Privacy & Information Security Law Blog

On September 14, 2010, a French Appeals Court in Dijon (the “Court”) upheld a decision against an employer that had terminated an employee who not only used a company car for personal reasons, but also committed serious traffic violations while using the vehicle.  The Court rejected evidence collected using a Global Positioning System (“GPS”) device embedded in the company’s vehicle on the grounds that the employer (1) had failed to register this data processing activity with the French Data Protection Authority (the “CNIL”) and (2) had not given proper notice to employees regarding the use of GPS devices in company cars.  Nevertheless, the Court ruled that the use of a geolocation device in the employment context does not necessarily constitute an invasion of an employee’s right to privacy, provided the employer complies with applicable laws.

In March 2006, the CNIL published a recommendation on the use of geolocation devices by employers, and issued a standard (“Norm 51”) regarding the processing of personal data by private and public organizations for the purpose of locating vehicles used by their employees.  Data controllers that self-certify to Norm 51 are exempt from having to register their data processing activity with the CNIL, but must either comply with the prerequisites described in Norm 51, or file the usual notification.

Companies using geolocation devices to track employees also must inform the employees individually, and must consult with the relevant Works Council before implementing tracking programs.  Pursuant to Article L.1222-4 of the French Labor Code, “no device may be used to collect personal information about an employee without giving him prior notice.”  In addition, the CNIL’s Norm 51 provides that employees must have the ability to deactivate geolocation devices if they continue to drive company vehicles after working hours.  Companies that do not comply with these requirements may face civil and criminal sanctions.