Last updated: April 2025
Between April 14th 2025 to October 2025, Heathrow Airport Ltd (“Heathrow”) will be running a trial project in Terminal 3 to determine whether Wi-Fi connection data can be processed to monitor and improve crowd management.
This privacy notice tells you what to expect when Heathrow collects your personal information during the trial.
Whenever we process your personal data, we are legally obliged to use your information in line with all applicable laws concerning the protection of personal data, including the UK General Data Protection Regulation (UK GDPR).
Signs have been put up in Terminal 3 explaining the Wi-Fi data collection that is taking place and how to opt-out.
When a device such as a smartphone or tablet has Wi-Fi enabled, the device will continually search for a Wi-Fi network to connect to. When searching for a Wi-Fi network, the device sends out a probing request which contains an identifying number specific to that device known as a Media Access Control (MAC) address. We refer to the processing of your device’s MAC address as “Wi-Fi connection data”.
Once on our system, the MAC address will be hashed and salted. Hashing is a way of converting your data (such as a device ID) into a unique string of characters that cannot be traced back to you. We then apply salting, which means we add random information to your data before hashing it again. This extra step makes it even more secure. Together, hashing and salting help us protect your information while still allowing us to analyse how people move through the airport.
This hashing and salting process is to minimise any personal data processed by us as part of the trial. We do this so that we can provide insight into passenger flows through the terminal. This hashing and salting process is carried out by our supplier before the data is analysed to create the trial project report. The MAC address is not stored after the salting and hashing takes place. Once your data has been salted and hashed, your data will be pseudonymised. We use pseudonymisation to protect your personal data. This means that any information that could identify you directly — like your name or device ID — is replaced with a code.
This process allows us to analyse movement patterns and improve airport services, while keeping your personal information safe and private.
We convert the Wi-Fi connection data into an aggregated reports about crowd movement patterns, walking routes, occupancy rates in certain areas and waiting times. This report will not contain any personally identifiable information about you.
For this trial we are not collecting data on browsing activity, cookies, phone numbers or whether the Wi-Fi service is used.
During this trial we will use Wi-Fi connection data to determine the feasibility of using the technology to optimise the flow of visitors at Heathrow. This is very important for Heathrow so that we can:
We therefore have a legitimate interest in collecting this data so that we can make data led decisions on what we can do to improve the passenger experience and journey throughout Heathrow.
During the trial we will not match the Wi-Fi connection data to any other data held about you (e.g. CCTV footage, boarding pass information, etc.).
There are numerous ways to not be included in this trial. This includes:
By turning off your wi-fi or device your device data will not be processed during the Wi-Fi connection trial, and we will not be able to analyse your movements through the terminal.
For MAC addresses which remain consistent, we can also add you to a “do not track list”. In order to do this, you will need to email dpo@smart-flows.com and provide us with your MAC address. We require five working days to process your request.
If you have a device which changes your MAC address, known as MAC randomisation, and wish to be added to a “do not track list”, please provide us with your latest MAC address and we will endeavour to add you to this opt out list. Please note, that due to the changing nature of randomisation we may not be able to fulfil your request. Please allow five working days for us to process your request.
Due to our salting and hashing process, we will not be able to identify your MAC address once it’s collected. We will retain the hashed and salted MAC addresses for up to two years in order to analyse the data. This is important to allow us to get an accurate picture of passenger flows without polluting the data.
Your information will remain within Heathrow and will only be shared with our trusted IT service providers who manage our Wi-Fi network and our passenger flow monitoring supplier, SAPA Smart Flows.
We will not transfer or disclose your personal information, other than as identified in this Privacy Notice, to our trusted third party suppliers, to the police, tribunals, courts, regulators, or other authorities to assist them with their investigations or requests or for us to report security incidents or suspected or actual unlawful acts and/or as may be otherwise required by law.
Under UK GDPR, you have the right to:
To exercise your rights please contact the Heathrow Data Protection Officer using the following contact details:
By Post - Data Protection Officer Heathrow Airport Limited, The Compass Centre, Nelson Road Hounslow Middlesex TW6 2GW
By Email - privacy@heathrow.com
From time to time, we may process personal data from EU residents. Whenever applicable, we have appointed an EU Representative to ensure that we continuously process your personal data in compliance with applicable laws and without undermining your statutory rights.
You can contact our EU Representative at HeathrowEURepresentative@eversheds-sutherland.com and write EU Representative as subject matter.
You may also contact our EU Representative by post at:
Eversheds Sutherland Netherlands B.V.
Attn. EU Representative Heathrow Airport
Fascinatio Boulevard 212
Floor 2A
3065 WB Rotterdam
Should you find our response unsatisfactory, you have the right to lodge a complaint with the supervisory authority – the Information Commissioner’s Office (ICO). You can find more information on the ICO website at https://ico.org.uk/concerns/ regarding the complaints process.
We will keep this privacy notice under regular review, and we will place any updates here. At the start of this privacy notice we will tell you when it was last updated.
Heathrow will collect only pseudonymised data, including:
Passenger Flow Management leverages Wi-Fi signals emitted by passengers’ mobile devices. When a device connects or pings the airport’s Wi-Fi network, data is collected to understand movement patterns within the terminal.
There are numerous ways in which you can opt out of this processing:
By turning off your wi-fi or device your device data will not be processed during the Wi-Fi connection trial, and we will not be able to analyse your movements through the terminal.
For MAC addresses which remain consistent, we can add you to a “do not track list”. In order to do this, you will need to email dpo@smart-flows.com and provide us with your MAC address. We require five working days to process your request.
If you have a device which changes your MAC address, known as MAC randomisation, and wish to be added to a “do not track list”, please provide us with your latest MAC address and we will endeavour to add you to this opt out list. Please note, that due to the changing nature of randomisation we may not be able to fulfil your request. Please allow five working days for us to process your request.
Only authorised airport personnel and our trusted IT service providers have access to this data.
No, the Passenger Flow Management system operates independently from public Wi-Fi access and does not impact connection quality or speed.
