If you are a fleet manager or a fleet management solutions provider, by now you have probably heard about the new General Data Protection Regulation or simply GDPR.
We have prepared this post to help you understand how it will affect SureTrack & TrustTrack, your fleet management solution from JabbaTalk.
What is the General Data Protection Regulation?
The General Data Protection Regulation (“GDPR”) is a comprehensive EU data protection law, which comes into effect on May 25, 2018. The GDPR expands the privacy rights of EU individuals, and places heightened obligations on companies that process EU personal data in the context of providing goods or services to those individuals.
The GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy.
When will GDPR be enforced/applied?
- GDPR will officially apply as of 25th May 2018.
- GDPR comes into force on the same day, i.e. 25th May 2018, in all EU member states.
What does the GDPR regulate?
The GDPR regulates the “processing,” which includes the collection, storage, transfer or use, of personal data about EU individuals. Any organization that processes personal data of EU individuals, including tracking their online activities, is within the scope of the law, regardless of whether the organization has a physical presence in the EU.
Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).
What is personal data?
Any information related to a natural person or "data subject" that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, physical location, medical information or a computer IP address to many other categories of personal data.
Is GDPR only applicable within the EU?
Despite being a European Union regulation, the GDPR has far-reaching implications for any business that has a global presence. In short, it impacts any business, EU-based or not, that has EU users or customers.
GDPR for service providers and end users
When it comes to service providers (fleet management solutions providers) and end users (their clients), the GDPR separates who is responsible for which information and processes. Here we answer the three most frequently asked questions about the roles of the service provider and the end user in the context of the GDPR.
What are a data controller and a data processor?
With respect to GPS tracking data collected by the service provider's devices, the service provider is considered to be the data processor, and the end user (client) of the service provider, on whose behalf the data is collected, is the data controller.
A controller is an entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
How and what personal data is processed?
The service provider by itself does not create any personal data. It only provides a platform (TrustTrack) on which its end users may enter, control and process their data. The service provider does not control what personal data is entered by the end user: the end user may enter data that is not considered personal data, or data whose nature is unknown to the service provider. However, since the data usually consists of the driver's name, position and location, the type of vehicle, its parameters, etc., the service provider treats all data provided by the end user as personal data, so that any potential personal data receives the maximum level of protection.
Who should inform drivers that their data is being tracked and collected with GPS devices?
The service provider does not create any data in its systems; it only provides a platform for its end users to collect and manage the data, i.e. the service provider is a data processor, as explained above. The service provider also has no direct contact with the end users' drivers. Thus the data controller, i.e. the end user of the service provider, is responsible for informing its drivers about the installed GPS tracking mechanisms and for implementing the other rights of data subjects. However, the service provider usually puts its best efforts into the implementation of the rights of data subjects where necessary and reasonably possible.
GDPR data protection principles
To understand the GDPR better, it is useful to know the data protection principles it sets forth.
- Lawfulness, fairness and transparency. Clause 1(a) of Article 5 of the GDPR requires that personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals;
- Purpose limitation. According to Clause 1(b) of Article 5 of the GDPR, personal data can only be obtained for "specified, explicit and legitimate purposes". Data can only be used for a specific processing purpose that the subject has been made aware of and for no other purpose without further consent.
- Data minimisation. According to Clause 1(c) of Article 5 of the GDPR, data collected on a subject should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”, i.e. no more than the minimum amount of data should be kept for specific processing.
- Accuracy. Clause 1(d) of Article 5 of the GDPR sets forth that data must be "accurate and where necessary kept up to date".
- Storage limitation. According to Clause 1(e) of Article 5 of the GDPR, personal data must be "kept in a form which permits identification of data subjects for no longer than necessary", i.e. data that is no longer required should be removed.
- Integrity and confidentiality. Clause 1(f) of Article 5 of the GDPR requires processors to handle data “in a manner [ensuring] appropriate security of the personal data including protection against unlawful processing or accidental loss, destruction or damage”.