Finding of the Slovenian Data Protection Authority in the context of the use of GPS by a private sector employer
The National Center for Personal Data Protection (NCPDP), for information and application purposes, reports on the compliance order issued to a personal data controller, a private sector employer, by the Slovenian Data Protection Authority (SA) under Articles 5.1(c) and 6.1(f) of the GDPR.
Following the investigation, the Slovenian SA determined that the controller carried out GPS tracking of eight company vehicles. The vehicles were used by employees as delivery vehicles and passenger delivery vehicles. Tracking was carried out by a special transmitter in the vehicle and monitored by an application that continuously recorded the distance travelled. Individuals were identifiable. Furthermore, a special record was being created containing a large amount of employees' location data. The data was processed continuously, systematically and automatically, so that the employer could determine at any moment where an individual travelling in one of the vehicles was located. The data could also be accessed retrospectively. The employer could easily determine which employee was using the company vehicle and to whom the location data was attributable.
The Slovenian SA confirmed that ensuring the safety of property can be a legitimate interest of the data controller, but the controller did not demonstrate that the way the measure was carried out was appropriate and necessary. The GPS tracking was also carried out while the vehicle and the property in it were under the constant and direct supervision of an employee. The Slovenian SA decided that, in this specific case, GPS tracking could only be used in such a way that the driver could turn on the GPS at a location where the vehicle, the equipment and the documents could be at risk and turn it off after returning to the vehicle, when the protected goods were again under the direct supervision of an employee. Regarding the safety of individuals in case of traffic accidents, the Slovenian SA decided that constant GPS tracking was disproportionate. The place of the accident is usually known, and the location of the accident could also be reported by the driver himself. The controller should use a measure that is less intrusive on individuals’ information privacy. In this context, the Slovenian SA decided that the controller did not demonstrate legitimate interests according to Article 6.1(f) and that the GPS tracking was not in accordance with the principle of data minimisation (Article 5.1(c) of the GDPR), and ordered the controller to stop processing the data of employees that were collected by continuous, systematic and automatic GPS tracking.
The NCPDP, as the national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of the legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.