The Dutch telecom provider Odido forwarded personal data from customers’ home routers to Lifemote, an American AI company, without clearly disclosing this in its privacy policy. The data included the names and MAC addresses of every device on customers’ home networks, identifiable device names such as “Jan’s iPhone” or “Apple TV in the living room,” and the names and MAC addresses of surrounding Wi-Fi networks visible from the property.
The timeline of disclosure began when Dutch newspaper De Telegraaf reported the incident in March 2026. Since then, Odido has updated its router software to stop the data sharing.
Key regulatory perspectives shape how this case is viewed. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) classifies MAC addresses as personal data under the GDPR. The events prompt scrutiny of transparency, lawful basis, and requirements for third-party data sharing under European law.
Odido routers were sending the MAC addresses and device names of all devices on a customer’s home network to Lifemote, an American AI company. This included identifiable device names such as “Jan’s iPhone” or “Apple TV in the living room,” as well as the names and MAC addresses of neighbouring Wi-Fi networks visible from the property.
A MAC address is a unique number given to each network-connected device. It is persistent and device-specific. According to Spoke Mellema, as cited by De Telegraaf, this data is highly sensitive because it enables tracking of devices and users over time and could be used for targeted advertising.
The Dutch Data Protection Authority treats MAC addresses as personal data under the GDPR because they relate to identifiable individuals. Sending MAC addresses along with device names can reveal who lives in a household and which devices they use.
No. Odido’s privacy policy stated only that it collects MAC addresses and device data from its modems. It did not disclose that this data was being forwarded to a third-party AI company in the United States.
Under Articles 13 and 14 of the GDPR, data controllers must inform individuals, at the time their data is collected, of every recipient or category of recipient. This applies whether the recipient is a processor, a sub-processor, or a third-party controller. A privacy policy that describes collection but omits onward transfer to a named company in another jurisdiction does not meet this standard.
When De Telegraaf asked Odido why it had shared customer data with Lifemote, the company declined to explain and directed the newspaper to its privacy statement. That statement, as reported, did not contain the disclosure that would have answered the question.

The central issue is a failure of transparency under Article 5(1)(a) and Article 13. The case also raises questions about the lawful basis, the existence of a valid transfer mechanism for sending data to a US-based company, and whether the data collected was proportionate to any disclosed purpose.
Article 5(1)(a) requires that personal data be processed in a transparent manner, which makes transparency a legal obligation. Article 13(1)(e) obliges controllers to inform individuals about the recipients or categories of recipients when collecting data. Article 5(1)(b) provides that data cannot be further processed in ways incompatible with the original stated purpose; doing so is a legal violation.
International data transfer also has distinct legal implications. Since the Court of Justice of the European Union invalidated the EU-US Privacy Shield in Schrems II (Case C-311/18, 2020), transfers from the EU to US companies must be underpinned by a valid legal mechanism, typically Standard Contractual Clauses, as required by Chapter V of the GDPR. The EU-US Data Privacy Framework, adopted in July 2023, provides a lawful basis for transfers only for certified US organisations. The NL Times report does not confirm the existence of a required legal transfer mechanism for the Lifemote arrangement.
Odido recently made international headlines after hackers breached its systems and stole the personal data of 6.2 million current and former customers, eventually publishing it after Odido refused to pay a ransom.
That incident also revealed a data retention failure. Odido’s privacy policy states it retains data for up to two years after a contract ends. Former customers who had switched providers up to ten years ago received breach notification emails.
Under GDPR Article 5(1)(e), personal data may be retained only for as long as necessary. Retaining former customers’ data for a decade, while publicly stating a two-year limit, appears to breach this principle and the accountability obligation under Article 5(2). These two distinct violations, one in data security and one in data transparency and retention, may indicate systemic noncompliance with legal requirements rather than an isolated error.
If your product or service involves hardware, software, or applications that collect data from users and send any of it to a third-party service, that processing must be disclosed in your privacy notice, covered by a valid lawful basis, and, where the recipient is outside the EU or UK, protected by an appropriate transfer mechanism.
Many organisations integrate third-party SDKs, analytics platforms, or AI services into their products without treating those integrations as data sharing with third parties. Under the GDPR, they are.
Practical steps for any organisation in this position: audit every third-party service integrated into your product and confirm each one is referenced in your privacy notice; verify the lawful basis for any data transfer to each tool; check whether each vendor’s infrastructure is located outside the EU or UK and, if so, confirm what transfer mechanism is in place; confirm your Data Processing Agreement with each vendor reflects the actual categories of data being processed.
Odido’s case is a reminder that GDPR compliance obligations do not stop at the organisation’s own infrastructure. They follow the data.
A MAC (Media Access Control) address is a unique identifier assigned to every network-connected device. It is built into the device’s hardware and remains unchanged when the device moves between networks. The Dutch Data Protection Authority treats MAC addresses as personal data because they can be used to identify and track individuals, particularly when combined with other information such as device names. Collecting and sharing MAC addresses from home networks without disclosure is therefore a GDPR compliance issue, not a technical detail.
Under Articles 13 and 14 of the GDPR, organisations must tell individuals, at the point of data collection, who will receive their data. This includes processors and sub-processors. Where data is transferred to a company in a third country, the privacy notice must also reference the transfer and the safeguards in place. Vague references to “service providers” or “partners” without naming or categorising recipients do not meet the GDPR standard. If a third-party tool processes personal data on your behalf, that arrangement must appear in your privacy notice.
Following the Schrems II ruling in 2020, which invalidated the EU-US Privacy Shield, organisations transferring personal data from the EU to the United States must rely on an alternative mechanism. The most widely used is the Standard Contractual Clauses (SCCs), which require the importer and exporter to assess whether the law in the destination country offers essentially equivalent protection. The EU-US Data Privacy Framework, adopted in 2023, offers an adequacy-based route for transfers to US organisations that have certified under the Framework. UK organisations must use the equivalent UK mechanisms, including the UK International Data Transfer Agreement (IDTA).
Current and former Odido customers can submit a data subject access request under GDPR Article 15 to find out what personal data Odido holds about them. If they believe their data has been processed unlawfully, they can file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
The Dutch Data Protection Authority has the power to investigate and, where a GDPR infringement is confirmed, to impose fines of up to 20 million euros or 4% of annual global turnover, whichever is higher, for the most serious violations. Whether the AP has opened a formal investigation into the Lifemote data sharing specifically has not been publicly confirmed as of March 2026. Given the separate breach affecting 6.2 million customers, the AP is likely already in contact with Odido.
The underlying compliance issues apply across the EU and UK wherever organisations use third-party tools that process personal data. GDPR is not sector-specific or country-specific within the EU. Any organisation that embeds a third-party analytics, AI, or data processing service into a product without disclosing that arrangement in its privacy notice and without securing an appropriate transfer mechanism for cross-border flows is exposed to the same regulatory risk that Odido now faces.
Sources:
NL Times: Odido routers forwarded customers’ personal data to American AI company for years, March 2026
EU GDPR — Articles 4, 5, 13, 14, 44 — eur-lex.europa.eu
Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
CJEU — Schrems II judgment, Case C-311/18, 2020
European Commission — EU-US Data Privacy Framework
About the Author
Zlatko Delev
Country Manager & Head of Commercial — GDPRLocal
Zlatko specialises in data protection compliance, ISMS strategy, and AI law. With a legal background and hands-on experience supporting organisations globally, he helps businesses navigate GDPR, the EU AI Act, and international privacy frameworks.