Tracking systems and the AVG

By: Jan Faasse
November 2020

The implementation of solutions that follow vehicles via track & trace, driver performance or other optimizations, has consequences for the privacy of the driver. The General Data Protection Regulation (GDPR) forms a framework that regulates how these kinds of tracking systems can be introduced. 

Prior to rolling out a solution, quite a few things need to be arranged. Besides the GDPR, the Works Councils Act (WCA) is also relevant. The Works Council must be involved and prior consultation with the employees is required. In this blog I will take you through the steps.

When developing and implementing the GDPR you must take into account a number of principles of the GDPR: Privacy by design and privacy by default, purpose, foundation, data minimization, transparency, integrity and demonstrability. Privacy by design and privacy by default means that privacy is enforced as much as possible at the earliest possible stage by means of organizational and technical measures, and that maximum privacy is maintained through setting standards. The GDPR requires demonstrability. So a regulation or protocol must describe how the system is used. And of course this processing must be documented in your Register of Processing Activities. 

Purpose and purpose limitation
To implement a tracking system there must be a legitimate purpose. Your purpose may not conflict with other legislation such as labor law or road traffic law. The purpose must also be clearly and explicitly defined. Not a vague story, but clear and concrete. The personal data that you process (or have processed) for that purpose may not be used for any other purpose, unless the purposes are compatible. This also relates to the requirements under data integrity

The goals are achieved by using certain means, for example the board computer or Route42 hardware or software. Regarding the purpose, it must be considered whether it meets the requirements of proportionality and subsidiarity. Can you really achieve your goal with the means, or will you achieve much more than your goal? Can the goal also be achieved with a less intrusive tool for the privacy of the employee? If you can achieve your goal by means of the tool and no more than that, and if no less intrusive tools are available, then you can proceed. Data minimization requires that the means does not process more personal data than is necessary to achieve the objective. 

If you are also going to work with a dashcam, then you must follow the guidelines for the use of (mobile) cameras in terms of information provision and retention period. Also take into account the regulations in other countries and company-specific rules on private industrial estates, military barracks, etc. 

Personal data may only be processed on at least one of the six foundations listed in the GDPR. The most appropriate ground is the legitimate goal for which the interest of your employee must give way. For this foundation, the interests of both parties must be weighed against each other. The foundation of consent is not applicable in the employment relationship and is therefore invalid. Because there is a relationship of authority, the employee is not free to refuse permission. Moreover, for you as an entrepreneur, consent is not permanent, because a given consent can be withdrawn at any time. Do not ask for consent in addition to the legitimate interest because that makes the entire processing unlawful.

Data integrity
This means that the data is correct and sufficiently secure. Depending on the category of data, appropriate security measures must be applied. The recording of location/GPS data requires better security than just a username and password. Enforce 2-step verification to comply with the right security standards. Internally, you must ensure that only authorized employees have access to the data according to their role. 

In addition to technical measures, you must also apply organizational measures to secure the data. You do this by establishing processes for the use of the system by means of a protocol. You should also enter into a processing agreement with Route42. Also, be careful that the system does not lean towards real-time driver monitoring. That would defeat the purpose of the tool and would violate the principles of good employment practices.

Personal data may not be processed for any other purpose, unless the purposes are compatible. After an accident, for example, you may not simply provide the data to the insurer. This is only possible if you have grounds for it. The same applies to providing data to the police or judicial authorities. They can only demand the data with the authorization of the public prosecutor.

Personal data should not be processed longer than necessary. Once the purpose has been achieved, the processing must be terminated. It may be that you still want to keep certain vehicle data. This is only possible after it has been pseudonymized or even better, anonymized.   

You must inform the person involved, which can be the regular driver but also a substitute or temporary employee, in understandable language about the tracking system and his or her rights under the AVG. These include the right to inspect or correct data and the right to object. If a data subject personally objects, you must stop the processing in relation to this person and weigh up the interests at an individual level. You must also inform the data subject of the right to lodge a complaint about the processing with the national supervisory authority, the AVG.       

DPIA (Data Protection Impact Assessment)
Before you can start processing, an assessment must be carried out to assess the impact. The assessment is a description of the system that can be used to determine whether it complies with the regulations. Any shortcomings can then be included in a plan of action to be repaired. 

Data Protection Officer
If the processing is essential to the performance of the core business, then you may be required to have a Data Protection Officer (DPO). This depends on a number of factors. The DPO  should be independent and cannot be responsible for the processing of personal data in the organization. A DPO can also be hired as an external.   

Employee participation
When everything is in place, you are ready for the formal part: requesting the approval of the works council. Even if you don’t have a works council, or an organization with fewer than fifty employees, you should involve your employees in your plans. My advice is to involve your employees and the works council in the process at an early stage. By working well together on this, the final procedure will just be a formality. 

Once the preparations have been made and the DPIA completed, you can submit a well-substantiated request for approval to the works council. In the request for approval, aspects such as purpose, means, foundation, weighing of interests, security measures and information provision are addressed. You should also include at least the following appendices: 

  • the substantiation with which you demonstrate the necessity;
  • the processing agreement with Route42;
  • the DPIA;
  • the information that you provide to those involved;
  • any implementation plans;
  • the regulation or protocol.

If the works council has given its approval, you must finally include the new activities in the registry of data processing activities. 

Faasse Juridische Dienstverlening has an affinity with the transport sector. For more information, advice, guidance or DPO-as-a-service I am happy to refer you to the website or directly via [email protected] or +316 823 722 06.

Leave a Reply

Your email address will not be published. Required fields are marked *