On 25 May 2018, the new European law on the protection of personal data, known as RGPD, came into force, reinforcing the obligation to inform users and requiring greater transparency regarding the use of such data. Be careful, because geolocation data, while not considered personal data, nevertheless fall under this definition if they concern directly identifiable or not natural persons. Consequently, companies using such geolocation information are obliged to comply with the new data protection rules.
RGPD and CNIL, two major data protection players
From the moment a company uses geolocation data of natural persons, whether directly identifiable or not, it is obliged to abide by the same rules as companies that use the personal data of their customers. Therefore, just like the latter, the processing of this data must be explicit and legitimate. That is to say, on the one hand, it must be announced in a transparent manner. On the other hand, the company must be able to justify the collection of this information.
In any case, the informed consent of the user must be obtained. Transparency requires that the company's reason for collecting the information be explained and that the consent of the person from whom the information is being collected be obtained.
In all cases, informed consent must be obtained from the user. Transparency requires the ability to explain why the company is retrieving the information, and to obtain consent from the person from whom the information is being collected.
- how long the data will be kept. It varies according to different scenarios. For example, the data in a customer file of a person who has been inactive for 36 months must be deleted. On the other hand, one can ask for the correction or deletion of one's data, and within a period of one month the company must be able to accede to this request. In addition, consent must be requested again each year. The retention of data does not only concern the business framework with its customers and prospects, but also employees and potential candidates within the company. The retention period is 5 years after the end of an employee's contract, but only 2 years for a candidate who was not selected during a job interview.
- the purpose of the collection, i.e. the reason for which the data are collected. In general, this information is used to improve internal processes, to better understand consumer behaviour, to establish attendance statistics, etc. and to offer more personalised services and products.
- the owner of this information.
- its rights with regard to the collection of this information. Whether it is of correction, opposition to the collection, access and thus consultation of the data collected, portability or deletion.
The Commission National Informatique et Libertés, CNIL, warns bad students and imposes heavy administrative fines on companies that have not implemented practices that comply with the data protection law.
Information and employee rights: the specific case of geolocation at work
In the corporate sphere, an employer has the right, subject to very specific conditions, to use the geolocation of its employees. This is the case, for example, when using a company vehicle for an assignment.
An employer may only use the geolocation of his employees under the following conditions:
The Commission National Informatique et Libertés, CNIL, warns the bad students, and punishes with heavy administrative fines the companies which would not have established practices respecting the data protection law.
- Because of the type of transport or the nature of the goods transported
- When monitoring a passenger or freight transport service
- For the safety of the employee or the goods being transported
- To improve services based on emergency interventions
- To check compliance with the rules of use of the vehicle
In addition, employees using tracked vehicles must be able to activate or deactivate these geolocation devices as required, to collect only the information necessary for the purpose of their collection.
It should also be noted that the employer may neither collect this data for the purpose of monitoring the speed of the vehicles, nor collect this data outside the working time of the driver of the vehicle.
A specific person must be designated to process these monitoring data, which in principle must be kept for a maximum of 2 months. This period may be extended to 5 years in the case of the monitoring of working hours performed. Finally, the company must guarantee the confidentiality of this information.
Concerning the case of monitoring of working time, it should be stressed that it is only possible if there is no other alternative to measuring working time. If an alternative is possible, even if this method is less reliable, it will always be preferred to the geolocation system considered "excessive".
Geolocation and privacy: how to protect yourself as a user
It's not easy to see through all the geolocation information that smartphone applications can gather. We often share our location because it also belongs to a form of social construction. By sharing a post located in a certain place, we identify ourselves with a social group. This information is also part of the process of building brand awareness, which a brand can set up, and thus participate at the same time in the influence of the brand.
In short, geolocation is used by many applications, because it allows us to collect highly accurate information about our daily habits, the places we go to, the transport used, etc... Very often it is a service activated by default on our devices. Beyond the fact that we can find intrusive this collection of information (which we can also refuse), it is also a powerful tool for personalizing our daily life. Google, for example, stores and analyzes your trips on Maps, from work to home. Just before you leave work, you will get a notification about the traffic conditions on your way home. You can also receive notifications that suggest new places to visit based on your preferences. If you went to the museum last week, it is likely that you will get a notification of an exhibition room near your home for example.
Geolocation is undoubtedly a major issue in improving our daily lives, and all the more important as it represents a formidable growth driver for a considerable number of companies.
But how can we control this information that we let slip out? It is a criterion that can generate anxiety and discomfort among users, but which can be 100% controlled.
Take control of your geolocation on your smartphone. On Android, it's easy to set location permissions directly in Google's settings. It's even possible to view your location history and reset it if needed. On IOS, on the other hand, each application can be customized, by adjusting its settings it is possible to allow or disallow geolocation on a case-by-case basis.