Increasingly, personal tracking systems are being used in order to analyse customer data and thus to optimise retail space, product ranges and service offerings. During the year we therefore decided to take a closer look at these systems and noted that there were some potential risks involved affecting privacy rights.

Anyone who knows exactly how customers will behave can use that information to make money. This can be done by optimising the location of advertising space, making changes to the product range, or even sending out personalised advertising messages. More and more companies want to make the most of these advantages and, to that end, are installing systems capable of observing customers automatically and analysing their behaviour. The systems we inspected record people as they enter a particular area (e.g. a shopping mall) and follow them as they move through this space.

Some systems rely on biometric data (face recognition) and therefore quite clearly fall into the category of personal data. Usually they are also capable of breaking down the information according to age, sex and ethnicity. It is self-evident that there is a risk of an individual's privacy being violated, which is why it is important to ensure a high level of data protection (cf. our guidelines on biometric recognition systems which can be found on our website).

There are also other systems that rely on the signals transmitted by mobile phones and track the movement of all devices that move through the space that is under surveillance. Even though at first sight there may not seem to be any personal data involved (mobile phone operators cannot use the TMSI or IMSI numbers to identify a particular person), it can in some cases be relatively easy to establish a link with a person indirectly. For example, based on a movement profile it is possible, under certain circumstances, to attribute what was originally an impersonal profile to a specific person.

The motion profiles of store employees usually differ significantly from those of customers. In stores where there are few sales staff, it is relatively easy to assign a profile to a particular employee. By cross-referencing the profile with other data (e.g. images from CCTV cameras) it is possible to personalise a movement profile. Consequently, we can assume that these systems also process personal data and that the general processing principles enshrined in the Data Protection Act must be respected.

What this means first and foremost is that grounds must be provided to justify the data processing. The operation of such systems could be warranted, for example, by the existence of an overriding public interest or the consent of the persons concerned.

  • An overriding public interest can be said to exist when such systems are used to improve security in airports and train stations. An overriding public interest may also exist when systems are used not for personal but for statistical purposes, in order for example to measure customer frequency, providing that the analysis of the results does not permit the identification of individuals.
  • On the other hand, there is no overriding interest when personal data is used for marketing purposes. The data processing can only take place if the data subjects have given their consent. It should be understood in this context that the consent must be given freely and that the data subject must have the possibility of moving about in an area covered by a tracking system without fear of being filmed. Depending on the configuration of the system in question, this could be an extremely difficult exercise.

Under no circumstances may tracking systems be used in order to monitor employee behaviour. To do so would be unlawful and cannot be justified even if the employee concerned were to give his or her consent.