The E.U. General Data Protection Regulation (G.D.P.R.) is now officially applied throughout the European Union, introducing major changes to the system for the protection of natural persons with regard to the processing of personal data and to the free movement of such data.

Furthermore, our era is characterized by the evolution of technology, with new internet-enabled devices, known as Internet of Things (IoT) devices, on the European market, which may process a great amount of personal data. Thus, the need for their compliance with the G.D.P.R. framework is unequivocal.

In particular, the key considerations for IoT manufacturers, service providers and retailers under the new G.D.P.R. regime are analyzed as follows:


  1. Their IoT devices are very likely to process personal data:

The IoT devices of a manufacturer or a service provider involved in the related technological industry will probably be processing personal data (e.g. names, e-mail addresses, location data, online identifiers like IP addresses etc.).

In this case, the G.D.P.R. and the local data protection laws implementing it shall apply, covering all the layers of data processors and data controllers in the IoT world (e.g. manufacturers, app developers, social media platforms, aggregation platforms etc.).

*Caution: It must be carefully determined, in any case, whether a manufacturer or a service provider is a controller or a processor under the G.D.P.R.

  1. Data protection by design is required if the IoT devices use personal data:

The aforementioned IoT devices shall, from the beginning, be built with the necessary data privacy. In particular, the G.D.P.R. requires a «data protection by design» approach to be adopted for any product or service. This means both that data protection issues must be taken into account at the start of the product's development and that, throughout the lifecycle of any device or service, the protection of these data must be ensured.

The adoption of technical and organizational measures to safeguard any personal data which the IoT devices process, as well as the performance of a Data Protection Impact Assessment (DPIA; mandatory, for instance, in cases of high-risk processing), may help each manufacturer or service provider to comply with data protection obligations when designing a related device, product or service that processes personal data.

  1. The customer's trust is crucial:

As reported in a global survey last year, six in ten IoT devices do not properly inform customers about the use of their personal data. Thus, under the G.D.P.R. framework, manufacturers and service providers are obliged to inform their customers both about the collection, storage, use, disclosure and transfer of their personal data and about their new and enhanced rights over these data.

  1. Cyber security and data protection are necessarily linked:

IoT device manufacturers or service providers who invest time and money in secure design shall respect their customers, while remembering that cyber security and data protection are inextricably linked and must both be high on everyone's agenda.


  1. Each retailer shall protect his/her products’ reputation:

In any case, high priority must be given to quality design for the protection of people's data, and not to meeting deadlines at certain times of the year (e.g. Christmas, Easter season etc.), as this strategy will both protect their business from any reputational damage and reward them in the long term.

  1. Each retailer is obliged to protect his/her customers:

The safety of any IoT device must always be taken into consideration when choosing the products to be sold, as digital innovation is based on consumers' trust.

In particular, IoT device retailers shall check whether the manufacturer has produced a product that is safe for consumers' personal data, whether the use of this data is transparent and, finally, whether the manufacturer's practical measures provide strong credentials and timely software updates.

In any case, it is worth noting that, in our broadened digital era, the «battle» between the demand for connected toys, smart watches and smart home accessories and personal data protection must always end in favor of the latter.


Edited by Dimitra Panagidi