Data Protection Commissioner

FAQ: Location Data For Individuals

For guidance for Organisations please see Guidance note on Location Data here

Location data
Are you concerned about organisations collecting or processing information relating to your location? Read this guide to find out when it is allowed and what your rights are when it comes to the collection and processing of location data.
 
·      Be aware that some smartphone apps, websites, and public WiFi networks or other locations might collect information about your location when you use them. Keep an eye out for such services asking your permission to track you or otherwise process your personal data.
 
·      Get to know your smartphone settings and notifications so that you can control the amount of location data you share with organisations and how often you share it.
 
·      Know your rights, so that you can react if you think that your location data is being misused or processed without your permission.
 
·      From a data protection perspective, this type of technology must take account of the fair obtaining and fair processing requirements of the Data Protection Acts which are, generally speaking, that a person must be informed of - and consent to - what will happen to their data before it is collected and processed. In essence, people have a fundamental right to privacy. Any processing of their location and movements without permission can be seen to be an infringement of these rights.
 
Any information linking you with a particular place can be considered to be "location data" about you.  This includes information about where you are now, or where you were at some point in the past.  Technology has made it easier than ever before for individuals to be located and for information about their location to be used by organisations to offer new services, such as navigation apps or location-specific news content on websites.
 
However, your location data can give away a lot of information about you. In particular, information about your movement over a long period of time can be analysed to reveal very intimate details about your personal life. This type of data may be valuable to some organisations, as it can allow for very specific targeting of services to individuals. However, this detailed data may also pose serious risks to your privacy. Location data that is inappropriately processed may be used to make decisions which adversely affect you.
 
There are a range of technologies which are capable of gathering location data about you, including:
 
·      Smartphones: Most smartphones are equipped with sensors which allow your phone to detect its own location almost anywhere in the world. The manufacturer of the phone or apps installed on the phone may wish to collect this information to provide location-specific services or targeted advertising for instance.
 
·      Websites: Websites may seek location data about the location of the device you are using to access them, such as your computer or smartphone.
 
·      Public WiFi: If a shop or other publicly accessible building offers WiFi, it is technically possible for the operator of the WiFi network to analyse data from this network to count the number of visitors carrying smart mobile devices, or to monitor their location and movements around the area covered by the WiFi network. In some cases, you could also be tracked across networks. Retailers etc. must post signage telling consumers/employees that this processing is occurring. It is essential that clear information is provided informing them how to opt out of tracking.
 
·      Network providers: Data collected by mobile phone service providers relating to your mobile phone's connection to the network can be used to determine the location of your phone.
 
·      Wearable devices: So-called “Wearable” and “mHealth” devices may wish to gather your location data in order to enrich the information they already process about your fitness or other activities.
 
Location Data and the Data Protection Acts 1988 & 2003
Location data is defined as any information about your current location, or about your movements in the past, which can be linked to you. This qualifies as your personal data.
 
The Data Protection Acts give you the right to request access to information held about you by organisations, including information about your current or past locations. They also set out the rules which organisations must follow when gathering, keeping or processing your location data.
 
We have prepared an introductory guide to the Data Protection Acts, which you may want to read to find out more about what the Data Protection Acts do for you. This page contains some additional information and tips specifically about location data.
 
While location data is technically not categorised as “sensitive personal data” within the meaning of the Acts, location data can contain sensitive personal data, as set out under Section 2B of the Acts.
  
In most cases, an organisation should obtain your consent before collecting or processing your location data.  Where the location data is generated by a "public communications network" like a mobile phone network, prior informed consent is mandatory, and your location data can only be processed to the extent necessary to provide a "value added service" that you requested.
 
Personal data may only be collected and processed by an organisation if it complies with one of the conditions listed in the Data Protection Acts.  Consent is one of the conditions, but there are others which an organisation may rely on to collect data about your location, even if you do not consent to it.  For example:
 
·      If an organisation needs to collect personal data in order to perform a contract with you
 
·      If the organisation is required by law to collect location data
 
·      If an organisation needs to collect your location data to pursue its legitimate interests, after balancing those interests against your fundamental rights. This is likely only to be possible in exceptional cases, and will be accompanied by other safeguards including prompt anonymisation of the data.
 
To find out more about the circumstances in which an organisation may collect and process your personal data, see our general information pages on your rights when an organisation holds your personal data, and your rights when an organisation wants to obtain your personal data.
 
Whenever your location data is being collected, you should be told in advance who is collecting your location data, the purposes for which it will be used, and details about any other organisations with which your location data might be shared.  Often this information will be contained in a privacy policy or information notice. For example:
 
·      If location data is collected by a website or app, the website or app will normally have a privacy policy containing this information. It should detail why and when it is needed, and how you can control the website or app access to the location data. It should only collect the data when needed and not continuously.
 
·      If location data is collected by a shop's WiFi network, this information should be displayed on your device before you are able to connect to the internet over the network, or there should be physical notices in the shop informing you about this.
 
The technology in your smartphone is capable of pinpointing your location quite accurately. It is also able to share this information with organisations, such as the developers of apps installed on your phone. You have the ability to control when your phone generates data about your location, and to decide whether or not to install an app that will use your location data. Some types of smartphone also enable you to switch location services on and off for individual apps, giving you a lot of control over your location data. Recent smartphones also have the facility to ensure that apps only collect location data when they are running on the display of the phone, not when they are open in the background. It may also be possible to control the accuracy of the location data collected, or the sensor in the device that provides it, e.g. GPS or the cell towers in network-based location.
 
Smartphone operating systems, such as Android and iOS, allow you to turn location settings "on" or "off" completely.  When location settings are turned "off", your location data will not be collected by your phone.  You can choose to switch location data on only when you need it, for example when using a navigation app, to protect your privacy.
 
When you install an app, it will often ask for permission to use certain functions on your phone, or to access certain data.  For example, a navigation app will normally ask for permission to use your “current location” in order to give you directions or to provide information.  You should carefully read permission requests when installing or updating apps, so that you know who you are allowing to collect data about your location, and are comfortable with allowing that app to access your location data. The app or service should also clearly indicate the circumstances and duration of the location data it collects, and it should periodically remind you that processing of your location data is taking place. This is usually presented as a visual cue such as an icon or flash indicating that your location data is being gathered.
 
Remember, you should familiarise yourself with the location settings on your phone or other smart mobile device, so that you know who has access to your location data, and you can control when location data is collected.  You can always choose not to install an app, or to remove it, if you are not happy with the permissions it requests.  There are often alternative apps offering the same service without requiring the same permissions.
 
You have a right under Section 3 of the Data Protection Acts to establish whether an organisation holds data about you and, if so, to be given a description of the data and the purposes for which the organisation holds the data.  An organisation must reply to a written request under Section 3 within twenty-one days, and cannot charge a fee for providing this information.
 
See our information page on your rights when someone else keeps information about you to find out more.
 
 
Section 4 of the Data Protection Acts provides for the right of individuals to request access to personal information held about them by an organisation.   You may be asked to pay a fee, but this cannot exceed €6.35. You may also be required to provide a copy of a photo ID. Once you have made your request, and paid the appropriate fee, you must be given the information within forty days.  A data controller that receives an access request can only rely on the exemptions as set out in Section 4 and Section 5 of the Acts in order to withhold information. Your personal data must be given to you in "intelligible form".  In the case of location data, this means that your location data could be plotted on a map, or that an address be given, rather than just being provided with geographic coordinates.
 
To find out more about requesting access to personal data held about you by organisations, and to find out about the circumstances in which organisations don't have to provide access, see our information page on your rights when someone else keeps information about you.
 
The general rule is that organisations can only retain your location data for as long as they need it for the lawful purposes for which they hold it.  If an organisation no longer has a valid reason for retaining your location data, it should delete it.
 
To find out more about an organisation's duty to delete your personal data when it is no longer needed for a legitimate purpose, see our information page on your rights when someone else keeps information about you.
 
 
Some location data, such as the information gathered by a mobile phone network about the location of your mobile phone, is required by law to be kept by mobile phone service providers for a defined period of time (currently two years for call related location data, or one year when collected in relation to an internet service provider).
 
The Communications (Retention of Data) Act 2011 allows Gardaí, the Defence Forces, Revenue Commissioners and the Competition & Consumer Protection Commission to request access to this information only for law enforcement and state security purposes, or to save human life. Apart from complying with these requests, service providers may only access retained location data if you have requested and consented to the access, or at the direction of a court or with permission of the Data Protection Commissioner.
 