Vehicle Geo-Location and Employer-Employee Relations - 4 October 2011...
Vehicle Geo-Location and Employer-Employee Relations - 4 October 2011 
[doc. web n. 2444921]
Vehicle Geo-Location and Employer-Employee Relations - 4 October 2011
The Italian data protection authority,
Having convened today in the presence of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Daniele De Paoli, Secretary General;
Having regard to the Personal Data Protection Code (decree no. 196 dated 30 June 2003);
Having regard to official records;
Having regard to the considerations made by the Secretary General pursuant to Article 15 of the Italian DPA´s Rules of Procedure no. 1/2000;
Acting on the report submitted by Mr. Mauro Paissan;
1. Vehicle Geo-Location Systems As Used to Meet Organisational or Production Requirements or to Ensure Occupational Safety and Their Interaction with Personal Data Protection Legislation
1.1. Systems for locating and communicating (also in real time) one´s positioning are installed increasingly on board vehicles that are used by public and private employers to meet organizational and production requirements, ensure occupational safety in connection with the provision of transportation services, or to perform additional tasks. These developments are impacting on the possibility to locate the employees the vehicles have been allocated to.
The data on vehicle location are (directly or indirectly) associated with the relevant employees; accordingly, they should also be regarded as personal data relating to the said employees (section 4(1)b. of the Code), which means that the provisions contained in the Code are applicable to the processing of this information. This holds true also if the vehicle location data are not matched immediately by the information system with the names of the relevant employees, given that an employer – i.e. the data controller – can usually identify which vehicle has been allocated to which employee (see, in this regard, the Opinion no. 5/2005 of 5 November 2005 on the use of location data to provide value-added services by the Article 29 Working Party, WP115 – p. 10; see also their Opinion no. 4/2007 on the concept of personal data, WP136 – p. 11).
Conversely, data protection legislation is not applicable if information on fleet management such as per-vehicle fuel consumption or distance traveled (usually aimed at effective maintenance planning) is processed in such a way as not to be traced back to the individual employees.
1.2. As regards processing operations that are performed by way of the systems in question as part of an employer-employee relationship to meet organizational or production requirements or to ensure occupational safety, the Italian DPA has already issued several decisions in connection with both prior checking applications and supervisory exercises (see decisions no. 1703103 of 18 February 2010, no. 1763071 of 7 October 2010, and nos. 1828371 and 1828354 of 7 July 2011).
Other European supervisory authorities have also addressed this issue; lastly, the Article 29 Working Party stated, in its Opinion no. 13/2011 on geo-location services on smart mobile devices (WP185 of 16 May 2011, p. 15), that "The employer must always […] avoid continuous monitoring and […] vehicle tracking devices are not staff tracking devices. Their function is to track or monitor the location of the vehicles in which they are installed. Employers should not regard them as devices to track or monitor the behaviour or the whereabouts of drivers or other staff, for example by sending alerts in relation to speed of vehicle." Furthermore, taking account that "Consent as a legitimate ground for processing is problematic in an employment context", the Working Party pointed out that "Instead of seeking consent, employers must investigate whether it is demonstrably necessary to supervise the exact locations of employees for a legitimate purpose and weigh that necessity against the fundamental rights and freedoms of the employees. In cases where the necessity can be adequately justified, the legal basis of such a processing could be based on the legitimate interest" of the controller (pursuant to Article 7(f) of Directive 95/46/EC).
1.3. In the light of the above circumstances, the Italian DPA considers it appropriate to determine, in a general perspective, under what conditions it is lawful to carry out the said processing operations to meet organizational or production requirements or to ensure occupational safety as part of the employer-employee relationship; in particular, this decision is meant to perform the so-called balancing of interests as regards the issues in question – similarly to what the DPA did in the past via its Resolution no. 13 dated 1 March 2007 concerning "Guidelines for the Use of E-Mail and the Internet at the Workplace", see in particular point 7 thereof – and lay down appropriate measures with regard to the data processing operations at issue under the terms of Section 154(1)c. of the DP Code.
2. Lawful Processing of Geo-Location Data: Balancing of Interests
2.1. Generally speaking, personal data must be processed lawfully (section 11(1)a. of the DP Code) by having also regard to sector-specific legislation (see Article 10 of EC Regulation no. 561/2006 of 15 March 2006 on the harmonization of certain social legislation relating to road transport and amending Council Regulations (EEC) no. 381/85 and (EC) no. 2135/98 and repealing Council Regulation (EEC) no. 3820/85).
2.2. As regards the issues addressed herein, determining the location of vehicles (and accordingly employees) at a given time by way of location systems may nevertheless prove helpful to meet organizational or production requirements or to ensure occupational safety. The objectives in question may apply, for instance, if the systems at issue are implemented to meet logistics requirements – e.g. to issue timely instructions to the driver of a geo-located vehicle - , work out driving reports in order to gauge the drivers´ working hours – and thereby calculate the respective wages, partly in order to fulfill the legal obligations arising out of the keeping of the Consolidated Job Register as per section 6 of Ministerial decree dated 9 July 2008 -, and/or calculate the charges to be made to one´s customers and achieve more effective management and maintenance of one´s car fleet – which may also prove beneficial in terms of occupational and public safety.
In the cases mentioned above, the provisions contained in section 4 of Act no. 300 dated 20 May 1970 ("Provisions to protect workers´ freedom and dignity, trade-union freedoms, and trade union´s activities at the workplace, and provisions on job placement") will have to be also abided by since vehicle location may give rise to the remote monitoring of employees; the latter provisions are actually referred to in Section 11(1)a. as well as in Sections 114 and 171 of the DP Code. In this connection, reference should also be made to the aforementioned decisions by this DPA and to the decree issued on 24 June 2004 by the Ministry for Labour and Welfare – Directorate General for the Protection of Occupational Conditions, Division IV concerning installation of satellite-based control systems on first-aid vehicles of a gas distribution company; see also the reply to a request lodged by the said Ministry on 28 November 2006 (no. 25/I/0006585) regarding location via palm-top devices allocated to pharmaceutical sales representatives.
2.3. Providing the safeguards laid down in section 4(2) of Act no. 300/1970 are implemented, private employers and profit-seeking public bodies may lawfully process non-sensitive personal data relating to location of their employees in order to meet organizational or production requirements or for occupational safety purposes, also without the data subjects´ consent, if any of the conditions referred to in section 24 of the DP Code is fulfilled or else by relying on this decision. Pursuant to the provisions concerning the so-called balancing of interests (section 24(1)g. of the DP Code), this decision is determining that there is a legitimate interest in processing the data at issue. In performing the said balancing, account was taken of the safeguards arising out of Act no. 300/1970 in respect to the remote monitoring of employees, whereby the data subjects´ consent is not required and either an agreement must be in place with trade union representatives or – failing this – an authorization must be granted by the geographically competent agency of the Ministry for Labour and Welfare.
2.4. As for public bodies, the different preconditions envisaged in the DP Code – by having also regard to whether sensitive or non-sensitive personal data is involved – are left unprejudiced (see sections 18 to 22 and section 112) subject to application of section 4 of Act no. 300/1970 (see section 42 of decree no. 165 dated 30 March 2001 on "General Provisions Applying to the Civil Service").
3. Relevant, Not Excessive Data
3.1. Only relevant, non-excessive data may be processed in order to achieve the purposes that are lawfully pursued by an employer (data controller); to that end, suitably configured systems shall be used (see section 3 of the DP Code) whilst the data may include the distance travelled, travelling time, fuel consumption, and average speed in addition to vehicle location. Conversely, any traffic speed violation shall have to be determined by the competent authorities.
To ensure compliance with the data minimization principle set forth in sections 3 and 11(1)d. of the DP Code, positioning of a vehicle should not be monitored continuously by the data controller; monitoring should only be performed if it proves necessary in order to achieve the purposes that the data controller is pursuing lawfully.
3.2. As for determining what personal data may be processed and for how long such data may be retained, section 3 of the DP Code shall be applicable generally – whereby "Information systems and software shall be configured by minimising the use of personal data and identification data, in such a way as to rule out their processing if the purposes sought in the individual cases can be achieved by using either anonymous data or suitable arrangements to allow identifying data subjects only in cases of necessity, respectively."
Taking also account of the principle whereby data must be relevant and not excessive (section 11(1)e. of the DP Code), the retention periods applying to the different categories of personal data must be proportionate to the individual purposes to be achieved in the specific cases.
This means that – without prejudice to the retention obligations laid down in Article 14(2) of EEC Regulation no. 3821/1985 – a data controller planning to rely on a location-based system also to keep the consolidated job register (as per section 6 of the relevant Ministerial decree dated 9 July 2008) may retain such personal data as is necessary for five years; the data shall only include the information to be entered in the register pursuant to section 39 of decree no. 112 dated 25 June 2008 (subsequently converted, with amendments, into Act no. 133 dated 6 August 2008). The latter requirement applies, in particular, to the data on employees´ presence and working hours (including extra time) and rest periods in compliance with the applicable legislation and the guidance issued by the Ministry for Labour regarding the "Vademecum" on the consolidated job register. Conversely, if the location data are only used to fulfill specific contractual requirements, they must be erased or made anonymous once the relevant requirements have been met.
4. Information Notice to Data Subjects
Employees shall have to be provided with the items of information listed in section 13 of the DP Code by having regard to the specific purposes to be achieved; detailed information shall also be provided on the data categories to be processed and the features of the relevant systems so as to clarify that the vehicles are being geo-located.
Given that the Italian DPA is empowered by section 154(1)c. of the DP Code to require data controllers to take appropriate measures to ensure that the relevant processing is compliant with personal data protection principles, any data controller relying on location systems that are installed on vehicles used for the performance of work shall also have to place stickers bearing the notice "VEICOLO SOTTOPOSTO A LOCALIZZAZIONE" [GEO-LOCATED VEHICLE] inside such vehicles; alternatively, they may rely on other visible notices to signal that the vehicle is being geo-located. To that end, the model shown in Annex 1 to this decision may also be used.
5. Data Processors and Persons in Charge of Processing Location Data
5.1. Under section 30 of the DP Code, vehicle location data shall only be processed by the persons in charge of this processing as determined by the data controller; such persons must be enabled to access the data in question, by having regard to the respective tasks, in order to fulfill the relevant obligations. This applies, for instance, to the staff in charge of managing logistics, inventory and maintenance, or human resources.
5.2. Since location data are processed as a rule by relying on entities that provide vehicle location and positioning transmission services and such entities are third parties vis-à-vis the data controller, it is necessary for them to be appointed as data processors in pursuance of Section 29 of the DP Code. Data controllers are required to instruct the said data processors as necessary with regard to the lawful use of the data they collect, which must serve exclusively the purposes set out in the agreement regulating the provision of location services; additionally, the data categories to be processed and the relevant retention mechanisms and periods must be determined.
5.3. The following requirements are left unprejudiced:
5.3.1. Processing of location data must be notified to the Italian DPA (see section 37(1)a. of the DP Code);
5.3.2. Any processing of location data that is not mentioned herein and may give rise to specific risks to fundamental rights and freedoms and/or the dignity of data subjects other than employees may be the subject of prior checking in pursuance of section 17(2) of the DP code.
BASED ON THE ABOVE PREMISES, THE ITALIAN DATA PROTECTION AUTHORITY
1. Under the terms of section 24(1)g. of the DP Code, authorizes hereby the processing operations described in the foregoing paragraphs pursuant to the provisions on the so-called balancing of interests. Accordingly, no consent shall be required from data subjects in this connection since private employers that rely on location and positioning systems installed on board vehicles to meet organizational, production and/or occupational safety requirements have a legitimate interest in processing location data relating to their employees – providing the requirements laid down in section 4 of Act no. 300/1970 are met and the agreement with trade unions´ representatives is sought beforehand or – failing this – the authorization by the geographically competent agency of the Ministry of Labour and Welfare is granted (see paragraph 2.3 above).
2. Under the terms of section 154(1)c. of the DP Code, requires hereby that public and private employers relying on location and positioning systems installed on board vehicles to meet organizational, production and/or occupational safety requirements:
a. Ensure, as a necessary measure, that vehicle location is not monitored continuously by the data controller in compliance with the data minimization principle, and that this is only done if it proves necessary in order to achieve the purposes legitimately pursued by the data controller (see point 3.1 above);
b. Ensure, as a necessary measure, that the retention periods applying to the various data categories to be processed are proportionate to the individual purposes that are to be achieved, in compliance with the principle whereby the data must be relevant and not excessive (see point 3.2 above);
c. Ensure, as a necessary measure, that any entities providing vehicle location and positioning transmission services are appointed as data processors in pursuance of section 29 of the DP Code and receive such instructions as are necessary with regard to the lawful use of the data they collect, which must only serve the purposes set out in the location services agreement, by also determining the data categories to be processed and the relevant retention mechanisms and periods (see point 5.2 above);
d. Ensure, as an appropriate measure, that a simplified information notice model is relied upon such as the one contained in Annex 1 hereto, to be used under the terms set out in the premises, in order to notify data subjects of the processing operations performed via the vehicle location system(s) (see point 4 above).
Done in Rome, this 4th day of the month of October 2011
THE SECRETARY GENERAL
See point 4 of the DPA´s decision for guidance on how to use this model notice.