Heuking Kühn Lüer Wojtek

Update Data Protection / Update Compliance


No. 64 | No. 9 | 2019-08-26


The permissibility of GPS tracking from a compliance perspective
Alexa Finke, LL.M., Anna-Lena Glander


Strict data protection requirements apply to the use of location tracking systems both in the employment context and in cooperation with other companies. In its partial judgement from March 19, 2019, the Lüneburg Administrative Court ruled in compliance with the provisions of the General Data Protection Regulation and the new Federal Data Protection Act (BDSG) that unrestricted tracking of employee vehicles is impermissible. This ruling gives reason to examine the permissibility of the use of such systems from a compliance point of view: When using location tracking systems, companies must ensure that permission under data protection law exists for processing the location data of their employees or third parties. Otherwise, there is a risk of prosecution for the company due to breaches of data protection obligations.

In the case on which the judgement is based, the plaintiff, which operates a building cleaning company, had fitted its company vehicles, which are used for business and private purposes by its building supervisors, cleaners and caretakers, with GPS systems. The license plates of the vehicles, which could be used to identify the respective users, were recorded. Over an extended period of time, the location tracking systems stored every route traveled by the employees with start and end points, including the time taken and the status of the ignition. The employees could not switch the location tracking system on or off; the system could only be deactivated after work and before work with considerable effort.

The Lüneburg Administrative Court judged that the continuous recording of the position data of employees, including outside of working hours, is not consistent with applicable data protection law. In this case, such comprehensive processing of the tracking data could not be justified on the grounds of permission granted under Sec. 26 (1) BDSG, since data processing was not necessary for the purposes of the employment relationship. The obligation to keep a logbook is sufficient in such cases. The processing of the location data could also not be justified based on the permission given by consent according to Sec. 26 (2) BDSG, because the voluntary nature of the consent was not adequate. This was already absent because the controller failed to inform its employees about the comprehensive location tracking.

Consequences, including for subcontractor relationships

This case law is also applicable to controllers that process location data of natural persons outside of employee data protection. This applies in particular to companies that collect location data of the employees of their subcontractors. In the absence of an employment context, the controller does not have to measure the lawfulness of processing the location data in these cases on the basis of the permitted circumstances under Sec. 26 BDSG. Rather, it must base the data processing on a legal basis under Art. 6 (1) GDPR:

If – as will usually be the case – there is no legal obligation for location tracking and this is not necessary for the implementation of a contractual relationship between the controller and the persons whose location is being tracked, then only a legitimate interest according to point f) of Art. 6 (1) GDPR or consent pursuant to point a) of Art. 6 (1) GDPR may be taken into consideration as permitted circumstances. Since the consent is generally not a secure legal basis, as it can be revoked, and should serve only as a stopgap measure, companies usually have to prove a legitimate interest in location tracking, which is not outweighed by the interests and fundamental rights of the data subjects. In the context of such a balancing of interests, comparable arguments are incorporated as in the case of the balancing of necessity under Sec. 26 BDSG. Thus, the Lüneburg Administrative Court argued that there is no fixed need for the company to monitor tolerated private use of the vehicles and therefore interference in the data subject’s right to self-determination does not prevail over a legitimate business interest. Thus, the controller also cannot track locations without limitation under point f) of Art. 6 (1) GDPR.

Practical notes: For cases such as those described, the GDPR sets out fines for controllers of up to EUR 20,000,000 or, in the case of a company, up to 4% of the total worldwide annual turnover of the previous financial year. In order to avoid this risk, companies that process the location data of their employees or of third parties, such as employees of their subcontractors, are urgently advised, before using any tracking systems, to check in each case on what legal basis and to what extent they are allowed to track locations. The extensive monitoring also means the controller must carry out a data protection impact assessment in accordance with Art. 35 GDPR.


Authors


Alexa Finke, LL.M., is a lawyer at Heuking Kühn Lüer Wojtek and member of the practice group IP, Media & Technology.



Anna-Lena Glander is a lawyer at Heuking Kühn Lüer Wojtek and member of the practice group White Collar & Criminal Compliance.

Contact

T +49 211 600 55-168
F +49 211 600 55-160
E datenschutz@heuking.de

Visit our Website with focus on Data Protection Law:
Microsite Data Protection


T +49 211 600 55-215
F +49 211 600 55-210
E compliance@heuking.de

Visit our Website with focus on White Collar & Criminal Compliance:
Website White Collar & Criminal Compliance

Task Force Data Protection

Dr. Christian Appelbaum
Dr. Ubbo Aßmus
Dr. Felix Drefs
Alexa Finke, LL.M.
Regina Glaser, LL.M.
Torsten Groß, LL.M.
Maike Katharina Hinz
Britta Hinzpeter, LL.M.
Dr. Thomas Jansen
Dr. Philip Kempermann, LL.M.
Dr. Lutz Martin Keppeler
Dr. Markus Klinger
Michael Kuska, LL.M., LL.M.
Astrid Luedtke
Marcel Maybaum
Antje Münch, LL.M.
Dr. Søren Pietzcker, LL.M.
Dr. Wolfgang G. Renner, LL.M.
Dr. Dirk Stolz
Dr. Frederik Wiemer
Dr. Florian Winzer
Dr. Hans Markus Wulf





© 2019 Heuking Kühn Lüer Wojtek

PartGmbB von Rechtsanwälten und Steuerberatern*
Georg-Glock-Str. 4, 40474 Düsseldorf

* Data protection information / register details / list of partners: www.heuking.de
