For mobile workers, for instance technicians visiting clients, it’s common for the company car to have a track and trace system allowing the employer to monitor the location of the vehicle.
The way the system works can vary, but it’s generally used to organise work (assigning new tasks to a technician who’s in the neighbourhood), monitoring the employee’s performance (checking when the employee arrived and left a specific client) and to protect the car (by checking its location if it’s stolen).
But are these systems acceptable from an employment law point of view?
On 25 March 2025, the Belgian Privacy Authority gave a judgement that provides a good summary of the employer’s obligations in this area.
There is no specific legislation on GPS-monitoring of employees, contrary to for instance the collective bargaining agreement n° 68 of 16 June 1998 concerning the protection of privacy of workers when it comes to camera surveillance at work. But the general provisions of GDPR apply, so the track and trace system is assessed on the basis of these general requirements under GDPR.
This case concerned a technician going onsite to work on machines sold by the employer.
The first question the Privacy Authority examined was which legal basis the employer could invoke to justify processing personal data. The Privacy Authority concluded the employer could invoke several valid reasons, notably the invoicing of clients (who were paying per hour), efficiently planning the technician’s work, and monitoring the employee’s performance.
The second question was whether the processing of personal data was limited to necessary data. Here, the Privacy Authority pointed out that the invoked reasons were only relevant during working hours. The employer had set up the system so it registered only the data between 08:30 and 17:00 on work days. The Privacy Authority pointed out this didn’t fully align with the invoked justification. Sometimes, the technician worked after 17:00. The technician also couldn’t switch off the system manually, so data was collected for each day of the working week, even if the technician was on holiday or sick leave.
When it comes to the transparency requirement, the Privacy Authority concluded the employer didn’t fully comply with GDPR. While the employer had a policy informing employees of the track and trace system, the Privacy Authority thought this policy was incomplete and too vague. The policy didn’t clearly state that one of the objectives of the track and trace system was to monitor technicians’ performance.
The GDPR also requires that the people involved are informed about the categories of the personal data processed. The policy included a list of processed data, but added the list was not exclusive. The Privacy Authority ruled that this violated the transparency requirement under GDPR, as the employees couldn’t know which data would be processed by reading the policy.
Another aspect of the transparency requirement is that the people involved have to be informed about the period the processed data will be kept. The employer’s policy didn’t include information on this point, so this also infringed the GDPR. In the absence of any information on the retention periods, the Privacy Authority didn’t have to deal with the question of how long data collected through a track and trace system can be retained.
Written by Pierre Dion and Laurent De Surgeloose
