Installing a GPS tracking tool on company fleet cars has always been a delicate and sometimes controversial topic, one in which data protection implications play a critical role in deciding how the tool is implemented, in accordance with the principles of privacy by design and by default.
The Austrian DPA's investigation shows how important it is to ensure a lawful legal basis and to perform a data protection review of the operation in scope, so that the rights of the data subjects are not undermined.
Findings of the Austrian DPA
An anonymous complaint was filed with the Austrian DPA (the DSB) in 2019, alleging that the GPS tracking system installed by an employer on leased company cars was able to reconstruct the full itinerary of the drivers, who used the company cars not only for business but also for private purposes. The DPA opened an investigation and established the following facts: the employer had made 15 cars, leased from a provider, available to its employees. The employees using those cars were allowed to drive them for both business and private purposes. After one year of use, in 2020, the employer engaged a GPS tracking tool provider and instructed it to install the tool on the company cars, for the purpose of knowing the location of a car upon request.
In 2021, however, the use of the GPS tracking became more extensive. In particular, the tracker was now activated and deactivated together with the starting and switching off of the vehicle engine, and the GPS tool was additionally enabled to collect information on the complete trip for the following purposes: keeping records of working hours, and calculating and reimbursing business trips and travel expenses. It should be noted that the tracking tool could be switched off manually by the driver (mostly in the case of private journeys). With the support of the tracking tool, the employer was able to determine the full trip, including start time and arrival time, date and distance covered (including the route).
Who could access the data collected?
In principle, it has to be said, the employer had no need to track the employees with a GPS tracker: the address of the customer the employees were heading to was already known to the employer, as was the employees' business trip plan, which was organized daily by the appropriate staff. In terms of data access, the tracking tool information was available to a restricted group of the employer's staff (payroll, finance and coordinators) through an app accessed under a specific account. The processor (the GPS tracking tool provider) also had access to the data.
Legal basis assessment
The employer, as data controller, relied on two specific legal bases for processing personal data, in particular the information obtained from the GPS tracking:
- First legal basis: the necessity to comply with a legal obligation to which the controller is subject (Art. 6.1 (c) GDPR); and
- Second legal basis: the legitimate interest of the controller (Art. 6.1 (f) GDPR).
With regard to the first legal basis (compliance with a legal obligation), the controller referred to a local law requirement that obliges employers to keep a precise and complete record of the hours worked by their employees, and that also allows the use of digital devices for this purpose. The Austrian DPA noted that GPS could indeed be a digital device capable of keeping track of working hours; however, this processing was not found to be compatible with the principle of data minimisation (Art. 5.1 (c) GDPR). In fact, the manual system used until the installation of the GPS tracking had shown no accuracy issues in the records of working time, so the additional processing of personal data by means of GPS tracking was deemed unjustifiable and disproportionate.
Does the employer have a legitimate interest?
Most of the concerns, however, were focused on the second legal basis. It is well established that the legitimate interest of the data controller must be balanced against the rights and freedoms of the data subjects; in this case, the right of the data subjects is not to be tracked when driving a company car. It was recognized, in the specific case, that the controller had several interests in processing personal data by means of a GPS tracking tool, including the following: providing correct compensation to the employees based on the trips made, knowing the location of the car during business hours (to prevent damage or theft), and reacting to last-minute customer requests by instructing the closest employee to reach the customer's premises when needed. The question to ask, then, is: are those interests legitimate? In the judgment of the DPA, those interests did not outweigh the right of the employees not to be tracked via GPS. In particular, the DPA identified a number of reasons why the interests of the controller would not override the rights and freedoms of the data subjects:
- There were less intrusive means to achieve the same purpose (for example, asking the organizing staff about the precise trip in order to provide the related compensation);
- There was no requirement to use GPS tracking to record working hours or to assign travel expenses (because the previous systems already satisfied the purpose and no additional data was required to compensate a trip);
- The need to be at the customer's premises following a last-minute call did not apply, since most of the services provided by the driving employees consisted of delivering spare parts to the customer; it would therefore not have been possible to react to a last-minute call without the appropriate spare part to deliver;
- Finally, there was no evidence that a GPS tracking tool was required to prevent the leased vehicles from being damaged or stolen.
In conclusion, because the necessity requirement for processing personal data by means of the GPS tracking device was not met, the DPA did not deem the legitimate interest of the controller an appropriate legal basis for the processing operation in scope.
Following the investigation, in a decision of 1 March 2022, the Austrian DPA ordered the controller to immediately stop using the GPS tracking device installed on the 15 company cars in scope, declaring that the processing operation had been conducted in breach of Art. 6 GDPR (without an appropriate legal basis) and contrary to the data minimization principle (Art. 5.1 (c) GDPR).
Privacy-invasive technologies such as GPS tracking may be an immediate and efficient solution on many occasions, but they also carry very significant personal data protection implications. In this specific case, the following points can be highlighted:
- special consideration should be given to processing operations involving employees' personal data, because of the imbalance in the relationship between the controller and the data subject. This imbalance weighs heavily against the controller, especially when performing the legitimate interest balancing test on operations relying on this legal basis;
- the data protection principles set out in Art. 5 GDPR should always guide the compliance of personal data processing and should always be taken into consideration in the privacy by design and by default of the operations carried out by controllers;
- a lawful legal basis for processing is the foundation of any processing operation, and relying on legitimate interest (Art. 6.1 (f) GDPR) is not a fallback solution for processing personal data when the other legal bases in the GDPR do not apply.
A privacy review, especially of operations involving employees' data, is essential in order to ensure compliance and to avoid orders and fines against controllers that can cause financial and reputational damage.