Introduction
The use of GPS vehicle tracking systems has become increasingly prevalent among employers, offering operational efficiencies and enhanced asset protection. However, these systems involve the collection and processing of personal data, such as location data, which falls under the scope of the General Data Protection Regulation (“GDPR”). Employers must carefully consider the data protection implications and ensure compliance to protect employees’ privacy rights.
This article explores the key considerations for employers implementing GPS tracking systems, focusing on the distinction between company-owned vehicles and private vehicles used for work purposes. It also addresses GDPR obligations associated with each scenario and outlines the Data Protection Commission (“DPC”)’s guidance on best practices.
Personal Data Processed by GPS Trackers
Before addressing compliance requirements, it’s essential to understand the types of personal data GPS trackers may process and how these data types are categorised under GDPR. GPS trackers typically process data that can be linked to an identifiable individual, such as an employee. The following are key types of personal data that GPS trackers might process:
| Data Category | Personal Data |
| --- | --- |
| Location Data | Real-time position of the vehicle (and by extension the employee) as GPS coordinates; time-stamped history showing where the vehicle has been, including routes, stops and travel history; geofencing data recording whether the vehicle enters or leaves predefined areas or boundaries. |
| Behavioural Data | Speed at which the vehicle is travelling; idling times or unnecessary stops; harsh driving events such as sudden braking or rapid acceleration. |
| Identification Data | Employee identifiers such as employee IDs or vehicle registration numbers; links to the employee's work, such as time spent driving or the specific duties performed. |
| Time and Activity Logs | Time logs of vehicle usage; breaks, working hours or overtime (where the tracker is integrated with timekeeping systems). |
These data types carry varying levels of risk and must be handled in compliance with GDPR principles, in particular Article 6 (lawful basis for processing). None of them is special category data in itself, but continuous location and behavioural data can reveal sensitive aspects of a person's life (for example, visits to a medical facility or place of worship), which is why the risk is treated as elevated. If the system also collects health-related data (e.g., fatigue monitoring), Article 9 (special category data) applies: such processing is prohibited unless one of the Article 9(2) exceptions is met, and additional safeguards are required.
Legal Basis for GPS Tracking: Understanding the GDPR Requirements
Under Article 6 of the GDPR, every processing of personal data must rest on a valid legal basis. The data controller must identify a clear and appropriate basis for each data type it processes, so that the processing is lawful, fair and transparent. Employers must therefore define the purpose of the processing and confirm that each data type collected by the tracker is covered by one of the bases listed in Article 6(1). Processing without such a basis is unlawful.
When implementing GPS tracking systems, employers must comply with Article 6 by selecting an appropriate legal basis for data collection and processing. This includes adhering to purpose limitation (ensuring data is used only for its specified purpose) and data minimisation (collecting only the necessary data).
Common Grounds for Lawful Processing
- Consent (Article 6(1)(a)): While consent may seem like an obvious choice, it is not ideal in employer-employee relationships due to the inherent power imbalance. Employees may feel pressured to consent to tracking to maintain their employment status. Therefore, consent is rarely considered sufficient, particularly when tracking is part of the employment relationship.
- Contractual Necessity (Article 6(1)(b)): This legal basis applies if tracking is essential to fulfil the terms of an employment contract (e.g., for a delivery driver or company car user). However, contractual necessity does not justify continuous or non-business-related tracking of private vehicles.
- Legitimate Interests (Article 6(1)(f)): Legitimate interests is the basis most commonly relied on for company vehicles. Employers can argue that tracking vehicles used for business purposes is necessary to safeguard business assets, ensure security, or improve operational efficiency. Relying on this basis requires a documented three-part assessment: identifying the legitimate interest, showing that the tracking is necessary for it (and that no less intrusive means would do), and balancing that interest against the employee's rights and reasonable expectations. For private vehicles used for work the balancing step weighs more heavily against the employer, as employees have a higher expectation of privacy outside working hours.
Purpose Limitation and Data Minimisation
Under Article 5(1)(b) and (c) of the GDPR, employers must ensure that data processing is purpose-limited and data-minimised. The purpose for data collection must be defined before the tracking technology is implemented and must be specified, explicit and legitimate. Data should only be used for the purpose for which it was originally collected; for instance, using location data gathered for vehicle security to monitor employee performance is incompatible with the original purpose and would require a fresh assessment of lawfulness and fresh information to employees.
Employers should also ensure that tracking is necessary and cannot be achieved by less intrusive means. Data minimisation is essential—only the minimum amount of data necessary to achieve the purpose should be collected.
Transparency and the Right to be Informed
Employers must comply with GDPR transparency obligations by ensuring employees are informed about vehicle tracking. Employees must be made aware of the existence of tracking, how it works, and the specific purposes for which their data will be used before the tracking system is implemented. Employers must also explain what records are being created, how long the data will be retained, and who will have access to it.
Employers should provide clear, comprehensive information to employees, and ideally display this information prominently in the vehicle. A vehicle tracking policy should also be made available, outlining the use of tracking devices and policies for company vehicles used for private purposes.
The Need for Extra Safeguards and DPIAs
As location data carries a moderate to high risk to individuals' privacy, employers must implement safeguards when processing it, particularly if it is collected systematically or continuously. Article 25 of the GDPR (data protection by design and by default) requires employers to build privacy measures into GPS tracking systems from the outset, and to configure them so that, by default, only the data necessary for the stated purpose is collected.
A Data Protection Impact Assessment (DPIA) is crucial to assess privacy risks, evaluate the necessity and proportionality of the tracking, and outline mitigating measures. Given that GPS tracking involves systematic location data collection, a DPIA is typically required before implementation.
When is a DPIA Needed?
Under Article 35(1) of the GDPR, a DPIA is mandatory where processing is likely to result in a high risk to individuals' rights and freedoms. GPS tracking, which often involves systematic monitoring of an employee's location or behaviour, meets this criterion. The European Data Protection Board (EDPB) guidelines on DPIAs list criteria that indicate likely high risk, several of which apply here: systematic monitoring, evaluation or scoring (e.g., driver behaviour), data concerning vulnerable data subjects (employees, given the power imbalance), and the use of new technologies. Where two or more criteria are met, a DPIA will generally be required, particularly when location data reveals personal aspects of an individual's behaviour or routine.
What Should a DPIA Include?
A DPIA should address the following:
- Description of the Processing Operation: This should include the type of data being collected, the specific purposes for processing, and any legitimate interests for the processing.
- Assessment of Necessity and Proportionality: Employers must assess whether the GPS tracking is necessary for the identified purpose and ensure the data collection is proportionate to that purpose. For example, tracking should be limited to the times when the vehicle is used for business activities, and any tracking outside of working hours should be justified and kept to a minimum.
- Impact on Employees’ Rights and Freedoms: Employers must evaluate the potential impact on employees’ privacy rights and freedoms. The DPIA should include an analysis of the risks associated with the processing and the specific privacy risks linked to location data.
- Risk Mitigation Measures: Employers must identify measures to mitigate the risks identified in the DPIA. This could include:
  - Implementing security measures such as encryption of location data in transit and at rest, role-based access controls so that only staff with a defined need can view location data, and logging of who accessed it and when.
  - Limiting the period for which location data is retained, and deleting or anonymising it once that period expires.
  - Ensuring employees are informed about the tracking system and their rights.
Spotlight: Practical Compliance Steps for Employers
Employers implementing GPS tracking systems must ensure compliance with GDPR principles by ensuring tracking is limited, proportionate, and lawful. The DPC offers the following key recommendations:
- Limit the Time and Location of Tracking: Tracking should be restricted to work hours or work-related activities. Tracking outside these times, particularly for privately owned vehicles, may not meet GDPR requirements. Location data access should be limited to emergencies, such as vehicle theft or when a vehicle leaves a predefined area, ensuring compliance with data minimisation and proportionality.
- Take Extra Care with New Technologies: Employers must ensure that employees are fully informed about tracking systems and their purpose. The tracking should be limited to its intended purpose. Employers should develop a clear tracking policy that explains data collection, use, and retention. The EDPB stresses the need for clear limits and transparency to avoid intrusive monitoring, ensuring that employers’ interests do not override employees’ privacy rights.
- Implement Opt-Out Measures: For personal vehicle use, employers must provide an opt-out option, such as a privacy switch, to allow employees to deactivate tracking during personal use. Employees should be trained on how to use the switch and be informed about the system’s existence and the process for deactivating tracking when the vehicle is used personally.
- Avoid Intrusion into an Employee’s Personal Life: Employers should avoid collecting excessive or unnecessary data, particularly location data, which can reveal personal habits and routines. Tracking personal vehicles outside of working hours should only occur when there is a valid legal basis, as unauthorised tracking could lead to significant privacy risks and data protection violations.
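As an added illustration of how the four recommendations above can be enforced at the point where tracker data is ingested, the following Python sketch is example code written for this article; it is not taken from the DPC guidance or from any telematics product. It discards fixes while the privacy switch is on, stores positions only during working hours and only for a fixed retention period, and outside working hours records nothing except a geofence-exit alert (the theft scenario) that carries no coordinates. The working window, the 30-day retention period, the depot geofence and the sample fixes are all assumed values constructed for the example.

```python
"""Hypothetical ingest filter applying the DPC-style limits to raw GPS fixes.

Added example, not code from the article or any vendor product. The working
hours, retention period and depot geofence are assumed policy values.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from math import asin, cos, radians, sin, sqrt

WORK_DAYS = range(0, 5)                          # Monday (0) to Friday (4), assumed
WORK_START, WORK_END = time(8, 0), time(18, 0)   # assumed working window
RETENTION = timedelta(days=30)                   # assumed retention limit for stored fixes
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Fix:
    """One raw position report from the tracker."""
    vehicle_id: str
    ts: datetime
    lat: float
    lon: float
    privacy_switch: bool   # True while the driver has switched tracking off for personal use


@dataclass(frozen=True)
class Geofence:
    name: str
    lat: float
    lon: float
    radius_km: float


def in_working_hours(ts: datetime) -> bool:
    """True for fixes taken inside the assumed working window."""
    return ts.weekday() in WORK_DAYS and WORK_START <= ts.time() < WORK_END


def distance_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points (haversine formula)."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def minimise(fixes, fence: Geofence, now: datetime):
    """Apply the policy to a batch of fixes and return (retained, events).

    retained: fixes that may be stored, i.e. privacy switch off, taken during
              working hours and no older than RETENTION relative to `now`.
    events:   geofence-exit alerts raised outside working hours. Only the
              vehicle, the time and the fence name are recorded, never the
              coordinates, so no out-of-hours trace is built up.
    """
    retained, events = [], []
    last_inside = {}   # vehicle_id -> whether its previous processed fix was inside the fence
    for fix in sorted(fixes, key=lambda f: f.ts):
        if fix.privacy_switch:
            # Personal use: the fix is discarded and the fence state is reset so a
            # later switch-off away from the depot is not misread as a theft exit.
            last_inside.pop(fix.vehicle_id, None)
            continue
        now_inside = distance_km(fix.lat, fix.lon, fence.lat, fence.lon) <= fence.radius_km
        was_inside = last_inside.get(fix.vehicle_id)
        last_inside[fix.vehicle_id] = now_inside
        if in_working_hours(fix.ts):
            if now - fix.ts <= RETENTION:   # purge anything past the retention limit
                retained.append(fix)
            continue
        # Outside working hours: no position is stored; only a fence exit is flagged.
        if was_inside and not now_inside:
            events.append({"vehicle_id": fix.vehicle_id, "ts": fix.ts, "left": fence.name})
    return retained, events


def run_example():
    """Run the filter over a constructed batch of fixes for one vehicle."""
    depot = Geofence("depot", 53.3498, -6.2603, radius_km=0.5)   # assumed depot location
    now = datetime(2024, 6, 17, 9, 0)                              # a Monday morning
    fixes = [   # constructed sample data
        Fix("VAN-1", datetime(2024, 5, 1, 9, 0), 53.3500, -6.2600, False),     # stale: past retention
        Fix("VAN-1", datetime(2024, 6, 14, 9, 0), 53.3500, -6.2600, False),    # Fri 09:00 at depot
        Fix("VAN-1", datetime(2024, 6, 14, 10, 0), 53.3948, -6.2603, False),   # Fri 10:00 on a job, ~5 km out
        Fix("VAN-1", datetime(2024, 6, 14, 19, 0), 53.3500, -6.2600, False),   # Fri 19:00 back at depot
        Fix("VAN-1", datetime(2024, 6, 14, 19, 30), 53.3948, -6.2603, False),  # Fri 19:30 left depot after hours
        Fix("VAN-1", datetime(2024, 6, 15, 10, 0), 53.3948, -6.2603, True),    # Sat, privacy switch on
    ]
    return minimise(fixes, depot, now)


if __name__ == "__main__":
    kept, alerts = run_example()
    for f in kept:
        print("stored", f.vehicle_id, f.ts, f.lat, f.lon)
    for e in alerts:
        print("alert", e)
```

Running the example stores only the two Friday working-hours fixes (the May fix is past the retention limit), raises a single "left depot" alert for the 19:30 movement without recording where the vehicle went, and ignores the Saturday fix entirely because the privacy switch was on. The same filter would need to sit in front of every consumer of the data, not only the reporting dashboard, for the minimisation to hold.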
This article was drafted by Robin Hyde (Partner)