
Data protection & telematics: GDPR-compliant use of subcontractors in logistics


Without subcontractors, supply chains would collapse, and not only in Germany. Freight forwarders in other European countries also rely on subcontractors to fulfill transport orders in the cargo and general cargo sector. No wonder, because so-called “self-entry” is on the decline. Self-entry (§ 458 HGB) allows a freight forwarder to carry out the transportation of goods itself with its own vehicles (or personnel) instead of subcontracting it to a carrier.

Subcontractors therefore also play an important role in the use of telematics systems. They must be integrated into the data flow without violating data protection under the GDPR. Driver apps such as “pLG Drive”, developed by the proLogistik Group, play a key role here.

1. Data protection as a central requirement in telematics

Telematics systems collect and process a wide range of sensitive data – including location information, proof of delivery and communication data. As soon as subcontractors are involved in the processes, the complexity of data processing increases considerably.

In this context, the GDPR requires transparency regarding data processing, purpose limitation and data minimization as well as technical and organizational measures to protect the data. Last but not least, there must also be clear contractual regulations with processors.

Especially when working with external service providers, it is crucial that access to personal data is strictly controlled and documented.

What the GDPR requires with regard to data processing:

  • Transparency about data processing
  • Purpose limitation and data minimization
  • Technical and organizational measures to protect data
  • Clear contractual regulations with processors

2. Distribution of roles: client and processor

A key aspect of the GDPR is the clear definition of responsibilities. In practice, the client – such as a logistics company – assumes the role of controller. The technical platform, on the other hand, is often operated by specialized providers such as the proLogistik Group.

This constellation requires a data processing agreement (DPA), clear powers of instruction for the client and verifiable security measures. In the case of the “pLG Drive” app, proLogistik Transportation GmbH is behind the application. It processes personal data on behalf of the customer and therefore acts as a processor in accordance with Art. 28 GDPR.

3. Data minimization when using subcontractors

A key principle of the GDPR is data minimization. When using subcontractors, this principle is implemented through targeted access restrictions. ProLogistik has implemented this requirement in the “pLG Drive” app.

Drivers who work for subcontractors only have indirect access to the absolutely necessary data via the “pLG Drive” app. This is the company and order data that the driver needs for the respective transport. Access to the central web portal is therefore precisely restricted in order to avoid unnecessary data exposure.

This architecture ensures that only relevant information is provided, sensitive data is not disseminated in an uncontrolled manner and the requirements of the GDPR are met.

4. Technical protective measures: Encryption and security

The security of data transmission is a core element of every GDPR-compliant telematics solution. With pLG telematics, communication between the “pLG Drive” driver app and the server is always encrypted. This ensures that sensitive information – such as proof of delivery or location data – is protected from unauthorized access.

Additional security mechanisms can also be integrated into this solution. There is a choice of VPN connections to secure data flows and blockchain components to ensure integrity.

5. App functionality: balancing efficiency and data protection

The “pLG Drive” app is a comprehensive mobile solution for drivers and logistics employees. It supports all relevant operational processes such as order and route management, the recording of delivery status and shipment information or the provision of digital signatures as proof of delivery.

The “pLG Drive” app is also capable of photo documentation of deliveries and damage, scanning QR and barcodes and communicating with the scheduling department. These functions are essential for efficient processes – but they must also be designed to comply with data protection regulations.

Essential data protection-compliant functions of the “pLG Drive” app:

  • Order and route management
  • Recording of delivery status and shipment information
  • Digital signatures as proof of delivery
  • Photo documentation of deliveries and damage
  • Barcode and QR code scanning
  • Communication with the scheduling department

6. Location data and GPS tracking

One particularly sensitive area is the processing of location data. Driver apps such as pLG Drive record the device’s location via GPS. This not only displays the vehicle’s position in real time, but also calculates the estimated time of arrival (ETA). Last but not least, the GPS data provides the basis for geofencing functions and route optimization.

Important from a data protection perspective: the data is recorded exclusively during the driver’s active working hours. This prevents unauthorized monitoring outside of working hours – a decisive factor for GDPR compliance.

Reasons for recording GPS position data using a driver app:

  • Displaying the vehicle position in real time
  • Calculating the estimated time of arrival (ETA)
  • Enabling geofencing functions
  • Tour optimization
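
The working-hours restriction described in this section can also be enforced where the data is received, so that fixes recorded outside a shift are never stored, including fixes the device buffered and uploaded later. The following is an added example, not code from pLG Drive or proLogistik; the Shift and GpsFix types, the driver IDs and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Shift:                      # hypothetical shift record (assumption)
    driver_id: str
    start: datetime               # timezone-aware shift start
    end: Optional[datetime]       # None while the shift is still open

@dataclass(frozen=True)
class GpsFix:                     # hypothetical location fix (assumption)
    driver_id: str
    recorded_at: datetime         # when the device took the fix, not upload time
    lat: float
    lon: float

def in_active_shift(fix: GpsFix, shifts: List[Shift], now: datetime) -> bool:
    """True only if the fix was taken inside one of the driver's own shifts."""
    ts = fix.recorded_at
    if ts.tzinfo is None or ts > now:
        return False              # naive or future-dated timestamps are rejected
    for s in shifts:
        end = s.end if s.end is not None else now
        if s.driver_id == fix.driver_id and s.start <= ts <= end:
            return True
    return False

def filter_fixes(fixes, shifts, now) -> Tuple[List[GpsFix], int]:
    """Return (fixes to store, number discarded). Discarded fixes are never persisted."""
    kept = [f for f in fixes if in_active_shift(f, shifts, now)]
    return kept, len(fixes) - len(kept)

# Constructed sample data, not real drivers or positions.
UTC = timezone.utc
NOW = datetime(2024, 5, 6, 16, 0, tzinfo=UTC)
SHIFTS = [
    Shift("drv-1", datetime(2024, 5, 6, 6, 0, tzinfo=UTC), datetime(2024, 5, 6, 14, 0, tzinfo=UTC)),
    Shift("drv-2", datetime(2024, 5, 6, 8, 0, tzinfo=UTC), None),
]
FIXES = [
    GpsFix("drv-1", datetime(2024, 5, 6, 5, 59, tzinfo=UTC), 51.55, 7.40),   # before shift
    GpsFix("drv-1", datetime(2024, 5, 6, 9, 15, tzinfo=UTC), 51.51, 7.46),   # in shift
    GpsFix("drv-1", datetime(2024, 5, 6, 14, 20, tzinfo=UTC), 51.50, 7.47),  # after shift, uploaded late
    GpsFix("drv-2", datetime(2024, 5, 6, 15, 45, tzinfo=UTC), 51.48, 7.22),  # open shift
    GpsFix("drv-2", datetime(2024, 5, 6, 10, 0), 51.48, 7.22),               # naive timestamp
    GpsFix("drv-3", datetime(2024, 5, 6, 10, 0, tzinfo=UTC), 51.45, 7.01),   # no shift on record
]

if __name__ == "__main__":
    kept, dropped = filter_fixes(FIXES, SHIFTS, NOW)
    print(f"stored {len(kept)} fixes, discarded {dropped}")
```

The decision uses the time the fix was taken rather than the upload time, which is what keeps a late upload from reintroducing after-hours positions.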

7. Privacy policy

A driver app should have its own privacy policy. You can find this document for the pLG Drive app here.

A privacy policy should contain the following information:

  • Responsible body
  • Information on data protection officers
  • Information on data processing
  • Purpose of the app and data processing
  • Information about which data is collected and processed
  • Information on any additional app authorizations
  • Information on the recipients of the data
  • Information on the storage period of the data
  • Information on the rights of customers
  • Information on data security
  • Information on whether and to what extent health data is collected
  • Information on whether the app is aimed at minors
  • Contact information

Conclusion

The use of driver apps in collaboration with subcontractors requires a well thought-out data protection concept. Solutions such as the “pLG Drive” app show that efficiency and GDPR compliance do not have to be mutually exclusive. Targeted access restrictions, encrypted communication and a clear allocation of roles allow the requirements of the GDPR to be implemented in a practical manner.

Companies that see data protection not as an obligation, but as a quality feature, create trust – with customers, partners and not least with their drivers.

Recommendations for the GDPR-compliant integration of subcontractors:

  • Define access concepts: Subcontractors only receive the minimum necessary data
  • Secure contracts: Conclude a data processing agreement (DPA) in accordance with the GDPR
  • Implement technical measures: Encryption, VPN, access controls
  • Create transparency: Clear information for drivers about data usage
  • Limit data collection: No processing of data generated outside of working hours


proLogistik Holding GmbH
Fallgatter 1
44369 Dortmund
