Cyprus Law on GPS in Company Vehicles – Employer Guide

By M.C. Loizides & Associates LLC

August 14, 2025

This memorandum is provided by M.C. Loizides & Associates LLC for educational and informational purposes only and is not intended and should not be construed as legal advice.

For any further information, please contact info@loizideslaw.com.cy or call 00357 22 333 113.

In today’s business environment, many companies consider installing GPS tracking systems in their fleet vehicles to improve operational efficiency, ensure employee safety, or protect valuable goods. However, in Cyprus, the use of GPS in company vehicles is subject to strict legal requirements under the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Cyprus Law 125(I)/2018 on the Protection of Natural Persons Against the Processing of Personal Data. Employers must fully understand the law to avoid breaching employees’ privacy rights and incurring substantial penalties.

1. Is GPS tracking considered personal data processing?
Yes. Under Article 4 of the GDPR, location data constitutes personal data when it can identify a specific individual. Installing GPS devices in company vehicles involves the collection, storage, and use of such data, meaning it qualifies as “processing” under the GDPR. As a result, all the principles and legal bases of the GDPR apply.

2. Lawfulness of GPS data processing
For GPS tracking to be lawful, it must comply with the core GDPR principles:

  • Lawfulness, fairness, and transparency – Employees must be clearly informed about the purpose and scope of tracking.

  • Purpose limitation – Data must only be used for specific, legitimate purposes.

  • Data minimisation – Only the minimum data necessary should be collected.

  • Accuracy – Location data must be accurate and kept up to date.

  • Storage limitation – Data should be kept only for as long as needed.

  • Integrity and confidentiality – Adequate security measures must be in place.

  • Accountability – The employer must be able to demonstrate compliance.

3. Legal bases for GPS tracking
An employer in Cyprus can justify GPS tracking based on:

  • Performance of a contract (e.g., job duties requiring vehicle use).

  • Legitimate interest (e.g., asset protection, route optimisation), provided the method is necessary, proportionate, and the least intrusive option available.

  • Legal obligation (if required by specific legislation).

Reliance solely on employee consent is discouraged, as the employer-employee relationship is inherently imbalanced, making “free” consent questionable under GDPR.

4. Proportionality and safeguards
Employers must ensure that GPS tracking is proportionate to the risks addressed. For instance, tracking outside working hours is generally prohibited unless justified by safety concerns or asset protection — and even then, employees should be able to deactivate the tracker when using the vehicle for personal purposes. The system should not be used to monitor work performance or punctuality if less intrusive measures (e.g., time cards) are available.

5. International and Cyprus case law
European case law supports GPS use where employees have been informed, tracking is limited to work purposes, and only relevant data is processed. However, over-collection of data or continuous 24/7 monitoring without justification has been found unlawful by data protection authorities in several EU countries.

6. Practical recommendations for employers in Cyprus
Before installing GPS in company vehicles, employers should:

  • Provide clear, accessible policies explaining how and why GPS data will be processed.

  • Limit tracking to what is necessary for legitimate business purposes.

  • Avoid processing data outside agreed working hours, unless essential for safety or security.

  • Implement technical safeguards to prevent misuse of location data.

  • Regularly review and update compliance measures in line with guidance from the Cyprus Data Protection Commissioner.

Conclusion
GPS tracking in company vehicles can be lawful in Cyprus if it is implemented with transparency, proportionality, and full compliance with GDPR principles. Employers should take a cautious approach, balancing operational needs with employees’ fundamental rights to privacy. Legal advice is strongly recommended before deployment to ensure policies, consent forms, and technical systems meet both EU and Cypriot legal requirements.