Is tracking GPS location always Employee Monitoring under GDPR?
We recently had a discussion with a company (lets call them GPS Co) that is involved in the tracking of GPS Data and storing it in the cloud - they wanted to know how the new GDPR would treat the collecting of GPS data. GPS is "location data" and is thus considered Personal Data. Therefore, the full ramifications of GDPR and controlling and processing of Personal data are relevant. And there is more! Imagine the scenario where GPS Co produces a GPS tracker that is fitted to a vehicle for security reasons. It is only tracking a vehicle. However, this vehicle is used by only 1 employee. Lets take 2 scenarios here (could be more!)
- GPS Co only collects the location of the GPS tracker and the unit IMEI. Nothing else is added to the data set.
- GPS Co allows the customer add details like Vehicle Type, Name of Driver, Email of Driver, Department, Phone number of driver etc...to make the data more relevant and identifiable.
In both cases, GPS Co could be enabling the monitoring of employees. In the second scenario, it is very clear that they are. Consent generally is the most important legal ground for the processing of personal data, this is not the case in the workplace. Because the employer has authority over the employee and the employee is financially dependent on the employer, permission from an employee to an employer in principle cannot be considered as freely given. Because consent cannot be used, another legal ground must apply. This means that the processing must be necessary, for one or more of the purposes listed here:
- Necessary for the performance or preparation of the employment contract
- Necessary to comply with a legal obligation
- Necessary to protect the vital interests of an employee or another natural person
- Necessary for the fulfillment of a task carried out in the public interest or in the exercise of public authority
- Necessary for the legitimate interests of the employer or a third party, unless the fundamental rights of the employee outweigh these interests
- Consent of the employee for one or more specific purposes
The employer & processor must also clearly inform the employees that a tracking device has been installed in a company vehicle that they are driving, and that their movements are being recorded whilst they are using that vehicle (and that their driving behavior may also be recorded). Preferably such information should be displayed prominently in every car, within eyesight of the driver. There is an EU working party established to refine this - ARTICLE 29 DATA PROTECTION WORKING PARTY
Suffering from GDPR anxiety? Get in touch with us using the form below and we might be able to help.