The processing of location data is unnecessary, such as Windows 10’s location setting being automatically enabled violates the “data protection by default” requirement under Article 25(2) GDPR. The DPA noted that the principle of “data protection by default” requires that the controller, when using third-party software or firmware, ensures that functions for which there is no legal justification to use or that do not correspond to the intended purposes of the processing are disabled.
Advises to organisations:
– Take care of up to date personal data overview/inventory (ROPA)
– Review all information and infrasystems to ensure you have privacy-friendly settings enabled.
– Location data may be and should be managed as sensitive – just consider how much you can understand about a person if you can track their movements at all times.
– Disable any unnecessary data collection – not only location, but so many of these systems/apps have integrated analytics that often are privacy-invasive.