Many organisations use GPS tracking in the vehicles they operate claiming necessity for protection against theft, general fleet management and monitoring deliveries, etc. One of the first rulings under GDPR and Germany’s updated Data Protection Act (BDSG-new), has provided clearer guidance on what is the appropriate use of this technology in employment. Many employers will need to revisit how their systems are configured and whether persistent use of GPS is warranted.
The case in question
The situation arose when a cleaning company, which had 18 vehicles equipped with GPS tracking technology and which was gathering real-time data on these vehicles’ positions, was instructed to cease doing so by the Data Protection Authority. This order was issued in March 2017 and required that ‘personal positioning during proper operational use of the vehicles’ must not take place. The company decided to contest the order in court. Its position was that the use of GPS was necessary to:
- Provide evidence that work was carried out as scheduled;
- Help plan visits to customer sites and coordinate the vehicles;
- Help enforce the company’s bans on weekend-driving and personal use of the vehicles;
- Prevent theft of their vehicles or recover them if stolen.
The staff were aware of the use of the GPS systems and consent had been gathered from some of the staff who used these vehicles. The system recorded information such as distance travelled with starting location, the time travelled, whether the ignition was turned on, all while identifying the vehicle by its number plate.
The Court’s decision
In March of this year, the Lüneburg Administrative Court ruled that there were no grounds to challenge the Data Protection Authority’s order. The Authority was properly acting under its powers as set out under Article 58 (2) (d) and (f)) of the GDPR. Their order was correctly based on Article 88(1) GDPR, and section 26 of the updated German Data Protection Act (Bundesdatenschutzgesetz (‘BDSG-new’)). In light of this legislation, the Court agreed with the decision that the current use of the GPS system by the cleaning company was not warranted. This was because it was not necessary for the purposes of the employment relationship nor was its use in this case validated by gaining proper consent of the employees in line with the GDPR standards. The company did not adequately communicate the right to withdraw consent and employees were not fully informed about the purpose of processing the data.
In response to the arguments put forward by the company, the Court went on to counter these as follows:
- Vehicle location data is not suitable as proof that work was carried out for a client as it only shows a company’s vehicle was close by;
- For a cleaning company, unlike say for a bus company or transporting of goods, the current or past location of the vehicles is not required for planning of visits which are not time-critical. Other less intrusive methods such as phoning the driver, could be used for coordination, in other words in was disproportionate;
- Again, other methods could be used for monitoring weekend-driving bans and personal use, such as the use of logbooks or handing in the keys;
- GPS tracking does not prevent theft by itself while the potential recovery of stolen vehicles can be aided by a one-time GPS location request rather than constant ongoing monitoring.
The fact that the company only accessed the real-time geolocation data less than 5 times a year further undermined their arguments.
What does this mean for employers?
While this is a German ruling and is tied in part with the updated German Data Protection Act, this judgement is likely to set precedence in interpreting how GPS technologies can be correctly implemented under GDPR.
- Firstly, not all businesses/industries are the same and while some may be able to demonstrate a reasonable requirement for the use of real-time GPS, not all will be able to.
- Secondly, given how intrusive constant tracking is to the employees, where other means can reasonably be used to achieve the same goals, GPS will likely not be permitted. There are strong similarities here with French regulations on Biometric data.
Organisations wishing to use a GPS system will need to ensure such use is proportionate in the wider context of their sector and demonstrate this by undertaking a detailed Data Protection Impact Assessment (DPIA) including appropriate consultation with their employees. Where a GPS system is deemed warranted, it must be correctly configured and access to the data must be restricted to those whose roles require access to such personal data. The use of GPS should also be fully explained in company policies and staff handbooks.
Please visit Trilateral’s Data Governance page and contact our team for more information on DPIAs and suggested mitigation measures to protect the rights and freedoms of employees.
