The global positioning system (GPS) is becoming popular with employers wishing to monitor vehicles or equipment used by their workers. This article explores how a worker’s privacy may be restricted by the employer using GPS tracking in their equipment and how the latest European case law treats this.
Employers are increasingly using GPS geolocation devices to analyse vehicle fuel consumption, mileage, travelling time, parking time, idle time, usage statistics etc. Yet recent European case law has laid down tighter rules and requirements for personal data processing associated with GPS tracking. There are certain restrictions that each employer using these devices for business purposes should be aware of.
Restrictions
Employers are not allowed to operate GPS devices installed on vehicles used by workers in the following cases:
- monitoring of compliance with speed limits;
- constant monitoring of workers;
- geolocation devices cannot be used in vehicles –
  - because of the worker’s freedom to organise how they move around,
  - to monitor movement of the worker’s representatives or trade union representatives,
  - outside working hours when the worker is allowed to use the vehicle for private purposes,
  - to record hours worked if other devices are used for this purpose.
On 19 March 2019 a German court ruled that any unlimited tracking of staff vehicles is not permissible.
In the case covered by the ruling, a company ran a cleaning business and had installed GPS on company vehicles used by its supervisors and cleaners for business and private purposes. The company recorded the number plates of each vehicle and the start and end points of the route travelled by each worker, including the time and ignition status. The workers were unable to switch the GPS on or off.
The court found that the constant recording of the worker’s location data outside working hours is not permissible. In this case the GPS tracking could not be based on the data subject’s consent to the data processing, either. The company had no right to undertake such GPS tracking outside working hours even if the company’s legitimate interests had been cited as a legal basis for the data processing.
This ruling gives the regulators and the National Data Office a reason for checking whether such use of GPS is permissible, including by assessing whether the company engaged in GPS tracking has a legal basis for this personal data processing and whether the company has determined the legal basis correctly when doing the processing.
Employer obligations
Duty of notification
The employer is required to notify workers of a GPS device being installed. This notification can take various forms, but the most common approach is to draw up an internal policy explaining the legal basis and purpose of this data processing as well as other obligations of the employer acting as data controller to notify the data subjects under articles 13 and 14 of the General Data Protection Regulation (GDPR).
Legal basis for data processing
The employer determines a legal basis for data processing done by a GPS tracking device. The legal basis for this processing is the company’s legitimate interests.¹ In this case the company should do a balancing test to find out whether the data subject’s interests or basic rights and freedoms in need of personal data protection override the company’s interests.
A temporary solution that makes the data processing lawful may be consent received from the data subject,² but this is not the safest basis as such consent may be revoked at any time. It is important to note that the data subject’s consent cannot be a legal basis for data processing unless the data subject is given the right to revoke it.
Appropriate security measures
The employer is required to adopt proper technical and organisational solutions in order to make the data processing secure. These solutions include granting appropriate access rights to anybody who can access the GPS data collected and adhering to the data minimisation principle, i.e. processing the GPS data for as short periods as possible and using as little personal data as possible. The National Data Office recommends that any GPS data containing personal data should not be stored for longer than three months. Such information should be accessible only to the employer and the workers involved in providing those services.
GPS data is not always personal data
The employer should assess whether the GPS data held is personal data. It is important to note that not all geolocation data is personal data as this depends on the context and on how the data is used in each case. The same set of GPS data can be neutral in terms of privacy if it is used for tracking as part of logistics optimisation services and does not help identify a particular individual.
Our recommendations
To avoid the risk of a data protection breach, companies planning to process the location data of their employees or third parties such as subcontractors should, before using any GPS tracking system, assess whether the GPS equipment installed restricts the data subject’s privacy, and should also carry out other obligations of the data controller arising from the GDPR requirements.
It is also worth noting that the ePrivacy Regulation (yet to be adopted) addresses the question of gathering location data and emphasises that collecting GPS data may pose a “high privacy risk.” This means that companies will have to carry out an assessment of how such data processing affects the data subject’s rights and freedoms under article 35 of the GDPR.
_________________________________
1 Article 6(1)(f) of the GDPR
2 Article 6(1)(a) of the GDPR