GPS AND COMPANY VEHICLE TRACKING – PRIVACY GUARANTOR DECLARES THAT THE GPS MUST ALSO RESPECT THE PRIVACY OF THE USERS

18/09/2018

With provision no. 396 of June 28, 2018, the Privacy Guarantor for the first time ordered a provider of geolocation services to ensure that the functionality of its product respects the right to privacy by implementing the principles of data minimization and privacy by design and by default. In this way, clients will have a system adaptable to all their organizational and security needs.

 

The Guarantor issued its opinion following a report by an employee of a company that uses the geolocation service on its corporate fleet. According to the employee, the characteristics of the system did not comply with the rules on privacy.

The verifications carried out by the Authority, in collaboration with the Guardia di Finanza, showed that the system allowed continuous monitoring of the employees' activity without the employees being aware of it, in violation of the principles of necessity and proportionality. In addition, since employees' cars could also be used outside working hours and by their families, the geolocation system made it possible to collect information on the employee and on other persons that was not relevant to the performance of working activities. This also violates Article 8 of the Workers' Statute as well as the rights of third parties.

The Guarantor therefore intervened by prohibiting the company that had installed the system on its fleet vehicles from processing and using the data collected. The Guarantor also required the provider of geolocation services to adapt the system to the European rules on data protection, establishing the following conditions that must be met for the control to be lawful:

– the standard service must be reshaped with particular regard to the time intervals for surveying the geographical position of vehicles – currently set between 30 and 120 seconds – and the times for storing data – now set at 365 days – and the storage and provision of maps of all routes taken;

– the company must also inform its customers of the possibility of adapting the characteristics of the service to the specific purposes pursued;

– the function that allows the deactivation of the GPS must be made available for all types of subscription to the service without additional and excessive costs.

In any case, employees must be informed in advance of the data collection system. The company must put in place all measures that allow workers to access the data processed, for viewing or for any change. In this way, the Guarantor, in addition to scaling back and regularizing the activities of the company that uses the location service on its corporate fleet in accordance with the privacy regulations, also set a fundamental precedent for the protection of workers.