Track en trace systems in employees vehicles recent developments in case law of protection rules

There is no specific law on track & trace in Belgium, but employee tracking does raise questions under both privacy and data protection law.

A 2005 opinion by the Belgian Privacy Commission - the predecessor of the current Data Protection Authority - held that track & trace systems may be permissible if they comply with certain purposes (such as theft prevention or the optimization of routes or control of the professional use of the vehicle and the proper execution of the work regime).

Many companies aligned their track & trace policies with this opinion (which predates the GDPR) but in the meantime, there have been a number of recent rulings that provide further clarification on track & trace systems in terms of data protection, privacy and use as evidence in court.

1. Is the use of track & trace reconcilable with the GDPR (Belgian DPA, 21 February 2023)?

In a decision of 21 February 2023, the Belgian Data Protection Authority (“DPA”) assessed a complaint filed by an employee of a municipality after it appeared that a track & trace system had been installed in his service vehicle enabling the municipality to identify a work time fraud.

Specifically, the municipality had established that the employee concerned had visited his private address, his mother’s address, a specific pub and some random streets during his working hours, thus allegedly committing a work time fraud. The employee received a summary comparing the recorded working hours with the vehicle’s track & trace data. In response, the employee stated that he was not aware of the track & trace system and that the system was also not mentioned in the work rules. The employee therefore filed a complaint to the DPA.

The investigation showed that the track & trace policy had been in place since 2009 and an internal note on the functioning of the system was communicated to municipality staff at that time. This internal note mentioned the purposes for which the track & trace system was used as well as which data were processed through the system and who had access to the data.

Since the internal note was issued before the entry into force of the GDPR in 2018, it did not specify the legal basis on which the municipality was basing the processing of track & trace data. The DPA therefore ruled that from the moment the GDPR came into force, there has been violation of the lawfulness principle as no legal basis had been determined.

During the proceedings before the DPA, the municipality amended its policy and stipulated that the processing of track & trace data would be based on the legal basis of its legitimate interest. The DPA disagrees with this legal basis and recalls that public authorities can only invoke the legal basis of legitimate interest in very limited cases. More specifically, the DPA considers that the appropriate legal basis for the municipality’s track & trace system is the necessity for the performance of a task carried out in the public interest. For private sector companies, however, the legal basis of legitimate interest remains correct.

Regarding the transparency obligation, the DPA confirms the need for a separate track & trace policy and considers that the policy updated by the municipality contains all the necessary mentions (i.e., the legal basis, the purposes, the data processed, who has access in what way and the retention period). Moreover, the DPA considers that the mere fact that the municipality did not use the correct legal basis in the past does not necessarily make future processing unlawful. The DPA does add, however, that it was up to the municipality, as data controller, to check at the time that the GDPR came into force whether the track & trace policy needed to be updated. Since the municipality only made the update during the course of the proceedings, the DPA decided that the municipality could not demonstrate that it had taken the necessary measures to comply with the principles of lawfulness and transparency.

The municipality was only reprimanded for these breaches, since the DPA is not authorised to impose an administrative fine on public authorities.

2. Is the use of track & trace reconcilable with the right to privacy (European Court of Human Rights, 13 December 2022)?

The European Court of Human Rights recently assessed an employee’s right to privacy who was working as a medical representative for a pharmaceutical company in Portugal. This company permitted the use of the company vehicle for private journeys and journeys outside working hours, although the expenses associated with the mileage on private trips had to be reimbursed. The company vehicle was equipped with a track & trace system.

The pharmaceutical company dismissed the employee because the track & trace data showed that he had increased the distances travelled in a professional capacity, in order to reduce the proportion travelled on private trips at weekends and on public holidays and thus avoiding having to reimburse the corresponding amounts.

The European Court of Human Rights remarked that the employee had been informed about the installation of the track & trace system in his vehicle with the aim of monitoring the distances travelled in the course of his professional activity and on private journeys. The European Court of Human Rights considered that the Portuguese court had carried out a detailed balancing exercise between the employee’s right to respect for his private life and his employer’s right to ensure the smooth running of the company, taking into account the legitimate aim pursued by the company, namely the right to monitor its expenditure. Hence, the European Court of Human Rights decided that there had been no violation of the employee’s right to respect for his private life.

3. Is use of data from illegal track & trace system allowed as evidence before Belgian labour courts?

Although companies should ensure that track & trace systems are compliant with the GDPR and with the right to privacy, it is not excluded to use track & trace data as evidence before labour courts even if it was obtained in violation of the GDPR. The Belgian labour courts apply the principles of so-called Antigone jurisprudence to this end.

For example, in a judgment dated 10 May 2021, the Dutch-speaking Labour Tribunal of Brussels ruled in a case concerning a dismissal for serious cause of an employee for false reporting in the CRM system. The employer discovered the fraud based on GPS data, which were processed in violation of the GDPR (since the track & trace system was permanently active and there was insufficient transparency about the system). The Labour Tribunal ruled that the GPS data constituted illegally obtained evidence, but were nevertheless admissible as, in particular, the reliability of the evidence was not affected and the right to a fair trial was not compromised.

In a judgment dated 4 November 2022, the Liège Labour Tribunal came to the same conclusion in another case concerning a dismissal for serious cause of an employee who claimed to have visited customers, but was found to have never been on site based on GPS data. The employer concerned had not communicated sufficient information about the functioning of the track & trace system to the staff, but the evidence was deemed admissible.

Lauren Daniels
Attorney – associate Claeys & Engels