If you are using location data to track the movements of your employees, then under the GDPR this is considered employee monitoring. Examples of this are varied, from a professional athlete with a GPS tracker on their jersey to a rep driving a vehicle that has a GPS tracker installed in it.
If you are monitoring employees, then you need to carry out a DPIA.
Data Privacy Impact Assessment (DPIA)
The data controller (employer) is responsible for completing the Data Privacy Impact Assessment (DPIA). This is confirmed by the European Data Protection Supervisor (EDPS). The latest guidance (July 2019) outlines that if you tick 2 or more of the 9 criteria, then you need to complete a DPIA. The guidance spells this out in:
- Criterion 3: Tracking movements via location data
- Criterion 5: Data processed on a large scale, whether based on the number of people concerned and/or the amount of data processed about each of them
By its nature, GPS tracking is large scale. It is important to note that the EDPS is not restricting this to where there might be a large number of data subjects. If you are collecting a lot of data about a small number of data subjects, then this is considered large scale too.
See more about What steps are involved in completing the DPIA
Legal Basis for tracking
The DPIA will outline the legal basis for the tracking. The challenge for employers is that consent cannot be used; another legal basis must apply. Because the employer has authority over the employee and the employee is financially dependent on the employer, consent from an employee to an employer cannot, in principle, be considered freely given. Examples of other legal bases are (it is preferable to tick 2 or more of the boxes):
- Necessary for the performance or preparation of the employment contract
- Necessary to comply with a legal obligation
- Necessary to protect the vital interests of an employee or another natural person
- Necessary for the fulfilment of a task carried out in the public interest or in the exercise of public authority
- Necessary for the legitimate interests of the employer or a third party, unless the fundamental rights of the employee outweigh these interests
In many cases, it could be argued that tracking is needed to “protect the vital interests of an employee”. For professional sports teams, the data will be used to ensure the athlete remains fit and healthy. For the sales rep, the tracking could be used to ensure that the driver is safe. Whatever the legal basis, the DPIA should clarify and document it.