Do You Track Company Vehicles by GPS?

The Supreme Court of Austria has recently issued a decision ordering an employer to compensate an employee for non-material damages in the amount of EUR 2,400.00 (approx. EUR 400.00 per month of monitoring), as the company vehicle used by the employee was equipped with a GPS monitoring system without an appropriate legal ground. The court held that the use of the GPS tracking system affected the employee’s privacy and thus created a basis for damage compensation.

“By using the GPS positioning system in the plaintiff’s company vehicle during his working hours (and leisure time), the defendant unlawfully and culpably (intentionally) encroached on the plaintiff’s private sphere, namely his very personal sphere of life. Since the intensity and extent of the violation also constituted a considerable violation of the plaintiff’s private sphere, the plaintiff was entitled to non-material damages under § 1328a Austrian Civil Code (ABGB).” (unofficial translation of the court decision into English)

Although this decision was rendered without applying the GDPR, since the employee was monitored in the period before the GDPR became applicable (i.e. before May 2018), it is certainly significant because of the reasoning the court set out in its rationale.

“[…] Thus, on the one hand, the interests of the employer, who in the employment relationship has a fundamental right to control the employees, but in addition, for example, also wants to secure and protect his property, and on the other hand, the interests of the employee in safeguarding his personal rights must be weighed against each other. The principle of proportionality has a regulatory function here. Personal rights may only be restricted to the extent that this is required by a legitimate interest of the employer in control. The most gentle – still effective – means must be chosen (9 ObA 23/15w Pkt 8. mwN; cf. RS0116695).” (unofficial translation of the court decision into English)

The court pointed out that the principle of proportionality applies when a technical monitoring measure is introduced, and that an employee’s privacy may be restricted only to the extent required by a legitimate interest of the employer.

Processing of employees’ data through GPS tracking system in the Republic of Serbia

A large number of employers in the Republic of Serbia have equipped their company vehicles with GPS tracking systems, for various reasons. Employers are often guided by safety reasons, i.e. to be able to establish the location of their property (vehicles) in the event of unauthorised use, but the installation of a GPS tracking system is also frequently motivated by the desire to monitor employees’ task performance, usually that of employees working in the field (e.g. sales representatives).

Like the processing of other types of data, this processing must also be based on one of the legal bases prescribed in Article 12 of the Law on Personal Data Protection (“LPDP”). Generally speaking, an employee’s consent would not be considered an adequate basis in this case. What is more, consent will rarely be a relevant basis for processing employees’ data, considering the “imbalance of power” that exists in every employment relationship. An employee is unlikely to be able to refuse consent without fear or imminent risk of consequences for his/her employment status (see e.g. guidelines of the European Data Protection Board: Guidelines 05/2020 on consent under Regulation 2016/679 or guidelines of the UK Information Commissioner’s Office: The Employment Practices Code). Such “consent” would not meet the criterion of voluntariness, i.e. it could not be considered freely given in terms of the LPDP.

Accordingly, an employer should consider whether the processing is necessary for the purpose of achieving his legitimate interests, and whether those interests are not overridden by the interests or fundamental rights and freedoms of the employee. If an employer bases processing on his legitimate interest, that interest must be clearly specified and defined, and the employee must be notified of it in line with the LPDP.

Data protection impact assessment in the Republic of Serbia

Under the LPDP, a controller is obliged, before processing begins, to assess the impact of the envisaged processing operations on personal data protection where it is probable that a certain form of processing, notably one using new technologies, and considering the nature, scope, circumstances and purpose of processing, would pose a high risk to the rights and freedoms of natural persons.

A by-law enacted by the Commissioner for Information of Public Importance and Personal Data Protection of the Republic of Serbia (“the Commissioner”) specifies a list of personal data processing operations that require a data protection impact assessment and the opinion of the Commissioner. Among other things, it stipulates that an impact assessment shall be carried out where an employer processes employees’ personal data by means of applications or systems for monitoring their work, movement, communications etc.

This means that data processing via a GPS tracking system requires a data protection impact assessment.

The impact assessment shall include at least:

  • A comprehensive description of the envisaged processing operations and the purpose of processing, including a description of the controller’s legitimate interest, if any;
  • An assessment of the necessity and proportionality of the processing operations in relation to the purpose of processing;
  • A risk assessment as regards the rights and freedoms of data subjects;
  • A description of the measures intended to address the risk, including protection mechanisms as well as technical, organisational and personnel measures aimed at protecting personal data and providing evidence of compliance with the LPDP, taking into account the rights and legitimate interests of data subjects and other persons.

If the controller has appointed a personal data protection officer (“DPO”), the controller is obliged to seek the DPO’s opinion on the impact assessment.

Having performed an impact assessment, and before personal data processing begins, the controller is obliged to request an opinion from the Commissioner.

Failure of the controller to perform the risk assessment and to request the Commissioner’s opinion constitutes a misdemeanor under the LPDP, for which the following fines may be imposed: from 50,000.00 to 2,000,000.00 dinars (legal entity), from 5,000.00 to 150,000.00 dinars (responsible person in a legal entity) and from 20,000.00 to 500,000.00 dinars (entrepreneur).

This article is exclusively informative and is not intended to provide legal advice.
If you need additional information, please contact us directly.

By Ivana Ruzicic, Managing Partner, PR Legal