A personal datum like any other
The position of a vehicle driven by an employee is personal data under the GDPR (Regulation (EU) 2016/679). Collecting it is legitimate to optimise routes or prove an intervention, but it follows precise rules that France's CNIL has restated and updated.
Retention periods
The CNIL sets strict periods for geolocation data:
- 2 months in principle;
- Up to 1 year when used to optimise routes or prove interventions carried out;
- Up to 5 years when used for working-time tracking.
Beyond that, keeping journeys amounts to excessive surveillance.
The driver's rights
The employee must be informed of the geolocation, be able to access data concerning them (dates, journeys), and above all switch off location outside working hours. Geolocation must not be used to assess individual performance without an explicit framework.
Best practices
- Define a clear purpose (optimisation, safety, proof) and stick to it;
- Inform in writing (note, addendum) and display the privacy policy;
- Disable tracking off-duty and limit access to the data;
- Configure compliant retention periods.
The dropfleet approach
dropfleet is built to respect this framework: configurable retention periods, a "privacy" mode for the driver, and clearly bounded optimisation purposes. Real time serving operations, not surveillance.
- An employee's position = personal data (GDPR)
- CNIL retention: 2 months, 1 year (optimisation/proof), 5 years (working time)
- The driver must be able to switch off location off-duty
- Written information and a clear purpose are mandatory
Compliant tracking, by design. Try dropfleet free for 14 days — no credit card, ready in 5 minutes.
Sources
This article is based on verifiable public sources: