
Data protection in transportation
Data protection in transportation: Which guidelines must be observed?
The legal basis for compliance with driving and rest times is clearly defined. Recording these times is an essential part of upholding and continuously improving working conditions and ensuring road safety. This driver data is classified as personal data, and its lawful, purpose-bound processing must be ensured in accordance with the General Data Protection Regulation (GDPR). Against this background, the question arises:
What impact does the GDPR have on the tracking of truck driving times and what aspects must companies pay particular attention to?
What do freight forwarders need to look out for?
Companies have a responsibility to design their systems and processes in such a way that all data protection requirements are met. The most important aspects at a glance:
- Compliance with the statutory driving and rest periods in road traffic.
- Data protection and deletion periods - GDPR-compliant processing of data, clear storage and deletion periods.
- Technical protective measures, such as access control.
- Obligation to provide evidence and documentation for official inspections.
- No unauthorized monitoring and no interference with legally prescribed rest periods.
GDPR-compliant tracking in logistics
When collecting personal data, companies must consistently comply with the requirements of the General Data Protection Regulation (GDPR).
Permissibility of data collection according to GDPR:
- Legitimate interest of the employer or legal obligation to collect data (retention obligation, compliance with driving and rest times).
Data economy in tracking:
- Avoidance of excessive data collection (location tracking for business purposes only; no recording of drivers' movements during rest periods).
- Data minimization - data collection limited to what is necessary (no private journeys, no permanent position tracking).
GDPR-compliant storage and access control:
- Storage only for the necessary period (statutory retention obligation).
- Access restricted to authorized persons (e.g. dispatchers, authorities as part of inspections).
- Protection against manipulation and unauthorized access through technical and organizational measures (TOMs), such as encryption to secure data.
Transparency & duty to inform drivers:
- Drivers must be informed about the purpose, duration and type of data collection.
Drivers' rights under the GDPR:
- Drivers have the right to information and can request a copy of their stored data.
- Right to rectification & erasure if data is incorrect or the retention period has expired.
- Further rights in detail can be found here.
Special feature: GPS tracking & movement data:
- Permanent GPS tracking is problematic because it creates movement profiles.
- Do not track journeys during rest periods - only record the start and end times of the rest period.
- Employers must clearly justify why they collect GPS data (e.g. for deployment planning or vehicle tracking in the event of theft).
Deletion periods and storage of data:
- Records of driving and rest periods must be retained for at least 2 years in Austria and one year in Germany.
- Clear deletion periods, pseudonymization or anonymization and the restriction to necessary data are essential.
Technical measures for data protection in freight forwarding companies (TOMs)
- Access management (only authorized persons have access).
- Server location in the EU to ensure GDPR compliance.
- Regular security updates to protect against data misuse.
From data storage to the expiry of the deletion period
Responsible and legally compliant data storage therefore requires not only compliance with the prescribed deadlines, but also transparent processes, technical protective measures and the conscious balancing of operational benefits and data protection. In this way, both the rights of the drivers and the legal requirements can be optimally safeguarded.
To meet these requirements, the lbase Driver App and addHelix Mobile were developed in accordance with the General Data Protection Regulation (GDPR). The processing of driving and rest times is thus legally compliant, transparent and data protection-friendly. To this end, clearly defined deletion periods, access restrictions and modern security measures have been implemented to protect personal data.
Best Practices:
- Permissibility: Legitimate interest or legal obligation.
- Data minimization: Only collect necessary data.
- Storage & access: Store data securely, only authorized persons have access.
- Transparency: Inform drivers about data collection.
- Rights of drivers: information, correction and deletion of data.
- GPS tracking: Only record necessary GPS data, avoid movement profiles.
- Security requirements: Access control, server location EU, technical and organizational measures (TOMs).
Author: Clemens Wodak, Deputy General Manager Business Unit