CNPD — Employee vehicle geolocation: 2 months by default, DPIA often required
CNPD clarifies: retention “2 months by default,” no tracking outside working hours if private use is allowed, and DPIA when there is regular/systematic monitoring. Measures to implement immediately.
Latest CNPD update (10/04/2024): employee vehicle geolocation remains possible but tightly constrained: retention “in principle” limited to two months, no tracking outside working hours when private use is allowed, and a DPIA is often required. For local support, see our page on GDPR Luxembourg compliance.
The case
On 10 April 2024, the Luxembourg Data Protection Authority (CNPD) updated its page “Guidelines on geolocation of vehicles made available to employees,” with a practical factsheet. The file clarifies:
- no prior authorization is needed since the GDPR became applicable (25 May 2018), yet all GDPR obligations still apply (records art. 30, legal basis art. 6, information art. 13/14, security art. 32, etc.);
- retention periods “in principle” capped at two months, with narrowly framed exceptions;
- tracking is prohibited outside working hours when private use of the vehicle is allowed;
- scenarios where a DPIA (art. 35 GDPR) is required.
See the CNPD page “Vehicle geolocation” (last updated: 10/04/2024) and its thematic sub‑pages. (cnpd.public.lu)
The sub‑page “Necessity and proportionality” (updated 15/04/2021) sets practical boundaries: geolocation data may not be used for disciplinary purposes beyond the initial purposes (e.g., speed monitoring, unless a legal obligation) and permanent employee tracking is prohibited. It also details retention, including “2 months by default” and, if—and only if—geolocation is the sole means to verify working time, “3 years.” (cnpd.public.lu)
Finally, the “DPIA” sub‑page (updated 27/02/2023) connects the impact assessment obligation with the CNPD’s national list (art. 35(4) GDPR), notably where geolocation leads to regular and systematic monitoring of employees. (cnpd.public.lu)
Legal reasoning
- Legal basis and GDPR framework. The CNPD recalls that the employer, as controller, must record geolocation in the register (art. 30 GDPR) and select a lawful basis (often legitimate interest, art. 6(1)(f), demonstrated via a documented balancing test). Prior authorization under the 2002 law is gone, but GDPR fully applies. (cnpd.public.lu)
- Luxembourg specific rule: Labour Code article L. 261‑1 governs processing “for monitoring purposes” in employment relationships. It imposes procedural conditions (information, consultation, etc.) and limits admissible purposes, without relieving GDPR requirements. CNPD provides a dedicated “Article L. 261‑1” page. (cnpd.public.lu)
- Necessity and proportionality. Geolocation must be “as minimally intrusive as possible” and restricted to strictly necessary purposes. Examples: (1) if the purpose is anti‑theft, data cannot be repurposed to control routes, speed or assess performance; (2) if private use is allowed, activation outside working hours is prohibited and the employee must be able to disable the device. (cnpd.public.lu)
- Retention periods. The CNPD states:
  - maximum 2 months in principle;
  - up to 3 years only if geolocation is the sole means to verify working time (relevant civil limitation period);
  - 1 year for invoicing evidence if no other proof is possible;
  - beyond that, only in case of an incident and transfer to a competent authority, or in anonymized form. (cnpd.public.lu)
- DPIA (art. 35 GDPR). The CNPD refers to WP29 “DPIA” Guidelines (WP248 rev.01), endorsed by the EDPB on 25 May 2018, and to its national list (art. 35(4)): “regular and systematic monitoring of employees’ activities,” where it produces legal or equivalent effects, requires a DPIA. In practice, geolocation for working time control or discipline typically triggers a DPIA. (cnpd.public.lu)
What changes in practice
- Decide “admissible” purposes and segregate them technically. Typical acceptable purposes: fleet optimization, dispatching, proof of services/invoicing, asset security (anti‑theft). Prohibited: secondary use to assess performance or sanction if not the original purpose. Enforce access policies and usage logs, and lock reporting to prevent “HR/discipline” extracts. (cnpd.public.lu)
- Set up “outside working hours” governance. If private use is allowed: on/off button in the vehicle or a “private” mode in the app under the employee’s control; logs proving deactivation; a clear policy banning off‑hours collection. If the vehicle is strictly professional, document why continuous tracking is proportionate (e.g., night courier, sensitive goods) and restrict access. (cnpd.public.lu)
- Align retention to “2 months by default,” with narrow exceptions. Configure tools to purge identifiable traces within 60 days; exceed 1 year (invoicing) or 3 years (sole means for working time) only with written justification, reinforced access controls and an updated record; anonymize beyond that for statistics. (cnpd.public.lu)
In parallel, formally assess the DPIA if your purpose involves regular/systematic employee monitoring, following WP248 and the CNPD list; involve the processor (telematics provider) under article 28(3)(f) GDPR to obtain technical details on security, minimization and retention settings. (cnpd.public.lu) To accelerate compliance, our DPO mandate and managed CISO services can help.
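As an added example (not CNPD or Luxgap code), the retention rules above applied to constructed telematics records: anything captured in private mode is purged, records stay identifiable only within their purpose's ceiling or while an incident file is open, and everything else is anonymised for statistics. The `Trace` fields, purpose labels and the anonymisation step are assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

# Retention ceilings taken from the CNPD factsheet discussed on this page.
RETENTION = {
    "default": timedelta(days=60),                         # 2 months in principle
    "invoicing": timedelta(days=365),                      # proof of services, no other evidence
    "working_time_sole_means": timedelta(days=3 * 365),    # sole means to verify working time
}

@dataclass(frozen=True)
class Trace:                      # assumed record layout of a telematics export
    vehicle_id: str
    driver_id: Optional[str]      # None once anonymised
    ts: datetime
    lat: float
    lon: float
    purpose: str = "default"      # a key of RETENTION
    private_mode: bool = False    # device switched to "private" by the employee
    incident_ref: Optional[str] = None  # set when a file is handed to an authority

def anonymise(t: Trace) -> Trace:
    """Drop the employee and vehicle link and coarsen the position (constructed
    choice; adequacy of this step is something the DPIA has to assess)."""
    return replace(t, driver_id=None, vehicle_id="", lat=round(t.lat, 2), lon=round(t.lon, 2))

def apply_retention(traces, now):
    """Sort traces into keep / anonymised / purge according to the rules above."""
    out = {"keep": [], "anonymised": [], "purge": []}
    for t in traces:
        if t.private_mode:
            out["purge"].append(t)          # off-hours data must not be stored at all
        elif t.incident_ref:
            out["keep"].append(t)           # retained only for the open incident file
        elif now - t.ts <= RETENTION.get(t.purpose, RETENTION["default"]):
            out["keep"].append(t)           # unknown purposes fall back to 2 months
        else:
            out["anonymised"].append(anonymise(t))
    return out

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed reference time
SAMPLE = [                                         # constructed telematics records
    Trace("LU-123", "emp-1", NOW - timedelta(days=10), 49.6116, 6.1319),
    Trace("LU-123", "emp-1", NOW - timedelta(days=90), 49.6116, 6.1319),
    Trace("LU-456", "emp-2", NOW - timedelta(days=200), 49.5, 6.0, purpose="invoicing"),
    Trace("LU-456", "emp-2", NOW - timedelta(days=400), 49.5, 6.0, purpose="invoicing"),
    Trace("LU-789", "emp-3", NOW - timedelta(days=700), 49.7, 6.2, purpose="working_time_sole_means"),
    Trace("LU-789", "emp-3", NOW - timedelta(days=1), 49.7, 6.2, private_mode=True),
    Trace("LU-123", "emp-1", NOW - timedelta(days=150), 49.6, 6.1, incident_ref="INC-0001"),
]

def summary():
    return {k: len(v) for k, v in apply_retention(SAMPLE, NOW).items()}
```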
Common pitfalls
- Confusing the “asset security” purpose with performance monitoring. Installing anti‑theft GPS does not authorize monitoring average speed, routes or sanctioning detours. The CNPD prohibits it. (cnpd.public.lu)
- Forgetting the “private mode” or off‑hours deactivation. If private use is possible, lacking an employee‑controlled deactivation mechanism is non‑compliant. (cnpd.public.lu)
- Over‑retention. Setting “12 months” for convenience breaches the 2‑month principle. Exceptions (1 year invoicing, 3 years sole means for working time) require documented justification. (cnpd.public.lu)
- Neglecting the DPIA. Projects for mobile time tracking, route optimization with scoring, or any regular systematic control frequently trigger a DPIA. Rely on WP248 (EDPB endorsement) and the CNPD list. (cnpd.public.lu)
- Overlooking the “L. 261‑1” labour framework. Employment‑relation obligations (individual information, consultation, etc.) add to GDPR requirements and cannot be ignored. (cnpd.public.lu)
Official sources
- CNPD — Guidelines: Geolocation of vehicles made available to employees (last update 10/04/2024): https://cnpd.public.lu/fr/dossiers-thematiques/surveillance/geolocalisation-vehicules.html
- CNPD — Necessity and proportionality; retention, prohibitions, examples (15/04/2021): https://cnpd.public.lu/fr/dossiers-thematiques/surveillance/geolocalisation-vehicules/necessite-proportionnalite.html
- CNPD — DPIA and geolocation; link to CNPD list art. 35(4) (27/02/2023): https://cnpd.public.lu/fr/dossiers-thematiques/surveillance/geolocalisation-vehicules/aipd.html
- CNPD — Labour Code Article L. 261‑1: “monitoring” framework under Luxembourg law: https://cnpd.public.lu/fr/dossiers-thematiques/surveillance/videosurveillance/article2611.html
- EDPB — Endorsement of GDPR WP29 guidelines (25/05/2018), confirming WP248 rev.01 (DPIA): https://www.edpb.europa.eu/news/news/2018/endorsement-gdpr-wp29-guidelines-edpb_en
In short: in Luxembourg, vehicle geolocation is possible but tightly bounded. “2 months by default,” the ban on off‑hours tracking when private use is allowed, and the DPIA for any regular/systematic monitoring are explicit CNPD expectations. For implementation support, contact our certified DPO.
Luxgap regulatory expertise article.