When you understand the importance of regular vehicle monitoring and the economic aspects it involves, it is almost impossible to do without telematics tools for their geolocation of professional vehicles. However, in the era of GDPR, the stakes are by definition higher. The essential question is therefore the following: How to install a geolocation solution (or real-time vehicle tracking) All in compliance with the legal requirements imposed by the GDPR?
If you are a fleet manager, you know that this topic is vast, complex but vital for your business. Here, then, is the essential information to know on this subject!
Geolocation of professional vehicles: what is it and why?
Geolocation is a system used to track a vehicle in real timeIt is based on a device installed in the vehicle, which communicates automatically with nearby relay antennas, without intervention from the driver.
The data generated by these devices is increasingly valuable and plays a key role in fleet management. Many companies are now adopting these solutions to optimize the monitoring and maintenance of their vehicles.
Concretely, real-time monitoring of professional vehicles can help businesses to improve their efficiency, save money and gain a clear view of their fleet's performance. For example, a fleet management solution that uses vehicle geolocation – such as the one offered by SoFLEET – allows you to know the exact location of each vehicle with precision. This can be used to optimize routes, reduce fuel consumption and, consequently, limit CO₂ emissions.
But, be careful ensure GDPR compliance ! Especially in the context of personal use of the professional vehicle. It is in your best interest to do the distinction between business and personal journeys.
Geolocation and vehicle fleets: what does the GDPR say?
According to the General Data Protection Regulation (GDPR), Companies have the right to adopt, at their discretion, remote monitoring of their fleet. This practice has become easier since May 25, 2018 (date of entry into force of the GDPR), because the declaration of a geolocated professional vehicle is no longer mandatory with the CNIL. By default, the basic rules of the GDPR necessarily apply to geolocation. Therefore, a fleet manager must:
- Ensure that data is clearly identified and that their typology is listed and organized in the company register;
- Ensure that only authorized persons have access to this data;
- For each data collected, including those obtained in addition to the vehicle position, ensure that they are well defined and used only for the initial purposes;
- Ensure that this data is perfectly secure.
Duty to provide reasons
Before equipping a fleet with a real-time tracking tool, the context must be defined, and especially the objectives for which it will be intended. The installation of this type of device must be motivated by very specific objectives to ensure its compliance with the GDPR in the event of an audit and to promote its acceptance by workers.
Credible justifications, under GDPR rules, are:
- Calculate working time for payment when nothing else can be applied.
- Optimize vehicle use.
- Establish a price list for a service involving transportation.
- Driver safety.
- Check that vehicles are used in accordance with the rules established by the company.
- A regulation or legislation related to the activity.
Except in cases authorized by regulations, the use of geolocation is not permitted, and employees may object to it.
For fleet managers looking for an efficient and standards-compliant solution, SoFLEET's geolocation solution is an option to consider. Simple and reliable to use, it complies with current regulations, with the possibility of deactivating geolocation to focus only on useful indicators such as fuel consumption.
Obligation to raise awareness and provide information
For the GDPR, employers, fleet managers and managers must inform:
- Unions and staff representatives;
- Each employee personally.
It is essential to organize awareness raising to inform employees about the legal basis for installing a telematics solution. This communication must include mandatory and specific information, such as:
- The reasons for the implementation place of such a device (the reasons mentioned above and, if possible, elaborated more specifically);
- The person within the company who will be the owner and user of this solution (e.g. fleet manager, administrative manager, etc.);
- The time during which the data will be retained;
- The possibility of rejection by the employee for reasons provided by law;
- Accessibility and modification of information at any time by the employee and the right to contest by filing a complaint.
To avoid employee frustration, it is essential to clearly explain the reasons that led the company to make this choice. Indeed, presenting things in a rational manner promotes better understanding and easier acceptance.
Obligation to limit the duration of data retention
As with any personal data, Data collected by geolocation can only be stored temporarily, depending on their specific purpose. In addition, the employer is required to record the use of geolocation data in the part relating to the processing of information concerning its activity.
Accountability, governance and transparency
The GDPR's liability provisions require fleet managers to: systematically document their decisions. For data processing under the best conditions, the following two concepts of the GDPR must be taken into account.
DPIA (Data Protection Impact Assessment)
Article 35 of the GDPR requires the conducting a Data Protection Impact Assessment (DPIA). This analysis is one of the cornerstones of an organization's accountability. It will lead it to design data processing that is not only respectful of privacy, but also capable of demonstrate compliance with the General Data Protection Regulation.
A DPIA is mandatory for processing likely to generate high risks for the rights and freedoms of natural persons. The CNIL provides professionals with free data protection impact analysis software to simplify and structure these analyses.
Privacy by design
The key principle of “Privacy by design” is, as its name suggests, toensure maximum possible data protection from the very beginning of system design (telematics or fleet management). As a result, no additional data protection will be necessary at a later stage.
GPDR-info.eu
