GDPR and Vehicle Tracking — What You Need to Know

Legal aspects of GPS tracking in your company. Employee consent, data retention, and controller obligations.

Lither Team

GPS tracking of company vehicles is legal under GDPR, but it must be done correctly. Getting it wrong risks fines of up to €20 million or 4% of annual global turnover. Here's a complete guide for fleet operators in the EU.

💡 Key Takeaway

Vehicle tracking is lawful under GDPR if you have a documented legitimate interest, inform employees clearly, minimize data, and store it on EU infrastructure.

Lawful Basis for GPS Data Processing

Vehicle tracking can be justified under "legitimate interest" (Art. 6(1)(f) GDPR) — protecting company assets, ensuring driver safety, optimizing delivery operations, and complying with tachograph regulations. However, you must conduct and document a Legitimate Interest Assessment (LIA) before activating tracking.

A well-implemented fleet GPS tracking system makes this straightforward by providing built-in privacy controls and audit trails.

Employee Notification Requirements

Drivers must be clearly informed before tracking begins. Your privacy notice should cover:

  • What data is collected (GPS coordinates, speed, ignition status)
  • Why it's collected (route optimization, safety, asset protection)
  • Who has access (fleet managers, dispatchers — named roles)
  • How long data is retained
  • How to exercise data subject rights (access, deletion, portability)

Data Minimization Principle

Only collect what you need. If the purpose is confirming delivery completion, you may not need second-by-second GPS pings. Configure your tracking system to collect the minimum data necessary for your stated legitimate purpose. Lither lets you adjust tracking frequency per vehicle or per use case.

Defining Data Retention Periods

GPS data should not be kept indefinitely. Define clear retention periods and implement automatic deletion:

  • Trip history: 90 days (sufficient for dispute resolution)
  • Driver behavior data: 6 months (for coaching programs)
  • Compliance records: 12 months (for tachograph audit trails)

Lither's platform includes configurable data retention policies with automatic purging — ensuring you never hold data longer than necessary.

EU Data Residency Requirements

If you track vehicles in the EU, the data should be stored in the EU. Transferring GPS data to US servers creates significant compliance risk under GDPR. Lither hosts all fleet data on European infrastructure (Hetzner, Frankfurt) — no data leaves the EU. Learn more on our security page and GDPR compliance page.

Practical GDPR Compliance Checklist

  1. ✅ Conduct and document a Legitimate Interest Assessment
  2. ✅ Issue a clear privacy notice to all tracked drivers
  3. ✅ Configure minimum-necessary tracking frequency
  4. ✅ Set automatic data retention and deletion policies
  5. ✅ Ensure data stays on EU infrastructure
  6. ✅ Implement role-based access controls for tracking data
  7. ✅ Maintain an audit log of who accessed what data
