Fleet and Company Vehicle Geolocation: GDPR Limits

·

The use of geolocation systems in company fleets and vehicles has become widespread as an operational management tool: route optimisation, delivery time monitoring, vehicle security and proof of service rendered are all legitimate and common purposes. However, when an employee drives the vehicle, position data becomes personal data subject to Regulation (EU) 2016/679 (GDPR) and, in Spain, to article 90 of Organic Law 3/2018 (LOPDGDD). Failure to comply with these rules exposes the company to sanctions under article 83 of the GDPR and may also result in the invalidity of evidence obtained in employment proceedings.

What is fleet geolocation and why does it fall under the GDPR?

An onboard GPS system in a company vehicle continuously or periodically records the vehicle's geographic position, speed, stops made and, in some cases, driving behaviour. When that vehicle is assigned to an identified or identifiable employee, the data generated are personal data within the meaning of article 4.1 of the GDPR: they relate to an identifiable natural person through their link to the vehicle or device.

Processing covers the collection, storage, consultation and analysis of that data by the employer. Each of these operations requires a valid legal basis under article 6.1 of the GDPR, compliance with the transparency principle (arts. 13 and 14 GDPR) and application of the data minimisation principle (art. 5.1.c GDPR). In the employment context, the LOPDGDD adds a specific layer of protection through its article 90.

At Summum Consultoría we help companies align their geolocation systems with the applicable regulatory framework, reviewing the legal basis, information procedures and retention periods.

Legal basis for processing: art. 6 GDPR and art. 90 LOPDGDD

The employer cannot rely on the employee's consent (art. 6.1.a GDPR) as the primary legal basis for geolocation. The reason is structural: the relationship of dependency inherent in the employment contract means that consent cannot be freely given, specific and unambiguous as required by article 7 of the GDPR. The AEPD has repeatedly affirmed this position in various enforcement decisions.

The applicable legal bases are, depending on the specific purpose:

Article 90 LOPDGDD: the specific provision for workplace geolocation

Article 90 of Organic Law 3/2018 is the provision that expressly governs the use of geolocation systems in the employment context. It states that "employers may process data obtained through geolocation systems for the purpose of exercising the employee monitoring functions provided for in article 20.3 of the Workers' Statute", but imposes two cumulative obligations in paragraph 2, to which a cross-cutting limitation derived from the proportionality principle and the right to digital disconnection is added:

  1. [Art. 90.2 LOPDGDD] Prior, express, clear and unambiguous notification to employees and, where applicable, to their legal representatives of the existence and characteristics of the system.
  2. [Art. 90.2 LOPDGDD] Notification of how employees may exercise their rights of access, rectification, restriction of processing and erasure in relation to the geolocation system.
  3. [Art. 88 LOPDGDD + art. 5 GDPR] Respect for the employee's right to privacy outside working hours, pursuant to the right to digital disconnection (art. 88 LOPDGDD) and the principles of proportionality and data minimisation (art. 5 GDPR), in accordance with AEPD criteria.

The first two obligations derive directly from article 90 LOPDGDD; the third constitutes an equally enforceable cross-cutting limit. The absence of any of these requirements invalidates the processing from the outset.

Obligation to inform employees before activating GPS

Prior information is the indispensable prerequisite for any workplace geolocation system. The company cannot limit this communication to a generic clause in the employment contract; there must be a specific, comprehensible notice provided before the processing begins.

This information must be provided at two levels:

What the information clause must include

In addition to the elements already required by article 13 of the GDPR in any information clause (identity of the controller, purposes and legal basis, recipients, retention period and exercise of rights), the geolocation clause must specify:

Lawful purpose and the minimisation principle

Article 5.1.b of the GDPR requires that personal data be collected for specified, explicit and legitimate purposes and not processed further in a manner incompatible with those purposes. In the fleet geolocation context, this has direct implications for what the employer can and cannot do with the data.

Permitted uses

Prohibited or high-risk uses

Prohibition of surveillance outside working hours

The regulatory framework is categorical on this point: employers must respect the employee's right to privacy outside working hours. This requirement derives from the right to digital disconnection (art. 88 LOPDGDD), the principles of proportionality and data minimisation (art. 5 GDPR) and the AEPD's repeated enforcement criteria. The prohibition admits no exceptions on operational grounds. If the GPS system records position after the employee ends their shift and takes the vehicle home — a common practice in courier fleets, field technicians or sales representatives — the company must implement a technical solution that deactivates or anonymises tracking outside working hours.

Typical technical solutions include:

The AEPD has sanctioned companies that kept GPS active 24 hours a day when the vehicle security purpose did not justify that level of permanent surveillance over the employee.

Comparative table: geolocation in a company vehicle vs. personal mobile device

Aspect GPS in a company vehicle Geolocation app on the employee's personal phone
Usual legal basis Art. 6.1.b or 6.1.f GDPR + art. 90 LOPDGDD Art. 6.1.f GDPR, with reinforced balancing test; consent is not valid
Mandatory prior information Yes, before activating the system Yes, specifying the app's scope and the employer's access
Tracking outside working hours Prohibited (art. 88 LOPDGDD; arts. 5 and 6 GDPR) Prohibited; the personal nature of the device increases the risk
Level of intrusiveness Moderate: affects the vehicle, not a personal device High: potential access to other data on the device
Proportionality Easier to justify if there is a documented operational purpose Requires reinforced justification; preferable to provide a company device
Transfer to fleet platform (SaaS) Requires a data processing agreement (art. 28 GDPR) Requires a data processing agreement (art. 28 GDPR)

As a general rule, the AEPD recommends that, if a company needs to geolocate mobile devices, it should provide a corporate device dedicated to work and avoid installing tracking applications on the employee's personal phone. The minimisation principle reinforces this recommendation.

Data processors and contracts with fleet software providers

Most fleet management solutions (SaaS GPS tracking platforms) involve an external provider that stores and processes position data. That provider acts as a data processor within the meaning of article 4.8 of the GDPR, and the relationship must be formalised through a data processing agreement that meets the requirements of article 28 of the GDPR.

That agreement must ensure, among other things, that the provider:

If the provider processes data outside the European Economic Area, the appropriate safeguards under article 46 of the GDPR must also be in place (standard contractual clauses, adequacy decisions, etc.).

How long may position data be retained?

The principle of storage limitation (art. 5.1.e GDPR) requires that data not be retained for longer than necessary for the purpose that legitimised their collection. For fleet tracking data with an operational purpose, the minimisation logic points to short retention periods, typically a matter of weeks, unless a legal obligation imposes a longer period (for example, the digital tachograph in professional transport, whose retention period is regulated by specific rules).

An indefinite or excessively long retention period — months or years of position data without justification — is incompatible with the GDPR and exposes the company to AEPD enforcement decisions.

Data Protection Impact Assessment (DPIA) for large-scale geolocation systems

When the geolocation system involves systematic and large-scale monitoring of employees — for example, a logistics company with hundreds of drivers tracked in real time — the controller may be required to carry out a Data Protection Impact Assessment (DPIA) pursuant to article 35 of the GDPR. The lists of processing operations requiring a DPIA published by the AEPD expressly include the "systematic monitoring of employees".

The DPIA must document the processing purposes, assess necessity and proportionality, identify risks to employees and define the technical and organisational measures to mitigate them. It is not an administrative formality before the AEPD (unless the assessment concludes there is a high residual risk, in which case prior consultation under article 36 GDPR is required), but an internal accountability tool.

If your company operates a significant fleet and has not yet carried out this assessment, the GDPR compliance team at Summum Consultoría can guide you through the process, with particular attention to your sector context and the size of your organisation.

Frequently asked questions

Can the company activate GPS without first informing the employee?

No. Article 90 of the LOPDGDD requires that notification be prior, express, clear and unambiguous. Activating a geolocation system without having informed the employee — and, where applicable, their representatives — constitutes a GDPR infringement subject to sanctions under article 83, and the data obtained may be declared inadmissible in any subsequent employment proceedings if the employee challenges their use as evidence.

Is it lawful to track a company vehicle outside working hours?

As a general rule, no, when an identified employee is driving. The right to digital disconnection (art. 88 LOPDGDD) and the principle of proportionality (art. 5 GDPR), together with AEPD enforcement criteria, prohibit tracking that infringes the employee's right to privacy outside their working hours. The company may keep the GPS active for vehicle security reasons (protection against theft), but in that case the position data obtained outside working hours cannot be used to monitor the employee or as evidence of employment-related conduct. It is advisable to implement a technical solution that separates the two operating modes and to document this in the internal privacy policy.

What is the difference between monitoring the fleet and monitoring the employee?

Legally, when the vehicle is assigned to an identified employee, the distinction is blurred: the vehicle's position data is also the employee's position data. The company may justify fleet geolocation on legitimate operational grounds, but the fact that the data relate to an employee requires compliance with the safeguards of the GDPR and article 90 LOPDGDD. Case law from the Supreme Court and the Constitutional Court has recognised that the employer's management authority has limits in the employee's fundamental rights, including the right to privacy under article 18 of the Spanish Constitution.

What happens if the employee uses the company vehicle for private purposes with the company's authorisation?

If the company authorises private use of the company vehicle, processing geolocation data during that private use is prohibited, unless there is an absolutely justified purpose — such as location in the event of theft — and the employee has been expressly informed that the GPS will remain active during those periods as well. In practice, the safest legal approach is to deactivate tracking during authorised private use, or at least to establish that data obtained during those periods cannot be used for any employment-related monitoring. This configuration must be set out in the internal company vehicle use policy.