The Spanish Supreme Courtruled on 15 September 2020 that the use of data collected by a GPS geolocator installed in a company’s vehicle is lawful in cases where the employee is informed of the installation of the device, the use of the vehicle is restricted to working-related activities and it only collects information on the movement and location of the vehicle.
On April 22, 2016, a company dismissed a worker because she used for private purposes the vehicle the company had provided her, despite the fact that private use was forbidden and the employee had been timely informed that the unit was equipped with a GPS location system. The GPS collected the car’s location data and it was determined that the employee intensively used the vehicle during a period of medical leave and the weekend immediately preceding it. During that period the GPS recorded 1.935,21 kilometres. Hence, the company dismissed the employee.
The Court considered that the use of geolocation data from a GPS device installed in the worker’s company vehicle to proceed with his dismissal to be lawful because: a) the employee had been informed about the collection of geolocation data though the GPS; b) the device collected only information about the vehicle’s movements and locations; c) the use of the vehicle was restricted to working-related activities.
Further, the Court highlighted that there was no invasion of the worker’s privacy, since the data collection only affected the location and movement of the vehicle for which the employee was responsible and had to use it in accordance with the company’s rules. Then, the use of the vehicle’s location data did not reflect any personal circumstance of the worker.
Finally, the legitimate expectations to privacy of the employee played a key role. The evidence was also considered lawfully collected, and her right to privacy unaffected, because the worker was aware of the constant transmission of data on the vehicle’s position.
Hence, the court ruled that the dismissal was justified.
The facts of the case occurred before the General Data Protection Regulation entered into force. However, it is worth noticing some important aspects related to the use of location trackers in work vehicles.
First, the GDPR applies to employer vehicle tracking, since location data is personal data (art. 4(1) GDPR). Even though the Spanish Supreme Court relied on the employee’s ‘legitimate expectations to privacy’, location data do reveal personal circumstances of the data subject (e.g. places visited, from which inferences can be made).
Second, companies are allowedtoinstall GPS trackers in theirvehicles (e.g. art. 90(1) Ley Orgánica 3/2018 or ‘Ley de Protección de Datos Personales y garantía de los derechos digitales’). The most suitable legal basis is the employer’s (controller) legitimate interests in being able to locate the vehicle (art. 6(1)(f) GDPR). The consent of the employee (art. 6(1)(a) GDPR) is not appropriate legal basis since there is an imbalance of power between the employee and the employer.
Third, the principles of processing must be followed. In particular, employees must be informed about the tracking and its operation (art. 5(1)(a) GDPR) in a clear and unequivocal manner (art. 90(2) Ley Orgánica 3/2018). Besides, the purposes of collection must be limited (art. 5(1)(b) GDPR), i.e., monitor the location of the vehicles used in an employment context. On the contrary, employee monitoring is incompatible with vehicle tracking.
Finally, the principle of accountability (art. 5(2) GDPR) must be respected. One the most important components of this principle is the obligation to carry out a Data Protection Impact Assessment (DPIA) as provided for in art. 35 GDPR if the processing operations are likely to result in a high risk to the rights and freedoms of natural persons. Both the Article 29 Working Party(now European Data Protection Board) and the European Data Protection Supervisor elaborated a list ofcriteria for assessing whether processing operations are likely to result in high risks. The list is composed by 9 criteria and if the processing operation under evaluation falls in two or more, a DPIA is required. In the case of employer vehicle tracking, bothcriteria 3 (tracking movements via location data) and criteria 5 (data processed on a large scale, whether based on the number of people concerned and/or amount of data processed about each of them) would be met. Hence, a DPIA would be needed for this kind of processing operation.
The significance of the DPIA should not be underestimated. If employer vehicle tracking is deemed as likely to result in a high risk to the rights and freedoms of natural persons, and the employee (controller) has not carried it out before data collection begins, the processing operations are unlawful. Regardless of whether the evidence collected in a dismissal proceeding would be admitted or not, which will be debated before the labour courts, data protection authorities may find the processing in breach of the provisions of the GDPR. Hence,the data controller (i.e. the vehicle’ owner) may be subject to an administrative fine up to 10.000.000 EUR or up to 2% of the total worldwide annual turnover, whichever is higher, in accordance with art. 83(4)(a) GDPR.
Data protection provisions will surely play an increased role in future disputes related to privacy and data protection of employees, since the tools at employer’s disposal to carry out monitoring of employees are being used more than ever before.
 STS 3017/2020 – ECLI: ES:TS:2020:3017 http://www.poderjudicial.es/search/openDocument/8adba1406c95ebc3 retrieved 03/11/2020
Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, wp248rev.01https://edps.europa.eu/sites/edp/files/publication/19-07-16_edps_dpia_list_en.pdfretrieved on 03/11/2020
 Decision of the European Data Protection Supervisor of 16 July 2019 on DPIA lists issued under articles 39(4) and (5) or Regulation (EU)2018/1725, https://edps.europa.eu/sites/edp/files/publication/19-07-16_edps_dpia_list_en.pdf retrieved on 03/11/2020