Ireland: Employee vehicle tracking and Guidance from the DPC
Due to the importance of data protection law for employee monitoring practices, a careful and considered approach must be taken when potentially highly instrusive methods, such as tracking employee vehicles, are used. It is in this context that Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, breaks down the Guidance Note: Employee Vehicle Tracking1 ('the Guidance') from the Irish Data Protection Commission ('DPC') on the data protection aspects of vehicle tracking by employers.
Broadly, the Guidance reiterates the importance of purpose limitation, full transparency, and risk assessment to employers. Key points are set forth below.
- Employees are entitled to a reasonable expectation of privacy in the workplace.
- The use of in-vehicle tracking by an employer carries a high risk of interfering with the privacy and data protection rights of the employee.
- Location data qualifies as personal data under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') any time it relates to an identifiable individual.
- An employer may track or monitor the location of the vehicles used in an employment context, but it is important to note that employers should not regard vehicle tracking as a method to track or monitor the behaviour or the whereabouts of drivers or other staff.
- Identify the purpose before the purchase or implementation of technology which allows such tracking. This purpose must be explicit and legitimate.
- Do not use the data for other, further purposes that are incompatible with the original purpose used to justify the initial processing. An example of further processing which would be incompatible with the original purpose would be the monitoring and evaluation of employees, where the original purpose of collecting the data was for security in the case that a vehicle was stolen.
- Do not use vehicle tracking if the purpose cited could be achieved by less intrusive means.
- The right to object to processing under Article 21 of the GDPR includes the right to object to vehicle tracking carried out on those grounds. In the case of objection, the employer may only proceed with the vehicle tracking if it is necessary to achieve a compelling legitimate interest that overrides the interests, rights, and freedoms of the employee.
- Legal bases for in-vehicle tracking may include: compliance with a legal obligation (such as using a tachograph on a lorry) or an employer's legitimate interest in being able to locate the vehicle at any time.
- Employee consent will only be considered an adequate legal basis in exceptional circumstances. This is because of the difficulty in obtaining 'freely given' consent, given the nature and power imbalance inherent in the relationship between employee and employer.
- To rely on legitimate interest as the legal basis, ensure that the processing is strictly necessary and proportionate for the purpose of achieving that interest, and that the legitimate interest being pursued must be balanced against the rights and freedoms of the employee, including their reasonable expectations of privacy.
- Employers implementing in-vehicle tracking must also comply with their transparency obligations under the GDPR, and ensure they meet the employee's right to be informed.
- Employees must be informed of the existence of tracking and how it operates, as well as being clearly informed of all the purposes for which their personal data is to be used, in advance of any such tracking being implemented. This means that the employer must clearly explain to the employee who is using the vehicle concerned, what records are being created, why those records are necessary, what they will be used for, how long they will be kept for, who will have access to them, and for what reason.
- In line with the recommendation of the Article 29 Working Party, display such information prominently in every car, within eyesight of the driver
- Devise and make available to drivers a policy on the use of vehicle tracking. In the context of the use of vehicle tracking devices, this document should also set out the employer's policy on the use of company vehicles for private use, if private use is permissible.
- A Data Protection Impact Assessment ('DPIA') should be carried out by the employer where there is an intention to monitor vehicle location data.
- Due to the nature of vehicle tracking and the fact that it will likely (at least indirectly) involve the collection of the personal data of the driver of the vehicle and the systematic tracking of their location, it is highly likely that DPIA will need to be done before implementing such technology.
- A DPIA should identify and mitigate the risks to an employee's rights and freedoms. A DPIA considering the proportionality of planned measures and balancing the purpose of the measures with the reasonable privacy expectations of the employee should be conducted prior to implementing an in-vehicle tracking policy, and must be kept accurate and up-to-date.
Practical compliance steps for employers
- Limit the time and/or location when tracking takes place:
- It is unlikely that tracking a work vehicle (and particularly a privately-owned vehicle being used for work purposes) outside work hours would be lawful, proportionate, or necessary within the meaning of the GDPR.
- Cases involving the theft of a company vehicle could be an example of a limited circumstance where it may be necessary to access tracking data in order to locate the vehicle, but the proportionality and necessity of the measure would need to be assessed and demonstrated, meeting a high threshold for such an intrusive measure.
- Employers should consider accessing the location data only in an emergency situation, such as by activating the visibility of the location by accessing the data already stored by the system only when the vehicle leaves a predefined region.
- Take extra care when implementing new technologies, particularly where employees may not expect or be aware of them.
- Implement opt-out measures such as the ability to switch tracking off easily:
- An 'opt-out' measure must be provided, such as allowing for the tracking to be turned off or disabled with a 'privacy switch,' particularly if a privately owned vehicle is used for work purposes.
- Employers should also ensure that all drivers are given training on the operation of the opt-out measures. This includes making all new employees aware of the existence of tracking devices and training them in the operation of the privacy switch.
- Avoid intrusion into an employee's personal life and limit tracking to what is strictly necessary:
- It is unlikely that the tracking of an employee's personal vehicle would ever be lawful outside of work hours as it would amount to a grave interference with the right to privacy and the data protection rights of the employee in the absence of a compelling legal basis grounded in Article 6 of the GDPR.
Odia Kagan Partner and Chair of GDPR Compliance & International Privacy
Fox Rothschild LLP, Philadelphia