Belgian data protection authority clarifies the public interest legal basis
On February 21st, 2023, the Belgian Data Protection Authority’s Litigation Chamber examined a case regarding the legitimacy of a geolocation tracking system employed by a public authority for monitoring their employees’ cars. Not only did this decision clarify requirements for proper utilization of such systems, but it also incorporated intriguing interpretations of Article 6.1(e) GDPR’s ‘public interest’ licensing.
The case was triggered by an employee who was informed of supposed time registration fraud based on comparing their logged hours to the geolocation information from their work vehicle. During work times, this worker had supposedly visited their home as well as other family members’ residences and a pub. Allegedly, they were unaware of the auto-tracking since they were given no explanation regarding the system in the job policies.
Processing done “in relation to tasks concerning the public benefit or supervision of official powers” should be interpreted liberally (which is uncommon when it comes to GDPR). This incorporates activities taking place with the objective of relating to any related public interest job – including Human Resource management concluded by an organization responsible for such tasks.
