concludes that TomTom fails to sufficiently inform its customers about the exact use the company will make of the data it collects from the devices’ users. Through the offline devices TomTom acquires historical geolocation data the moment the user connects with the Tom Tom servers. By means of the online devices and the smartphone application, TomTom acquires real time geolocation data, as well as historical data through the online version. As for the storing and processing of historical geolocation data, TomTom asks for consent to collect anonymous data. In fact, the company actually collects personal data, like data on the use of the device and on the routes driven. The question with which it asks for permission is insufficiently specific. As regards the processing of real time data on the online devices and smartphones – for instance, in order to provide targeted information on traffic jams – TomTom does not ask users for specific permission and thus acts contrary to the Wbp.
TomTom has promised the Dutch DPA that it will provide for the required request for consent and the corresponding information on all the devices by half February 2012. An initial assessment shows that if TomTom implements these changes in the way of providing information and requesting consent, the observed violations will cease. A definitive assessment will follow as soon as possible after TomTom has actually implemented this.
Data passed on to third parties
TomTom provides data it has collected to third parties, amongst which indirectly to the police. As a result of media reports the CBP has investigated if the way TomTom provides geolocation data to third parties contravenes privacy legislation. The CBP concludes that data provided to third parties have been stripped of their identifying features and are only provided at an aggregated level. In that case these do not constitute personal data and the Wbp does not apply. On that account, TomTom has not contravened the Wbp.