How is the right to personal fleet geolocation data defined?
Since May 25, 2018, the General Data Protection Regulation (GDPR) has been in place to protect personal data in the European Union. It is therefore the GDPR and the CNIL that regulate the data emitted by GPS trackers, whether they are used for business or private purposes.
When a company wants to track its company cars, it must follow an information and compliance process to be able to geolocate its fleet of vehicles legally.
All the data emitted by the GPS trackers inside a company's vehicles is personal. The data emitted is information about the employees who are in the vehicles, so it must be controlled and supervised to protect the privacy of employees. The protection of personal data is essential; without it, no geolocation system can be implemented.
Legal basis for the data rights of fleet GPS trackers
The basic principles of the right to vehicle geolocation data
The right to personal data emitted by GPS trackers in company vehicles is governed by basic principles. There are four principles:
- The data must be identified in advance and recorded in the company’s register.
- Only a restricted group of people has access to the data.
- Each piece of data must be used for the geolocation purposes defined by the company.
- The data must be fully secured.
These principles must be decided before the chosen geolocation system is implemented, in order to organize data collection and processing. These are the steps the employer must take to track employees’ vehicles. They make it easier for the employer to pass the information on to the staff representatives and to inform all the geolocated employees of the company. In particular, the employer must communicate the identity of the person responsible for the processing, define the duration of the data storage and define the recipient of the data.
Respecting the authorized purposes of car tracking and the prohibited reasons
The company is forbidden from collecting data for certain vehicle-tracking reasons. This is why the tracking purposes must be chosen and validated beforehand, according to the regulations imposed by the CNIL. For example, a company can install GPS trackers in employees’ cars for security purposes, to monitor compliance with company rules, to invoice and justify services, etc.
In case of abuse or misuse of the basic purposes, employees have the right to refuse to activate the geolocation of their vehicle and thus block the sending of personal data. The following reasons for geolocation of employees’ vehicles are prohibited:
- Speed monitoring of vehicles
- Excessive and permanent monitoring
- Calculation of working time if a system is already in place in the company
- Monitoring of sales representatives and staff representatives
- Monitoring outside working hours.
How is the geolocation data stored?
Storage of company car geolocation data
The employer must choose in advance how it wishes to store the data. Generally, the company can access the data of its fleet of vehicles directly from the platform associated with the GPS trackers. Then, it has the possibility to export the data in Excel, PDF, etc.
It must also choose who will be responsible for processing the data and who else will have access to it.
The removal of geolocation data from vehicle fleets
Personal data, when used in the context of work, must be supervised. A maximum legal storage period has been established by the GDPR in order to protect this data.
The rule is as follows: data can only be stored for up to 2 months from the time it is issued. This is the basic principle applicable. If the employer wishes to retain the data beyond 2 months, the use of the GPS trackers must meet one of the following exceptions:
- Route optimization
- Proof of intervention (if no other means are possible)
- Tracking of working time.
| Maximum storage period | Case |
|---|---|
| 2 months | Basic principle |
| 1 year | Optimization of the rounds; proof of intervention (no other way is possible) |
| 2 years | Monitoring of working time |
The right of employees to their company car data
Employees’ right of access to the GPS data of their company car
Only persons authorized by the company may have access to the data. These are the people who are responsible for processing and collecting the data, but also the people who are responsible for issuing the data. In this case, it is the company’s employees, who are in the vehicles assigned to them.
Employees must have personal access to the tracking platform associated with the GPS trackers, and log in with their own login and password. Employers who refuse to grant access to data to their employees may be sanctioned. Employees can therefore refuse geolocation if they do not have access to personal data about their vehicles.
According to the GDPR, the employee must have access to all the data that the GPS tracker has emitted in his company vehicle. On his data, he must have the possibility to:
However, be careful with any modification that can be controlled if there is no prior justification.
Right to disconnect the data emitted by the GPS tracker
When a vehicle is used by an employee for work purposes, but also for private purposes (lunch break, home-work journey, etc.), the right to disconnect applies, regardless of the type of vehicle. It can be a vehicle provided by the company or a personal car used for work.
What is the right to disconnect?
This is the right to temporarily stop (outside of legal working hours) the transmission of personal data from GPS trackers in the vehicles with which employees work.
The employees must be informed of how to stop the transmission of the data. This can be done by pressing a button on the GPS tracker, disconnecting the GPS tracker, or switching to private mode from the interface (e.g., when the GPS tracker is not visible or accessible).
The right to disconnect the transmission of personal data does not mean that employees can disconnect at any time. The company can check for abuses, as these may mean that the employee does not respect the company rules (use of the vehicle for private purposes, repeated breaks, unjustified trips, etc.).
The importance of employee data security
Reliability of the device and the platform associated with GPS trackers
Securing personal data is essential. When a company decides to use a geolocation system on its fleet of vehicles, it must first do some research in order to choose a device that will be reliable and secure. You can check if the company that sells you the GPS trackers already has customers (companies in particular) and you can also ask to try the platform.
Access to the data should require a unique login and password. The password must combine different types of characters (see the CNIL's recommendations for creating a secure password) for maximum security.
It is important that each employee has his own access, without having to ask the company every time he wants to access his data.
Limiting who has access to GPS tracker data
The sending of data should be restricted to the company and its employees, in other words, only those who legitimately need to access the data. In order to limit the number of people in the company who have access to the data, the people in charge of processing the data must be defined in advance.
Since several different people can access the collected data, an access log must be kept to know who has accessed the data and thus be able to trace any anomalies.
Identification of data that can be collected by GPS trackers
Several types of personal data can be collected and used by the company. Here is the list:
- The vehicle registration number (vehicle identification)
- The identification data of the employee who drives the vehicle
- The identification number of the SIM card
- Geolocation data of the vehicle: positions, trajectory, routes taken, etc.
- Additional personal data on the use of the vehicle: date, time, kilometers traveled, current status of the vehicle (moving, stopped), time in motion, duration of stops, start and end times of activity.
The choice of data to be collected must be made in advance and tied to the purpose of monitoring the vehicle fleet. For example, if the purpose of the monitoring is the monitoring of working time, consulting the kilometers driven is not necessarily needed. The data collected is recorded in the company’s register, and each employee (new or old) will be notified. The data must only be used for the purposes for which it was collected, under penalty of criminal sanctions.