When it comes to service providers (fleet management solutions provider) and end users (their clients) GDPR separates who is responsible for what information and processes. Here we will answer 3 most frequently asked questions about the roles of the service provider and end user in the context of GDPR.
What are data controller and data processor?
With respect to GPS tracking data which is collected by service provider’s devices, service provider is considered to be the data processor, and the end user (client) of service provider on which behalf the data is collected is the data controller.
A controller is an entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
How and what personal data is processed?
Service provider by itself does not create any personal data. It only provides a platform (TrustTrack) for its end users where they may enter, control and process their data. The service provider does not control what personal data is entered by the end user. The end users may enter such data which is not considered personal data or such data which is unknown to the service provider. However, since the data usually consists of the name of the driver, its position, location, type of vehicle, its parameters, etc., Service provider considers all data provided by the end user as personal data in order to ensure maximum safety of the potential personal data.
Who should inform drivers, that their data is being tracked and collected with GPS devices?
Service provider does not create any data in its systems; it only provides a platform for its end users to collect and manage the data, i.e. Service provider is a data processor as explained above. Service provider also does not have any direct contact with the drivers of the end users. Thus the data controller, i.e. the end user of service provider, is responsible for informing its drivers about installed GPS tracking mechanisms and implementation of other rights of data subjects. However, service provider usually puts its best efforts into the implementation of the rights of data subjects where necessary and reasonably possible.