
CNPD — Vehicle geolocation: what the 2023–2025 guidance requires

The CNPD updated its vehicle geolocation guidance. Key points: structured legitimate interest, purpose limitation, off-duty deactivation, dual transparency and DPIA.

The CNPD updated its guidance on geolocating vehicles made available to employees (PDF dated 22/02/2023; page updated on 10/04/2024) and confirmed in 2024–2025 that the update stands and a practical factsheet is available. Core takeaway: legitimate interest does not cover everything and proportionality is assessed purpose by purpose. See the CNPD pages and the news notice.

The case

  • Authority: Commission nationale pour la protection des données (CNPD), Luxembourg.
  • Fact: publication and ongoing maintenance of the “Guidelines on geolocating vehicles made available to employees” (22/02/2023; page last updated 10/04/2024) with a practical factsheet (news 27/02/2023, update 05/06/2025). PDF: guidelines.
  • Scope: legal bases (notably GDPR art. 6(1)(f)), transparency (arts. 12–13), purpose limitation/minimisation (art. 5(1)(b)-(c)), DPIA (art. 35), and Luxembourg Labour Code L.261-1/L.261-2 (collective information and criminal sanctions). References: lawfulness and workplace surveillance.

Two standout points:

  • Ban on repurposing geolocation data beyond the initial purpose (e.g., anti-theft setup cannot later serve disciplinary control). See necessity and proportionality.
  • Mandatory off-duty deactivation when private use of the vehicle is allowed. See CNPD clarifications.

Legal reasoning

1) Legal basis: legitimate interest (GDPR art. 6(1)(f))

Consent is rarely valid in an employer–employee context (power imbalance). The CNPD favours legitimate interest, subject to a three-step test (interest – necessity – balancing) with adequate safeguards. See lawfulness and EDPB consent guidance (05/2020): EDPB 5/2020. Update: EDPB Guidelines 1/2024 detail necessity and balancing (public consultation closed 20/11/2024): EDPB 1/2024 announcement.

2) Purpose limitation and minimisation (art. 5(1)(b)-(c))

Use GPS data only for explicit purposes (route optimisation, driver safety, anti-theft) and only as strictly necessary. Re-use for speed/route disciplinary control is prohibited if not planned and justified. See CNPD – proportionality.

3) Transparency (arts. 12–13)

Provide individual information to employees and display visible notices in each vehicle (pictogram/notice). The notice must cover legal basis, purposes, retention, recipients, data subject rights and the off-duty deactivation mechanism. See transparency requirements.

4) Luxembourg labour law (L.261-1/L.261-2)

Geolocation is “monitoring” under the Labour Code: prior collective information of staff representation is required, separate from GDPR information duties, with criminal penalties for non-compliance. See CNPD – surveillance.

5) DPIA (art. 35)

EDPB criteria (systematic monitoring, vulnerability of employees due to subordination) often trigger a mandatory DPIA. A vendor’s DPIA can inform your own but never replaces it. Ref.: DPIA – CNPD. Also note EDPB guidance (17/01/2025) on pseudonymisation: EDPB 2025 news.

What this changes in practice

  • Legal basis: favour legitimate interest with a structured LIA (objective, necessity, balancing, mitigating measures: private mode, non-continuous refresh, restricted access, logging). See EDPB 1/2024.
  • Purpose fencing: clearly separate “security/anti-theft”, “logistics optimisation” and “client contractual requirements”, each with its own settings, permissions and retention. See proportionality.
  • Off-duty deactivation: provide a physical/app switch or “private” mode with technical proof that positions are neither collected nor traceable during private periods.
  • Governance and social dialogue: inform/consult staff representation and document the step (minutes, memo). See Labour Code obligations.
  • DPIA and security: encryption at rest/in transit, logical separation by purpose, profiled access, bounded retention (e.g., 30 days unless incident), regular testing, and processor contracts (art. 28). See DPIA – CNPD.

Examples

  • B2B fleets: legitimate interest for route optimisation; 2–5 minute refresh, no off-hours tracking, 30-day deletion, aggregated/anonymous reporting.
  • Assigned vehicles with private use: mandatory “private mode” disabling collection; clear vehicle notice + display.
  • High-risk anti-theft: legitimate interest for asset security; restricted Security/Insurance access, anomaly-triggered alerts, no disciplinary use.
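An added illustration, not code from the CNPD guidance or from Luxgap, of how the controls listed above (purpose fencing with per-purpose access and retention, a collection gate that records nothing while private mode is on or outside duty hours, bounded retention with an incident exception) can be enforced in a telematics back end. The purposes, roles, the 07:00–19:00 duty window and the coordinates are constructed values for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Purpose fencing: each declared purpose has its own permitted roles and retention
# (constructed values; "disciplinary" is deliberately not a declared purpose).
PURPOSES = {
    "anti_theft": {"roles": {"security", "insurance"}, "retention_days": 30},
    "logistics":  {"roles": {"dispatch"},              "retention_days": 30},
}
DUTY_HOURS = (7, 19)  # assumed duty window 07:00-19:00 for the example

@dataclass
class Position:
    vehicle: str
    at: datetime
    lat: float
    lon: float
    purpose: str
    incident: bool = False  # positions tied to an incident outlive normal retention

def collect(vehicle, at, lat, lon, purpose, private_mode):
    """Collection gate: no position is stored off duty or while private mode is on."""
    if purpose not in PURPOSES:
        raise ValueError(f"undeclared purpose: {purpose}")
    if private_mode or not (DUTY_HOURS[0] <= at.hour < DUTY_HOURS[1]):
        return None  # nothing is recorded, so nothing is traceable afterwards
    return Position(vehicle, at, lat, lon, purpose)

def can_access(role, purpose):
    """Profiled access: a role only reads data of the purposes it is fenced to."""
    return purpose in PURPOSES and role in PURPOSES[purpose]["roles"]

def purge(store, now):
    """Bounded retention: drop positions past their purpose's limit unless flagged as incident."""
    keep = []
    for p in store:
        limit = timedelta(days=PURPOSES[p.purpose]["retention_days"])
        if p.incident or now - p.at <= limit:
            keep.append(p)
    return keep

def demo():
    now = datetime(2025, 3, 3, 10)
    private = collect("V1", datetime(2025, 3, 3, 9), 49.61, 6.13, "logistics", True)
    off_duty = collect("V1", datetime(2025, 3, 3, 22), 49.61, 6.13, "logistics", False)
    on_duty = collect("V1", datetime(2025, 3, 3, 9), 49.61, 6.13, "logistics", False)
    stale = Position("V1", datetime(2025, 1, 1, 9), 49.61, 6.13, "anti_theft")
    flagged = Position("V1", datetime(2025, 1, 1, 9), 49.61, 6.13, "anti_theft", True)
    kept = purge([stale, flagged, on_duty], now)
    return private, off_duty, on_duty, kept == [flagged, on_duty], can_access("hr", "disciplinary")
```

The collection gate is the technical proof the article asks for: private-period positions never reach storage, so there is nothing to restrict access to or delete later.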

Next steps

To frame your LIA/DPIA, GDPR compliance and social dialogue, consider a certified DPO mandate and review local expectations via our GDPR Luxembourg overview.

Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.
