Where devices and/or services process personal data, they shall do so in accordance with applicable data protection law, such as the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Device manufacturers and IoT service providers shall provide consumers with clear and transparent information about how their data is being used, by whom, and for what purposes, for each device and service. This also applies to any third parties that may be involved (including advertisers). Where personal data is processed on the basis of consumers’ consent, this shall be validly and lawfully obtained, with those consumers being given the opportunity to withdraw it at any time.
This guideline ensures that:
i) IoT manufacturers, service providers and application developers adhere to data protection obligations when developing and delivering products and services;
ii) Personal data is processed in accordance with data protection law;
iii) Users are assisted in assuring that the data processing operations of their products are consistent and that they are functioning as specified;
iv) Users are provided with means to preserve their privacy by configuring device and service functionality appropriately.
Primarily applies to: Device Manufacturers, IoT Service Providers, Mobile Application Developers, Retailers