Do you equip your company vehicles with GPS trackers to optimize your rounds or secure your fleet? The CNIL has been strictly supervising this practice since 2015, and has stepped up its controls in 2024-2026. Here's exactly what you need to know to stay in compliance, avoid fines (up to 4% of your sales) and industrial tribunal proceedings.

The legal framework in 2026: 3 cumulative sources of law

Before talking about what is allowed or forbidden, it's important to understand that three texts are cumulative and apply simultaneously to any employer who geolocates its employees.

1. CNIL deliberation no. 2015-165 of June 4, 2015

This is the founding text. In it, the CNIL defines its standard framework for the geolocation of vehicles used by employees. It lists accepted purposes, retention periods and conditions for informing employees. Any installation of a GPS tracker in a company vehicle must comply with this standard.

2. RGPD (General Data Protection Regulation)

Applicable since May 25, 2018, the RGPD adds strong requirements: prior impact analysis (PIA) for risky processing, employee rights of access and opposition, register of processing, notification of violations within 72 hours. GPS tracking of an employee falls into the category of risky processing once it enables continuous monitoring.

3. French Labor Code (articles L1121-1 and L1222-4)

Two key articles:

• L1121-1: "No one may place restrictions on the rights of individuals which are not justified by the nature of the task to be performed or proportionate to the aim sought." → principle of proportionality.
• L1222-4: "No information concerning an employee personally may be collected by a device that has not been brought to the employee's attention beforehand." → obligation of prior information.

A geolocation system set up without informing the employee in advance is considered to be illicit evidence and is inadmissible before the industrial tribunal. Worse still, it may justify the nullity of any dismissal based on it.

The 5 purposes authorized by the CNIL

The CNIL accepts the geolocation of company vehicles for these 5 purposes only. Any other purpose is illegal.

The 5 prohibited purposes - what you really need to know

On the other hand, here's what you're not allowed to do, even with the employee's consent.

The 4 CNIL obligations to meet BEFORE activating geolocation

Activating a GPS tracker without checking the following 4 boxes exposes you to a major legal and financial risk.

Obligation 1 - Prior written information to the employee

Each employee concerned must receive individual written information mentioning :

• The precise purpose of the processing (which of the 5 authorized purposes)
• Categories of data collected (GPS position, speed, times)
• Shelf life (generally 2 months maximum)
• Data recipients (direct manager, accounting, etc.)
• Employee rights (access, rectification, opposition)
• Theidentity of the data controller and DPO (Data Protection Officer)

This information may take the form of an appendix to the employment contract, a memo, or a specific charter signed by the employee.

Obligation 2 - Information and consultation of the CSE

If the company has at least 11 employees (Social and Economic Committee threshold), the CSE must be informed and consulted before geolocation is implemented. Failure to consult is an offence of obstruction, punishable by criminal penalties.

During this consultation, present the chosen system, its purposes, operating procedures, guarantees for employees, and the length of time it will be kept.

Obligation 3 - Registration in the data processing register

The RGPD requires a register of processing activities to be kept. Any geolocation must be included with:

• The name and contact details of the data controller
• Processing purposes
• Categories of data subjects and data
• Recipients
• Shelf life
• Technical and organizational safety measures

Obligation 4 - Impact analysis (PIA) if required

For large fleets or high-risk uses (continuous monitoring, cross-referencing with other employee data), a Data Protection Impact Assessment (PIA / DPIA) is mandatory. It must identify the risks to employee freedoms, and the mitigation measures required.

Special cases outside working hours

This is the point that poses the most problems in practice. The employee goes home in the company car (this is often the case for sales and technical staff). What happens to geolocation between 6 p.m. and 8 a.m., at weekends or on vacation?

CNIL response: geolocation must be deactivated. Three technical solutions are available:

1. Manual deactivation by the employee: a physical button or software interface enables the employee to switch off the tracker outside working hours.
2. Programmed deactivation: the system automatically switches off tracking according to the declared working hours.
3. Privacy mode: the tracker continues to operate, but data outside the working range is neither stored nor retrievable.

If none of these mechanisms are in place, you are in breach of the law.

Concrete sanctions in 2026

The CNIL controls, sanctions and publishes its decisions. Here are the penalties.

Examples of actual penalties published by CNIL

Here are a few highlights from recent years:

• 2022 - Delivery company fined €175,000 for excessive geolocation of its drivers and non-compliant retention period.
• 2023 - Construction company with 50 employees served with formal notice for failure to inform drivers in advance and absence of an AIP.
• 2024 - CNIL decision against a removal firm: €60,000 fine for undeclared use of geolocation data for disciplinary control purposes.

10-step SME compliance checklist

Here's the checklist you need to go through in order before activating geolocation on your fleet. This is exactly what a CNIL inspector would ask you in the event of an inspection.

• Define the precise purpose of processing among the 5 authorized (optimization, security, billing, payroll, driving time)
• Check proportionality: is geolocation necessary or is there a less intrusive way?
• Inform and consult the CSE (if more than 11 employees) - formalize in minutes
• Draw up a geolocation charter or an appendix to the employment contract, signed by each employee concerned
• Register the processing operation in the company's RGPD register
• Carry out an impact analysis (PIA) for large fleets or high-risk usage
• Set the retention period to a maximum of 2 months (unless justified: 1 year for payroll, 5 years for customer invoicing).
• Activate privacy mode or off-duty deactivation
• Secure data access: strong authentication, traceability of consultations, principle of least privilege
• Guarantee employees' right of access to their own geolocation data, on simple request

If you check off these 10 steps, you're in compliance. If you skip even one, you're vulnerable.

How EZTrack automates CNIL compliance

Regulatory complexity is precisely what guided the design of EZTrack. Here's what the platform handles automatically.

Pre-set employee information

EZTrack provides a model appendix to the employment contract and a geolocation charter in compliance with CNIL deliberation 2015-165 - drafted by a partner law firm. You complete them with your purposes and have them signed.

Integrated privacy mode

Each vehicle can switch to private mode with a single click from the driver app. The position is hidden and not stored during this period. The time slot can also be automatically configured according to declared working hours.

Customizable shelf life

By default, geolocation data is stored for 2 months, in accordance with CNIL recommendations. You can adjust this period by purpose (payroll, customer invoicing) with documentary justification.

Employee's automatic right of access

Each employee has a personal portal to view their own geolocation data, request rectification or deletion. This automatically satisfies the RGPD requirement for data access.

Treatment register and consultation log

EZTrack automatically keeps the processing register (downloadable in PDF format) and logs all data consultations by managers. In the event of a CNIL inspection, these data can be supplied in just a few clicks.

Sovereign accommodation France

All data is hosted on OVH servers in France, RGPD compliant and outside extra-European jurisdictions (CLOUD Act US in particular). TLS encryption and daily backups included.

FAQ - Frequently asked questions

Can a GPS system be installed in a vehicle without notifying the employee if hijacking is suspected?

No. Even in the event of a suspected offence, prior notification of the employee is mandatory. A hidden installation constitutes an invasion of privacy and a violation of the Labor Code. The legal course of action is to take the matter to court or hire a bailiff.

Can an employee refuse to have his company car geolocated?

If geolocation is included in the employment contract or in a charter signed on hiring, the employee has accepted it. If geolocation is installed subsequently, the employee may object if he or she can prove that the intrusion into his or her private life is disproportionate. In this case, the employer must demonstrate the necessity and proportionality of the system.

How long can geolocation data be stored?

CNIL recommendation: 2 months maximum for raw data. Justifiable exceptions: 1 year for payroll (calculation of overtime), 5 years for customer invoicing (accounting proof). Beyond that, mandatory anonymization.

Is it necessary to inform the CSE for 5 employees?

The obligation to consult the CSE exists from 11 employees upwards. Below this level, however, the employer must inform each employee concerned individually in writing.

What to do in the event of a CNIL inspection

1) Don't panic. 2) Cooperate fully and be transparent. 3) Provide: data processing register, signed geolocation charter, CSE consultation minutes, PIA if applicable, access logs, retention period settings. 4) If breaches identified: formal notice to rectify within a specified period (usually 3 months). 5) If not rectified: public fine.

My employee has returned his vehicle. Should I delete his data?

Yes, within a reasonable period (recommendation: 2 months after departure). Only data related to customer invoicing or payroll may be kept longer, and then only for this purpose.

Can the GPS of the personal vehicle used for work (km allowances) be traced?

No. A personal vehicle cannot be geolocated by the employer, even if the employee uses it for business travel. To calculate mileage allowances, use a declaration on honor or a manual entry tool.

Conclusion - Compliance is not optional

Geolocation is a formidable management tool for SMEs, enabling them to optimize routes, improve safety, justify their customers and pay their bills. But it's also an area where legal compliance makes all the difference between a successful project and a major risk.

The figures are indisputable: the CNIL issues 30 to 50 public sanctions a year, and fines have tripled since 2022. With the strengthening of 2026 controls, no SME can afford to be amateurish.

The good news is that CNIL compliance is not an obstacle to geolocation: it's a framework which, properly applied, protects the employer, the employee and the company.

If you're in doubt about any of the 10 points on the checklist, now's a good time to do an internal audit - or to put your trust in software that natively supports compliance.

Further information

• CNIL - Geolocation of employee vehicles (official page)
• Deliberation no. 2015-165 of June 4, 2015 (full text)
• EZTrack rates - from €19 excl. tax/month per vehicle
• Request a personalized demo