Can the company geo-reference me during work?

Taking into account the technological advances that are offered in the market for the business environment, the use of geolocation for labour control of employees, allowing the employer to geolocate and know the location in real time of their workers, is one of the services that are being used more frequently by companies.

From the point of view of data protection regulations, geolocation data are considered personal data, since they refer to an identified or identifiable individual, and all the rights and obligations established in the RGPD and the LOPDGDD must be complied with.

In this sense, Article 90 of the LOPDGDD and 20.3 of RDL 2/2015 of the Workers’ Statute authorize the employer to use these geolocation systems for labour control of employees, allowing them to adopt labour surveillance and control measures, with the objective of verifying compliance with the labour obligations and duties of the workers, provided that they are exercised within the applicable legal framework.

In this regard, the Spanish Data Protection Agency (AEPD) itself states in the Guide to Data Protection in Labour Relations, and in several Supreme Court rulings (of October 26, 2017, Rec. 966/2006; of October 6, 2011, Rec. 4053/2010 and of June 21, 2012, 5259/2012) that, if this type of tool is used for labour control, certain issues must be taken into account, apart from all the obligations of the RGPD, for its implementation in the company, such as:

  • To inform workers in advance, expressly, clearly and unequivocally, in accordance with Articles 13 and 14 of the RGPD, of the existence and characteristics of the geolocation devices or applications.
  • Inform about the exercise of the rights of access, rectification, restriction of processing and erasure that the workers have.
  • The control of geolocation must comply with the constitutional principle of proportionality (suitability, necessity and proportionality)
  • The geolocation must be used exclusively during working hours, taking into account the right to digital disconnection, and therefore allowing the deactivation of the location of the geolocation application.
  • Likewise, the stored data must be kept only for the strictly necessary time.
  • Finally, it is important to highlight the convenience of carrying out a Data Protection Impact Assessment of the whole process in order to guarantee the privacy and security of the personal data processing carried out by the company.

We therefore understand that, in addition to the general obligations of the data protection regulations, the issues highlighted above by the AEPD and the rulings of the Supreme Court are specifically complied with, the labour control by means of geolocation of the employees will be lawful, being able to be used for labour management and for their position as evidence for possible disciplinary sanctions in the event of non-compliance with the same by the worker.

It is also important to highlight the need or not, to have the prior consent of the worker for the processing of such data. We understand that the legitimizing basis of article 6.1.b of the RGPD can be applied, since the treatment is within the labour scope and protected by article 20.3 of the RDL 2/2015 of the Statute of Workers, therefore we can conclude that it is not necessary, and that the treatment will be lawful as long as it is carried out for the management of the labour relation.

Finally, it should be good to bear in mind that labour control by means of geolocation cannot be disproportionate or excessive, if the limits set out above are not respected, since the workers private life may be affected if they are permanently located or outside of the working day or during rest periods. In these cases, we therefore understand that fundamental rights would be violated, both to privacy and data protection of the worker, hence the need for the Impact Assessment in terms of Data Protection established by the data protection regulations, which guarantees a safe processing of the georeferencing data of the worker.

AEPD. Guide on data protection in labour relations (http://www.bono-che.es/resources/guia_relaciones_laborales2009.pdf).

AEPD. Guide to the General Data Protection Regulations for data controllers (https://www.aepd.es/sites/default/files/2019-12/guia-rgpd-para-responsables-de-tratamiento).

Carlos Mogrovejo Riofrío.

Comments are closed.

A partir del 01-01-2024 DATA PRIVACY OUTSOURCING & INFORMATION TECHNOLOGY LAW S.L. (DPO&IT LAW) se ha integrado en el despacho de abogados de Club Legal Asesores Internacionales, S.L. (CLUB LEGAL) con el propósito de fortalecer nuestras capacidades actuales y ofrecerles nuevos servicios relacionados con cualquiera de las áreas de práctica legal y jurídica que pueden ver en https://www.clublegal.es/

X