I am trying to advise a customer about the measures he needs to put in place to ensure the GDPR compliance of his initiative using Meraki.
When an end user associates his device to an SSID, the Meraki dashboard tracks the device MAC address and the logs of the activities of that device (for example associations / disassociations). This happens immediately, as soon as the device associates the first time, regardless of whether there is a captive portal afterwards or it is a simple WPA2 or open network.
The MAC address is considered personal data in the GDPR, and, since it is not anonymized immediately after the collection, it is subject to the GDPR rules. Moreover, the logs are associated with an AP whose physical location is known, so the logs also track the location of the device, plus other info (model, manufacturer, etc.).
The only lawful ground that can be used for the collection and processing of such personal data is legitimate interest.
However, to rely on this principle, the data controller must in any case provide prior notice to individuals before the data is collected. But, even when setting up a Splash Page with the privacy notice, that personal data is collected before and independently of the acceptance (or non-acceptance) of the terms on the splash page.
What is the best practice recommended for a data controller to be able to deploy a WiFi network in compliance with GDPR? How can a data controller prove the legitimate interest in collecting and processing such personal data in the clear and for such a long time?