Since the introduction of Regulation (EU) 2016/679 of the European Parliament and of the Council – more commonly known as GDPR – on the 25th of May 2018, GDPR has become more or less a part of everyone’s daily life in one way or another; either by experiencing the onslaught of privacy policy notices and consent requests as a user, or on behalf of a market enterprise trying to navigate the seemingly impenetrable data regulations in an effort to achieve data compliance.

Many have since passed the initial hardships of achieving basic GDPR compliance, however, a general experience is that many of the more complex data management practices that were previously legally valid – or at least possible – have been rendered substantially more difficult, or in some cases invalid since GDPR having come into effect.

In the present article, we examine and help with one of these practices that are more complex in their execution, but are however of a high economic value and use: location-based advertising.

1. What do we mean by location-based advertising?

Any economic advertising activity in which the person is targeted and addressed by the advertising message based on the geographic situation – the location data – of their mobile device.

Such activities are for instance where a store engaged in location-based direct advertising sends a consenting person walking by their store a direct advertising message (e. g. a push notification) regarding a promotion or an offer found in the store, sent in real-time, based on the recipient’s location.

As it’s shown by the above example, the basis and the centre of this sort of marketing activity is the location data of the addressee, and the handling thereof regarding marketing purposes; the former qualifies as personal data, while the latter is personal data management, both of which entail the regulations of GDPR.

2. What legislation applies to location-based advertising?

The European and Hungarian legal regulations regarding location-based advertising are both multi-faceted:

a) Both the general regulations of Act XLVIII of 2008 on economic advertising (Grt.) and its specific provisions on direct marketing apply, since location-based advertising messages count as economic advertisements aimed at specific persons;
b) Act CVIII of 2001 on electronic commercial activities (Elkertv.) also applies, as these kinds of messages count as electronically communicated advertisements;
c) The provisions of the ePrivacy Directive (2002/58/EC) shall also be observed, as well as the soon-to-be enacted ePrivacy regulation (repealing the Directive);
d) since location-based advertising entails the processing of personal data, naturally the regulations of GDPR shall have to be observed – this is where the brunt of the necessary legal steps stem from.

As we’ve previously indicated, in spite of the wide-branching legal regulations that apply, there is a single key to the heart of the matter, the personal data category of location data. This is defined by the ePrivacy Directive as follows: “any data managed by way of electronic communications networks or electronic communications services for the purposes of marking the geographical location of the terminal device of a user of openly accessible electronic communications services.”

GDPR requires location data to be regarded and handled as personal data, thus in order for an enterprise to not only effectively, but to legally practice this kind of direct marketing, several GDPR-required actions must be carried out.

3. How can all this be done legally?

To achieve legal compliance in processing the location data that are paramount to location-based advertising, various steps must be taken by the enterprises engaging in this sort of direct marketing, which include the following:

a) Requesting of consent

GDPR Article 6 regulates what circumstances may be nominated as legal bases for the processing of personal data. In examining thereof, we may quickly recognise that in cases of direct marketing, especially the kind based on location data may only be conducted on the grounds of the consent of the persons concerned, with no other legal grounds available as basis – thus enterprises wishing to engage in direct marketing of this kind need to secure the consent of the persons concerned in line with the regulations of GDPR.

b) The matter of profiling

In the context of GDPR, profiling means when the personal data of a concerned person are linked, connected by the data processor in a way that provides – via the linking itself – a broader picture of the concerned persons’ preferences, by which the data processor may predict or estimate the possible decisions of the concerned person (prediction). This may very well be the case with databases kept for marketing purposes, however if so, the concerned persons need to be duly and adequately informed of the profiling being conducted. Such is the case regarding automated decision making as well, for instance where targeted promotional discounts are communicated to the concerned persons.

c) Record keeping regarding processing activities

Since the processing of location data is deemed “likely to result in a high risk” by Guideline no. 248 of the Article 29 Data Protection Working Party, and since location data registers are very rarely kept in an occasional fashion, processors of location data are required to keep mandatory records per their processing activities, with which they are to comply with all of the administrative requirements set out by the Regulation, moreover, in the event of any authority inspection, these records shall have to be presented to the authority conducting the inspection.

d) Preparing data protection impact assessments

The above-referenced category of “likely to result in a high risk” also entails mandatory data protection impact assessments (DPIA) to be conducted by the data processors of location data – regarding which we hasten to stress that it is not sufficient to merely conduct the DPIA’s, as the residual risks and results thereof also need to be mitigated or managed in line with GDPR provisions.

Conclusion

To summarise, we can rest assured that it is far from impossible to conduct modern, technology-intensive commercial practices based on complex data processing such as location based advertising in a post-GDPR world – with the appropriate level of care and by skilled mitigation of the legal risks, these endeavours can continue to be brought to success.

The author: dr. David Beraczkai, Senior Associate at Sár & Partners

Budapest, March 4th, 2019.