Authors: Heidi Waem and Simon Verschaeve
On 21 February 2023, the Litigation Chamber of the Belgian Data Protection Authority ruled on a case relating to the lawfulness of a geolocation tracking system for employee vehicles used by a public authority. The decision not only sets out the conditions for the use of such systems, but also includes interesting considerations of the Litigation Chamber on the interpretation of the ‘public interest’ legal basis of article 6.1(e) GDPR.
Facts of the case
The case at hand resulted from a complaint by an employee, who was informed by the employer, a public authority, that time registration fraud had been established on the basis of a comparison between the registered time and the geolocation data of the employee’s professional vehicle. During working hours, the employee visited home and other family members’ addresses as well as a pub. The employee claimed to have been unaware of the vehicle tracking, as no information about the system was included in the work regulations.
Public interest as a legal basis
The decision contains several noteworthy considerations. First, it rejects legitimate interest (article 6.1(f) GDPR) as a legal basis for processing vehicle tracking data by public authorities. It refers to article 6.1 GDPR in fine that excludes the possibility for public authorities to rely on legitimate interest for processing carried out “in the performance of their tasks” and concludes that the vehicle tracking system falls within the relevant authority’s tasks.
Second, the decision clarifies the scope of the “public interest” legal basis of article 6.1(e) GDPR:
- Processing “necessary for the performance of a task carried out in the public interest or in the exercise of official authority” needs to be interpreted in a broad sense (which is rather uncommon in GDPR terms).
- It also includes processing necessary for the performance of tasks that are “directly linked to” the public interest task. This includes for example HR management processing activities carried out by the body vested with the public interest task.
- By referring to a recent judgement of the ECtHR (Florindo de Almeida Vasconcelos Gramaxo v Portugal), the Litigation Chamber also accepted that in this specific case the installation of a tracking system for professional vehicles (enabled only during working hours and processing only required data types) was ‘necessary’ for safeguarding the public interest, in particular in preventing fraud and the proper management of public funds.
The decision refers to and confirms earlier guidance of the Knowledge Center (which is another division of the Belgian Data Protection Authority – guidance in Dutch or French) that contained a similar reasoning on HR management processing activities with regard to data sharing between public authorities. While the decision confirms that under Belgian law, a public authority can in principle only rely on a legal obligation or public interest as a legal basis for processing personal data, unlike the guidance of the Knowledge Center, it does not reiterate that in exceptional circumstances one of the other legal bases of article 6.1 GDPR can also be relied on. Instead, it only refers to the exceptional use of the legitimate interest basis. The decision could therefore also be interpreted as further restricting the use of consent (article 6.1(a) GDPR) and contract (article 6.1(b) GDPR) for public authorities, although this is not entirely clear.
Third, the decision also clarifies the conditions of article 6.3 GDPR. In this case, the public authority was required under Belgian law to ‘establish measures and procedures concerning its organisation to ensure that it operates efficiently, utilises its resources proficiently and prevents fraud’, without explicitly defining how this should be done in concrete terms (and without any reference to vehicle tracking measures).
To comply with article 6.3 GDPR, the Litigation Chamber does not require “precisely defined obligations or legislative provisions, which lay down the essential characteristics of processing”. It seems to accept that processing takes place “on the basis of a more general authorisation to act” in which case the measures can be taken – and the necessary processing lawfully carried out – to the extent necessary to carry out that public interest task. Where a controller relies on a legal provision that does not concretely define the necessary processing operations, it is up to the controller to verify (and be able to demonstrate) that the processing is “necessary for the public interest task and the interests of data subjects”.
Track & trace policy
Aside from the legal basis for geolocation tracking, the decision also assessed other elements of the tracking system to eventually conclude that it could be used in a GDPR compliant manner.
In particular, the decision takes into account that the updated track and trace policy of the controller:
- contains all elements required to comply with the GDPR’s transparency obligations (including in any case information on the legal basis);
- describes that consultation of the vehicle tracking data will only be possible by a limited number of people defined in the policy; and
- states that vehicle tracking data will only be consulted if there is a concrete reason to do so.
At the same time, an infringement of the GDPR’s accountability and data protection by design obligation was found as the controller could not demonstrate that it had previously – upon the entry into application of the GDPR in May 2018 – updated its existing track and trace policy, recommunicated the policy to the data subjects and obtained the data subjects’ acknowledgement of receipt of the updated policy. The decision therefore also contains a clear reminder that all pre-GDPR compliance documentation should have been updated by now to avoid sanctions.
The full decision can be consulted here (in Dutch).