General Data Protection Regulation GDPR (EU)

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2019-06-24 09:20:24
Model: OC200  
Hardware Version: V1
Firmware Version: 20190419

In the EU, we have data protection regulation for personal client data (MAC, Device-Name, etc.). I have to inform my client how long access log data is stored. Unfortunately I'm unable to find this information in the documentation?!

 

The Omada Controller needs to have some kind of client privacy features:

  • Automatically delete client data after an (adjustable) period of time
  • Option to delete data of a single client

 

Otherwise it's impossible to use it in a regulation-conformant way in the EU.

#1
Re:General Data Protection Regulation GDPR (EU)
2019-06-26 01:06:51

Hello,

 

Thank you for your feedback.

 

The OC200 is in compliance with the EU regulations and we have got through many kinds of certification.

You say you cannot find the information in the documentation. What information do you want to find?

You want to delete the information of the client devices. Could you please tell us what information you want to delete?

#2
Re:Re:General Data Protection Regulation GDPR (EU)
2019-06-26 12:01:14

Luckily I was able to find the information ('Controller Settings' > 'Historical Data Retention') how long the client access data is kept in the logs. So my first question is answered.

 

But for my second point I still haven't found a satisfying solution.

 

The General Data Protection Regulation of the EU states in Article 17:

 

Right to erasure (‘right to be forgotten’)

1.   The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay

 

How can I fulfill this requirement in case one of my clients asks me to erase his personal data record?

 

For this case, there should be a 'Delete' button for clients in the 'Insight' view (Next to 'Block' and 'Edit').

 

#3
Re:Re:Re:General Data Protection Regulation GDPR (EU)
2019-07-01 05:50:40 - last edited 2019-07-01 05:50:58

Hello,

 

@vonTinzenberg , thank you for your feedback. 

 

1. The OC200 complies with the law of the EU. All TP-Link devices don't record the clients' information.

 

2. When some clients connect to the AP, we can see some information of these clients. But after they disconnect from the AP, the information of these clients will disappear. We can also find the information in the log, but the manager can delete them.

 

#4
Re:General Data Protection Regulation GDPR (EU)
2019-07-01 10:23:40

EAP Controller doesn't collect personal data. The hostname/MAC address of the host is not personal data. Personal data can be collected when you auth via SMS or maybe Facebook, etc.

#5
Re: General Data Protection Regulation GDPR (EU)
2019-07-03 03:18:47 - last edited 2019-07-03 03:22:38

vonTinzenberg wrote

The General Data Protection Regulation of the EU states in Article 17:

 

Right to erasure (‘right to be forgotten’)

1.   The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay

 

 

A MAC address alone is not a personal data record. See https://www.bundestag.de/resource/blob/538890/3dfae197d2c930693aa16d1619204f58/wd-3-206-17-pdf-data.pdf

 

But even if you regard a MAC address as a personal data record, the rules set forth in §28 BDSG apply: If you record the MAC address to fulfill a private business' (as opposed to a governmental agency's) purpose, it's allowed to store MAC addresses as long as you don't record other personal data, which can reveal a person as the device's owner or certain aspects of a person's behavior by using the MAC address to look up this person.

 

Since Omada Controller does not store names or addresses or emails of WiFi users when their MAC address is logged, it is perfectly o.k. to store the latter, especially on public hotspots where tens of thousands of MAC addresses show up each day.

 

Read the document linked above, it discusses the legal use of WiFi surveys at public places for mass tracking with MAC addresses being stored and looked up to prevent multiple accounting of the same device. It does not violate the BDSG law or the GDPR directive (it's NOT a law, the EU is NO state!).

 

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#6