Lexicon > Internet of Things

IT Glossary

Internet of Things

The Internet of Things (IoT) refers to fixed and mobile devices connected to the Internet.

These devices generally allow direct communication between them, with or without wires, and thus the exchange of information.

They can be autonomous or dependent on other systems (smartphone, computer…).

The Internet of Things represents a significant source of exploitable vulnerabilities in more environments and, due to the high quality of interconnections between devices and systems, a faster potential propagation path to multiple devices.

The implementation of technical and organizational security measures appropriate to the risk must therefore be ensured in all elements of a connected system, as a vulnerability in one component can potentially compromise the whole.

As the Internet of Things processes a large number of different categories of personal data in principle, but also creates new data and metadata by itself, their compliance with the GDPR is therefore important for the rights and freedoms of data subjects, but also of third parties.

In particular, the Internet of Things allows connections to be made between seemingly isolated and unrelated information.

It also enables knowledge to be generated from mundane data, even data considered “anonymous” due to the proliferation of sensors, revealing specific aspects of people’s habits, behaviors and preferences.

The volume of information collected by the Internet of Things is of interest in the context of Big Data, but also in the development ofArtificial Intelligence.

RGPD Point

” 1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing operation, as well as the risks to the rights and freedoms of natural persons, which vary in likelihood and severity, the controller shall implement, both at the time of determining the means of processing and at the time of the processing itself appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, effectively and to provide the necessary safeguards for the processing to meet the requirements of this Regulation and to protect the rights of the data subject

2. The controller shall implement appropriate technical and organizational measures to ensure that, by default, only personal data that are necessary for each specific purpose of the processing are processed. This applies to the amount of personal data collected, the extent of its processing, its storage period and its accessibility. In particular, these measures shall ensure that, by default, personal data are not made accessible to an indeterminate number of natural persons without the involvement of the natural person concerned.”

Article 25 of the GDPR

Point of jurisprudence

The Spanish supervisory authority was able to recall that “The way in which direct marketing is carried out has changed. Instead of simple emails reaching customers’ mailboxes, targeted advertisements are now appearing on the screens of smart phones and computers. In the near future, advertising could also be integrated on smart devices connected to the Internet of Things.”.

Agencia Española de Protección de Datos, July 6, 2021, No. PS/00259/2020

The Bouchara firm assists you in particular in :

  • Making your organization RGPD compliant;
  • The drafting of data protection policies (privacy policy, computer charter …);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.