
Driver data and the GDPR: destroying personal data in your fleet

Driver data and the GDPR in your fleet

Around every driver and every vehicle a stream of personal data arises. Tachograph data, driving and rest times, GPS positions, fuel cards, licence copies, medical examinations and telematics together record where someone was, how fast they drove and how long they worked. Under the GDPR that is personal data. You may collect it with a good reason, but not keep it longer than needed, and at the end you must destroy it demonstrably.

Want to check quickly whether your fleet administration is in order? Can you answer yes to each of these?

  • Do you know what your on-board computers and track-and-trace record?
  • Have you set a lawful basis and a retention period per data type?
  • Have your drivers been informed in advance about the tracking?
  • Do you destroy old licence copies and driving-time files after the period?
  • Do you wipe old on-board computers and GPS units before you dispose of them?

If you hesitate on any of these, the sections below show which data counts, on what basis you may track and how to destroy it all demonstrably.

What is driver data under the GDPR?

Personal data is any data traceable to a person. With a fleet that is the case sooner than many operators think. A trip record without a name looks anonymous, but as soon as you know which driver was in which truck, the whole trip is traceable to a person. That brings almost all data arising around a manned vehicle under the GDPR. It is not only the personnel file, but also the digital traces the technology produces day after day. Whoever underestimates this keeps personal data for years without a basis and without a plan to clear it out. For the GDPR it makes no difference whether the data is on paper or in a system. A binder of licence copies falls under the same rules as a database of trip data. The question is always the same. Do you have a valid reason to keep this data and has the period not yet passed?

What data arises around driver and vehicle?

The stream is broader than a payroll file. In an average fleet these categories occur:

  • Tachograph data and driving and rest times, traceable to the driver card.
  • GPS and track-and-trace, locations and routes of the vehicle.
  • Fuel and charging cards, with the time and place of every transaction.
  • Driving licences and copies, often with a photo and document number.
  • Medical examinations and code 95, health data and professional competence.
  • Telematics and on-board computers, driving behaviour, speed and braking per trip.

Each category has its own reason to exist, its own basis and its own retention period. A full overview of transport administration is in the pillar article on logistics, transport and archive destruction.

Tachograph, driving and rest times

The digital tachograph records when a driver drove, paused and rested. That data is directly linked to the personal driver card and is therefore personal data. You keep it because the law requires it, for the check on driving and rest times. The European regulation asks for at least one year of retention, and in Dutch practice many firms keep two years. It is important that you do not reuse the data for other purposes, such as an appraisal, without a separate basis for that. After the period the files and printouts should be destroyed demonstrably.

GPS and track-and-trace

Almost every fleet uses track-and-trace to plan vehicles and substantiate trips. As long as the vehicle is manned, you indirectly also track the driver. That is allowed, but it is delicate. The tracking must serve a clear purpose, for example planning, protection against theft or mileage accounting. Continuous tracking outside working hours is almost never permitted. A good solution is a privacy button with which the driver can pause the recording during a break or private trip. Location history should be kept briefly, only as long as the purpose requires. After that you wipe the history. A trip log kept for years without clear necessity is a typical example of over-collecting. Decide in advance how many weeks you need the locations for planning or costing and stick to that.

Fuel cards and transactions

A fuel or charging card looks harmless, but every transaction records a time and a location. Together they form a pattern that shows where a driver was and when. That is personal data. The transactions belong to your financial administration and therefore follow the seven-year tax retention period. The link between card and person, however, you may not keep endlessly for driving-behaviour analysis. Separate the tax retention from any behaviour analysis and clear out the second part as soon as the purpose is met.

Driving licences, copies and certificates

For a licence check you may view the document, but you keep a copy with a photo and document number only if there is a ground for it. Often a note that the licence was valid, with the category and the expiry date, suffices instead of a full copy. If you do keep copies, they belong in a protected personnel file and not loose on a shared drive. The same goes for code 95, ADR certificates and forklift permits. After someone leaves employment you keep only what payroll and social law require and destroy the rest.

Medical examinations and health data

For some roles a medical or licence examination is mandatory. Health data is special category personal data with extra protection. As an employer you usually record only the outcome, fit or not fit. You do not record the medical details. Those details stay with the occupational physician. The documents you do hold should be kept briefly and tightly protected. For destruction this category requires the highest level, because the sensitivity is great. An unshredded examination result in the waste paper is exactly the kind of leak you want to prevent. Here too, collect no more than needed and clear out as soon as the role or the employment ends.

Telematics and on-board computers

Modern on-board computers measure more than location. They record speed, braking, fuel consumption and sometimes a driving-style score per driver. That is rich personal data and it tempts reuse for appraisal or reward. If you want to use the data that way, you need a separate basis, transparency and involvement of the works council. The data itself sits on the unit, on SIM cards and on central servers. When a vehicle or system is replaced, those carriers remain full of personal data. Treat an old on-board computer just as carefully as a decommissioned computer.

Lawful basis and proportionality for tracking

For every processing you need a basis. In an employment relationship consent is shaky, because an employee hardly feels free to say no. Usually you lean on a legitimate interest or on a legal duty, as with the tachograph. A legitimate interest requires a balancing test. Does your interest in tracking outweigh the driver's privacy? You record that test, preferably in a short assessment. Proportionality also means you do not collect more than needed and do not keep the data longer than the purpose requires. Ask yourself for each field whether it is really needed. Does the planning need the exact location or does a region suffice? Does a trip overview need the driver's name or can it be anonymous? The fewer traceable data you record, the smaller the risk and the easier the clear-out later.

Transparency towards your drivers

Drivers should not be surprised by the tracking. Transparency is a core obligation of the GDPR. Set out in a clear policy which data you collect, for what purpose, how long you keep it and who may view it. Make clear that track-and-trace is for planning and not for permanent control. A driver who knows what happens and why has fewer objections than a driver who discovers it by chance. Good information prevents complaints and strengthens trust on the work floor.

The role of the works council

Tracking systems touch the privacy of staff and therefore fall under the right of consent. A works council or staff representation must consent to the introduction or change of a system that records behaviour or presence. That applies to track-and-trace, to a driving-style score and to in-cab cameras. Involve the council early, so that you avoid a system having to be rolled back after introduction. Record the consent and the agreements, so that if the supervisor asks you can show the system was introduced carefully.

Retention periods per data type

Keeping and destroying starts with knowing when something may go. The period differs strongly per category:

Data type | Indicative period
Tachograph data, driving and rest times | 1 year (EU), 2 years (NL practice)
GPS and track-and-trace history | Short, only as long as the purpose requires
Fuel and charging transactions | 7 years (tax)
Licence copy and certificates | Until end of employment, then clear out
Payroll and absence data | According to tax and social periods
Driving-style and behaviour data | As short as possible, purpose-bound

A broader overview of periods is in the GDPR retention periods cheatsheet. So first check the period per category and clear out afterwards.

Destroying paper files

Part of the driver administration stays on paper. Licence copies, examination results, signed policies and printouts of driving-time checks often sit in a binder. As soon as the retention period has passed, those documents should be destroyed to an appropriate level. The DIN 66399 standard sets out how finely it must be shredded. For ordinary personal data P-4 is the usual level, for ID numbers, medical data and examination results P-5 is needed. A sealed collection and a fine shred together ensure nothing can be reconstructed.

Destroying telematics and data carriers

The digital side requires as much attention as the paper. On-board computers, GPS units, SIM cards, USB sticks and servers hold personal data that does not disappear by simply disposing of a device. A factory reset or a deleted folder often leaves data recoverable. The sure route is physical destruction of the carriers. For magnetic drives the H-levels of DIN 66399 apply, for chips and SSDs the E-levels. How that works in practice and what it costs is covered in the article on having hard drives shredded. The broader framework is in the article on data destruction.

Sealed collection and the closed chain

Demonstrability begins at collection. We collect your paper and data carriers sealed within 20 km of Amsterdam, with no call-out fee. There is no loose bin standing on the yard for days and no walk-in, so the chain from collection to destruction stays closed. That closed chain is called the chain of custody, and it matters with sensitive driver data. Outside that area you can supply nationwide via pooled collection rounds at a fixed price, so even a small fleet can clear out without fuss. Paper and data carriers can come in the same collection, each destroyed to its own level.

The certificate as proof

After destruction you receive a certificate with the date, the quantity and the level applied. For data carriers the serial numbers are on it, so the proof is traceable to the specific on-board computer or drive. That certificate is your proof under the accountability principle of the GDPR. At an inspection or a question from a driver you can immediately show that the data was cleared out neatly. Keep it in your GDPR file, preferably digitally. What a certificate looks like and what belongs on it is covered in the article "Certificate of destruction explained".

In order in 4 steps

  1. Map out which driver and vehicle data you collect and why.
  2. Set a lawful basis and a retention period per category.
  3. Have whatever is past its period collected and destroyed, to the right level.
  4. Keep the certificate as proof in your GDPR file.

Common mistakes

  • Track-and-trace without a basis. Tracking without a balancing test and without informing the driver is a risk.
  • Licence copies on a shared drive. Sensitive documents belong protected, not freely accessible.
  • Disposing of old on-board computers unwiped. The data is then often still recoverable.
  • Not asking for a certificate. Without proof you cannot show the destruction.

Have driver data and telematics destroyed?

Tell us what you have in paper and data carriers and you get a fixed price. We collect it sealed, destroy it to the right DIN level and you receive a certificate as proof for your GDPR file. No call-out fee within 20 km of Amsterdam.


Frequently asked questions

Is tachograph data personal data?

Yes. Tachograph data, driving and rest times and GPS locations are traceable to an individual driver and therefore fall under the GDPR.

May I track my drivers with track-and-trace?

Only with a valid lawful basis and if the tracking is proportionate. You limit it to working hours, inform the drivers in advance and involve the works council.

How long may I keep driver data?

It varies per type. Tachograph data at least 1 year, licence copies and payroll data according to the tax and social periods, then destroy.

How do I destroy old telematics and on-board computers?

Hand the data carriers over in a sealed collection. We destroy them physically to the right DIN level and you receive a certificate with the serial numbers.

Conclusion

A fleet runs not only on fuel but also on data. Around every driver personal data arises, from tachograph data to driving-style scores. Under the GDPR you may collect it with a good reason, provided you stay proportionate, are transparent and involve the works council. Just as important is the end of the trip. Determine the retention period per category, clear out in time and destroy paper and data carriers demonstrably to the right level. With a certificate in your GDPR file you are never empty-handed at an inspection.

