Vehicle Tracking and GDPR: What UK Fleet Managers Need to Know
Tracking company vehicles is a legitimate business practice — but UK GDPR imposes requirements that many fleet managers aren't fully aware of. Here's what you need to do to track compliantly.
Note: This guide provides general information about UK GDPR and vehicle tracking. It is not legal advice. For advice specific to your circumstances, consult a qualified solicitor or data protection specialist.
Vehicle tracking is personal data processing
GPS tracking data linked to an employee — showing where they drove, when, and for how long — is personal data under UK GDPR. That means it must be processed lawfully, fairly, and transparently. The ICO (Information Commissioner's Office) is clear on this: employee monitoring, including vehicle tracking, is subject to data protection law.
The good news is that UK GDPR doesn't prohibit vehicle tracking — it just requires you to do it correctly. Most fleet operators can implement compliant tracking without significant complexity.
The lawful basis for vehicle tracking
Under UK GDPR, you need a lawful basis for every type of personal data processing. For vehicle tracking, the most commonly used bases are:
Legitimate interests
This is the most commonly used basis for employee vehicle tracking. It allows processing where the business has a genuine and legitimate purpose, and that purpose is not overridden by the employee's fundamental rights and freedoms.
For vehicle tracking, legitimate interests typically include: operational management (knowing where vehicles are to coordinate work), safety (ensuring vehicles are being driven safely), security (recovering stolen vehicles), compliance (DVSA audit trails), and cost management (fuel and mileage monitoring).
To rely on legitimate interests, you should conduct a Legitimate Interests Assessment (LIA) — a short documented analysis of the purpose, necessity, and balance of interests. This doesn't need to be lengthy, but it should exist.
Contract performance
If tracking is a contractual condition of employment (i.e. the employment contract explicitly refers to vehicle monitoring), contract performance may also apply. In practice, most fleet operators combine contract terms with a legitimate interests assessment.
Why consent is problematic for employees
Consent must be freely given, but in an employment context the power imbalance between employer and employee means consent may not be truly free. Employees may feel they cannot refuse. For this reason, the ICO generally discourages reliance on employee consent for monitoring, and legitimate interests is the more defensible basis.
What you must tell employees
Transparency is a core UK GDPR principle. You cannot legally track employees without informing them. The requirement is not to obtain their agreement — it's to ensure they know the tracking is happening and why.
A vehicle tracking policy shared with employees should include:
- What data is collected (GPS location, journey history, driving behaviour, speed)
- Why it is collected (the legitimate purposes listed above)
- Who has access to the data (management, HR, fleet administrators)
- How long the data is retained
- Whether tracking occurs outside working hours
- How employees can exercise their rights (access their data, raise concerns)
This policy should be provided before tracking begins — not retrospectively.
Out-of-hours tracking
The ICO's guidance is explicit that continuous, 24/7 tracking is likely to be disproportionate — particularly during personal use hours. For fleet vehicles that employees are allowed to take home or use for private purposes, best practice is:
- Disable tracking outside working hours (where technically feasible)
- Allow employees to indicate private use mode, which pauses tracking or anonymises the data
- If 24/7 tracking is operationally necessary (e.g. for vehicle security), document this clearly and minimise what data is recorded during private use
Data retention
UK GDPR requires that personal data is not kept longer than necessary. For vehicle tracking data:
- Operational data (daily positions, routes): 90–180 days is typically sufficient
- Timesheet data linked to tracking: retain for as long as required for payroll and employment records (typically 6 years to align with limitation periods)
- Compliance records (DVSA audit trails): retain per DVSA requirements (minimum 15 months for O-licence holders)
Document your retention periods in a data retention policy and configure your tracking system accordingly.
Practical steps for compliant vehicle tracking
- Conduct a Legitimate Interests Assessment documenting why you track vehicles and the balance of interests
- Create a vehicle tracking policy covering what, why, who, how long, and employees' rights
- Communicate the policy to all relevant employees before tracking begins (or before a new system is implemented)
- Update your privacy notice to include vehicle tracking as a processing activity
- Configure tracking to respect private use where vehicles are used outside working hours
- Set data retention periods in your tracking system and honour them
- Respond to employee data subject access requests within one month if employees ask to see their tracking data
Frequently asked questions
Yes, vehicle tracking of employees is legal under UK GDPR, provided it's done correctly. You need a lawful basis for processing (typically legitimate interests), you must tell employees about the tracking in advance (usually via a written policy), and the tracking must be proportionate to the legitimate business purpose. Covert tracking without disclosure is not compliant.
