GPS tracking must be appropriate and necessary

The Slovenian SA rules that, while the security of property can be a legitimate interest for GPS tracking, the tracking must be appropriate and necessary.

 

The Slovenian Supervisory Authority (SA) determined that a data controller which engaged in GPS tracking of eight company vehicles did not have a legal basis to do so, according to this report from the EDPB. The company vehicles were used by employees for fieldwork transport and installation of equipment at clients’ premises. The GPS tracking was facilitated by a special transmitter in each vehicle, monitored by an application that continuously recorded the distance travelled by each vehicle. Considering that the individuals were identifiable, the Slovenian SA ruled this tracking unlawful and ordered the company to stop processing employee data collected by continuous, systematic and automatic GPS tracking.

 

GPS tracking was introduced within the company after a worksite theft, making it possible for the employer to track employees in real time and retrospectively.

 

After a theft was recorded at a worksite in 2009, the data controller introduced GPS tracking of company vehicles. These vehicles were used for fieldwork transport and installation of equipment at clients’ premises. The purpose of this tracking was to secure the vehicles, and the expensive equipment and documents in them, in case of theft. Special records were created containing a large amount of employee location data. This data was processed continuously, systematically and automatically, so that the employer could determine at any moment where an individual travelling in any one of the vehicles was located. The data could also be accessed retrospectively. As a result, the employer could easily determine which employee was using a company vehicle and to whom all this location data was attributable.

 

The Slovenian SA has determined that there was no legal basis for processing the personal data pursuant to Article 6 of the GDPR.  

 

The Slovenian SA carried out an investigation to assess whether this data processing was lawful in accordance with Article 6.1 (f) of the GDPR. This article states that processing may be carried out if it “is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” According to the Slovenian SA, the controller did not demonstrate that the way the GPS tracking was carried out was appropriate and necessary. It was also found that this GPS tracking was carried out even while the vehicle and the property in it were under constant and direct supervision of an employee. The Slovenian SA has ruled that the controller did not demonstrate legitimate interests according to Article 6.1 (f) and that the GPS tracking was not in accordance with the principle of data minimisation (Article 5.1 (c) of the GDPR).

 

The Slovenian SA has asked the data controller to bring its processing of employee data for tracking purposes into compliance.

 

According to the Slovenian SA, in this specific case GPS tracking should only be used in a way that allows the driver to turn on the GPS at the location where the vehicle, the equipment and the documents could possibly be at risk, and to turn it off after returning to the vehicle, as the protected goods would again be under the direct supervision of an employee. The Supervisory Authority has ordered the controller to stop processing the data of employees by continuous, systematic and automatic GPS tracking.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.
