In a decision dated 25 March 2025, the Belgian Data Protection Authority (DPA) issued a ruling on the use of a geolocation system in a company car. In this decision, the DPA once again confirms the legitimacy of such a system and clarifies the established principles.
Facts
The case started with a complaint filed by an employee with the DPA regarding the allegedly unlawful use of a geolocation system by the employer. According to the employee, the system could not be disabled outside working hours or during holidays, he was not informed about its implementation, and he had not given consent for its use. The vehicle in question was used for both professional and private purposes.
The employer informed the DPA that the intended introduction of the geolocation system had been discussed during a meeting on site, but the employee concerned was not present. A written staff communication outlining the geolocation policy was then distributed to the employees present at that meeting. The absent employees (including the complainant) received the policy the following day.
Permissible purposes for geolocation
The DPA noted that the employer relied on the legal basis of “legitimate interest” for the processing of data via the geolocation system. In its decision, the DPA applied the so-called three-step test to assess whether reliance on this legal basis was justified: the purpose, necessity and balancing test.
Regarding the purpose test, the DPA found that the employer used the geolocation system for various purposes. The geolocation policy listed the following objectives: (i) simplifying registration and administration for billing and time tracking for post-calculation, (ii) gaining insight into routes taken, (iii) tracking departure and arrival times, (iv) reducing (fuel) costs, (v) accurate accounting of hours worked, (vi) providing evidence for clients, (vii) increasing safety, and (viii) reducing communication costs. The policy further stated that monitoring was technically possible through the system, but it was not the intended purpose.
However, the DPA concluded that the facts showed that the main purpose of the geolocation system was to monitor work performance and hours worked. The employer confirmed this during the hearing. Since this was not communicated in advance, the DPA found a breach of the purpose limitation principle.
Nevertheless, the DPA ruled that both the purposes listed in the policy and the monitoring of work performance and hours worked could constitute legitimate purposes for using a geolocation system.
No more data processing than necessary
With regard to the necessity test, the DPA confirmed that processing location data, mileage, start and end times, duration of travel, and stop times was necessary to safeguard the above-mentioned interests.
In this context, the DPA also addressed the issue of recording times. The employee claimed that the geolocation system operated 24/7 and could not be turned off outside working hours or during holidays. The DPA found that the processor offering the geolocation system continuously recorded data, but only transmitted the data collected during working hours to the employer.
The DPA considered that – in light of the objective of monitoring work performance – continuous data recording was disproportionate and also violated the principle of data minimisation. It emphasised that the system must be set up in such a way that it can be deactivated outside working hours. This means that not only must the employer be denied access, but the processor must also stop collecting data during those periods.
The DPA further stated that allowing employees to manually activate and deactivate the geolocation system is considered a best practice (particularly for employees with flexible schedules). At a minimum, the employer must be able to disable the geolocation tracking outside working hours.
However, the DPA did not find a violation on this point, as it lacked a detailed overview of the data recording carried out by the processor.
With regard to the balancing test, the DPA considered that the geolocation system had only a limited impact on the data subjects. It therefore ruled that the employer was justified in relying on legitimate interest as a legal basis.
Transparency
Finally, the DPA identified several breaches of the transparency principle and related information obligations. Employees were not sufficiently informed about the purposes of the processing, the description of the legal basis lacked sufficient detail, the employer failed to list the categories of personal data in an exhaustive manner (referring vaguely to “et cetera”), and the retention periods were not specified.
The DPA also noted that it considers it a best practice for an employer to enter into an agreement with employees or to add an annex to the employment contract including all the information required under the GDPR. In our view, a detailed geolocation policy and an adapted employee privacy notice are sufficient.
Action point
When implementing or revising a geolocation system, every company must take into account the principles set out by the Belgian DPA. It is advisable for companies to develop a comprehensive geolocation policy that clearly explains the purposes of the system. Where the geolocation system is intended to monitor employees, companies should, as far as possible, provide employees with the option to deactivate the system outside working hours.
