IoT Software and the GDPR – General Data Protection Regulation

Almost all software is affected in some way by the GDPR (General Data Protection Regulation). Manufacturers and companies using “Internet of Things” (IoT) applications must comply with the regulation from May 25, 2018. This defines the legal framework with regard to the processing of personal data and the corresponding obligations of data controllers or operators of IoT applications.

The GDPR in Brief:

  • Concerns the processing of personal data (for example: name, address, date of birth etc.)
  • Regulates the protection of the data subject
  • The processing of personal data is generally prohibited – is only allowed if an exception (legal basis e.g., purchase contract, order) exists.
  • From May 25, 2018, directly applicable in all EU Member States
  • Fines of up to EUR 20 million or 4% of last year’s worldwide annual turnover in serious cases

What Does this Mean in Concrete Terms for Internet of Things Applications?

A typical “Internet Of Things” (IoT) application usually records a lot of process data and sensor data without direct personal reference. However, each system has at least one personal reference. Users log on to the system using the login. A login is defined in the Regulation as personal data.

What are the Implications?

  • The application must be entered in the company’s procedure directory.
  • The application does not need to be registered in the Austrian Data Processing Register (DVR).
  • Data deletion time limits must be observed.
  • Data security (encryption of personal data or password protection)
  • Data protection through technology – assessment according to probability of occurrence
  • privacy by design/privacy by default i.e. protection via default settings

An IoT application such as RevoConnect that is operated in the cloud via AWS or Google Clouds fulfills these obligations. If there is a personal reference within the process data, it is made anonymous.

Users log in to the system via the login, of course. A login is defined in the Regulation as personal data. The Regulation uses the wording “SA007 Administration of user identification”. Depending on the processing, there are different obligations such as registration in the DVR, data retention period, entry in the register of procedures.

More detailed information on the RIS website: RIS