The use of geolocation systems in company fleets and vehicles has become widespread as an operational management tool: route optimisation, delivery time monitoring, vehicle security and proof of service rendered are all legitimate and common purposes. However, when an employee drives the vehicle, position data becomes personal data subject to Regulation (EU) 2016/679 (GDPR) and, in Spain, to article 90 of Organic Law 3/2018 (LOPDGDD). Failure to comply with these rules exposes the company to sanctions under article 83 of the GDPR and may also result in the invalidity of evidence obtained in employment proceedings.
What is fleet geolocation and why does it fall under the GDPR?
An onboard GPS system in a company vehicle continuously or periodically records the vehicle's geographic position, speed, stops made and, in some cases, driving behaviour. When that vehicle is assigned to an identified or identifiable employee, the data generated are personal data within the meaning of article 4.1 of the GDPR: they relate to an identifiable natural person through their link to the vehicle or device.
Processing covers the collection, storage, consultation and analysis of that data by the employer. Each of these operations requires a valid legal basis under article 6.1 of the GDPR, compliance with the transparency principle (arts. 13 and 14 GDPR) and application of the data minimisation principle (art. 5.1.c GDPR). In the employment context, the LOPDGDD adds a specific layer of protection through its article 90.
At Summum Consultoría we help companies align their geolocation systems with the applicable regulatory framework, reviewing the legal basis, information procedures and retention periods.
Legal basis for processing: art. 6 GDPR and art. 90 LOPDGDD
The employer cannot rely on the employee's consent (art. 6.1.a GDPR) as the primary legal basis for geolocation. The reason is structural: the relationship of dependency inherent in the employment contract means that consent cannot be freely given, specific and unambiguous as required by article 7 of the GDPR. The AEPD has repeatedly affirmed this position in various enforcement decisions.
The applicable legal bases are, depending on the specific purpose:
- Article 6.1.b GDPR (performance of a contract): when geolocation is necessary for the service agreed upon, for example in courier or transport companies where the route forms part of the task.
- Article 6.1.c GDPR (legal obligation): in cases where sector-specific regulation — transport of dangerous goods, digital tachograph, etc. — requires position recording.
- Article 6.1.f GDPR (legitimate interest): for purposes such as fleet management, vehicle security or logistics optimisation, provided the controller's legitimate interest prevails after weighing it against the employee's rights. This balancing analysis must be documented.
Article 90 LOPDGDD: the specific provision for workplace geolocation
Article 90 of Organic Law 3/2018 is the provision that expressly governs the use of geolocation systems in the employment context. It states that "employers may process data obtained through geolocation systems for the purpose of exercising the employee monitoring functions provided for in article 20.3 of the Workers' Statute", but imposes two cumulative obligations in paragraph 2, to which a cross-cutting limitation derived from the proportionality principle and the right to digital disconnection is added:
- [Art. 90.2 LOPDGDD] Prior, express, clear and unambiguous notification to employees and, where applicable, to their legal representatives of the existence and characteristics of the system.
- [Art. 90.2 LOPDGDD] Notification of how employees may exercise their rights of access, rectification, restriction of processing and erasure in relation to the geolocation system.
- [Art. 88 LOPDGDD + art. 5 GDPR] Respect for the employee's right to privacy outside working hours, pursuant to the right to digital disconnection (art. 88 LOPDGDD) and the principles of proportionality and data minimisation (art. 5 GDPR), in accordance with AEPD criteria.
The first two obligations derive directly from article 90 LOPDGDD; the third constitutes an equally enforceable cross-cutting limit. The absence of any of these requirements invalidates the processing from the outset.
Obligation to inform employees before activating GPS
Prior information is the indispensable prerequisite for any workplace geolocation system. The company cannot limit this communication to a generic clause in the employment contract; there must be a specific, comprehensible notice provided before the processing begins.
This information must be provided at two levels:
- Information to the employees' legal representatives (works council or staff delegates, if any), as required by article 90 LOPDGDD before deploying the system.
- Individual information to each affected employee, which may be provided through a specific contractual clause, an internal circular or a signed receipt.
What the information clause must include
In addition to the elements already required by article 13 of the GDPR in any information clause (identity of the controller, purposes and legal basis, recipients, retention period and exercise of rights), the geolocation clause must specify:
- What data are collected: GPS position, speed, stops, harsh driving or other parameters.
- How frequently and during what hours position is recorded.
- Which company personnel have access to the data (fleet manager, HR, management).
- How long the data are retained and the deletion criteria.
- Whether the data are disclosed to third parties (fleet software provider, insurer, client).
- What happens to geolocation outside working hours: whether the device is deactivated, whether the employee can switch it off manually or whether it remains active.
Lawful purpose and the minimisation principle
Article 5.1.b of the GDPR requires that personal data be collected for specified, explicit and legitimate purposes and not processed further in a manner incompatible with those purposes. In the fleet geolocation context, this has direct implications for what the employer can and cannot do with the data.
Permitted uses
- Fleet operational management: route assignment, journey optimisation, delivery coordination.
- Vehicle security: location in the event of theft or accident.
- Compliance with sector-specific regulations: tachograph, driving and rest times in professional transport.
- Proof of service: verifying that the employee was at the client's premises within the agreed time window.
- Working time monitoring, if this has been expressly communicated as a purpose.
Prohibited or high-risk uses
- Continuous tracking without a documented purpose: permanent position recording without operational justification infringes the minimisation principle.
- Surveillance outside working hours: expressly prohibited by article 90 LOPDGDD.
- Profiling of private behaviour: if the employee is permitted to use the vehicle outside work and the data allow inferences about meeting places, trade union activity or personal life, the processing violates privacy and may affect fundamental rights.
- Use as the sole means of disciplinary control without procedural safeguards: geolocation data may be used in disciplinary proceedings, but relying on them exclusively for sanctions without corroboration from other sources carries a risk of judicial challenge.
Prohibition of surveillance outside working hours
The regulatory framework is categorical on this point: employers must respect the employee's right to privacy outside working hours. This requirement derives from the right to digital disconnection (art. 88 LOPDGDD), the principles of proportionality and data minimisation (art. 5 GDPR) and the AEPD's repeated enforcement criteria. The prohibition admits no exceptions on operational grounds. If the GPS system records position after the employee ends their shift and takes the vehicle home — a common practice in courier fleets, field technicians or sales representatives — the company must implement a technical solution that deactivates or anonymises tracking outside working hours.
Typical technical solutions include:
- Automatic tracking cut-off when the employee clocks out in the working time recording system, resuming when they clock in the next day.
- Manual disconnection button for the employee, with a log of when it is activated and deactivated (to ensure it is not misused during working hours).
- Time-based geofencing: the system records only within a predefined schedule, ignoring any position outside that window.
The AEPD has sanctioned companies that kept GPS active 24 hours a day when the vehicle security purpose did not justify that level of permanent surveillance over the employee.
Comparative table: geolocation in a company vehicle vs. personal mobile device
| Aspect | GPS in a company vehicle | Geolocation app on the employee's personal phone |
|---|---|---|
| Usual legal basis | Art. 6.1.b or 6.1.f GDPR + art. 90 LOPDGDD | Art. 6.1.f GDPR, with reinforced balancing test; consent is not valid |
| Mandatory prior information | Yes, before activating the system | Yes, specifying the app's scope and the employer's access |
| Tracking outside working hours | Prohibited (art. 88 LOPDGDD; arts. 5 and 6 GDPR) | Prohibited; the personal nature of the device increases the risk |
| Level of intrusiveness | Moderate: affects the vehicle, not a personal device | High: potential access to other data on the device |
| Proportionality | Easier to justify if there is a documented operational purpose | Requires reinforced justification; preferable to provide a company device |
| Transfer to fleet platform (SaaS) | Requires a data processing agreement (art. 28 GDPR) | Requires a data processing agreement (art. 28 GDPR) |
As a general rule, the AEPD recommends that, if a company needs to geolocate mobile devices, it should provide a corporate device dedicated to work and avoid installing tracking applications on the employee's personal phone. The minimisation principle reinforces this recommendation.
Data processors and contracts with fleet software providers
Most fleet management solutions (SaaS GPS tracking platforms) involve an external provider that stores and processes position data. That provider acts as a data processor within the meaning of article 4.8 of the GDPR, and the relationship must be formalised through a data processing agreement that meets the requirements of article 28 of the GDPR.
That agreement must ensure, among other things, that the provider:
- Processes data only in accordance with the employer's instructions.
- Applies appropriate technical and organisational security measures.
- Does not disclose data to third parties without the controller's authorisation.
- Returns or destroys data at the end of the contractual relationship.
- Notifies the controller without undue delay of any security breach affecting fleet data.
If the provider processes data outside the European Economic Area, the appropriate safeguards under article 46 of the GDPR must also be in place (standard contractual clauses, adequacy decisions, etc.).
How long may position data be retained?
The principle of storage limitation (art. 5.1.e GDPR) requires that data not be retained for longer than necessary for the purpose that legitimised their collection. For fleet tracking data with an operational purpose, the minimisation logic points to short retention periods, typically a matter of weeks, unless a legal obligation imposes a longer period (for example, the digital tachograph in professional transport, whose retention period is regulated by specific rules).
An indefinite or excessively long retention period — months or years of position data without justification — is incompatible with the GDPR and exposes the company to AEPD enforcement decisions.
Data Protection Impact Assessment (DPIA) for large-scale geolocation systems
When the geolocation system involves systematic and large-scale monitoring of employees — for example, a logistics company with hundreds of drivers tracked in real time — the controller may be required to carry out a Data Protection Impact Assessment (DPIA) pursuant to article 35 of the GDPR. The lists of processing operations requiring a DPIA published by the AEPD expressly include the "systematic monitoring of employees".
The DPIA must document the processing purposes, assess necessity and proportionality, identify risks to employees and define the technical and organisational measures to mitigate them. It is not an administrative formality before the AEPD (unless the assessment concludes there is a high residual risk, in which case prior consultation under article 36 GDPR is required), but an internal accountability tool.
If your company operates a significant fleet and has not yet carried out this assessment, the GDPR compliance team at Summum Consultoría can guide you through the process, with particular attention to your sector context and the size of your organisation.
Frequently asked questions
Can the company activate GPS without first informing the employee?
No. Article 90 of the LOPDGDD requires that notification be prior, express, clear and unambiguous. Activating a geolocation system without having informed the employee — and, where applicable, their representatives — constitutes a GDPR infringement subject to sanctions under article 83, and the data obtained may be declared inadmissible in any subsequent employment proceedings if the employee challenges their use as evidence.
Is it lawful to track a company vehicle outside working hours?
As a general rule, no, when an identified employee is driving. The right to digital disconnection (art. 88 LOPDGDD) and the principle of proportionality (art. 5 GDPR), together with AEPD enforcement criteria, prohibit tracking that infringes the employee's right to privacy outside their working hours. The company may keep the GPS active for vehicle security reasons (protection against theft), but in that case the position data obtained outside working hours cannot be used to monitor the employee or as evidence of employment-related conduct. It is advisable to implement a technical solution that separates the two operating modes and to document this in the internal privacy policy.
What is the difference between monitoring the fleet and monitoring the employee?
Legally, when the vehicle is assigned to an identified employee, the distinction is blurred: the vehicle's position data is also the employee's position data. The company may justify fleet geolocation on legitimate operational grounds, but the fact that the data relate to an employee requires compliance with the safeguards of the GDPR and article 90 LOPDGDD. Case law from the Supreme Court and the Constitutional Court has recognised that the employer's management authority has limits in the employee's fundamental rights, including the right to privacy under article 18 of the Spanish Constitution.
What happens if the employee uses the company vehicle for private purposes with the company's authorisation?
If the company authorises private use of the company vehicle, processing geolocation data during that private use is prohibited, unless there is an absolutely justified purpose — such as location in the event of theft — and the employee has been expressly informed that the GPS will remain active during those periods as well. In practice, the safest legal approach is to deactivate tracking during authorised private use, or at least to establish that data obtained during those periods cannot be used for any employment-related monitoring. This configuration must be set out in the internal company vehicle use policy.