GDPR Compliance Summary


The European Union’s General Data Protection Regulation (GDPR) takes effect on May 25, 2018 and represents a new legal regime for protecting personal data.

GDPR sets out a regulatory framework governing the collection, use, storage and destruction of personal data of European Union (EU) residents and applies to entities outside the EU that process the personal data of EU residents.


We’ve determined that our system contains the following pieces of what GDPR considers to be Personal Identifiable Information (PID):

  • MAC addresses
  • Location
  • Timestamp

As a result, 7SIGNAL is making changes to its system and processes to ensure compliance with the regulations by the May 25, 2018 deadline.  Depending on the deployment type, 7SIGNAL customers are either a ‘controller’ or ‘processor’ or both, according to the GDPR. Each have specific requirements they/we must fulfill.


Our product changes enable customers to comply with GDPR however, it is not possible for us to automate all aspects of compliance. While our default configurations and compliance modes are a key part of enabling customer compliance, additional requirements apply to you. Since GDPR applies to the usage and storage of personally identifiable data. In many cases EU PID must only be stored in and accessed only from an EU country.

For example, assume a company deploys a Sapphire server to a US datacenter and has Eyes deployed to an EU location. Unless they are certified under Privacy Shield they will be in violation of GDPR. Thus, if you wish to see end-user performance directly, which requires collection of mac addresses from EU locations, then you must either store and access that information in an EU country or be certified under Privacy Shield. Regardless, we’ve got you covered.

Please refer to the Internet Commissioners Office (ICO) Guide to the General Data Protection Regulation (GDPR) for more information. For more guidance from the IOC on Wi-Fi refer to their Data Protection Wi-Fi analytics guide.

New ‘Compliance Mode’

Customers with systems on their premises or in our cloud will be able to toggle on/off the collection of MAC addresses. This feature is enabled through the 7SIGNAL Configurator.

Customers who subscribe to 7SIGNAL’s cloud system in the USA can continue to measure end-user client device performance in non-EU locations.

Customers who subscribe to 7SIGNAL’s cloud system in the USA will be unable to measure end-user client device performance in EU locations (as it requires client mac addresses).

Customers deployed to the EU may choose to measure their end-user client’s performance (and collect their mac addresses).

Remember that accessing EU end-user mac address information from a computer outside of the EU qualifies as “transfer of personal data” outside of the EU, even when it is stored in the EU. Use appropriate operational controls to avoid this situation. It is impractical for us to reliably automate this restriction.

Consent – Opting In or Out

7SIGNAL customers operating Sapphire Eyes in GDPR compliant locations should notify people who might have their information recorded by publishing a message such as:

To provide good Wi-Fi user experience <customer name> continuously measures the performance of Wi-Fi enabled devices such as laptops and smartphones. As a result, each device’s unique identifier or “mac address” may be captured along with the time and location it was seen. To view, delete, or have your device excluded please contact <contact info.>

Based on your situation, this information might be posted on bulletin boards, sent via email, included in your Wi-Fi captive portal page content or all of the above.

Any individual may request:

  • To view the information about their device that has been collected
  • That their MAC addresses be removed from the system and blocked from future collection from all monitored locations (including outside of the EU).

Use the updated Sapphire user interface to satisfy these requests.


Within the GDPR;

  • A controller determines the purposes and means of processing personal data
  • A processor is responsible for processing personal data on behalf of a controller

An On-Premise customer who deploys 7SIGNAL servers onsite within their own datacenter is operating as both controller and processor. A Cloud customer is operating as the controller and 7SIGNAL is the processor. When an On-Premise customer deploys 7SIGNAL servers via a 3rd party provider e.g. Rackspace, the customer is the controller and the hosting service is the processor. 7SIGNAL provides a capability to On-Premise customers but is neither the controller or processor.

7SIGNAL and our processor locations have the appropriate IT Controls in place to comply with GDPR. We deploy customers who access EU location PID in our EU datacenter.

On-premise customer should be sure to validate that their partners comply with GDPR’s requirements.


As required by the GDPR, 7SIGNAL has designated a Data Protection Officer who is responsible for managing and reporting any breaches in security to the EU Commissioner’s Office.

7SIGNAL will comply with the 72-hour notification rule, as outlined by the GDPR.


We’ve determined that our system contains the following pieces of what GDPR considers to be Personal Identifiable Information (PID):

  • MAC addresses
  • Location
  • Timestamp

7SIGNAL is actively working on developing the aforementioned product changes for Mobile Eye. They will not be completed by the May 25, 2018 deadline and as a result, Mobile Eye is no longer available for sale in the EU until such time as the product changes have been completed. In addition, to ensure our compliance with GDPR, beginning May 1st 7SIGNAL will no longer accept Mobile Eye device data originating from the EU.

Currently, 7SIGNAL’s Mobile Eye is not intended to and does not collect data on personal devices in GDPR countries. 7SIGNAL does not offer licenses for Mobile Eye deployment onto personal devices; as a result Mobile Eye is not deployed on corporate devices assigned to a specific person or individually owned devices, and is only deployed on multi-user devices.

Accordingly, 7SIGNAL does not process personally identifiable information shared devices, which are corporate devices that are not assigned to an individual person but are assigned to an area or workstation shared by a group of people. To use our product for “shared devices”, the “Data Controller” must confirm that the 7SIGNAL Mobile Eye will only be deployed to “shared devices”. In addition, the “Data Controller” on behalf of the End User Customer using the 7SIGNAL Mobile Eye must indemnify 7SIGNAL from and against any claim arising from non-shared device deployment.

Click here to download our consent form.