GPS devices and corporate fleets: the issue of privacy
(NB The following article refers to the Italian legislation)
What is the geolocation of fleets?
By geolocation of company fleets we mean the monitoring of the position of the fleet vehicles by the employer, through the installation of satellite equipment.
The issue is based on the search for a balance between the legitimate interest of the employer to verify the compliance of use of vehicles, as well as to protect himself from theft and damage, and respect for the privacy of workers.
The market for GPS devices in recent years
The 2022 Report on Fleet Technology Trends in Europe documents the growth of fleet-related technology solutions in Europe and the UK. GPS tracking, in particular, would have helped improve productivity and competitiveness by lowering fuel costs, increasing operational efficiency, reducing accidents and improving customer service.
However, the activation of GPS tracking requires a series of considerations and obligations.
The preliminary evaluation of the treatment
Before evaluating the technical procedures to install and use GPS devices, an impact assessment of the processing is required in order to balance the legitimate interests of the Data Controller with respect for the privacy of the employee.
The design of the tracking devices
The preliminary assessment is followed by the design of the device, which allows data processing according to principles of proportionality, necessity and safety. The Guarantor for the protection of personal data authorizes the installation of GPS devices on company vehicles, provided that they are designed as follows:
– An icon on the device must show that the location is active
– Tracking functionality can be disabled during allowed work breaks
– It is possible to obscure the visibility of the geographical position after a period of inactivity of the operator on the operations center’s monitor
– Different authorization profiles must be identified in relation to different types of data and operations
– The retention times of the processed data must be identified on the basis of the purposes pursued
– Any reports to customers may not have references that allow the identification of employees
– The localization software provider must be considered an external data controller
– Periodic tests must be prepared on the functionality and reliability of the parameters adopted and the related corrective measures
Basically, the data collected must be strictly necessary for the pursuit of the established purposes, whether they are related to workplace safety or the protection of company assets. Any further collection must be considered illegitimate.
In detail, the Data Controller can keep the following data:
1. Location of the vehicle
2. Distance traveled
3. Travel times
4. Fuel consumption
5. Average speed of the vehicle (the notification of any violations of the highway code remains reserved to the competent authorities)
The standard service must be set to position detection time intervals (currently defined between 30 and 120 seconds) and respect the data retention times (365 days). The company must memorize and be able to make available the maps of the routes taken.
Employees must then be adequately informed about the operation of the device, the purposes of the processing and the condition of lawfulness, in the legitimate interest of the data controller.
Privacy by design and privacy by default (art.25 GDPR)
The advantages of GPS for fleet management
Optimized fleet management is conscious management. Without prejudice to the respect of employees privacy, GPS tracking is having a positive impact in terms of:
– reduction of fuel consumption
– accurate information about arrival times
– better organization of operations and greater efficiency
– monitoring of vehicle maintenance needs
– greater safety for both vehicles and workers and reduction of accidents
The issue of the geolocation of company vehicles is based on a complex balance between opposing interests, where risks coexist with opportunities and advantages. With the concepts of privacy by design and by default, the GDPR proposes a solution approach that anticipates data protection right from the design of the devices, going beyond the theoretical analysis of the problem and literally entering its mechanisms.
This is a complex issue, where the technical aspect is closely linked with that of the law and where both, in synergy, move in the direction of improving processes and working conditions.