The EDPB has posted a decision by Slovenia’s data protection regulator:
Background information
- Date of final decision: 04 October 2022
- Controller: employer in private sector
- Legal Reference: National Law (Personal Data Protection Act), Article 5.1(c) and 6.1(f) of the GDPR
- Decision: Order to comply
- Key words: GPS tracking
Summary of the Decision
Origin of the case
The data controller introduced GPS tracking of seven company vehicles in 2009, after a theft at a worksite. The vehicles were used for fieldwork transport and installation of equipment at clients' premises. The purpose of GPS tracking was to insure the vehicles, and the expensive equipment and documents in them, in case of theft.
The controller stated that GPS tracking did not constitute data processing and that individuals could be identified only in exceptional cases (criminal offences, protection of people and property, traffic accidents, claim events, etc.). The GPS application could not access the personal data of the employees who used the vehicles, because that data was kept in a separate record. The data was processed by the application and monitored by an external contractor.
Key Findings
The Slovenian Supervisory Authority (SA) determined that the controller carried out GPS tracking of eight company vehicles. The vehicles were used by employees as delivery vehicles and passenger delivery vehicles. Tracking was carried out by a special transmitter in the vehicle and monitored by an application that continuously recorded the distance travelled. Individuals were identifiable.
A special record was being created containing a large amount of employee location data. The data was processed continuously, systematically and automatically, so that the employer could determine at any moment where an individual travelling in one of the vehicles was located. The data could also be accessed retrospectively. The employer could easily determine which employee was using the company vehicle and to whom the location data was attributable.
The Slovenian SA investigated whether there was a legal basis for processing the personal data pursuant to Article 6 of the GDPR.
Decision
The Slovenian SA assessed whether the data processing was lawful in accordance with Article 6.1(f) of the GDPR (legitimate interests).
The Slovenian SA confirmed that ensuring the safety of property can be a legitimate interest of the data controller, but the controller did not demonstrate that the way the measure was carried out was appropriate and necessary. It was found that GPS tracking was also carried out while the vehicle and the property in it were under the constant and direct supervision of an employee.
The Slovenian SA decided that, in this specific case, GPS tracking could only be used in such a way that the driver could turn on the GPS at a location where the vehicle, the equipment and the documents could be at risk, and turn it off after returning to the vehicle, when the protected goods were again under the direct supervision of an employee.
Regarding the safety of individuals in case of traffic accidents, the Slovenian SA decided that constant GPS tracking was disproportionate. The place of the accident is usually known, and the location of the accident could also be reported by the driver himself. The controller should use a measure that is less intrusive on individuals' information privacy.
The Slovenian SA decided that the controller did not demonstrate legitimate interests according to Article 6.1(f) and that the GPS tracking was not in accordance with the principle of data minimisation (Article 5.1(c) of the GDPR).
The Slovenian SA ordered the controller to stop processing the employee data that was collected by continuous, systematic and automatic GPS tracking.