Guidelines on geolocation tracking of employee vehicles under the GDPR from the Luxembourg DPA

The Luxembourg National Commission for Data Protection (“CNPD”) issued on April 15, 2021 practical guidelines on geolocation systems for employee vehicles under the GDPR.

The CNPD acknowledges the increased use of geolocation systems for employee vehicles in the business field and underlines that the use of these devices involves the processing of personal data and raises certain data protection issues and risks for the privacy of employees. For example, geolocation exposes employees to the risk of being tracked in real time by their employer outside working hours, or to the risk that the geolocation system is used by the employer for purposes other than those for which it was installed.

In this context, the CNPD recalls some of the principles and obligations applicable to the geolocation of employees with regard to the legislation on the protection of personal data:

1. Principle of lawfulness of processing

In the context of a geolocation device implemented by an employer in relation to its employees, a valid legal basis for this processing activity could be the employer’s legitimate interests.

Furthermore, in case the installation of a geolocation device of employees' vehicles is imposed on the employer by a rule of national or European law (e.g., legislation applicable in the field of national and international road transport), the legal basis of compliance with a legal obligation could be applicable.

The CNPD underlines that consent is not an appropriate legal basis in relation to employee geolocation, given the dependency and imbalance of power that exists in employment relationships.

2. The purpose limitation principle

Without claiming to be exhaustive, the CNPD notes that the following purposes could be envisaged for the processing activity under discussion, depending on the case in question and the nature of the controller's activities:

• Optimisation of the work process by better allocation of available resources (e.g., dispatch of the vehicle closest to the place of intervention, management of the vehicle fleet etc.);
• Tracking goods due to their special nature (hazardous materials, food products);
• Establishing the follow-up and the constitution of proof of the execution of a service linked to the use of the vehicle (for example, intervention on the road network, collection of household waste etc.) with a view to invoicing the services to the customers;
• Contribute to the safety of goods (vehicles, transported materials etc.);
• Ensuring the safety of employees (with regard to the risk to which they are exposed, due to the particular nature of the products transported (cash, valuables, hazardous materials, etc.) or the nature of the activity carried out by the employees);
• Tracking employees' working hours, only when this cannot be done by other means, such as a "classic" clocking-in system (for example, in the case of an employee who holds a sales position, when the latter is on the move all day, and does not pass through the employer's premises in the morning and evening; clocking-in is therefore not possible);
• Comply with a legal or regulatory obligation, under national or European law, requiring the implementation of a geolocation system, for example because of the type of transport or the nature of the goods transported, particularly in the field of national and international road transport.

Prior to the installation of a geolocation device, the controller should precisely define the purpose(s) that it wishes to pursue by using such a system, and may not subsequently use it for other purposes. Consequently, an employer who decides, for example, to install a geolocation system with the sole aim of ensuring the protection of his vehicles against theft, cannot then use it to monitor the working time of its employees.

3. Principle of transparency

When a company decides to install a vehicle geolocation system, it may, for example, inform its existing employees by providing them with a specific document regarding vehicle geolocation. For employees who start working after the installation of the system, the company can inform them via a document attached to the employment contract.

Furthermore, the CNPD recalls that the information should preferably also be displayed in a prominent place in each vehicle, within sight of the driver.

Finally, the CNPD draws the attention of data controllers to possible additional obligations, such as information/consultation with the employee representatives.

4. Principle of necessity and proportionality (data minimisation)

The principle of data minimisation in relation to geolocation implies that only data that appears strictly necessary to achieve the purpose(s) pursued should be processed and that processing operations should not be disproportionate.

Geolocation systems undoubtedly present risks for the privacy of employees in the workplace and the employer's interests must therefore be reconciled with the rights and freedoms of employees. It follows that geolocation should be as non-intrusive as possible. Furthermore, an employer should only use a geolocation device when there is no alternative, less privacy-invasive way of achieving the intended purpose.

In light of the positions taken in the authorisation decisions previously adopted by the CNPD (under the law of 2 August 2002) and in the light of Luxembourg case law on the subject, the CNPD has identified, in terms of proportionality, the following principles imposing conditions and requirements for the use of a geolocation device on employees' vehicles:

4.1 Prohibition of permanent surveillance and monitoring of employees outside working hours

In principle, a geolocation system should not aim at permanent monitoring of the employees concerned, as such data processing would be considered as electronic "shadowing" and would, due to its intrusive nature, disproportionately infringe on the privacy of employees at their workplace.

Furthermore, the employer is not entitled to monitor the employee outside working hours.

For this reason, the CNPD differentiates between geolocated service vehicles that can be used for private purposes and those that are strictly for professional use. If the employee is also allowed to use the company car for private purposes, the employer cannot geolocate the company car outside working hours. Thus, tracking employees outside working hours, which includes days off (legal, sick etc.), lunch breaks, journeys to and from work, possible medical visits and weekends, is prohibited.

Therefore, if the employee has the possibility to use the vehicle privately outside working hours, the employer must necessarily offer him the possibility to deactivate the geolocation device outside these working hours. In this respect, the CNPD believes that it is necessary for employees to have control over the activation and deactivation of the geolocation system in order to ensure that their privacy is respected. The fact that the employer has control over the activation and deactivation of the geolocation system could create significant psychological pressure on employees, who would not be able to know whether the system has actually been deactivated or not by the employer and could feel observed and controlled at all times.

On the other hand, if the vehicle is exclusively for business use, the CNPD considers that the employer can decide that the geolocation system remains permanently active.

4.2 Prohibition on monitoring employees' performance and/or behaviour

The data collected by the employer may not be used to monitor the performance and/or behaviour of employees outside the initial purposes invoked and pursued by the installation of the geolocation device.

For example, where the controller decides to install a geolocation device for the purpose of protecting company property against theft of a vehicle or its contents, the data from the geolocation device may not be used to monitor, for example, speeding (unless the employer is legally obliged to do so), or the time taken by the employee to travel between different customers, or to assess the route taken by the employee to reach a customer, and then used for disciplinary purposes.

4.3 Categories of personal data related to the use of the geolocation system

According to Article 5.1 (c) of the GDPR, personal data processed must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed".

The CNPD considers that the following personal data in particular may be processed by the controller in the context of the use of a geolocation system, provided that they are necessary for the purpose or purposes pursued:

• the vehicle registration number;
• the driver's identification data;
• the identification number of the SIM card integrated in the GPS module;
• geolocation data: vehicle positioning (locality and street), routes taken;
• additional data associated with the use of the vehicle (known as data related to geolocation): date, time, distance travelled, state of the vehicle (on the road or stationary), driving time, average speed, time and number of breaks or stops, start and end times of activity.

On the other hand, the CNPD considers that the employer cannot process data related to possible speeding. The CNPD is of the opinion that the processing of such personal data would in principle not be proportionate to the purposes that could be envisaged for the processing of data relating to the implementation of a geolocation system, unless such processing results from a legal obligation applicable to the employer.

4.4 Limited retention period

The GDPR provides that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed. With regard to the geolocation of employees' vehicles, the CNPD is of the opinion that the following retention periods meet this principle:

• personal data obtained through geolocation can in principle only be kept for a maximum period of two months;
• if the geolocation device is installed for the purpose of verifying working time (where this is the only possible means), the personal data obtained by geolocation which make it possible to verify working time may nevertheless be kept for a maximum period of three years in accordance with the limitation period laid down in Article 2277 paragraph 1 of the Luxembourg Civil Code. With regard to actions for the payment of employees' remuneration in the public sector, such data may be kept for a maximum of five years;
• if the personal data obtained by geolocation are used by the data controller as evidence for the billing of services performed for its customers, the data necessary for such billing may be kept for a period of 1 year, provided that it is not possible to prove the services by other means;
• in the event of an incident, the data may however be kept beyond the above-mentioned periods, in the context of the transmission of data to the competent judicial authorities and to the law enforcement authorities competent to establish or prosecute criminal offences.

Data obtained by geolocation may also be retained beyond the above-mentioned periods if they have been rendered anonymous beforehand, i.e., it is no longer possible to link these data - directly or indirectly - to a specific employee.

5. Is a data protection impact assessment ("DPIA") required for the installation and use of a geolocation device?

The CNPD is of the opinion that the implementation of a geolocation system requires in principle the carrying out of a DPIA.

In this respect, the CNPD notes that in the vast majority of cases, data controllers (i.e. employers who decide to install a geolocation system in their company cars) use service providers to install the geolocation system. These service providers often provide an off-the-shelf solution, which includes the installation of the geolocation devices in the vehicles, but also the hosting of the data collected by the devices and an IT interface allowing the controller to access this data. Insofar as these service providers process the personal data of the controller's employees on behalf of the controller, they are to be considered as "processors" within the meaning of Article 4 (8) of the GDPR.

The CNPD wishes to recall the important role that the processor must play in the performance of a DPIA. Although the controller remains ultimately responsible for the obligation to carry out a DPIA concerning the processing of personal data that it decides to implement, the processor has the obligation to help the controller to comply with its obligations. In practice, this means that even if the controller is ultimately required to carry out its own DPIA for the specific implementation of the solution it purchases, it can rely on a DPIA drawn up by the processor (the service provider) for the solution it markets. The latter has greater technical and legal expertise and more information on the solution it is selling.

The CNPD draws the attention of data controllers in particular to the importance of regulating the issue of carrying out the DPIA in the subcontracting agreement that must be concluded with the subcontractor.

6. Other obligations under the GDPR

In addition to the principles set out in these Guidelines, all the provisions of the GDPR remain, of course, applicable to the processing of personal data arising from the use of a geolocation device.

Thus, the CNPD wishes to recall in particular that if the controller uses a service provider to install and manage the geolocation device, this service provider will be considered as a processor within the meaning of Article 4. 8) of the GDPR, if the latter processes personal data on behalf of the controller. This will be the case, for example, if the geolocation data are sent to the service provider's servers and then accessible by the controller via a platform made available by the service provider. In this case, a processing contract meeting the criteria of Article 28 of the GDPR will have to be concluded between the controller and the processor.

Furthermore, the CNPD wishes to draw the attention of controllers and processors to the obligation under Article 32 of the GDPR to put in place adequate technical and organisational measures to ensure the security and confidentiality of the data processed. This means in particular that:

• The IT tool linked to the geolocation system must be parameterised in such a way as to collect and save only the data strictly necessary to achieve the purposes pursued, even if this tool would in practice allow more data to be collected and saved.
• Access to the data collected via the geolocation system must be limited to those persons who, in the context of their duties, have a legitimate need to have access to it, in view of the purposes pursued. Similarly, these persons must only have access to data which are strictly necessary in the context of their respective functions and in view of the purposes pursued. In particular, access to "sensitive" data, such as data providing the exact geolocation position (whether data that can be consulted "in real time" or "recorded" and subsequently consulted) must be strictly limited according to the "need-to-know" principle.
• Access to the data should be secure (e.g., by means of a strong password and user ID) and each person with access to the data should have an individual access account. In addition, an access log should be available so that it is possible to trace who has accessed the data, and which data has been accessed by whom, in case of abuse.

Finally, the CNPD draws the attention of data controllers to the importance of the issue of the country in which the personal data collected via the geolocation system are stored, whether this storage is carried out by the data controller itself or by its processor.

In accordance with Articles 44 et seq. of the GDPR, a transfer of personal data to a country outside the European Economic Area (hereinafter, a "third country") can only take place under certain conditions. Thus, except where the third country to which the data is transferred has been considered by the European Commission as offering an adequate level of protection (via an "adequacy decision"), a transfer to a third country may in principle only be carried out if appropriate safeguards have been put in place. These appropriate safeguards may for example consist of binding corporate rules in accordance with Article 47 of the GDPR or standard data protection clauses adopted by the European Commission.

Nevertheless, in view of the decision of the CJEU of 16 July 2020 in case C-311/18, the use of such appropriate safeguards should be considered with caution, and the recent recommendations of the EDPB regarding data transfers to third countries should also be respected.

Wherever possible, the CNPD therefore recommends that the storage of personal data from a geolocation system takes place within the European Economic Area. If a subcontractor is used, the question of the country of storage of the data should be discussed and regulated in the subcontract.

7. Specific legal provisions concerning data processing for surveillance purposes in the context of employment relationships

The CNPD highlights that the Luxembourg legislator has made use of the option left to the Member States by Article 88 of the GDPR to provide for more specific modalities concerning the processing of employees' personal data in the context of employment relationships.

Thus, the new Article L. 261-1 of the Luxembourg Labour Code allows the processing of personal data for the purpose of monitoring employees in the context of employment relationships by the employer only on the basis of one of the conditions of lawfulness listed in Article 6 (1) (a) to (f) of the GDPR.

For such processing of personal data, including geolocation in the workplace, Article L. 261-1 of the Labour Code provides for an obligation of prior collective information to the staff representatives, in addition to the individual information of employees under Articles 12 and 13 of the GDPR. Such information must contain:

• a detailed description of the purpose of the envisaged processing,
• a detailed description of how the monitoring system will be implemented,
• where applicable, the duration or criteria for data retention,
• a formal undertaking by the employer that the data collected will not be used for any purpose other than that explicitly stated in the prior information.

Worth mentioning that many Member States (including Romania) have made use of the option left by Article 88 of the GDPR and therefore have provided specific requirements concerning the processing of employees' personal data that need to be observed in order to implement geolocation systems for employee vehicles.

The full guidelines are available in French on the CNPD's website: https://cnpd.public.lu/fr/dossiers-thematiques/geolocalisation-vehicules.html.