In a decision of 21 February 2023, the Disputes Chamber of the Data Protection Authority (“DPA”) assessed the legality of a geolocalisation system (also known as a “track & trace system”). The decision followed a complaint filed by an employee of a municipality after it appeared that a geolocalisation system had been installed in his service vehicle enabling the municipality to identify a work time fraud. The DPA ruled that processing geolocalisation data may be lawful if the appropriate legal basis is correctly determined and transparency obligations are complied with. This was not the case with the municipality, resulting in a reprimand.
The decision is set in the context of a dispute between an employee and the municipality where he was employed. Specifically, the municipality had established that the employee concerned had visited his private address, his mother’s address, a specific pub and some random streets during his working hours, thus allegedly committing a work time fraud.
The employee received a summary comparing the recorded working hours with the vehicle’s geolocalisation data. In response, the employee stated that he was not aware of the track & trace system and that the system was also not mentioned in the work rules. The employee therefore filed a complaint to the DPA.
The investigation showed that the geolocalisation policy had been in place since 2009 and an information note on the functioning of the system was communicated to municipality staff at that time. This internal service note mentioned the purposes for which the geolocalisation system was used as well as which data were processed through the system and who had access to the data.
Assessment of the DPA: lawfulness and transparency
Since the service note was issued before the coming into force of the General Data Protection Regulation (“GDPR”) in 2018, the service note did not specify the legal basis on which the municipality was basing the processing of track & trace data. The DPA therefore ruled that since the GDPR came into force, there was a violation of the lawfulness principle as no legal basis had been determined.
During the proceedings before the DPA, the municipality amended its policy and stipulated that the processing of geolocalisation data would be based on the legal basis of legitimate interest. The DPA disagrees with this legal basis and recalls that public authorities can only invoke the legal basis of legitimate interest in very limited cases. More specifically, the DPA considers that the appropriate legal basis for the municipality’s geolocalisation system is the necessity for the performance of a task carried out in the public interest (stressing that the public interest task does not have to be prescribed in a concrete legal norm but may result from a more general authorisation to act).
Moreover, in its assessment, the DPA refers by analogy to the recent European Court of Human Rights decision of 13 December 2022, in which it was ruled that the use of a track & trace system was limited to what was necessary since only geolocalisation data relating to professional travel in a company car (which could be used for both private and professional travel) were processed. Since the municipality indeed only processes data relating to professional travel within working hours with a company car and the data are limited to what is necessary, the DPA concludes that the municipality’s geolocalisation system constitutes less invasive interference than other methods of surveillance.
Regarding the transparency obligation, the DPA confirms the need for a separate geolocalisation policy and considers that the policy updated by the municipality contains all the necessary mentions (i.e., the legal basis, the purposes, the data processed, who has access in what way and the retention period). Moreover, the DPA considers that the mere fact that the municipality did not use the correct legal basis in the past does not necessarily make future processing unlawful. The DPA does add, however, that it was up to the municipality, as data controller, to check at the time that the GDPR came into force whether the geolocalisation policy needed to be updated. Since the municipality only made the update during the course of the proceedings, the DPA decided that the municipality could not demonstrate that it had taken the necessary measures to comply with the principles of lawfulness and transparency.
The municipality was only reprimanded for these breaches, since the DPA is not authorised to impose an administrative fine on public authorities.
Use of illegal geolocalisation systems as evidence for Labour Courts?
Although companies should ensure that track & trace systems are compliant with the GDPR in light of possible sanctions by the DPA, it is not excluded to use geolocalisation data as evidence before Labour Courts even if it was obtained in violation of the GDPR. The Labour Courts apply the principles of so-called Antigone jurisprudence to this end.
For example, in a judgment dated 10 May 2021, the Dutch-speaking Labour Tribunal in Brussels ruled in a case concerning a dismissal for serious cause of an employee for false reporting in the CRM system. The employer discovered the fraud based on GPS data, which were processed in violation of the GDPR (since the track & trace system was permanently active and there was insufficient transparency about the system). The Labour Tribunal ruled that the GPS data constituted illegally obtained evidence, but were nevertheless admissible as, in particular, the reliability of the evidence was not affected and the right to a fair trial was not compromised.
In a very recent judgment dated 4 November 2022, the Liège Labour Tribunal came to the same conclusion in another case concerning a dismissal for serious cause of an employee who claimed to have visited customers, but was found to have never been on site based on GPS data. The employer concerned had not communicated sufficient information about the functioning of the geolocalisation system to the staff, but the evidence was deemed admissible.
The introduction of a geolocalisation system is lawful if you base it on the correct legal basis (i.e., the legitimate interest in the private sector and the public interest in the public sector), the transparency conditions are met, the necessary technical and organisational security measures were taken, and the system is included in the register of processing activities. If the system already existed before the GDPR, the necessary measures must be taken to make it compliant with the GDPR.
Moreover, to the extent that a geolocalisation system involves monitoring employee data, conducting a data protection impact assessment (DPIA) is highly recommended.
The Claeys & Engels Data Protection team is ready to assist you in implementing or updating the track & trace policy in your company.
Ultimately, if track & trace data were already collected under violation of the GDPR, there is still a possibility that this data could be accepted as evidence by Labour Courts.