May I install GPS trackers in company vehicles?

Yes, but only if you have a clear purpose (e.g. route planning, theft prevention), limit tracking to working hours, inform employees in advance, and document it in your processing register. 24/7 tracking is almost never permitted.

Can employees refuse to be tracked?

If the tracking is based on legitimate interest, employees can object. You must then demonstrate that your interest outweighs theirs. With consent as the legal basis, there is a problem: consent in an employment relationship is rarely 'freely given' due to the power imbalance.

Do I need to conduct a DPIA for GPS tracking?

Yes, if you systematically and/or on a large scale process location data. This applies to most transport companies and businesses with a fleet of company vehicles.

How long may I retain GPS data?

No longer than necessary for the purpose. For route planning, that is typically a few weeks. For invoicing purposes it may be longer, but then only retain the necessary data (e.g. kilometres driven, not the full route).

GPS Tracking Employees GDPR - What Is and Isn't Allowed?

GPS data from company vehicles and employees is personal data under the GDPR. This article explains when tracking is permitted, with two Belgian court cases as a warning.

GPS data is personal data

As soon as location data can be linked to an identifiable person, it is personal data under the GDPR. With company vehicles, this is almost always the case: the vehicle is assigned to a specific employee, so the vehicle’s location equals that person’s location.

This applies to:

GPS trackers in company cars
Location data from company phones
Route logging via onboard computers
Apps that track the location of field staff

Because location data provides detailed insight into someone’s behaviour and movements, the GDPR treats it as particularly sensitive.

Two Belgian cautionary tales

Labour Court Leuven: 24/7 tracking is unlawful

An employer installed GPS trackers in company vehicles and tracked employees continuously, including outside working hours. The vehicle was used both professionally and privately. The court ruled:

24/7 tracking is a disproportionate interference with private life
The employer had no clear, legitimate purpose for continuous surveillance
Employees were insufficiently informed about the data processing

Result: the processing was unlawful. The employer lost the case.

Belgian DPA fine: transport company (2022)

A transport company collected GPS data from drivers via onboard computers. The Data Protection Authority (GBA) found:

No clear legal basis (legitimate interest not properly substantiated, no valid consent)
No internal privacy policy on the use of GPS data
Insufficient information to drivers about what happened with their data

Result: administrative fine for lack of transparency.

When IS GPS tracking permitted?

GPS tracking is not prohibited, but you must meet strict conditions:

1. You have a clear, specific purpose Examples of valid purposes:

Route optimisation and planning
Vehicle theft prevention
Invoicing based on kilometres driven
Employee safety in high-risk areas

“Checking whether employees are actually working” is rarely a valid purpose.

2. You choose the right legal basis

Legitimate interest is the most common basis for GPS tracking, but you must conduct and document a balancing test
Consent is problematic in an employment relationship due to the power imbalance; an employee can hardly give “free” consent

3. You limit tracking to what is necessary

Only during working hours, not 24/7
Only the data you actually need (e.g. start and end point, not position every second)
No tracking of private journeys

4. You inform your employees

Include GPS tracking in your employee privacy policy
Explain: what data, for what purpose, how long retained, who has access
Inform employees before activating tracking, not afterwards

5. You conduct a DPIA For systematic, large-scale tracking, a Data Protection Impact Assessment (DPIA) is mandatory. Document the risks and the measures you take.

Do’s and don’ts

What you SHOULD do

Document GPS usage in your processing register and employee privacy policy
Limit tracking to working hours unless you have a specific justification
Limit access to GPS data to managers who genuinely need it
Conduct a DPIA for large-scale tracking
Apply pseudonymisation where possible (e.g. vehicle ID instead of employee name)
Set retention periods and automatically delete old GPS data

What you should NOT do

24/7 tracking without a compelling necessity
Base tracking on general consent (“you signed the employment contract, so you consent”)
Use GPS data for purposes other than those for which you collected it (e.g. collected for route planning, used for performance evaluation)
Retain GPS data longer than necessary
Ignore the data breach notification obligation if GPS data is leaked

What should you do now?

Identify whether you process GPS data (company vehicles, phones, apps)
Document the purpose, legal basis and retention period in your processing register
Check whether employees are informed via the employee privacy policy
Limit tracking to working hours and necessary data
Conduct a DPIA if you systematically process location data
Set retention periods and automatically delete old GPS data

auto_awesome GPS tracking in your processing register?

GDPRWise helps you document all your processing activities, including GPS tracking. With automatically generated privacy policies and recommendations.

Start free scan

GPS Tracking of Employees: What Is and Isn't Allowed under the GDPR?