Patrwm.io and Footfall Privacy Policy

Introduction

Menter Môn is a not for profit company providing solutions to the challenges facing rural Wales. A variety of projects work with businesses, communities and individuals, to deliver meaningful projects that harness their strengths and contribute to a sustainable future. The project will provide towns and rural communities of Anglesey and Gwynedd with public wi-fi and access to the Patrwm.io website, which reveals useful data e.g. footfall.

This Policy

This Privacy Policy (“Policy”) applies to the Patwrm.io footfall project (“the Project”) and the Patwrm.io website (“the Website”). It does not apply to any other projects of Menter Môn, or to any external websites that you may access through the Website.

Data controllers

The Data Controller for data processed under this Policy is Menter Mon, registered in the United Kingdom with company number 03160233 and address Neuadd Y Dref, Bulkley Square, Llangefni, Anglesey, LL77 7LR.

Contact

Any inquiries regarding this Policy or any other data protection issue regarding the Project can be submitted to:

Postal Address: Neuadd Y Dref, Bulkley Square, Llangefni, Anglesey, LL77 7LR or

Email: datacontroller@mentermon.com

What we process, why and the legal basis for this

Menter Môn launched the Project in order to measure the number of people in certain public spaces and share this aggregate data with local councils in order to understand how people move about and engage with these spaces in order to inform the development of towns and cities in Wales. It does this through an automated process which involves sending an ambient signal out from stations located in public spaces throughout Wales, which are received by devices including mobile phones, laptops and tablets. These devices then send back a unique identifier, allowing Menter Môn to interpret this data and infer how many people were in a particular public place at a particular time.

The personal data processed in order to carry out these purposes is a device media access control address, or MAC address, only. A MAC address is essentially a unique identifier assigned to a device – phones, tablets, computers and other devices that can connect to the internet each have their own unique MAC address – that allows the device to communicate with a network and connect to the internet. While we do not process any names, contact or other information in relation to any individual for the purposes of the Project, a MAC address is classified as personal data under applicable data protection laws. This information is used to infer how many individuals are in a particular area at a particular time only and is not linked to any other personal data about an individual.

Menter Môn protects personal data by hashing MAC addresses automatically upon receipt – meaning the numbers are redacted before being entered into a database to record them, so they cannot be read in full. This data is then used to create aggregate data, which is presented on the Website). The database of hashed MAC addresses is automatically within 24 hours of it being collected. At no time are copies or backups of unredacted MAC addresses made.

Opting out

Individuals may opt out from processing by completing this form. In order to opt out, we need to collect your MAC address, which will then be added to a list allows it to be excluded from aggregate data published on the Website. In order to effect this opt out, Menter Môn will need to retain your MAC address.

Sensitive data

Certain types of data are classed as “special category” under data protection laws including the GDPR. A higher threshold of data protection standards are in place in relation to this data as it concerns information deemed to be potentially sensitive. Special category data includes information about a person’s race, ethnicity, sexuality, health status and political or philosophical beliefs. We do not process any special category data under this Policy.

Data sharing and processors

Menter Môn works with certain carefully selected third-party processors who perform certain tasks in order to facilitate the Project. These include cloud data storage providers and Kodergarten Ltd which provides data collection, processing and administration services. For a full list of processors, their locations and the functions they perform, you can contact: datacontroller@mentermon.com.

Other data sharing relationships

Public

The aggregated, non-personal data published on the Website is available for download by the public via an authenticated API.

The Website

Aggregated, non-personal data only is published on the Website.

Data retention

All personal data collected through the Project (limited to MAC addresses only) is deleted within 24 hours after being collected.

Cookies

We do not use cookies on the Website.

Information security

We take all reasonable steps to ensure that personal data is processed securely and treated in accordance with applicable data protection laws and with this Policy. We institute technical and organisational measures to prevent unauthorised access to personal data, including limiting staff and contractor access in line with specific job responsibilities and the encryption of data where possible. While we do our best to protect personal data, information shared over the internet remains vulnerable to interception – for this reason, the transmission of any personal data to our websites or via email to us is therefore at the data subjects’ own risk.

International transfers of data

Any transfers of personal data to a country outside the EU, or a country without an adequacy decision in place will be supported by an appropriate international transfer safeguard as required by data protection laws, for example the European Commission’s Standard Contractual Clauses will be in place with international recipients of data.

Your rights

Where your data is processed under this Policy, you may have the right to:

  • be informed as to whether Menter Mon holds data about you;
  • access that data;
  • have inaccurate data corrected;
  • have your data deleted;
  • opt-out of particular data processing operations;
  • receive your data in a form that makes it “portable”;
  • object to data processing;
  • to receive an explanation about any automated decision making and/or profiling, and to challenge those decisions where appropriate.

You can seek to exercise these rights by contacting: Neuadd Y Dref, Bulkley Square, Llangefni, Anglesey, LL77 7LR or datacontroller@mentermon.com.

Data subjects covered by UK and EU data protection laws, including the GDPR, may also be entitled to lodge complaints with the ICO if in the UK, or in the EU, the data protection authority in their country of residence.

Updates to this Policy

We may change this Policy from time to time. If we make material changes, we will notify you as required by law.