Geolocation in Public Transportation - Passenger Security - 5 June 2008
[doc. web n. 1672796]
Geolocation in Public Transportation - Passenger Security
Decision by the Italian DPA on a Prior Checking Application Submitted by Air Pullman S.p.A. (under section 17 of Italy's DP Code)
1. Data Processed via Satellite Location Systems and Driving Event Recording Systems
1.1 Air Pullman S.p.A. is a company managing public transportation services. It lodged an application for prior checking pursuant to section 17 of the DP Code. The application concerns the processing of personal data related to the drivers of vehicles either owned by the company or made available to its subsidiaries (Air Pullman Noleggi srl and Saco srl); the said processing results from the implementation of a satellite-based location system using GPS technology. The system in question would be supplied by Digigroup srl (hereinafter, the "service provider") and would include management of a database and of the portal made available to the transportation company.
Along with the processing operations performed with the above system, whose installation is a precondition for the company to participate in calls for tenders related to local public transportation services, additional information is to be processed with the help of the service provider. That information relates to the driver´s "driving pattern" and a few parameters (e.g. brake oil pressure at the beginning and end of braking, vehicle speed also during braking), which would be measured in case of an accident via a data recording and transmission device ("Event Data Recorder", called "black box" by the company).
The company is expected to be able to:
a. locate their fleet on a cartographic map and know speed and direction of the individual vehicles;
b. check that drivers comply with road traffic legislation and corporate requirements;
c. assess security and "comfort" of driving pattern;
d. analyse on-road fuel consumption (and energy efficiency);
e. re-construct the chain of events leading to an accident;
f. detect technical/mechanical failures.
1.2 Based on the information provided by the company, processing of the personal data related to drivers via an ad-hoc encrypted identification code, whereby such data would be associated with those required for vehicle location (real-time position of vehicle, transit date and time, speed, direction of movement), is meant to "ensure passenger and vehicle security by locating their on-road position in case it is necessary to take action, so as to enable passengers to obtain the required service along with the necessary assistance" (see prior checking application, p. 4).
The data would be acquired automatically by the on-board system in accordance with criteria agreed upon beforehand with the service provider (when switching the engine on/off; every five minutes, whether the vehicle is stationary or moving; every five km while the vehicle is moving; at the start and end of each stop - see Annex A to the application); they would be fed into a database managed by the said provider.
The data in question along with the services required for processing them (e.g. a chart of the route followed) would be made available by the provider to the company via a restricted access portal called "i-Nets". No personal data related to the passengers would be processed.
1.3 As for the functions related to traffic security and energy consumption, the company plans to acquire drivers' identification data jointly with information on their "driving pattern". The information at issue - including, in particular, the period during which the maximum rpm number was exceeded; whether the maximum speed was exceeded; driving comfort both on road and during braking; energy consumption related to use of the gas pedal - would only be processed in the form of average rates and not entail the use of analytical data.
The said information would only be used for purposes related to "compliance with road traffic legislation" and the payment of benefits to employees that adjust their driving patterns to corporate standards; the latter purpose would be in line with the incentive policy adopted by the company, which is allegedly "negotiated at corporate level". This information would also be fed into a database available to the company via the "i-Nets" portal.
1.4 Security of personal data would be monitored and implemented continuously via technical arrangements suitable for ensuring data protection. In particular, access to the i-Nets portal and - accordingly - the information it contains would only be allowed by entering a UserID and password based on the authorisation profile determined beforehand with the provider.
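The system described in points 1.1 to 1.4 has two design features worth seeing in code: the driver is identified towards the service provider only by a pseudonymous code, and position samples are captured only when one of the agreed triggers fires. The following Python block is an added illustration of that design and is not code from Air Pullman, Digigroup or the Garante. It assumes a keyed HMAC as the "encrypted identification code" (the page does not say how the code is produced), interprets "stop" as the vehicle halting and moving off again (the page does not define it), and uses a constructed key and constructed telemetry readings.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Pseudonymisation key held by the transport company only; the service
# provider never receives it. Constructed demo value, not from the page.
COMPANY_KEY = b"constructed-demo-key"


def driver_code(employee_id: str, key: bytes = COMPANY_KEY) -> str:
    """Keyed pseudonym for a driver (hypothetical implementation of the page's
    "encrypted identification code"). The provider's database only holds this
    code; only the company, which keeps the key and the roster, can link it
    back to a person, which is what makes it personal data for the company."""
    return hmac.new(key, employee_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


@dataclass
class Sample:
    driver_code: str
    ts: int            # unix seconds
    lat: float
    lon: float
    speed_kmh: float
    heading_deg: float
    reason: str        # which acquisition trigger fired


class AcquisitionPolicy:
    """Triggers listed in point 1.2: engine on/off, every five minutes,
    every five km while moving, start and end of each stop. Intervals are
    measured from the last recorded sample (assumption)."""
    INTERVAL_S = 5 * 60
    INTERVAL_KM = 5.0

    def __init__(self) -> None:
        self.last_ts: Optional[int] = None
        self.last_km: Optional[float] = None
        self.halted = False

    def trigger(self, ts: int, odometer_km: float, speed_kmh: float,
                ignition: Optional[str]) -> Optional[str]:
        moving = speed_kmh > 0.0
        reason = None
        if ignition in ("on", "off"):
            reason = "engine_" + ignition
        elif self.last_ts is None or ts - self.last_ts >= self.INTERVAL_S:
            reason = "interval_5min"
        elif moving and self.last_km is not None and odometer_km - self.last_km >= self.INTERVAL_KM:
            reason = "distance_5km"
        elif not moving and not self.halted:
            reason = "stop_start"
        elif moving and self.halted:
            reason = "stop_end"
        self.halted = not moving
        if reason is not None:
            self.last_ts = ts
            self.last_km = odometer_km
        return reason


def acquire(employee_id: str, readings: List[dict]) -> List[Sample]:
    """Run raw vehicle-unit readings through the policy. Only readings that
    match a trigger become samples sent to the provider, and they carry the
    pseudonymous code, never the employee id."""
    code = driver_code(employee_id)
    policy = AcquisitionPolicy()
    out: List[Sample] = []
    for r in readings:
        reason = policy.trigger(r["ts"], r["odo_km"], r["speed"], r.get("ignition"))
        if reason:
            out.append(Sample(code, r["ts"], r["lat"], r["lon"], r["speed"], r["heading"], reason))
    return out


# Constructed telemetry for one short trip (not real data).
DEMO_READINGS = [
    {"ts": 0,   "odo_km": 100.0, "speed": 0.0,  "lat": 45.46, "lon": 9.19, "heading": 0,  "ignition": "on"},
    {"ts": 60,  "odo_km": 100.5, "speed": 30.0, "lat": 45.46, "lon": 9.20, "heading": 90},
    {"ts": 120, "odo_km": 101.0, "speed": 0.0,  "lat": 45.46, "lon": 9.20, "heading": 90},
    {"ts": 180, "odo_km": 101.2, "speed": 25.0, "lat": 45.47, "lon": 9.21, "heading": 45},
    {"ts": 400, "odo_km": 106.0, "speed": 40.0, "lat": 45.48, "lon": 9.23, "heading": 45},  # no trigger
    {"ts": 490, "odo_km": 106.3, "speed": 40.0, "lat": 45.48, "lon": 9.23, "heading": 45},
    {"ts": 540, "odo_km": 111.5, "speed": 40.0, "lat": 45.49, "lon": 9.25, "heading": 45},
    {"ts": 700, "odo_km": 113.0, "speed": 0.0,  "lat": 45.50, "lon": 9.26, "heading": 0,  "ignition": "off"},
]

if __name__ == "__main__":
    for s in acquire("EMP-0042", DEMO_READINGS):
        print(s)
```

Running the block shows seven samples for eight readings; the reading at 400 s fires nothing because neither five minutes nor five km have elapsed since the previous sample. The key point for the later sections is that every sample leaving the vehicle is still personal data, because the company can reverse the pseudonym.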
2. Protection of Personal Data, Location and Recording of Driving Behaviour
Except for the system functions used by the company to remotely monitor vehicle status, which the company declared to only entail the processing of information unrelated to drivers, the prior checking application at issue concerns the processing of personal data related to drivers with particular regard to location data.
The vehicle location data, where coupled with the drivers' ID codes, are personal information that can be related to the individual data subjects (under section 4(1)d. of the DP Code). This holds true also if the vehicle location data are not matched immediately by the IT system with the drivers' names (and/or the respective ID codes), given that the company would in any case be capable of tracing back the driver allocated to each vehicle (see opinion no. 5/2005 by the WP29 on the use of location data to provide value-added services (WP115); see also opinion no. 4/2007 by the WP29 on the concept of personal data (WP136)).
Such additional data as are processed by the agency of the service provider - i.e. the data on "driving pattern" or those recorded via the "black box" - are to be also regarded as personal data, since they can be related (albeit at a later stage, e.g. on the occasion of an accident) to activities performed by the individual drivers.
Therefore, the processing operations in question fall under the scope of application of the DP Code.
As regards all the purposes mentioned in this decision, the data will have to be processed accordingly via arrangements that can ensure respect for fundamental rights and freedoms as well as for data subjects' dignity (section 2(1) of the DP Code). At all events, the processing must be compliant with section 11(1)a. of the DP Code, whereby it will have to abide by the safeguards and procedures that have been set forth expressly by section 4 of Act no. 300/1970 in order to protect employees.
3. Relationship between Local Public Transport Company (Data Controller) and Service Provider
Outsourcing of the activities aimed at the provision of the service in question - which relies on an ad-hoc co-operation agreement - meets legitimate organisational requirements whereby the transport company, which is the data controller, avails itself of the service provider, which acts as data processor under the terms of section 29 of the DP Code.
The service provider is entrusted with performing a specific activity and has no discretion as for the purposes to be achieved - subject to technical discretion in view of providing the relevant service; the decision-making power concerning the purposes in question lies with the transport company.
Accordingly, the agreement reached with the transport company must be such as to determine the objectives to be achieved, channel data processing operations by the service provider towards pursuing only such objectives, and detail the relevant, non-excessive data to be processed (section 4(1)g. and section 29 of the DP Code). The service provider's activity will have to abide by the instructions issued by the data controller, which must, in turn, take account of the requirements set forth by the Garante in this decision.
4. Lawfulness, Purposes and Relevance of the Processing vis-à-vis Location
The purpose of the processing as notified by the company in connection with operation of the GPS system is lawful. The vehicle (and, indirectly, driver) location system is intended to make the local transportation service more effective by improving allocation of the company's fleet - especially in case of supervening events - and allowing timely information to be provided to both the local transport company and, where appropriate, users, as well as being helpful for the purposes of reporting to the public body that has awarded the contract and monitoring performance. The information will also be used to enhance the safety of both drivers and passengers, as stated in a letter submitted by the company.
Vehicle location data including direction and mean speed in the time spans referred to above (point 1.2) will be processed for the aforementioned purposes.
The adoption of suitable arrangements to prevent drivers' identification data from being disclosed to the service provider - whereby drivers will be assigned encrypted codes as clarified by the company (see point 1.2) - is compliant with the data minimization principle (section 3 of the DP Code).
By having regard to the purposes in question, which are instrumental to the achievement of organisational and production objectives as well as to enhanced occupational safety, the company is authorised to implement the location system and process the personal data required for the system to operate - subject to compliance with the obligations set forth in section 4 of Act no. 300/1970.
5. Lawfulness and Purposes as Related to Compliance with Legal Requirements on Road Traffic and to Assessing the "Driving Pattern"
5.1. Generally speaking, processing the personal data related to drivers as for their "driving pattern" - summed up in the form of average indexes - is also lawful insofar as it serves purposes related to "compliance with legal requirements on road traffic" (as per the prior checking application, p. 4). In this connection, it should be pointed out that road safety - in particular when related to professional undertakings - is accorded fundamental importance from a legal standpoint; this is confirmed by the Community legislation on this subject matter (see e.g. the regulations on the digital tachograph: EC Regulations no. 3821/85, 2135/98, and 561/2006) as well as by domestic legislation (in Italy, reference can be made to the "Driver Qualification Certificate", whereby truck drivers are required to obtain initial certification and attend training courses on a regular basis, pursuant to sections 14 and 20 of legislative decree no. 286/2005).
Accordingly, the company is authorised to process the information related to drivers´ "driving pattern" in compliance with the specific sector-related legislation (in particular, decree no. 287/1992 containing the "New Road Traffic Code" as subsequently amended and supplemented).
5.2. As for processing the information related to the "driving pattern" in order to grant bonuses "to the employees that adjust their driving patterns to corporate standards", it may not be ruled out that the controls at issue are justified by the company's organisational and production requirements - even though the information is derived from the use of "equipment aimed at monitoring workers' activities remotely" (see section 4(2) of Act no. 300/1970). The said requirements can be considered to consist in the savings resulting from monitoring the "driving pattern" as well as in the use of the average indexes to grant bonuses to certain employees, where appropriate on top of the criteria that are currently applied. Indeed, based on the corporate agreement, performance bonuses are related to "reduction of the damage due to internal and/or no-fault accidents" and to "the turnover from line activities by average employee."
The company will have to carefully select such data as are relevant and not excessive in order to calculate the average indexes to be used in granting bonuses to employees (see point 1.3 above); account will have to be taken of the applicable restrictions under the law - in particular, the prohibition for a transport undertaking to "give drivers it employs or who are put at its disposal any payment, even in the form of a bonus or wage supplement, related to distances travelled […] if that payment is of such a kind as to endanger road safety" (see article 10 of EC Regulation no. 561/2006).
Processing will have to be compliant with the additional requirements set out in point 7 below, subject to fulfilment by the transport company of the obligations mentioned in section 4 of Act no. 300/1970.
6. Lawfulness of Processing as for Accident Traceability via the So-Called Black Box
Although the company has failed to fully clarify what purposes are to be achieved via the so-called black box - which clarification will have to be provided in connection with the measures implementing this decision - the processing of drivers' data aimed at describing their behaviour on the occasion of an accident can also be considered to be lawful by having regard to the available documents.
Acquiring information to reconstruct the chain of events leading to an accident can enhance the security standards applying to passengers as well as to the driver; more importantly, it can also prove helpful to detect behaviour that is not in line with road safety legislation and/or to establish the liability vested in the driver.
The company may process the driver-related information concerning accident traceability, also in pursuance of the contractual clauses specifically applying thereto - see, in particular, articles 73 and 74 of the National Labour Contract for truck, railway and tram drivers, whereby drivers are specifically liable for compliance with road traffic legislation and payment of related damages. To ensure that the processing is lawful and fair (section 11(1)a. of the DP Code), the company will have to see to it that the procedures referred to in section 4(2) of Act no. 300/1970 are implemented beforehand; additionally, compliance with the requirements set out in point 7 below will also be a precondition.
7. Additional Requirements
The following requirements are left unprejudiced as regards all the purposes mentioned herein (see points 4 through 6):
a. The workers will have to be provided with the information required under section 13 of the DP Code along with detailed explanations on the nature of the processed data and the features of the system, by having regard to the different purposes to be achieved (see the General Provision adopted by the Italian DPA on 1 March 2007 - Guidelines on Email and the Internet, doc. No. 1408680);
b. Access to the data related to drivers, whether in connection with their location or "driving pattern", will have to only be allowed to persons that have been entrusted therewith by the company and are lawfully entitled to access the data on account of their tasks - e.g. as regards driving behaviour, the staff in charge of co-ordinating the public transport service during work shifts; as regards the average indexes used to assess driving pattern, the staff working in the HR department; etc.;
c. No personal data may be retained for longer than necessary to achieve the aforementioned purposes (see section 11(1)e. of the DP Code). In particular, location information - after being anonymized as appropriate - may only be processed for monitoring and planning the public transport service as aggregate data (see sections 3 and 11(1)e. of the DP Code);
d. The company will have to appoint the provider of the service for which the prior checking application has been lodged as data processor under the terms of section 29 of the DP Code (see point 3 above);
e. The company will have to notify the processing in compliance with section 37 et seq. of the DP Code as regards specifically location data.
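Requirements b. and c. above translate into two concrete controls on the company side: access to each data class limited by task, and location records reduced to anonymised aggregates once they are no longer needed in identifiable form. The following Python block is an added example of both controls and is not code from the page or from any of the parties named in it. The role names, the 0.01-degree grid cell, the one-hour bucket and the rule that an aggregate is only kept when at least three distinct driver codes contributed are all assumptions chosen for illustration; the records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

DAY = 86400


@dataclass(frozen=True)
class LocationRecord:
    driver_code: str   # pseudonymous code, still personal data for the company
    ts: int            # unix seconds
    lat: float
    lon: float
    speed_kmh: float


# Requirement b.: which staff may read which data class. The page names shift
# coordinators (driving behaviour) and HR staff (average indexes); the role
# labels and the exact data classes are assumptions.
ROLE_PERMISSIONS: Dict[str, set] = {
    "shift_coordinator": {"location", "driving_behaviour"},
    "hr": {"driving_indexes"},
}


def can_access(role: str, data_class: str) -> bool:
    """Deny by default: an unknown role or an unlisted data class gets nothing."""
    return data_class in ROLE_PERMISSIONS.get(role, set())


def anonymise_expired(records: List[LocationRecord], now_ts: int, retention_s: int,
                      cell_deg: float = 0.01, k_min: int = 3
                      ) -> Tuple[List[LocationRecord], Dict[tuple, dict]]:
    """Requirement c.: keep identifiable records only inside the retention
    window; everything older is folded into per-cell, per-hour aggregates
    (pass count and mean speed) with the driver code dropped. A cell/hour
    with fewer than k_min distinct drivers is discarded rather than published,
    because a count of one would re-identify the driver on that route."""
    keep = [r for r in records if now_ts - r.ts < retention_s]
    expired = [r for r in records if now_ts - r.ts >= retention_s]

    buckets: Dict[tuple, List[LocationRecord]] = defaultdict(list)
    for r in expired:
        cell = (round(r.lat / cell_deg), round(r.lon / cell_deg))  # integer grid indices
        hour = (r.ts // 3600) * 3600
        buckets[(cell, hour)].append(r)

    aggregates: Dict[tuple, dict] = {}
    for key, rs in buckets.items():
        contributors = {r.driver_code for r in rs}
        if len(contributors) < k_min:
            continue
        aggregates[key] = {
            "passes": len(rs),
            "mean_speed_kmh": sum(r.speed_kmh for r in rs) / len(rs),
        }
    return keep, aggregates


# Constructed records: three drivers on the same stretch nine days ago, one
# driver alone elsewhere the same hour, and two recent records.
DEMO_RECORDS = [
    LocationRecord("a1c3", 1 * DAY, 45.461, 9.191, 30.0),
    LocationRecord("b2d4", 1 * DAY + 600, 45.459, 9.189, 40.0),
    LocationRecord("c3e5", 1 * DAY + 1200, 45.462, 9.192, 20.0),
    LocationRecord("a1c3", 1 * DAY + 1800, 45.500, 9.300, 50.0),
    LocationRecord("a1c3", 9 * DAY, 45.460, 9.190, 35.0),
    LocationRecord("b2d4", 9 * DAY + 60, 45.460, 9.190, 35.0),
]
NOW = 10 * DAY
RETENTION = 7 * DAY  # assumed window; the page sets no figure

if __name__ == "__main__":
    kept, agg = anonymise_expired(DEMO_RECORDS, NOW, RETENTION)
    print(len(kept), "identifiable records kept")
    for key, value in agg.items():
        print(key, value)
    print("hr may read location:", can_access("hr", "location"))
```

With the constructed data, only the two recent records survive in identifiable form; the three older passes on the shared stretch become one aggregate of three passes at 30 km/h, and the lone older pass is dropped entirely because one contributor cannot be aggregated away. The retention window itself is a policy decision the company has to justify against the purposes in points 4 to 6; the code only enforces whatever figure is chosen.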
BASED ON THE ABOVE PREMISES, THE GARANTE
Having completed the prior checking on use of a satellite location system Air Pullman S.p.A. and the respective subsidiaries (Air Pullman Noleggi s.r.l. and Saco s.r.l.) plan to implement for purposes related to the management of transport lines, takes note of the processing of personal data as per the statements rendered by the said company. The processing in question may be carried out provided that:
1. Data subjects are provided with detailed explanations on the nature of the processed data and the features of the system by having regard to the different purposes to be achieved (point 7) along with the information to be given in pursuance of section 13 of the DP Code;
2. Access to the processed data is only allowed to persons that have been entrusted therewith by the company and are lawfully entitled to access the data on account of their tasks (point 7);
3. The data are kept for no longer than necessary to achieve the purposes in question. In particular, location information - after being anonymized as appropriate - may only be processed for monitoring and planning the public transport service as aggregate data;
4. As regards the purpose mentioned under point 5.2, the processing takes place by having regard to the applicable legal restrictions - in particular those set forth in section 10 of EC Regulation no. 561/2006 of 15 March 2006;
5. The procedures referred to in section 4(2) of Act no. 300/1970 are complied with beforehand;
6. The company notifies the processing to the Garante as regards, in particular, location data; the company must also appoint the service provider as data processor under the terms of section 29 of the DP Code.
Done in Rome, this 5th day of the month of June 2008.
THE SECRETARY GENERAL