GPS tracking of company vehicles

Companies regularly provide company vehicles to some of their employees, such as managers or field staff. This may be done as a special token of appreciation, as a monetary benefit, or for specific purposes such as business trips or the transport of work equipment. This can give rise to data protection pitfalls if these vehicles are equipped with global positioning system transmitters (hereinafter "GPS transmitters"), as is common in newer vehicle models ex works, so that their location can be tracked via an app or other means. It is often overlooked that the material scope of the General Data Protection Regulation (GDPR) applies when personal data is stored in a file system or is to be processed wholly or partly by automated means (Art. 2 (1) GDPR). According to Art. 4 No. 1 GDPR, data is personal if it relates to an identified or identifiable natural person (hereinafter referred to as "data subject"); it is sufficient if the data subject can be identified directly or indirectly, in particular by assignment to an identifier such as location data. GPS tracking initially only records data on the location of the GPS transmitter. However, as soon as a company vehicle is assigned to specific employees or a limited group of people, the location data becomes personal. This location data can thus be used to draw conclusions about the whereabouts and driving behaviour of the respective employee. This can result in a comprehensive movement profile of the employee. If company vehicles are equipped with GPS transmitters and companies have access to this (personal) data, they are therefore obliged to find a sound legal basis for processing this data and to comply with the principles for processing personal data in accordance with Art. 5 (1) GDPR. 

Legal basis 

The processing of personal data is subject to a preventive prohibition with reservation of permission and must therefore be based on a legal basis. The catalogue in Art. 6 (1) GDPR offers two legal bases that can be used to justify GPS tracking. However, the hierarchical relationship in the employment context sometimes poses particular challenges.

Consent

One possible legal basis is consent pursuant to Art. 6 (1) (a) GDPR. Effective consent requires the employee's informed, voluntary and specific agreement in relation to a particular case. If company vehicles are equipped with GPS transmitters, employers must therefore inform their employees comprehensively before handing over the keys as to whether and, if so, under what conditions and for what purpose location data is (or can be) collected, when the GPS transmitter is activated and collects location data, who has access to the data and what deletion periods apply. Furthermore, a declaration of consent in the form of an explicit statement or a clear confirmatory action is necessary. A mere service instruction that GPS tracking is taking place only documents compliance with the information obligations and is not sufficient even if employees are required to sign this notice. Rather, the document must clearly state that the employee agrees to GPS tracking. In some vehicle models, GPS transmitters can be switched on and off manually, for example via an app. In this case, the activation of the GPS transmitter by the employee could be considered an unambiguous declaration of consent. Once the employee has effectively declared their consent, the employer must ensure that they can revoke their consent at any time. This right of revocation must also be communicated in advance.

In the employment context, stricter requirements apply to the voluntary nature of consent pursuant to Section 26 (2) of the Federal Data Protection Act (BDSG) due to the relationship of dependency. Indications of voluntariness include the employee gaining a legal or economic advantage or having interests similar to those of the employer. If, for example, the use of a company car is linked to a salary increase or permission to use it for private journeys, voluntary consent may well be given. As soon as a pressure situation arises for the employee or disadvantages are to be feared if consent is refused, voluntariness is ruled out. In any case, voluntariness cannot be assumed in the case of comprehensive surveillance (cf. 1st Activity Report 2018 of the Thuringian Data Protection Authority).

Consequently, when requesting consent, the employer must ensure that the employee makes an unambiguous and voluntary declaration. 

Legitimate interest

The employer may have a legitimate interest in the use of GPS tracking, Art. 6 (1) (f) GDPR. The employer may assert various legitimate interests when utilizing GPS tracking. These include protection against criminal offences, the safety of employees transporting dangerous goods, optimal route planning, the awarding of contracts based on proximity to location, or proof of work performed for billing purposes (to the customer).

However, it is already questionable whether GPS tracking is necessary to achieve the respective purpose and whether less intrusive measures could be used instead. If the employer wishes to protect itself from becoming the victim of a criminal offence or a serious breach of employment law obligations, there must be suspicion of a work-related offence, such as theft. Furthermore, the suspicion must be limited to an identifiable group of employees. In other words, there must be concrete evidence that a (limited group of) employees may commit a criminal offence. In case law, GPS tracking is described as "completely unsuitable" for preventive theft protection (see LG Lüneburg, decision dated 19.03.2019 – 4 A 12/19, VG Wiesbaden, decision dated 17.01.2022 – 6 K 1164/21. WI). Only real-time monitoring of location data has a deterrent effect and deters perpetrators from committing their crimes, whereas the storage of location data does not. If a company vehicle or work equipment kept inside the vehicle has already been stolen, selective collection of location data is sufficient as a repressive measure. However, the data may not be stored. If the employer's interest lies in using the location data for future-oriented and optimised route planning, current and past location data is outdated and therefore useless, according to case law. For proving that work has been performed, there are less intrusive means, such as manual logbooks, acceptance or receipt confirmations from customers, and file notes. In certain areas of work, such as winter road maintenance or motorised road surveillance, GPS tracking may be necessary to document the clearance and gritting routes travelled (see 1st Activity Report 2018 of the Thuringian Data Protection Authority). However, the documentation (to defend against possible claims) must only prove that a service vehicle completed the tour at a certain time, and it is not necessary to establish a personal reference. In this respect, however, the scope of application of the GDPR does not apply. On the other hand, a personal reference is necessary when assigning urgent orders based on proximity to the location, such as in the case of emergency services. In such cases, it is not only necessary to determine which rescue vehicle is closest to the scene of the accident, but also to contact the vehicle occupants and inform them of the task ahead. If GPS tracking is used for the safety of employees transporting dangerous goods or money, the collection of location data is necessary. After all, the employer has a duty of care and the interests of the employees themselves are also protected.

Finally, when weighing up the interests of the company against those of its employees, the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data should not prevail. Depending on the specific design of the GPS tracking system, a comprehensive movement profile of the employee is created. In particular, when permission is granted for private use, location data can be used to determine where the employee stays and spends the night, visits family, goes to the doctor and personal habits. This information is classified as private or even intimate, and the employee's interests in protection are correspondingly high.

As a result, employers should specifically question the necessity of GPS tracking to protect their legitimate interests and protect the employee's private or intimate sphere.

Involvement of the works council 

In companies with a works council, Section 88 (2) GDPR in conjunction with Section 26 (4) BDSG also provides the option of justifying GPS tracking by means of a works agreement. In any case, the works council's right of co-determination under Section 87 (1) No. 6 BetrVG in conjunction with Section 26 (6) BDSG must be observed. If there is no works council, an alternative option would be a written declaration of commitment by the employer or an annex to the individual employment contract (see 24th Activity Report 2019 of the LfD NRW).

Compatibility with the principles of data protection law

If GPS tracking can be based on a legal basis, the technical arrangements must also be compatible with the general principles of data protection law under Art. 5 GDPR.

According to the principle of transparency pursuant to Art. 5 (1) (a) GDPR, location data must be processed in a manner that is comprehensible to the employee. Regardless of the legal basis – and not only when requesting consent – the employer must fulfil comprehensive information obligations. Secret GPS tracking is therefore generally unlawful; exceptions may exist in the case of detecting criminal offences. A central principle of data protection law is purpose limitation. Location data must be processed for specified, explicit and legitimate purposes. In any case, in the case of continuous monitoring, there is generally no clear purpose for GPS tracking. If the employer also allows the use of the company car for private trips, monitoring these private trips is usually not covered by a business purpose, so there should be a technical option to switch off the GPS transmitter. If this is not possible, it should be checked whether the employee can be granted sole access to the tracking app or other location tracking option. Otherwise, the employee's family environment could also be affected by the monitoring. Closely related to this is the principle of data minimisation under Art. 5 (1) (c) GDPR, according to which data processing must be appropriate and necessary for the purpose and limited to what is necessary for that purpose. Often, the intended purposes can also be achieved by less intrusive means. This could include keeping a manual logbook or collecting location data from the employee themselves, for example by means of a phone call. Furthermore, the principle of storage limitation must be observed. According to this principle, location data may only be stored for as long as it’s necessary for the purposes of processing. In most cases, storage of the data is not necessary or only necessary for a short period of time, and live tracking is sufficient. As previously stated, according to case law, storage for the purpose of theft protection is inappropriate. The same can be assumed for assigning urgent orders based on proximity to the location. For winter services, a short storage period of 24 hours should be sufficient. Finally, the employer must adequately document the use of GPS tracking and include it in the record of processing activities. In view of the movement profile that can be created and the possible decision-making by the employer on the basis of location data, the employer must carry out a data protection impact assessment in accordance with Art. 35 GDPR.

Rights of data subjects

If GPS tracking is potentially being used unlawfully by the employer, the employee has various rights. If consent has been obtained, it can be revoked at any time. It is advisable to first contact the works council and thereby obtain lawful GPS tracking. If this does not lead to a satisfactory result or if there is no works council, a request for information can be made to the employer. Of course, it is also possible to lodge a complaint with the competent supervisory authority or, as a last resort, to take legal action.

Conclusion

Companies generally want to give some of their employees special recognition or offer them an advantage by providing them with a company car. However, if GPS transmitters are installed in these vehicles, the location data allows conclusions to be drawn about the whereabouts of the respective employee and thus constitutes personal data within the meaning of Art. 4 No. 1 GDPR. In this case, employers are generally subject to the scope of the GDPR in accordance with Art. 2 (1) GDPR. Employers are often unaware of factory-installed GPS transmitters. Particular caution is required here. In such cases, employers cannot simply provide their employees with company cars, but must develop a concept for handling this (partly automatically) collected location data in a manner that complies with data protection regulations. In particular, it is important to check in advance or, if GPS tracking is intended, to determine when and for what purposes location data may be retrieved and to consider how this will be communicated to employees. This raises the question of the data protection basis for GPS tracking of vehicles. One possible legal basis is the consent of the employees, whereby the employer must ensure that the respective employee makes an unambiguous and voluntary declaration when requested to do so. If GPS tracking is associated with an advantage – for example, a salary increase or permission for private use – a voluntary declaration can be assumed. Alternatively, the employer could base GPS tracking on a legitimate interest. In this case, either (permanent) GPS tracking or the personal reference is often not necessary, so the employer should specifically question the necessity of GPS tracking. In addition, the employee's need for protection must be taken into account, which is high due to the comprehensive movement profiles that can be created with GPS tracking.

GPS tracking must also comply with the principles of data protection law. In particular, there should be no unwarranted or permanent monitoring. If the use of the company car for private journeys is permitted, it should be technically possible for the employee to deactivate the GPS transmitter. For vehicles without such a switch-off device, it should be checked whether location tracking can be deactivated in another way, for example by protecting the location app with a password known only to the employee. If, on the other hand, the employer has an interest in the location data of the vehicles, they should check whether they can pursue their interests by alternative means, for example with a manual logbook or personal location queries to the employee. Finally, the collection of location data and its storage should be assessed individually as separate processing operations; in most cases, live tracking is sufficient and the storage of old location data is superfluous.