GPS Tracking Legal Compliance: GDPR, Employee Consent & Fleet Guidelines

GPS tracking of fleet vehicles is legal across the European Union — but only when implemented correctly. The General Data Protection Regulation (GDPR)...
The legal basis for tracking fleet vehicles
Under GDPR, processing personal data — which includes GPS location data linked to identifiable drivers — requires a lawful basis. For fleet vehicles, the most commonly used legal basis is legitimate interest (Article 6.1.f): the company has a legitimate interest in knowing where its assets are, ensuring driver safety, optimizing operations, and complying with regulations. This basis applies clearly to company-owned vehicles used for business purposes. However, legitimate interest requires a balancing test: the company's interest must be weighed against the driver's right to privacy.
Employee notification and transparency
Regardless of the legal basis, GDPR requires transparency. Employees must be clearly informed that their vehicles are tracked, what data is collected, why it is collected, how long it is retained, who has access, and what their rights are. This information should be provided in a clear, written tracking policy — not buried on page 47 of an employment contract. Best practice is a standalone vehicle tracking policy document that employees acknowledge in writing before tracking begins. The policy should be written in plain language, not legal jargon.
What you can and cannot track
Fleet tracking is permissible during working hours for business purposes. Tracking outside working hours is the most legally sensitive area. If the vehicle is used exclusively for business, continuous tracking is generally acceptable because the vehicle should not be driven outside of work. If employees are allowed to use fleet vehicles for personal purposes (a common perk in corporate fleets), tracking during personal use raises serious privacy concerns. The French data protection authority (CNIL) and the Spanish AEPD have both ruled that tracking must be limited to working hours when vehicles have dual business-personal use.
Data retention and deletion requirements
GDPR Article 5.1.e requires that personal data be kept only as long as necessary for the purpose for which it was collected. For GPS position data, most data protection authorities recommend a retention period of 60 days for operational purposes — long enough to investigate incidents, resolve disputes, and analyze route efficiency, but not so long that you are building permanent movement profiles of your drivers. Trip summaries (without detailed route polylines) can be retained longer for billing and business analysis, typically up to one year.
Practical compliance checklist
To ensure your fleet tracking is legally compliant, follow this checklist.
1. Document your legal basis (typically legitimate interest) and complete a Legitimate Interest Assessment (LIA) or Data Protection Impact Assessment (DPIA) if required by your national authority.
2. Create a clear, standalone vehicle tracking policy.
3. Notify all drivers in writing before tracking begins and obtain acknowledgment.
4. Configure your tracking system to respect working hours and privacy modes if vehicles have personal use.
5. Implement automatic data retention and deletion aligned with your documented retention schedule.
Fletaro: GPS fleet management software with remote access