Skip to content

Data protection and privacy protection

Taking data and privacy protection into account when implementing our services

ajoneuvo kojelauta 1

GPS trackers may be installed in company cars, but the data may not be used for any purpose.

An employer may install GPS trackers in company vehicles, as long as there is an approved basis for this. All purposes of use must be specified, and the data may not be used for purposes other than those specified. Vehicle tracking is so-called indirect tracking, because the purpose is not to locate a person but a vehicle.

Employees must be informed about the introduction of GPS trackers in company cars. In companies with at least 20 people, information must be provided through the co-operation consultation procedure. We also recommend transparency in the introduction of tracking devices. Good information, open discussion and listening to employees are the keys to a successful introduction.

Employees should be given the answers to at least these questions:

  • What information is collected?
  • For what purpose?
  • How is it treated?
  • Who gets the information?

Is it permissible to locate people, for example for the purpose of monitoring working hours?

If the purpose is to locate individuals, the employee's consent may be required, depending on the purpose of use. According to the Data Protection Commissioner, monitoring and tracking an employee's working hours using location tracking is possible "if the employee does his or her work entirely or mostly outside the employer's premises and there are no other means available to monitor working hours that are less privacy-infringing."

For example, can a company car be located for mileage reimbursement purposes?

Tracking a private car is also permitted, as long as there is an approved reason for this and the employee is able to place the GPS device out of the employer's sight. An approved reason may be that, for example, mileage reimbursement is paid based on tracking data.

For example, an employer may determine that mileage reimbursement is based on the use of a GPS tracker. An employee may refuse to take the device into their car, but in this case they are not entitled to mileage reimbursement and can deduct the expenses for work trips in their personal tax return.

In such cases, a device that plugs into the cigarette lighter or OBD connector can be used, which is easy to disconnect if necessary. Driving data can only be made visible to the driver himself, unless separate consent has been given to share it with the employer. The driver compiles work trips from the driving data for the employer.

Deploy the service correctly – define the acceptable use(s)

When implementing the service, an acceptable purpose must be set for it. There must be an acceptable legal basis for the processing of personal data in accordance with Article 6 of the General Data Protection Regulation. Processing is lawful only if and only to the extent that at least one of the following conditions for the purpose of use is met:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the data subject's request prior to entering into a contract;

c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

What uses have our customers defined?

The customer organization defines the purpose of use itself. Examples of purposes of use of Navicom's service:

  • Driving logbook for the tax authorities. Driving logs for company vehicles required by the tax authorities.
  • Monitoring of employee work trips. Mileage reimbursement based on data.
  • Safety: Possibility to check the location of the vehicle if the driver cannot be contacted and the employer suspects an accident
  • Billing. Billing customers based on kilometers or hours of use.
  • Vehicle maintenance data tracking. Electronic maintenance log. (kilometer or time-based reminders)
  • Route planning. Routes can be optimized by viewing route information.
  • Resource allocation: the closest vehicle can be directed to do the job.
  • Emissions data tracking. A company can track the emissions and consumption data of its vehicles.
  • Asset tracking. A company can track the location of its vehicles, which helps, for example, in investigating possible thefts.
  • Customer surveys and customer information. For example, in the event of a complaint, the customer can be informed when the vehicle has been in a certain location or traveled an agreed route.
  • Vehicle (and job) cost center allocations for project management

These are just examples. Choose the purpose of use according to your own business needs and make sure that it has an approved legal basis. The basis must be documented. It must not be too vague or broad.

Please note that the data cannot be used for purposes other than these predefined ones without informing the employees again. Of course, the new purpose must again be acceptable, i.e. there must be a legal basis for it.

Do I need to do an impact assessment?

The purpose of the impact assessment is to identify, evaluate and manage the risks associated with the processing of personal data. According to the General Data Protection Regulation, the processor must prepare an impact assessment before starting the processing of personal data. Location data in the electronic driving logbook can be considered personal data even if a separate driver log is not in use, because in practice the driver is always known using other means.

Navicom can assist the customer with the impact assessment if necessary. Ask us for a pre-filled impact assessment Excel template.

Read the guidelines for preparing an impact assessment on the website of the Office of the Data Protection Ombudsman. You can also download a blank Excel template from the website: https://tietosuoja.fi/vaikutustenarviointi

What are data protection principles?

The processing of personal data must comply with the principles set out in Article 5 of the General Data Protection Regulation, which are:

1. legality, reasonableness and transparency

2. purpose-specification

3. data minimization

4. punctuality

5. storage restriction

6. Integrity and confidentiality

Read more here: https://tietosuoja.fi/tietosuojaperiaatteet)

More information:

https://tyosuojelu.fi/tyosuhde/oikeudet-ja-velvollisuudet-tyossa

https://www.finlex.fi/fi/laki/ajantasa/2004/20040759

https://www.finlex.fi/fi/laki/ajantasa/2018/20181050

http://www.finlex.fi/fi/laki/ajantasa/2007/20070334

https://eur-lex.europa.eu/legal-content/FI/TXT/?uri=CELEX%3A32016R0679

https://tietosuoja.fi/organisaatiot