The Portuguese Data Protection Authority (“CNPD”) approved, on October 28th 2014, an official guideline nº. 7680/2014, which establishes the general principles in respect of the processing of personal data as a result of the use of geolocation devices in a working environment.
This guideline intends to impose several obligations to companies and public entities, in order to guarantee the balance between business management and organization with the employee’s constitutional right to privacy. Geolocation devices are technological means which make it possible to know the geographical location of an object or a person. In a working environment, these devices are mainly used in vehicles, smartphones or laptops owned by the employer but available to the employee to perform his professional activity. The CNPD considers that the use of such geolocation devices represents processing of sensitive data stipulated in paragraph 2 of article 20 of the Portuguese Labour Code. This provision allows the employer to use means of remote supervision in the workplace being, for this reason, legitimate grounds for processing data. On the other hand, consent given by the employees does constitute valid grounds for processing this type of data. According to the above-mentioned guideline, geolocation data must be adequate, relevant and not excessive in relation to the purposes for which it was collected and will be processed. Geolocation is expressly prohibited for the following purposes:
- Performance control of the employee;
- Proof of compliance of contractual obligations;
- Ensuring compliance with road traffic legislation;
- Tracking the vehicle when it is being used for private purposes.
As for vehicles, CNPD has admitted processing data resulting from the use of geolocation devices in a working environment, with the following purposes
- Fleet management in external service – (i) external technical assistance or home assistance, (ii) goods distribution, (iii) passenger transportation, (iv) goods transportation and (v) private security;
- Goods Protection – (i) criminal investigation and goods recovery in case of theft, (ii) transportation of dangerous materials and (iii) high value materials.
Regarding smartphones and laptops, CNPD stated that the employer cannot use geolocation devices on these equipments nor access the information when available by telecommunications operators or install mobile applications on smartphones which activate GPS sensors. However, CNPD allows for the installation of MDM (Mobile Device Management) technologies in order to ensure the remote protection of companies’ information. This guideline also covers the situations of knowledge by the employer of criminal evidence resulting from the processing of sensitive data. In this case, CNPD has declared that this information can be used as grounds for criminal and disciplinary proceedings. The Employer must inform the employees of the existence of geolocation devices especially when these equipments are incorporated in cars, smartphones or laptops used by them to perform their work. Finally, controllers of sensitive data which intend to implement geolocation technology must notify CNPD by using a specific form available on http://www.cnpd.pt/bin/legal/forms.htm to obtain the authorization for such processing of sensitive data.