Privacy Policy for Public Wi-Fi

1. Overview

The following statement explains to you as a user of Unwired Wi-Fi for what purpose, what type of data is collected, how long it is stored, and how you can determine at any time how your personal data is handled. We therefore process your data exclusively on the basis of the legal provisions (General data protection regulation, briefly referred to as GDPR, TKG). In this privacy notice, we inform you about the most important aspects of data processing in connection with Unwired Wi-Fi.

1.1 Person responsible:

Name/Company: Unwired Networks GmbH
Street no.: Gonzagagasse 11/25
Postcode, City, Country: 1010, Vienna, Austria
Company register number: 365784v
Managing Director: Mag. Alexander Szlezak
Phone: +43 1 996 2051
Email address: privacy@unwirednetworks.net

1.2 Data Protection Officer:

For questions or suggestions regarding data protection, please contact the company’s Data Protection Officer.
Email address: privacy@unwirednetworks.net

2. Purpose of processing

2.1 Data processed

List of Categories with Examples

• Wi-Fi connection data (e.g., MAC address of the device, IP address, DNS requests, browser type & browser version, operating system, referrer, …)
• Wi-Fi probe data (e.g., MAC address, signal strength, …)
• Personal. data (e.g., for Facebook & email login: first name, last name, email address)

No special categories of data pursuant to Article 9(1) GDPR are processed.

WiFi Connection Data

To provide internet access via Wi-Fi and to avoid requiring a repeated login for recurring Wi-Fi usage, we process, among other things, the MAC address of the connected device, the IP address, DNS requests from the device, as well as, for the purpose of confirming the terms of use, the browser type, device manufacturer, and operating system. The data is processed for the technical provision of Wi-Fi access, enforcement of service restrictions, prevention of misuse, proof of consent to the terms of use, as well as, in aggregated form, for usage analysis.

Wi-Fi probe data

The purpose is the aggregated collection of usage data (number of devices), such as visitor flows. Within the range of a Wi-Fi access point, the search requests of Wi-Fi-enabled devices for available Wi-Fi networks, as well as the time and received signal strength, are processed. This processing is exclusively for the creation of anonymized, aggregated analyses and never in relation to individual devices or persons.

Logs

For the purpose of obtaining consent to the Wi-Fi terms of use, as well as providing information and non-personalized advertising, we store web server log data from our Wi-Fi portal, including the private IP addresses assigned by us. Additionally, for the purpose of technical monitoring of the service, preventing misuse, and statistical analysis of operating systems, device manufacturers, browser versions, etc.

Personal master data

As part of certain services, we process, on behalf of and depending on the chosen service of our clients (as a data processor), the email address, as well as the first and last name of the Wi-Fi user, with their consent. This data is collected as part of the Wi-Fi advertising, Facebook login, and email login products. The data is temporarily processed by Unwired and transmitted to the client. To provide proof of the Wi-Fi user’s consent, data about the device and the time of consent are stored.

Cookies

A ‘cookie’ is a small file consisting of a text-only string of information that a website transfers to your computer hard drive web browser and places there temporarily for the duration of your visit to the site or sometimes longer, depending on the type of cookie. Cookies perform different functions (e.g., to distinguish between you and other users of the same website or to remember certain facts about you, such as very specific preferences) and are used by most websites to provide a higher quality user experience. Each cookie is unique to your web browser and contains anonymous information. Typically, a cookie contains the name of the domain from which it came from, the “lifetime” of the cookie, and a value (usually in the form of a randomly generated, unique number).

Cookies without consent

We use cookies if they are absolutely necessary from a technical point of view, e.g., for error-free website display. The following cookies may be used:

• User-input cookies (session ID), e.g., first-party cookies that store user input when filling out online forms, but only for the duration of the session. Persistent cookies may be exempt if the storage duration is limited to a few hours.
• Authentication cookies that remember the user’s login status once they are logged in, for example, as a family member; this must be limited to the duration of the session.
• User-centric security cookies designed to enhance the security of a service, e.g., detecting multiple failed login attempts, for a limited duration (a few hours).
• Multimedia content player cookies that store technical data for playing video and audio files, e.g., Flash cookies, for the duration of a session, with the condition that no additional information not necessary for playback is included.
• Load-balancing cookies that are necessary for the operation of a so-called load balancer to ensure routing to a specific server in the pool, limited to the duration of the session.
• User-interface customization cookies that store user preferences regarding a service across multiple websites and are not linked to other permanent identifiers (e.g., username), but are explicitly desired (button, checkbox), e.g., cookies for setting language preferences, for the duration of the session.
• Third-party social plug-in content-sharing cookies, provided the user is a logged-in member of a social network and they are necessary for the desired functionality (also across third-party websites), for the duration of the browser session or until the member logs out. However, as a non-member or logged-out member, they must give their consent.

Cookies requiring consent – cookie banner design

For consent-required cookies, we obtain your consent in accordance with Section 96(3) of the Telecommunications Act (TKG).

2.2 Persons concerned

• WiFi Users
• Owners of devices with active Wi-Fi functionality

2.3 Legal basis

• We process Wi-Fi connection data for the technical provision of internet access via Wi-Fi and to fulfill our contractual obligations and services according to. Art. 6 para 1(b) of the GDPR, in this case, the provision of internet access via Wi-Fi.
• To offer our products and services to our clients, Unwired collects technically necessary data and data for which Unwired has a legitimate interest, while respecting the interests of the affected groups (e.g., Wi-Fi probe data, DNS requests). For the use of personal data (e.g., first name, last name, email address), Unwired obtains the consent of the Wi-Fi user at the instruction and on behalf of the Unwired clients.
• The legal basis for obtaining consent is Article 6(1) of the GDPR. 1 point (a) and Art. 7 GDPR, the legal basis for processing in order to perform our services and carry out contractual measures and respond to enquiries is Art. 6 para. 1 point (b) GDPR, the legal basis for processing in order to comply with our legal obligations is Art. 6 para. 1 point (c) GDPR, and the legal basis for processing in order to protect our legitimate interests is Art. 6 para. 1 point (f) GDPR.

2.4 Third-party provider

• We use wholesale service providers in order to be able to provide our services: e.g.: A1 Telekom Austria AG, Hutchinson Drei Austria GmbH.
• We use Google Cloud Services and other services provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, based on our legitimate interests. For this purpose, we have concluded a contract with Google with so-called standard contractual clauses, in which Google undertakes to process user data only in accordance with our instructions and to comply with the EU data protection level. Google is also certified under the Privacy Shield agreement and thus offers an additional guarantee of compliance with European data protection law https://policies.google.com/privacy?hl=de&gl=de
• We use the cloud services of Amazon Web Services, a subcompany of Amazon Inc. You can find the privacy policy of Amazon Web Services at https://aws.amazon.com/de/privacy/?nc1=f_pr.

3. Relevant legal bases

In accordance with Art. 13 GDPR, we inform you of the legal basis for our data processing. If the legal basis is not stated in the privacy policy, the following applies: The legal basis for obtaining consent is Art. 6 para. 1 point (a) and Art. 7 GDPR, the legal basis for processing in order to perform our services and carry out contractual measures and respond to enquiries is Art. 6 para. 1 point (b) GDPR, the legal basis for processing in order to comply with our legal obligations is Art. 6 para. 1 point (c) GDPR, and the legal basis for processing in order to protect our legitimate interests is Art. 6 para. 1 point (f) GDPR. In the event that vital interests of the data subject or another natural person make processing of personal data necessary, Art. 6 para. 1 point (d) GDPR serves as the legal basis.

3.1 Amendment and update of the privacy policy

We ask you to regularly inform yourself about the content of our data protection declaration. We adapt the data protection declaration as soon as the changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.

3.2 Provision of contractual services

We process the data listed under 2.1 for the purpose of fulfilling our contractual obligations and services in accordance with Article 6(1)(b) of the GDPR.

3.3 Rights of data subjects

You are generally entitled to the rights of information, correction, deletion, erasure, data portability, revocation and objection. If you believe that the processing of your data violates data protection law or that your data protection rights have been violated in any other way, you can complain to the supervisory authority. In Austria, this is the data protection authority. You have the right to request confirmation as to whether relevant data is being processed and to obtain information about this data, as well as further information and a copy of the data in accordance with Article 15 of the GDPR. According to Article 16 of the GDPR, you have the right to request the completion of your personal data or the correction of inaccurate data concerning you. Under Article 17 of the GDPR, you have the right to request the immediate deletion of your data, or alternatively, under Article 18 of the GDPR, to request a restriction of data processing. You have the right to receive the personal data that you have provided to us in accordance with Article 20 of the GDPR and to request its transfer to other controllers. You also have the right, under Article 77 of the GDPR, to file a complaint with the competent supervisory authority. You have the right at any time to obtain free information about the data stored about you, its origin and recipient, as well as the purpose of the data processing. You also have the right to data transfer and deletion of your data. Please contact us via the contact form or by telephone.

3.3.1 Right of withdrawal

You have the right to revoke any consents given in accordance with Article 7(3) of the GDPR, with effect for the future.

3.3.2 Right to object

You can object to the future processing of your personal data at any time in accordance with Article 21 of the GDPR. The objection can be made particularly against the processing for the purposes of direct marketing.

3.3.3 Right to erasure

The data we process will be deleted or restricted in processing in accordance with Articles 17 and 18 of the GDPR. Unless explicitly stated otherwise in this privacy policy, the data stored with us will be deleted or anonymized as soon as it is no longer necessary for its intended purpose, and there are no legal retention obligations preventing deletion or anonymization. If the data is not deleted because it is required for other legally permissible purposes, its processing will be restricted.

3.4 Data security

We strive to protect our users from unauthorized access to, or unauthorized alteration, disclosure, or destruction of data. In particular:

• we encrypt many of our services using TLS.
• we review our collection, storage and processing practices, including physical security measures, to protect against unauthorised access to systems.
• we restrict access to personal data to employees and contractors who have a compelling need to know the data in order to process it for us and who are subject to strict confidentiality obligations and may be subject to disciplinary action or termination if they fail to comply with those obligations.

3.5 Scope of the privacy policy

This privacy policy applies to the services defined above, offered by Unwired Networks GmbH. Our privacy policy does not apply to services provided by other companies or individuals, including products or websites that are displayed to you in search results or other websites linked to our services. Our privacy policy does not cover the handling of information by other companies or organizations that promote our services and may use cookies, pixel tags, and other technologies to provide and display relevant advertisements.

3.6 Regulatory compliance in cooperation with government agencies

We regularly review compliance with our privacy policy. Once we receive formal written complaints, we will contact the person who submitted the complaint for the purpose of addressing the issue. We work with the relevant regulatory authorities, including local data protection authorities, to handle any complaints regarding the transmission of personal data that we are unable to resolve with our users.

Competent supervisory authority

Austrian Data Protection Authority
Wickenburggasse 8
1080 Wien
Telefon: +43 1 521 52-25 69
E‑Mail: dsb@dsb.gv.at