On 8 April 2021, the Luxembourg National Commission for Data Protection (CNPD) imposed a fine of EUR 2,800 on an employer whose use of geolocation devices violated the GDPR.
This decision offers extremely useful clarification on how the supervisory authority applies the provisions of the GDPR and the law of 1 August 2018 on the organisation of the National Commission for Data Protection and the General Data Protection Regime (the ‘Law of 1 August 2018’), and is an opportunity to give employers some practical recommendations.
Analysis of the decision
During March 2019, CNPD agents conducted an inspection on the premises of a company active in the provision of consulting, installation and maintenance services. The GDPR compliance check targeted the geolocation system for service vehicles that the company’s staff use to travel to clients. The company stated that it had implemented geolocation of service vehicles for the following purposes:
- geographical tracking;
- protection of company property and tracking of transported goods;
- optimal fleet management;
- optimisation of the work process;
- providing responses to customer complaints and providing proof of performance;
- invoicing of services;
- monitoring employees’ working time on the road.
At the end of the investigation phase, the employer was sent a list of GDPR breaches identified by the CNPD agents. Breaches of Articles 5, 13 and 32 of the GDPR were identified.
Excessive retention period of geolocation data (Article 5 GDPR)
The GDPR requires that the retention of data subject to processing be limited to the period strictly necessary to achieve its purpose. In this case, the employer had indicated to the investigators that geolocation data was kept for 12 months, for the purpose of billing for services provided by the employees. In fact, the oldest geolocation data was more than two years old. In addition, the 12-month retention period set by the employer only applied to the purpose of billing for services provided to customers.
The CNPD considered that by failing to provide a specific retention period for each of the purposes of the geolocation system, the employer had violated the retention limitation requirement of Article 5(1)(e) of the GDPR.
Incomplete information to users of service vehicles (Article 13 GDPR)
As a reminder, any data controller (in this case the employer) must provide a set of information to the individuals whose personal data it processes (e.g. employees, temporary staff, consultants, etc.). This information is listed exhaustively in Article 13 of the GDPR.
In this case, the company’s staff were informed about geolocation of the service vans by a sticker on the back of the vehicle. The sticker mentioned GPS monitoring. In addition, a notice stating that the vehicle was ‘equipped with a geolocation system’ was attached to the on-board documents for the service vehicle that were given to the employees.
However, the employer was unable to demonstrate that it had provided employees with all the information required by Article 13 of the GDPR, which should have included:
- the identity of the data controller;
- the purposes of the geolocation, or information on the rights of users (i.e. right of access, right of opposition, right of rectification, etc.).
As a result, the CNPD found that the provisions of Article 13 of the GDPR had been breached.
Unsecured access to geolocation data (Article 32 of the GDPR)
During the control operations, the CNPD agents noted that all the individuals authorised to access the geolocation system’s operating software used a common identifier and password for this purpose. In this decision, the CNPD issues a reminder of the importance of giving each person authorised to access geolocation data an access account and an individual identifier associated with a personal, confidential and periodically renewable password. The CNPD makes it clear that these are ‘minimum necessary security requirements’. As the employer had not adopted this approach, the access arrangements for the geolocation software were found to be in breach of the GDPR security of processing requirements.
An administrative fine is not an automatic sanction for a breach of the GDPR, so it is up to the authority to assess whether it is appropriate to impose one on the defaulting controller.
In this case, the imposition of a financial penalty was explained specifically by:
- The scale of the processing (number of people affected): 92 vehicles were geolocated and each vehicle was assigned to a specific employee.
- The fundamental and essential nature of the principles violated, that is: the limitation of the duration of data retention and the transparency of the information provided to data subjects (the violation of the security requirements for processing was not part of the justification for the fine).
The CNPD nevertheless took into account the following circumstances:
- the employer’s partial compliance with its obligation to inform staff about the processing of their data through the geolocation device;
- the non-deliberate nature of the offences committed and the employer’s good cooperation during the inspection;
- the corrective measures implemented by the employer in the interval between the inspection (March 2019) and the delivery of the decision (April 2021).
In view of the employer’s efforts to comply with the regulations and its good faith, the fine was set at EUR 2,800 instead of the EUR 4,000 recommended by the investigating officer. In addition to the administrative fine, the employer was ordered to correct the shortcomings found during the inspection and to provide evidence it had done so within two months of the notification of the decision.
Although at the time of writing this analysis the decision was still subject to appeal before the Administrative Court, it nevertheless allows some lessons to be drawn on the precautions any employer should take if it uses geolocation for equipment made available to its employees.
The main recommendations are summarised below.
Set an appropriate retention period for each of the purposes of the processing
First of all, it is important to remember that the retention period for the data should correspond to the duration that is strictly necessary to achieve the purpose concerned. Beyond this limit, the data must be rendered anonymous or deleted. Otherwise, the retention will be considered excessive and contrary to the GDPR. With this decision, the CNPD also specifies that an ‘appropriate and necessary’ retention period must be set for each of the purposes of the processing.
This means that if geolocation serves several purposes (e.g. monitoring of working hours, invoicing of services to customers, etc.) the employer must set a retention period for each of these purposes and inform the data subjects accordingly.
In any case, the employer should retain evidence that employees have had access to this information.
Limit the retention period for geolocation data to a maximum of two months
It follows from this decision that geolocation data may only be kept for longer than two months if the geolocation serves purposes other than mere geographical tracking of equipment, and those purposes justify a longer retention period.
This is particularly the case when the geolocation of vehicles is used to measure employees’ working time and to calculate their related remuneration; it must also be the only means available to the employer to achieve these objectives.
In this case, the data may be retained for the three years during which the employee is entitled to bring an action for payment of salary arrears (this three-year limitation period for the action for payment of wages is set out in Article L. 221-2 of the Labour Code and Article 2277 of the Civil Code).
Document the information provided to employees (and other individuals concerned)
This decision provided the CNPD with the opportunity to clarify that under the ‘accountability principle’, the employer must document the information on the geolocation system that it communicates to employees.
This means that even if oral communication is not in itself contrary to the requirements of the GDPR, the proof that this communication occurred must be documented. Furthermore, in order to combine the requirements of completeness, clarity, conciseness and accessibility of the information to be provided, the CNPD recommends adopting a ‘tiered’ approach.
In concrete terms, the first ‘level’ will aim to provide employees with the most important information concerning the geolocation system, that is: the identity of the data controller, details of the purposes pursued, information about their rights and finally any information that has a significant impact on the processing (e.g. use of profiling or automated decisions).
This first level of information could, for example, take the form of labels or pictograms affixed to the professional equipment subject to geolocation.
Individualise accounts and logins and configure access for authorised individuals
Each person authorised to access the personal data processed must have an account, identifiers and an individual authentication method. It is also always useful to remember that only individuals who need access to the data to perform their tasks should be allowed to do so.
Similarly, depending on the nature of the tasks, the level of access to personal data should be limited to a greater or lesser degree. For example, only those staff who are responsible for invoicing within the finance department should have access to billing data collected via the geolocation device and access to the geolocation software should not be granted to the entire finance department. In addition, these staff should not, for example, be allowed to access the geolocation data that is used for time tracking.
The employer should therefore ensure that the configuration of authorisations takes into account the actual needs of each user at all times.
Do not delay in initiating corrective measures and ensure active cooperation during the investigation
The decision shows that the employer’s proactive and serious efforts to comply with the regulations contributed significantly to mitigating the penalty imposed on it.
Indeed, at the end of the investigation phase, the head of the investigation proposed that the CNPD impose a fine of EUR 4,000; this was ultimately reduced to EUR 2,800. Employers are therefore strongly advised to implement corrective measures as early as possible in the investigation process, before the CNPD’s deliberations (for example by completing the information notice, deleting data whose retention period has been reached, etc.), and to cooperate fully with the investigative procedure.
Please note: at the date of writing this article, the time limit for the controller to appeal against the decision had not yet expired.