The permissibility of GPS tracking from a compliance perspective
Update Compliance 9/2019 / Update Data Protection No. 64
Strict data protection requirements apply to the use of location tracking systems both in the employment context and in cooperation with other companies. In its partial judgement from March 19, 2019, the Lüneburg Administrative Court ruled in compliance with the provisions of the General Data Protection Regulation and the new Federal Data Protection Act (BDSG) that unrestricted tracking of employee vehicles is impermissible. This ruling gives reason to examine the permissibility of the use of such systems from a compliance point of view: When using location tracking systems, companies must ensure that permission under data protection law exists for processing the location data of their employees or third parties. Otherwise, there is a risk of prosecution for the company due to breaches of data protection obligations.
Under the circumstances on which the judgement is based, the plaintiff, which operates a building cleaning company, had fitted its company vehicles, which are used for business and private purposes by its building supervisors, cleaners and caretakers, with GPS systems. The license plates of the vehicles, which could be used to identify the respective users, were recorded. Over an extended period of time, the location tracking systems stored every route traveled by the employees with start and end points, including the time taken and the status of the ignition. The employees could not switch the location tracking system on or off; the system could only be deactivated after work and before work with considerable effort.
The Lüneburg Administrative Court judged that the continuous recording of the position data of employees, including outside of working hours, is not consistent with applicable data protection law. In this case, such comprehensive processing of the tracking data could not be justified on the grounds of permission granted under Sec. 26 (1) BDSG, since data processing was not necessary for the purposes of the employment relationship. The obligation to keep a logbook is sufficient in such cases. The processing of the location data could also not be justified based on the permission given by consent according to Sec. 26 para. 2 BDSG, because the voluntary nature of the consent was not adequate. This was already absent because the controller failed to inform its employees about the comprehensive location tracking.
Consequences, including for subcontractor relationships
This case law is also applicable to controllers that process location data of natural persons outside of employee data protection. This applies in particular to companies that collect location data of the employees of their subcontractors. In the absence of an employment context, the controller does not have to measure the lawfulness of processing the location data in these cases on the basis of the permitted circumstances under Sec. 26 BDSG. Rather, it must base the data processing on a legal basis under Art. 6 (1) GDPR:
If – as will usually be the case – there is no legal obligation for location tracking and this is not necessary for the implementation of a contractual relationship between the controller and the persons whose location is being tracked, then only a legitimate interest according to point f) of Art. 6 (1) GDPR or consent pursuant to point a) of Art. 6 (1) GDPR may be taken into consideration as permitted circumstances. Since the consent is generally not a secure legal basis, as it can be revoked, and should serve only as a stopgap measure, companies usually have to prove a legitimate interest in location tracking, which is not outweighed by the interests and fundamental rights of the data subjects. In the context of such a balancing of interests, comparable arguments are incorporated as in the case of the balancing of necessity under Sec. 26 BDSG. Thus, the Lüneburg Administrative Court argued that there is no fixed need for the company to monitor tolerated private use of the vehicles and therefore interference in the data subject’s right to self-determination does not prevail over a legitimate business interest. Thus, the controller also cannot track locations without limitation under point f) of Art. 6 (1) GDPR.
Practical notes: For cases such those described, the GDPR sets out fines for controllers of up to EUR 20,000,000 or, in the case of a company, up to 4% of the total worldwide annual turnover of the previous financial year. In order to avoid this risk, companies that process the location data of their employees or of third parties, such as employees of their subcontractors, are urgently advised, before using any tracking systems, to check in each case on what legal basis and to what extent they are allowed to track locations. The extensive monitoring also means the controller must carry out a data protection impact assessment in accordance with Art. 35 GDPR.